
ldapux 5.01 changing password

Robert Mach
Occasional Advisor

Hello, 

we have implemented authentication and authorization of users using ldapux on hpux 11.31 against OpenLdap 2.4.23.

We now have trouble with password policy enforcement.

If using shadow attributes, we are not able to force users connecting with ssh to change the password.

When trying to set up password policy, we can't store the "cfgGlobalPolicyDN" attribute in the uxprofile. Does anyone have the proper schema that we could import into OpenLdap?

The WORST problem we have is when a user runs the passwd (or ldappasswd) command. The user password is properly changed, but the password is stored in plaintext in the ldap directory. Does anyone know how to force at least hashing?

pam.conf:

login auth required libpam_hpsec.so.1
login auth required libpam_authz.so.1
login auth sufficient libpam_unix.so.1
login auth required libpam_ldap.so.1 try_first_pass
su auth required libpam_hpsec.so.1 bypass_setaud
su auth required libpam_authz.so.1
su auth sufficient libpam_unix.so.1
su auth required libpam_ldap.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth required libpam_authz.so.1
dtlogin auth sufficient libpam_unix.so.1
dtlogin auth required libpam_ldap.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth required libpam_authz.so.1
dtaction auth sufficient libpam_unix.so.1
dtaction auth required libpam_ldap.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth required libpam_authz.so.1
ftp auth sufficient libpam_unix.so.1
ftp auth required libpam_ldap.so.1 try_first_pass
rcomds auth required libpam_hpsec.so.1
rcomds auth required libpam_authz.so.1
rcomds auth sufficient libpam_unix.so.1
rcomds auth required libpam_ldap.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_authz.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth required libpam_ldap.so.1 try_first_pass
OTHER auth required libpam_hpsec.so.1
OTHER auth required libpam_authz.so.1
OTHER auth sufficient libpam_unix.so.1
OTHER auth required libpam_ldap.so.1 try_first_pass
login account required libpam_hpsec.so.1
login account required libpam_authz.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1
su account required libpam_hpsec.so.1
su account required libpam_authz.so.1
su account sufficient libpam_unix.so.1
su account required libpam_ldap.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account required libpam_authz.so.1
dtlogin account sufficient libpam_unix.so.1
dtlogin account required libpam_ldap.so.1
dtaction account required libpam_hpsec.so.1
dtaction account required libpam_authz.so.1
dtaction account sufficient libpam_unix.so.1
dtaction account required libpam_ldap.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_ldap.so.1
ftp account required libpam_unix.so.1
rcomds account required libpam_hpsec.so.1
rcomds account required libpam_authz.so.1
rcomds account sufficient libpam_unix.so.1
rcomds account required libpam_ldap.so.1 rcommand
sshd account required libpam_hpsec.so.1
sshd account required libpam_authz.so.1
sshd account sufficient libpam_unix.so.1
sshd account required libpam_ldap.so.1 rcommand
OTHER account sufficient libpam_unix.so.1
OTHER account sufficient libpam_authz.so.1
OTHER account required libpam_ldap.so.1
login session required libpam_hpsec.so.1
login session required libpam_authz.so.1
login session sufficient libpam_unix.so.1
login session required libpam_ldap.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session required libpam_authz.so.1
dtlogin session sufficient libpam_unix.so.1
dtlogin session required libpam_ldap.so.1
ftp session required libpam_hpsec.so.1 bypass_limit_login bypass_umask bypass_nologin
ftp session required libpam_authz.so.1
ftp session sufficient libpam_unix.so.1
ftp session required libpam_ldap.so.1
rcomds session required libpam_hpsec.so.1 bypass_limit_login
rcomds session sufficient libpam_authz.so.1
rcomds session sufficient libpam_unix.so.1
rcomds session required libpam_ldap.so.1
sshd session required libpam_hpsec.so.1
sshd session required libpam_authz.so.1
sshd session sufficient libpam_unix.so.1
sshd session required libpam_ldap.so.1
OTHER session required libpam_hpsec.so.1
OTHER session required libpam_authz.so.1
OTHER session sufficient libpam_unix.so.1
OTHER session required libpam_ldap.so.1
login password required libpam_hpsec.so.1
login password sufficient libpam_authz.so.1
login password sufficient libpam_unix.so.1
login password required libpam_ldap.so.1 try_first_pass
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_authz.so.1
passwd password sufficient libpam_unix.so.1
passwd password required libpam_ldap.so.1 try_first_pass
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_unix.so.1
dtlogin password required libpam_ldap.so.1 try_first_pass
sshd password required libpam_hpsec.so.1
sshd password required libpam_authz.so.1
sshd password sufficient libpam_unix.so.1
sshd password required libpam_ldap.so.1 try_first_pass
OTHER password required libpam_hpsec.so.1
OTHER password required libpam_authz.so.1
OTHER password sufficient libpam_unix.so.1
OTHER password required libpam_ldap.so.1 try_first_pass

nsswitch.conf:

passwd: files [SUCCESS=return NOTFOUND=continue] ldap
group: files [SUCCESS=return NOTFOUND=continue] ldap
hosts: dns [NOTFOUND=return] files
ipnodes: dns [NOTFOUND=return] files
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files

pam_authz.policy

allow:unix_local_user
PAM_ACCT_EXPIRED:ldap_filter:(shadowexpire=0)
PAM_NEW_AUTHTOK_REQD:ldap_filter:(shadowlastchange=0)
allow:ldap_group:cn=nonprod,ou=hpuxservers,ou=systems,dc=itc,dc=cn

ldapux# /opt/ldapux/bin/ldapcfinfo -t passwd
INFO: CFI_CONFIG_SUCCESS:
"passwd" service appears properly configured for LDAP-UX operation.

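As an added check that is not part of this thread: OpenLDAP stores a userPassword value exactly as the client writes it unless the ppolicy overlay's ppolicy_hash_cleartext option is enabled (password-hash on its own only applies to the Password Modify extended operation), so the directives in the comment below are the server-side fix, and the audit function lets an administrator confirm from an ldapsearch or slapcat export that no entry still holds a verbatim password. The LDIF sample, DNs and password strings are constructed for the example.

```python
import base64

# Server-side fix in slapd.conf (cn=config: olcPasswordHash, olcPPolicyHashCleartext):
#   password-hash {SSHA}
#   overlay ppolicy
#   ppolicy_hash_cleartext
# password-hash alone covers only the Password Modify extended operation; the
# ppolicy option also hashes userPassword sent by a plain Modify (the symptom here).

# Scheme tags OpenLDAP uses for hashed or delegated userPassword values.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{SASL}")

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuations, decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:                   # sentinel flushes the last record
        if not line.strip():
            records.extend([current] if current else [])
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr.lower(), []).append(value)
    return records                              # [(dn, {attr_lower: [values]})]

def find_cleartext_passwords(ldif_text):
    """DNs with a userPassword value carrying no scheme tag (stored verbatim)."""
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if any(not v.upper().startswith(HASHED_SCHEMES)
                   for v in attrs.get("userpassword", []))]

_b64 = lambda s: base64.b64encode(s.encode()).decode()
# Constructed sample export; ldapsearch/slapcat base64-encode userPassword.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\nuserPassword:: "
    + _b64("{SSHA}constructed-hash-placeholder") + "\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\nuserPassword:: "
    + _b64("constructed-cleartext-secret") + "\n"
)
```

Run find_cleartext_passwords over a real export to get the list of DNs that still need a password reset after the overlay is enabled, since existing values are not re-hashed retroactively.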
Robert Mach
Occasional Advisor

Re: ldapux 5.01 changing password

Also when trying to change password, the policies set in /etc/default/security are not enforced... (the system is not in trusted mode)