topic Re: Nis plus and trusted systems in Operating System - HP-UX

Nis plus and trusted systems

Dean Johnson_10 — Mon, 01 Mar 2004 11:39:17 GMT

Hi

I have a client that requires single sign on to multiple HPUX 11.0 servers. Currently we use NIS
They also require set password length, set password history and account lock out after 3 invalid password attempts.
Are there any security patches that will enable this (I seem to remember seeing something for 11i but not 11.0) ?
Would NIS plus and trusted systems be the best bet and if so what is the admin overhead ?
Or does anyone know of a third party product that provides single sign on and most of the functionality of trusted systems ?

Thanks

Dean

Re: Nis plus and trusted systems

A. Clay Stephenson — Mon, 01 Mar 2004 11:48:24 GMT

There is nothing under NIS that will enable the features you want; also NIS (unlike NIS+) is absolutely imcompatible with a Trusted system.

NIS+ and trusted is a viable solution. As long as you are not one of those guys that have routines to edit passwd field directly via scripts, the conversion to trusted should be quite painless. The conversion to NIS+ requires a bit steeper learning curve and unfortunately in some ways your knowledge
of NIS may hurt you more than it helps --- it's that different. Conceptually they are similar but that is where the similarity ends.

The downside to NIS+ is that it is probably not a truly long-term solution. If I were you, I would take a hard look at LDAP.

Re: Nis plus and trusted systems

Bill Hassell — Mon, 01 Mar 2004 13:48:18 GMT

NIS and NIS+ are not long for this world...they are simply too unsecure and incompatible with the rest of the world and maintenance is indeed a big deal. An untrusted system cannot keep any password history or failed login attempts. Conerting 11.0 to Trusted and adding all the security patches will give you the controls you need. But LDAP is the only multi-system solution for the future although getting it to play among multiple platforms will be a challenge.

Re: Nis plus and trusted systems

Dean Johnson_10 — Tue, 02 Mar 2004 04:18:44 GMT

Thank you both for your valuable input. I will take a look at LDAP or try and get the client to move away from single sign on so that trusted systems can be implemented

Re: Nis plus and trusted systems

Robert Binkhorst — Tue, 02 Mar 2004 05:38:01 GMT

Hi,

To follow up on your interest in LDAP, take a look at these links for starters:
LDAP-UX integration:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA

Netscape directory server (LDAP server):
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4258CA

OpenLDAP server:
http://www.openldap.org/doc/admin21/index.html

Re: Nis plus and trusted systems

Dean Johnson_10 — Tue, 23 Mar 2004 08:46:30 GMT

If I move towards LDAP, would I still need to convert to trusted system and also does LDAP work ok with ServiceGuard ?

Re: Nis plus and trusted systems

Robert Binkhorst — Tue, 23 Mar 2004 09:56:38 GMT

Hi Dean,

You do not need to convert to a trusted system. That would probably make it more difficult. I have no experience with this though.

I've got systems running with LDAP and MC/SG, and have experienced no problems so far.

HTH,

Robert

Re: Nis plus and trusted systems

Dean Johnson_10 — Tue, 23 Mar 2004 10:33:56 GMT

Robert

Thanks for the quick response. Does LDAP (or the PAM plugin) provide "account lockout" after a configurable number of invalid login attempts ?

This is what I need to provide to the client along with single sign on capability - hence LDAP (for single sign on) and trusted systems (for the account lockout and other security features)

Regards

Dean

Re: Nis plus and trusted systems

Robert Binkhorst — Wed, 24 Mar 2004 01:28:15 GMT

Dean,

Yes, LDAP provides those things. They depend heavily on your implementation though, for instance: I know that the OpenLDAP server supports them, but the HP-UX ldap client doesn't AFAIK. Netscape directory service (iPlanet nowadays) might, I don't know.

Let us know what your conclusions are?

Cheers,

Robert