Operating System - HP-UX

Re: synching unix and windows passwords

George_Dodds
Honored Contributor

synching unix and windows passwords

Just been told that due to a SOX audit I have to enable some sort of password aging on my systems.

The problem is that we have Windows frontend servers that use the Unix backend servers, and the user IDs and passwords need to be the same.

Is there an easy way for the Unix password to be automatically changed when the Windows password is changed?

I don't know if something like LDAP can do this.

Cheers

George

harry d brown jr
Honored Contributor
Solution

Re: synching unix and windows passwords

Yes, LDAP can do this for you, and you can have the M$ Active Directory authenticate against LDAP.

http://docs.hp.com/en/J4269-90018/index.html

http://docs.hp.com/en/J4269-90012/index.html

http://docs.hp.com/en/J4269-90037/ch02s05.html

live free or die
harry d brown jr
Live Free or Die
Dwyane Everts_1
Honored Contributor

Re: synching unix and windows passwords

George,

I'm currently going through the same situation. SOX, what a pain, huh? The research I have done so far indicates that an integration between Active Directory (LDAP) and Unix/Linux is the best solution. This way, your Unix/Linux logins are authenticated against your AD environments. Password aging, disabling accounts, and synchronization are handled by AD. I haven't figured out all the nuts and bolts and "how-to's" yet, but this is the direction we are taking.

Dwyane
George_Dodds
Honored Contributor

Re: synching unix and windows passwords

Yup, it's a major pain. I'm part way through a migration and now this!

At least it means I do have some fresh-build servers that I will be able to use to test this first.

Is anyone else having to do this because of SOX?

I think those two senators need a good slap ;)

Cheers

George
Steven E. Protter
Exalted Contributor

Re: synching unix and windows passwords

HP-UX can be integrated into an LDAP environment, or a Windows ADS environment.

Either way, authentication of non-system users will be handled by the rules of the centralized login server. This should satisfy the SOX requirements.

We have played with this but maintain two login systems, with HP-UX simply having the same rules as Windows, using the /etc/default/security file.

I'm attaching mine. In our case the users make sure their passwords are the same on all systems, if they wish things to be that way. We are doing centralized login later this year.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
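One way to verify the "same rules on both sides" approach from the reply above, as an added example that is not code from the thread: it parses a constructed /etc/default/security sample and flags every aging keyword that is unset, disabled, or weaker than the values the Windows domain enforces. The keyword names are assumed from the HP-UX 11i security(4) man page (shadow-password systems), the treatment of values below 1 as "aging off" is an assumption, and the policy numbers are constructed.

```python
"""Check HP-UX /etc/default/security aging keywords against a Windows-style password policy."""
from typing import Dict, List, Tuple

# Password policy as exported from the Windows domain (constructed sample values).
WINDOWS_POLICY: Dict[str, int] = {
    "max_age_days": 90, "min_age_days": 1, "min_length": 8, "history": 5,
}

# HP-UX security(4) keywords (assumption: 11i shadow-password keywords) mapped to policy names.
# "max" keywords must be > 0 and <= the policy value; "min" keywords must be >= it.
KEYWORDS: Dict[str, Tuple[str, str]] = {
    "PASSWORD_MAXDAYS": ("max", "max_age_days"),
    "PASSWORD_MINDAYS": ("min", "min_age_days"),
    "MIN_PASSWORD_LENGTH": ("min", "min_length"),
    "PASSWORD_HISTORY_DEPTH": ("min", "history"),
}

def parse_security(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, ignoring blank lines and # comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_policy(settings: Dict[str, str], policy: Dict[str, int]) -> List[str]:
    """Return one finding per keyword that does not meet the domain policy."""
    findings: List[str] = []
    for keyword, (kind, name) in KEYWORDS.items():
        want = policy[name]
        if keyword not in settings:
            findings.append(f"{keyword} unset; policy requires {want}")
            continue
        have = int(settings[keyword])
        # Assumption: a MAXDAYS value below 1 means password aging is switched off.
        if kind == "max" and not 0 < have <= want:
            findings.append(f"{keyword}={have} (aging off or longer than {want} days)")
        elif kind == "min" and have < want:
            findings.append(f"{keyword}={have} below policy minimum {want}")
    return findings

# Constructed sample of a file on which aging was never turned on.
SAMPLE_SECURITY = """\
# /etc/default/security (constructed sample)
ABORT_LOGIN_ON_MISSING_HOMEDIR=1
MIN_PASSWORD_LENGTH=6
PASSWORD_MAXDAYS=-1
PASSWORD_HISTORY_DEPTH=1
"""

if __name__ == "__main__":
    for finding in check_policy(parse_security(SAMPLE_SECURITY), WINDOWS_POLICY):
        print("MISMATCH:", finding)
```

Run it against the real file with `parse_security(open("/etc/default/security").read())` on each HP-UX host after an audit-driven change; an empty result means the host matches the domain policy.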
George_Dodds
Honored Contributor

Re: synching unix and windows passwords

The majority of our users have no shell access on our systems, the frontend just authenticates with the backend servers.

So I guess LDAP it is.
George_Dodds
Honored Contributor

Re: synching unix and windows passwords

Would it cause a problem if a minority of the users were not using LDAP, as one of the Windows domains is NT, so there is no AD on that one?
Andrew Cowan
Honored Contributor

Re: synching unix and windows passwords

BTW, George, nobody seems to have pointed out that MS-AD is an LDAP with SASL authentication, some Kerberos, and a bit of proprietary stuff thrown in. The Samba people and others are doing a lot of work on extending the reach of AD compatibility across all Unix/Linux platforms, so perhaps it will be worth waiting to see what free products emerge over the next few months.
Dwyane Everts_1
Honored Contributor

Re: synching unix and windows passwords

Andrew,

The unfortunate part of your statement is that those of us who have to be Sarbanes-Oxley (SOX) compliant have to do so by Nov. of this year. We really don't have a few months to wait.

George,

I have a few people that refuse to upgrade to AD as well. We are going to create a trust between that domain and AD for network access, but that doesn't provide a password synchronization solution. Instead, they will have to maintain their own passwords until I can get management approval to force them into AD. The key here is the LDAP; without it, you can't really synchronize the systems without incurring a cost for some sort of identity management software, like HP Select Identity and Select Access (VERY costly!).

Dwyane
Andrew Cowan
Honored Contributor

Re: synching unix and windows passwords

Hi George,

Being based in the UK means that we are not subject to the same laws, therefore I know very little about the nuts and bolts of SOX compliance. The point I was trying to make is that there are centralised user management solutions such as Tivoli, MS-AD, NIS+, etc., and some of them are free and freely available. The bits that are lacking for the open source solutions are the nice tools to manage them, and that is what is being worked on at the moment. There could be nothing stopping you using Samba to synchronise with MS-AD; it's just a bit new at the moment.