
LDAP authentication on Tru64

dom kris
Frequent Advisor

LDAP authentication on Tru64

Hi,

I am looking at various solutions (non-commercial) to centralise user management.
For the moment I only see two solutions, NIS and LDAP.
However, I am unfamiliar with both technologies (I know the concepts but I don't have any 'hands-on' experience).
My preferred choice would be LDAP since our company already has an LDAP running.

The functionality we certainly would like is to be able to change passwords from a central point (root included) for the UX users, and to deactivate/reactivate users.
For the moment, our Tru64 systems have no enhanced security, but that might change in the future.

Also, how stable is the LDAP technology? Is it dependable? What happens when the LDAP server is down?

Any ideas or feedback appreciated.

Kris
7 REPLIES
Mobeen_1
Esteemed Contributor

Re: LDAP authentication on Tru64

Hello Kris,

Firstly, NIS is not the most secure, as it passes stuff across the network in a pretty open manner. If that were not enough, it stores the information in a database that is encrypted with a weak encryption scheme (crypt), at least by modern standards. If you implement it you are leaning on your firewall alone to protect you.

Then came NIS+, which supports better encryption standards. Passes network information fairly securely. Not a bad choice, not the best choice.

LDAP may be the answer for most (certainly not all) companies.

In addition to this we also have a 3rd means of achieving what you are looking for, which is Kerberos.

Check this out on LDAP
http://www.openldap.org

regards
Mobeen
Ralf Puchner
Honored Contributor

Re: LDAP authentication on Tru64

LDAP client functionality is included within 5.1B-1 or the IAS Kit.

openldap.org does not contain an LDAP client kit for Tru64. It will only help if looking for an ldap-server.

The ldap client implementation is quite stable and available since previous versions of the IAS kit. Have a look at it:
http://h30097.www3.hp.com/internet/osis.htm
Help() { FirstReadManual(urgently); Go_to_it;; }
dom kris
Frequent Advisor

Re: LDAP authentication on Tru64

How does the LDAP actually work? I mean, I am guessing that all info from the /etc/passwd and /etc/group is 'pumped' into the LDAP db at some point.
But how does Tru64 handle this? Is the /etc/passwd still used? Can users still change their passwd with the 'passwd' cmd? Do you continually need to sync the /etc/passwd and the LDAP, or is the password information removed from the /etc/passwd and linked to the LDAP?

Kris

Ralf Puchner
Honored Contributor

Re: LDAP authentication on Tru64

No, the LDAP client module is a plugin (like the PAM modules within Linux), and the Tru64 system sends a request to the LDAP database if the user was not found within the /etc/passwd file.

There is no "sync" mechanism, it is still a direct request to the LDAP server.


Help() { FirstReadManual(urgently); Go_to_it;; }
dom kris
Frequent Advisor

Re: LDAP authentication on Tru64

So, for the 'root' user, the /etc/passwd is always used?
Ralf Puchner
Honored Contributor

Re: LDAP authentication on Tru64

It makes sense to configure the root user locally (a problem with LDAP/network will lead to a login/admin problem). But you can also move it to the LDAP side.
Help() { FirstReadManual(urgently); Go_to_it;; }
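
An added example, not from any poster or from the Tru64 LDAP kit: it applies the lookup order Ralf describes (/etc/passwd first, LDAP only when the name is not found locally) to check that root stays local and to flag names that exist in both sources. The passwd lines, the LDIF export and the function names `parse_passwd`, `parse_ldif` and `audit` are constructed for illustration.

```python
# Added example. All account data below is constructed sample input.
LOCAL_PASSWD = """\
root:x:0:1:system PRIVILEGED account:/:/bin/sh
kris:x:201:15:stale local copy:/usr/users/kris:/bin/ksh
"""
LDAP_LDIF = """\
dn: uid=kris,ou=People,dc=example,dc=com
uid: kris
uidNumber: 1201

dn: uid=opsadmin,ou=People,dc=example,dc=com
uid: opsadmin
uidNumber: 0

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1202
"""

def parse_passwd(text):  # {login: uid} from passwd-format lines
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_ldif(text):  # {login: uid} from simple LDIF (no folded/base64 values)
    accounts = {}
    for entry in text.strip().split("\n\n"):
        attrs = dict(ln.split(": ", 1) for ln in entry.splitlines() if ": " in ln)
        if "uid" in attrs and "uidNumber" in attrs:
            accounts[attrs["uid"]] = int(attrs["uidNumber"])
    return accounts

def audit(local, ldap):
    """Findings under the thread's lookup order: /etc/passwd first, then LDAP."""
    findings = []
    if local.get("root") != 0:
        findings.append("root not defined locally: LDAP outage blocks admin login")
    for name, uid in sorted(ldap.items()):
        if uid == 0:
            findings.append(f"LDAP entry {name!r} has uidNumber 0")
        if name in local:
            findings.append(f"{name!r} is local (UID {local[name]}); LDAP entry (UID {uid}) is never consulted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_passwd(LOCAL_PASSWD), parse_ldif(LDAP_LDIF))))
```
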
dom kris
Frequent Advisor

Re: LDAP authentication on Tru64

Okay Ralf,

thanks for the info.
I don't think moving the root to the LDAP will cause a lot of problems since we will be using SSH to log on as root.
However, with the root in the LDAP we can centrally change the password for root every x weeks.
I have been looking for a solution to change the root password automatically via a script, program or whatever but it seems nearly impossible. (Whether or not it is a good practice, it's management-imposed.)

Thanks for the help.
If you have any more suggestions, they are welcome!

Kris