- Re: LDAP-UX with Openldap and Shadow attribs
01-12-2009 10:57 AM
I have added the shadowAccount objectClass and the shadow attributes (shadowLastChange, shadowWarning, etc.) to the posixAccount entries.
What changes do I need to make to have the OS/LDAP-UX read and enforce these attributes?
Thanks for the suggestions!
01-12-2009 11:40 AM
Re: LDAP-UX with Openldap and Shadow attribs
HP's open ldap implementation is very limited.
It only works with a webm web based interface and is not fully featured.
LDAP-UX is buggy but should be able to do the job.
Docs:
http://docs.hp.com/en/5992-2330/ch07s03.html
http://docs.hp.com/en/J4269-90069/ch01s01.html
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-12-2009 12:01 PM
Re: LDAP-UX with Openldap and Shadow attribs
Any ideas?
01-13-2009 06:03 AM
Re: LDAP-UX with Openldap and Shadow attribs
I believe that I need to use openldap's password policy overlay:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.3-Release&format=html
(I don't know yet if this will work with HP-UX).
In addition, other methods of enforcing access can be used with ldap queries in a pam_authz policy:
http://docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf
We'll see what comes of this. Does anyone know if the openldap password policy overlay works with LDAP-UX and pam in HP-UX?
01-14-2009 09:54 AM
You're on the right track.
The design goal of LDAP-UX and most other LDAP/OS integration products is to use the directory server itself as the security policy enforcement point, instead of the OS itself. The shadow schema was defined to support a legacy mechanism (at least it's a legacy when it comes to LDAP integration), which would be used by the OS if the directory server didn't support its own security policy. However, there aren't any other LDAP-enabled applications that support the shadow schema, so there isn't much value in it since it doesn't provide for a uniformly enforced policy.
However, when the LDAP server itself supports the security policy, such as with slapo-ppolicy, then all LDAP-enabled applications that authenticate to the directory server will defer to the centralized policy. LDAP-UX supports the password policy control 1.3.6.1.4.1.42.2.27.8.5.1. This control tells the directory server to return password policy details, such as "password expired". And my understanding is that newer versions of OpenLDAP do support this control. Refer to http://www.openldap.org/lists/openldap-software/200606/msg00027.html for a short discussion.
So the short answer is, it should just work if you configure pam_ldap in your pam.conf file and configure policy support in OpenLDAP.
To your other point, you're also right at looking into pam_authz. It's not as simple as just using pam_ldap. It does exactly the opposite of what I said above. pam_authz enforces the security policy on the OS, instead of the directory server. However, it has at least two useful reasons for this. First, it can be used to supplement your current policy with a host-specific policy, such as defining a select set of users that are allowed to login to the host. For example, you can use an LDAP filter in the pam_authz.policy file to write a rule such as, "Only allow users that are active employees and work for the production team to login to this host". Assuming you have information in your directory server that represents that state, it might look something like "allow:ldap_filter:(&(employeeState=active)(team=production))".
The other useful reason for using pam_authz is when you want to manage user account information centrally, but you don't want to use the LDAP server for authentication. A simple example of this might be when you use ssh authentication keys for users. In this case, if a user uses his private key to authenticate, sshd will never call the PAM authentication API, which means that pam_ldap will never try to bind (authenticate) to the directory server. However, sshd does call the PAM account management API, which means that pam_authz can be used to evaluate the security policy in the directory server, even if the authentication process does not occur on the directory server.
Hope that helps!
Regards,
Bob
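The server-side half of "configure policy support in OpenLDAP" from the answer above, as an added example that is not from this thread, HP or the OpenLDAP project: a slapo-ppolicy default policy carrying the same limits the shadow attributes were meant to express, with the slapd.conf lines that activate the overlay. The suffix dc=example,dc=com, the policy DN, the manager DN and every numeric value are assumptions, and OpenLDAP 2.3 slapd.conf syntax is assumed to match the man page linked earlier in the thread.

```ldif
# slapd.conf (OpenLDAP 2.3 syntax) needs these lines in addition to the existing
# schema includes. The ppolicy overlay must be compiled in, or loaded with
# "moduleload ppolicy.la" when built as a module, or slapd refuses to start:
#
#   include         /etc/openldap/schema/ppolicy.schema
#   overlay         ppolicy
#   ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
#
# The LDIF below creates the entry that ppolicy_default points at. Load it with:
#   ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ppolicy.ldif
# Values mirror common shadow settings (assumed here); adjust to local policy.

dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

# pwdPolicy is an AUXILIARY class, so the entry needs a structural class;
# device is used because it only requires cn.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
# The attribute the policy governs: userPassword is what pam_ldap binds with.
pwdAttribute: userPassword
# shadowMax 90 (days) becomes pwdMaxAge in seconds (90 * 86400).
pwdMaxAge: 7776000
# shadowMin 1 (day) becomes pwdMinAge in seconds.
pwdMinAge: 86400
# shadowWarning 14 (days) becomes pwdExpireWarning (14 * 86400). The server
# reports the remaining time through the password policy control
# 1.3.6.1.4.1.42.2.27.8.5.1, which is how pam_ldap learns to warn the user.
pwdExpireWarning: 1209600
# Permit two binds after expiry so the user can still change the password.
pwdGraceAuthNLimit: 2
# Lock the account after 5 failed binds within 15 minutes, for 30 minutes.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockoutDuration: 1800
# Force a change after an administrative reset and refuse the last 6 hashes.
pwdMustChange: TRUE
pwdInHistory: 6
pwdMinLength: 8
# 1 = check quality when the new value arrives in cleartext, accept otherwise.
pwdCheckQuality: 1
pwdAllowUserChange: TRUE
```

Entries that should follow a stricter or looser policy than the default can carry their own pwdPolicySubentry attribute pointing at another pwdPolicy entry under ou=policies.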
01-14-2009 10:08 AM
Re: LDAP-UX with Openldap and Shadow attribs
This whole experience has been an adventure to say the least...
Your input clarifies this greatly and confirms some of what I have been hoping to be true all along.
Unfortunately I have been working with the OpenLDAP as distributed with Internet Express, which was not compiled with the ppolicy module (go figure)! I have been attempting to recompile from source (the README.hp file in /opt/iexpress/openldap/), however this is terribly annoying and I don't think I have the patience to see it through.
What I may do is end up running the directory on linux as my time for this project is pretty much up. It was pretty cool though, I had a nice ServiceGuard package rigged up with TLS and everything...
01-14-2009 11:38 AM
Re: LDAP-UX with Openldap and Shadow attribs
I'll notify our IE team of the issue with OpenLDAP. But I do have a quick question...
Have you considered using the Red Hat Directory Server provided with HP-UX? It's an enterprise-class and fully supported directory server that's similar to the Sun Java DS (came from the original Netscape/iPlanet alliance). RHDS version 8.0 released in Nov08. It should be easy to install and do a quick prototype. Licensing is no charge for internal use (suits OS management very well) and competitive pricing for extranet use.
Bob
01-14-2009 12:07 PM
Re: LDAP-UX with Openldap and Shadow attribs
I had initially thought of using RHDS, however to be honest all of the requirements scared me off a little. I am looking to use this directory in a clustered environment and openldap (on the surface!) seemed to be simpler to set up as I could make it highly available and avoid worrying about replication.
If I use RHDS, then I would want to set up an additional cluster member as a replication partner. Is that difficult to do? However, now that I think about it, it may be a better idea because I could throw my printers in there too... Hmm...
Regardless, at this point if I can't get any solution working in the next day or two I'll be sticking with local users for this project.
I appreciate all of your help with this. I'll return to RHDS this afternoon and load it on a test box to see if it will be easy enough to configure.
Ben
01-15-2009 09:17 PM
Re: LDAP-UX with Openldap and Shadow attribs
I did try out RHDS and while it has everything I need, I don't have time to learn how to implement it as well as I would like right now.
Thanks for the help!
Ben
01-15-2009 09:23 PM
Re: LDAP-UX with Openldap and Shadow attribs
Obviously the more complete and recommended solution is to use RHDS or AD.