Tom Bate
Advisor

LDAP and AD

We have 180+ Windows Servers all in a single AD domain and have five HP-UX servers, on the same LAN. Currently we log into the UNIX boxes as system and su to root. Recently auditors have decided that it would be more secure if we all had our own logins for the UNIX boxes and then su - it would be easier to see who did what when the balloon goes up.

The idea is to use LDAP and AD so that we can use the same accounts that we use on the Windows servers. Given that there is no NIS or LDAP on the HP-UX installations and that we still want to have the root and system logins controlled locally, can anyone tell me what I need to install and where?

For example, do I need to install NIS client onto the servers?

Any help/advice will be gratefully received.
11 REPLIES
hpuxrox
Respected Contributor

Re: LDAP and AD


vintela
Tom Bate
Advisor

Re: LDAP and AD

Took a look at http://www.vintela.com/ and you are right, this would be good. However since we are only concerned with a dozen accounts on five servers, I can't see there being any money in the budget.

How do I sort it with just existing Windows/HP-UX software? If it is too much of a challenge, we would consider just installing LDAP on the UNIX servers and not integrating it into AD.
Heironimus
Honored Contributor

Re: LDAP and AD

You need LDAP-UX, and optionally the Kerberos client. LDAP-UX is supported by HP for use with Active Directory. The LDAP-UX release notes document what other components it relies on.

LDAP logins can coexist with local accounts, as long as you don't have any conflicts. You'll probably need to extend your AD schema to include the POSIX account attributes.
Steve Post
Trusted Contributor

Re: LDAP and AD

If you don't have that many people (5?), why don't you just make the accounts?

It would seem a lot faster, since you would not be installing anything on the box.

I never log in as root. I don't seem to miss it. I su after I'm in.

I can't find the man page on it, but you can make it so people cannot telnet in as user root on the box.
Make a file called /etc/securetty
Put the word "console" in it.
Now root can only log in from the console.

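The /etc/securetty steps above, turned into a small audit check. This is an added example, not code from the thread: it reads the file (or any securetty-format text) and reports whether root is confined to the console. It assumes the HP-UX login(1) behaviour described in the post, namely that when the file exists root may log in only on the terminals listed in it, and that a missing file imposes no restriction; treating `#` lines as comments is an assumption as well.

```python
# Added example (not from the thread): audit /etc/securetty on an HP-UX box.
# Assumed semantics: if the file exists, root may log in only on the terminals
# listed in it; if it is missing, root may log in from any terminal.
import os

def parse_securetty(text):
    """Return the set of terminal names listed in securetty text.
    Blank lines and '#' comments (an assumed convention) are ignored."""
    ttys = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ttys.add(line)
    return ttys

def audit_securetty(text):
    """Return (ok, message) for the given securetty content.
    ok is True only when 'console' is the sole permitted terminal.
    text=None means the file does not exist."""
    if text is None:
        return False, "/etc/securetty missing: root can log in from any terminal"
    ttys = parse_securetty(text)
    if not ttys:
        # Empty file: nothing is listed, so root has no terminal to log in on
        # directly (su from a personal account still works).
        return False, "securetty lists no terminals: direct root login disabled everywhere"
    if ttys == {"console"}:
        return True, "root login restricted to the console"
    if "console" not in ttys:
        return False, "console not listed; root login allowed only on: " + ", ".join(sorted(ttys))
    extra = sorted(ttys - {"console"})
    return False, "root login also allowed on: " + ", ".join(extra)

def audit_file(path="/etc/securetty"):
    """Audit the real file; a missing file is reported, not treated as an error."""
    if not os.path.exists(path):
        return audit_securetty(None)
    with open(path) as fh:
        return audit_securetty(fh.read())

if __name__ == "__main__":
    ok, msg = audit_file()
    print(("OK" if ok else "WARN") + ": " + msg)
```

Run it as root on each box; a WARN line is the thing to chase, and an OK line is the evidence the auditors asked for.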
Don Mallory
Trusted Contributor

Re: LDAP and AD

Heironimus is mostly right.

If you are using an AD and want to authenticate against it, you must use LDAP-UX, but Kerberos is not optional as it is the auth method that Windows AD uses.

There's a few components to this. I've done the same for similar reasons, but with more UX boxes.

Here's a couple of links to other answers I've given, all relating to this.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1026837

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163

It's worthwhile and works well, it's a little tricky to get it all together the first time.

Good luck.
Heironimus
Honored Contributor

Re: LDAP and AD

AD allows LDAP simple binds, you don't have to use Kerberos. The main problem is that AD domain controllers are almost never configured to use SSL (the usual explanation is that it's too hard), so LDAP auth against AD with a simple bind sends the password over the wire in clear. Kerberos avoids that and potentially provides better integration, but requires some setup on the AD side. In either case, doing it "right" requires that the AD admins understand the environment and do some relatively advanced work, so most places do it wrong instead and just configure apps to do simple binds on 389 or 3268.
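To make the "password over the wire in clear" point concrete, here is an added example (not from the thread, and not LDAP-UX code) that encodes an LDAPv3 simple BindRequest exactly as RFC 4511 defines it and checks whether the password bytes appear verbatim in the message. The DN and password are constructed sample values. Without TLS around the TCP connection on 389 or 3268, these bytes are what anyone on the path sees; Kerberos avoids the problem because the password itself is never sent.

```python
# Added example, not from the thread: build an LDAPv3 simple BindRequest
# (RFC 4511) and show that the password travels verbatim inside it.

def ber_len(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(value):
    """BER INTEGER for non-negative values; adds the leading zero byte that
    keeps values with the top bit set (e.g. 128) positive."""
    body = value.to_bytes((value.bit_length() // 8) + 1, "big")
    return tlv(0x02, body)

def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] {
         version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    bind_req = (
        ber_int(3)                                # version 3
        + tlv(0x04, bind_dn.encode("utf-8"))      # name: OCTET STRING
        + tlv(0x80, password.encode("utf-8"))     # simple: context tag [0]
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind_req))

def password_visible(message, password):
    """True when the raw password bytes appear unchanged in the wire message."""
    return password.encode("utf-8") in message

def hexdump(data):
    return " ".join("%02x" % b for b in data)

if __name__ == "__main__":
    # Constructed sample values, not a real directory.
    msg = simple_bind_request(1, "cn=tom,ou=users,dc=example,dc=com", "S3cretPass")
    print(hexdump(msg))
    print("password readable in message:", password_visible(msg, "S3cretPass"))
```

The defender's check that follows from this: confirm the client is configured to bind only over LDAPS or StartTLS (or with Kerberos), and on the domain controller side confirm that port 389/3268 is not accepting simple binds without TLS.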
Tom Bate
Advisor

Re: LDAP and AD

Steve,

Thanks for the help. We already have the word "console" in /etc/securetty but everyone uses the system account to log in before su -. I think you are right though - 12 accounts on 5 servers is a bit of a molehill for the mountain that LDAP and AD seems to be.

Heironimus/Don,

Thanks too for the advice. As I say above, I think AD/Kerberos might be too much bother for such a small number of accounts. Is LDAP for HP-UX still the best thing to be looking at? I heard that NIS was on its way out (and doesn't allow password shadowing).

Cheers.
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: LDAP and AD

NIS is probably not on its way out (whatever the definition of that phrase is) but its more secure cousin, NIS+, is definitely on its way out. NIS does not support shadowed passwords and thus is very insecure in today's environment but it is still widely used in those (rare) environments where high security is not a concern. While NIS can be used with strong passwords, the password hashes are visible to anyone so that NIS is very vulnerable to password guessing attacks.

Your least evil, secure approach is LDAP.

If it ain't broke, I can fix that.
Heironimus
Honored Contributor

Re: LDAP and AD

NIS won't pass audit a lot of places, even for businesses that don't specifically have high security requirements.

The other options I see that don't involve spending money are LDAP-UX, a home-grown sync script, or manual management. The number of machines involved make manual account setup reasonable, but you'll want to be careful about keeping UIDs and GIDs consistent to reduce your headaches.

If you go with manual account management you'll need to make sure you track growth in your environment. UNIX environments often grow slowly, so one day you might look around and realize you're manually handling accounts on 20-30 machines that got added one at a time over a few years.
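If manual account management is the route taken, the UID/GID consistency that Heironimus warns about is easy to check mechanically. This is an added example, not code from the thread: given the /etc/passwd text collected from each host (the sample below is constructed, with deliberately mismatched entries), it reports users whose UID or GID differs between hosts and UIDs that belong to different user names on different hosts, which is what breaks file ownership and "who did what" tracing later on.

```python
# Added example, not from the thread: find UID/GID drift in manually managed
# accounts across several hosts. Input is {host: contents of /etc/passwd}.

# Constructed sample: 'ann' has a different UID on hpux2, and UID 1001 is
# 'tom' on two hosts but 'bob' on the third.
SAMPLE_PASSWD = {
    "hpux1": "root:x:0:3::/:/sbin/sh\n"
             "tom:x:1001:20::/home/tom:/usr/bin/sh\n"
             "ann:x:1002:20::/home/ann:/usr/bin/sh\n",
    "hpux2": "root:x:0:3::/:/sbin/sh\n"
             "tom:x:1001:20::/home/tom:/usr/bin/sh\n"
             "ann:x:1003:20::/home/ann:/usr/bin/sh\n",
    "hpux3": "root:x:0:3::/:/sbin/sh\n"
             "bob:x:1001:20::/home/bob:/usr/bin/sh\n",
}

def parse_passwd(text):
    """Return {user: (uid, gid)} from passwd-format text; malformed or
    comment lines are skipped rather than aborting the whole check."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        try:
            accounts[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue
    return accounts

def find_inconsistencies(passwd_by_host):
    """Return (user_conflicts, uid_conflicts):
    user_conflicts: [(user, [((uid, gid), [hosts]), ...]), ...]
    uid_conflicts:  [(uid, [(user, [hosts]), ...]), ...]"""
    by_user = {}   # user -> {(uid, gid): [hosts]}
    by_uid = {}    # uid  -> {user: [hosts]}
    for host, text in passwd_by_host.items():
        for user, (uid, gid) in parse_passwd(text).items():
            by_user.setdefault(user, {}).setdefault((uid, gid), []).append(host)
            by_uid.setdefault(uid, {}).setdefault(user, []).append(host)
    user_conflicts = sorted(
        (user, sorted((ids, sorted(hosts)) for ids, hosts in variants.items()))
        for user, variants in by_user.items() if len(variants) > 1)
    uid_conflicts = sorted(
        (uid, sorted((name, sorted(hosts)) for name, hosts in owners.items()))
        for uid, owners in by_uid.items() if len(owners) > 1)
    return user_conflicts, uid_conflicts

if __name__ == "__main__":
    users, uids = find_inconsistencies(SAMPLE_PASSWD)
    for user, variants in users:
        print("user %s has different ids per host: %s" % (user, variants))
    for uid, owners in uids:
        print("uid %d is owned by different users: %s" % (uid, owners))
```

Feed it the real files (for example copied from each box with scp) before adding the next server, and run it again whenever someone creates an account by hand; a clean run is a quick way to show the auditors the manual scheme is actually being kept consistent.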