Operating System - HP-UX

SUDHAKAR_18
Trusted Contributor

LDAP integration with HP-UX

Hi Experts,

I want to implement a Windows 2008 server with LDAP to authenticate HP-UX servers and for host name resolution. I also want to use the same for changing the root password of all Unix servers centrally.

How can I achieve this?
5 REPLIES
Michal Kapalka (mikap)
Honored Contributor

Re: LDAP integration with HP-UX

Hi,

Check this link:

"Configuring Active Directory for HP-UX Integration"

http://www.docs.hp.com/en/J4269-90037/ch02s05.html


mikap
Steven E. Protter
Exalted Contributor

Re: LDAP integration with HP-UX

Shalom,

The document is good but omits important issues.

This integration only works if the Windows Server is properly patched. So get with the Windows Server admin and see that this is taken care of before getting needlessly frustrated.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
SUDHAKAR_18
Trusted Contributor

Re: LDAP integration with HP-UX

Hi Experts,

Can I expect some more related documents? And how can I plan this integration?
Don Mallory
Trusted Contributor

Re: LDAP integration with HP-UX

I would not use a Windows AD as a central point for managing your root account.

You will need to review the PAM_kerberos and Kerberos client documentation as well. If you are using automounting at all, you should review the Enhanced AutoFS stuff. Also, LDAP enabled hosts allow any LDAP enabled user to authenticate against the host. This is a good thing. It, however, does NOT check whether or not the user is AUTHORIZED to be on the host; for this, you need pam_authz, which installs with LDAP-UX.

Samba integration can also be a challenge, it depends on whether you use LDAP and essentially pass-through authentication to authenticate, or properly authenticate using Kerberos. In this case, review the CIFS Server / Kerberos integration docs. (under CIFS Server I believe on docs.hp.com)

Most of my responses are related to LDAP-UX integration with a Windows AD, please feel free to peruse.

For centralizing your root password changes, the challenge here is, you could have root come out of your AD, however, if for some reason your AD was unavailable (such as single user mode), you would not have the ability to log in.

Alternately, you could use a method of scripted change to the root password. This is generally frowned upon, as, with anything in security, anything that can be used for good can also be used for evil. If you can change your passwords easily, so could an attacker.

On Linux, you can use stdin to set a p/w like this:

passwd root --stdin << EOL
mynewpw
mynewpw
EOL

But HP-UX doesn't support this. PowerBroker or another similar tool might help.

You could also use an ugly sed script to force it in, but you would have to use a key based authentication model for delivering the script, such as a central UX host with root login privs, or a complex login as non-priv user (operator?), su to root and for the change. Or a pull script from a centralised location. Or a config management toolset such as cfengine. Here's a bunch of Open Source ones:

http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software

Personally, I think you should separate the requirements, centralising system account management vs. user account management and go from there.

Don
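
The single-user-mode concern raised in the reply above can be checked on each host before LDAP is switched on. This is an added example, not part of the original post or of LDAP-UX: a shell function (hypothetical name `check_local_root`) that confirms root is a local UID 0 entry and that the `passwd` line in nsswitch.conf consults local files first. The sample files are constructed, and the check is deliberately strict (only `files` as the first source passes).

```shell
#!/bin/sh
# Added example: confirm root stays usable when the directory is unreachable.
# Usage: check_local_root [passwd_file] [nsswitch_file]
check_local_root() {
    passwd_file=${1:-/etc/passwd}
    nss_file=${2:-/etc/nsswitch.conf}
    rc=0

    # 1. root must exist in the local passwd file with UID 0.
    root_uid=$(awk -F: '$1 == "root" { print $3; exit }' "$passwd_file")
    if [ "$root_uid" != "0" ]; then
        echo "FAIL: no local root entry with UID 0 in $passwd_file"
        rc=1
    fi

    # 2. Report any other local account that shares UID 0.
    extra=$(awk -F: '$3 == "0" && $1 != "root" { print $1 }' "$passwd_file")
    if [ -n "$extra" ]; then
        echo "WARN: additional UID 0 accounts:" $extra
    fi

    # 3. The passwd lookup order must try local files before LDAP.
    first_src=$(awk '$1 == "passwd:" { print $2; exit }' "$nss_file")
    case "$first_src" in
        files) ;;
        *) echo "FAIL: passwd lookup starts with '${first_src:-nothing}', not files"
           rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: root resolves locally before LDAP"
    return "$rc"
}

# Constructed sample input (not taken from a real host).
tmp=$(mktemp -d)
printf 'root:*:0:3::/:/sbin/sh\njdoe:*:101:20::/home/jdoe:/usr/bin/sh\n' > "$tmp/passwd"
printf 'passwd: files ldap\ngroup: files ldap\n' > "$tmp/nsswitch.conf"
check_local_root "$tmp/passwd" "$tmp/nsswitch.conf"
rm -rf "$tmp"
```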




SUDHAKAR_18
Trusted Contributor

Re: LDAP integration with HP-UX

Hi Don Mallory,

Thanks a lot for the valuable and brief suggestion.

Expecting more advice from Experts...