pam_ldap for user authentication only

Bhaskar Regmi
Occasional Advisor

I am using pam_ldap for user authentication on Linux and Solaris boxes. I am still maintaining NIS for other services, including user credentials (UID/GID pairs). Is there any way to achieve the same thing on HP-UX using LDAP-UX Client Services? My base DN is:

dn: ou=people,ou=intranet,dc=everestsol,dc=com

I do not want to migrate everything to LDAP directory.

Thanks

Bhaskar
Bob Neal-Joslin
Trusted Contributor

Re: pam_ldap for user authentication only

Yes, you can, as long as you have an attribute in the LDAP directory that matches the account name in NIS. Typically this is the uid attribute.

For example, if you have an NIS entry...

joeuser:x:1234:20:Joe User,bld 6,555-1212:/home/joeuser:/usr/bin/sh

Then as long as you have an entry in the directory that also has "joeuser"...

dn: cn=Joe User,ou=people,ou=intranet,dc=everestsol,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
sn: User
uid: joeuser
userPassword: test1234
cn: Joe User

You should be able to configure LDAP-UX to only use pam_ldap to perform authentication. To do this you would run /opt/ldapux/config/setup and run the configuration as normal. But when asked if you would like to do any special configuration, say yes. You'll need to specify a service search descriptor for the passwd service. Instead of (objectclass=posixAccount) you need to specify (uid=*) (assuming the uid attribute contains the account name).

From there, be sure you configure /etc/pam.conf to include libpam_ldap (as per the example in /etc/pam.ldap). You don't need to configure /etc/nsswitch.conf with LDAP.


Hope that helps!
Bob Neal-Joslin
Trusted Contributor
Solution

Re: pam_ldap for user authentication only

If you can't store the profile in the directory, it is possible to create one locally. Here's an example for this case.

Create /etc/opt/ldapux/ldapux_profile.ldif

example:

dn: cn=pam_only_profile,ou=intranet,dc=everestsol,dc=com
objectClass: top
objectClass: duaconfigprofile
cn: pam_only_profile
preferredserverlist: [ldaphostip]
servicesearchdescriptor: passwd:??(&(objectclass=person)(uid=*))
defaultsearchbase: ou=intranet,dc=everestsol,dc=com
authenticationMethod: simple

Execute /opt/ldapux/config/create_profile_cache

Restart ldapclient

/opt/ldapux/bin/ldapclientd -k
/opt/ldapux/bin/ldapclientd

Good luck, and post if you have questions.

Bob
Bhaskar Regmi
Occasional Advisor

Re: pam_ldap for user authentication only

Thanks, Bob, for your valuable reply, but I have no luck yet with the LDAP-UX config.

My ldap.conf for Solaris and Linux box is:

host ldap.everestsol.com
base ou=people,ou=intranet,dc=everestsol,dc=com
port 389
pam_login_attribute uid
pam_password crypt

Regards
Bhaskar
Shannon Petry
Honored Contributor

Re: pam_ldap for user authentication only

I have this working (somewhat) with an HP client to a SunOne directory server (which is Netscape DS 6.1).

I followed pretty much verbatim the README file included with ldapux.

What is your Directory Server?

I have one issue on 11.23, which is that root can not authenticate now. (new thread starting for that one.)
Microsoft. When do you want a virus today?
Bhaskar Regmi
Occasional Advisor

Re: pam_ldap for user authentication only

Client is hp-ux 11.00 and ldap server is iPlanet 5.0.
Shannon Petry
Honored Contributor

Re: pam_ldap for user authentication only

Ok, I had no difficulties with my setup, which is exactly what you are doing.

Configure ldapux if you have not done so. Just because it is configured does not mean it's being used.

The entries in /etc/nsswitch.conf for groups and passwd should look like this.

passwd: files ldap
group: files ldap

All other services should be

service: files nis

Is ldapux configured? If so, you are in the home stretch.

Regards,
Shannon
Microsoft. When do you want a virus today?
Bob Neal-Joslin
Trusted Contributor

Re: pam_ldap for user authentication only

If you could attach a tar of the following configuration files to a reply, (or email me directly at bob_joslin@hp.com) then perhaps I could identify the problem.

/etc/pam.conf
/etc/nsswitch.conf
/etc/opt/ldapux/ldapclientd.conf
/etc/opt/ldapux/ldapux_client.conf
/etc/opt/ldapux/ldapux_profile.ldif

Bob Neal-Joslin
Trusted Contributor

Re: pam_ldap for user authentication only

After further study of Bhaskar's situation it became clear there is one more requirement that I should have stated above. In order to use only pam_ldap, the uidNumber (or any attribute that represents the user's account number) must be stored in the directory entry.

I'll request the LDAP-UX team enhance the product to look for the account number from alternate repositories in pam_ldap.

Bob
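Bob's two requirements above (an attribute in the directory that matches the NIS account name, and a uidNumber on that entry) can be checked before touching pam.conf. The following is an added example, not LDAP-UX code or anything from this thread; the NIS passwd lines and the LDIF export it reads are constructed, and the attribute names (uid, uidNumber) are assumed to be the ones used in the directory.

```python
# Added example (not LDAP-UX code): does every NIS account map to exactly one
# directory entry, and does that entry carry uidNumber as Bob's last reply requires?
from collections import defaultdict
# Constructed NIS passwd map (the lines `ypcat passwd` would print).
NIS_PASSWD = """\
joeuser:x:1234:20:Joe User:/home/joeuser:/usr/bin/sh
bhaskar:x:1235:20:Bhaskar Regmi:/home/bhaskar:/usr/bin/sh
nolo:x:1236:20:No Entry:/home/nolo:/usr/bin/sh
"""
# Constructed LDIF export of ou=people, reduced to the attributes that matter.
LDIF = """\
dn: cn=Joe User,ou=people,ou=intranet,dc=everestsol,dc=com
uid: joeuser
uidNumber: 1234
userPassword: {CRYPT}placeholder

dn: cn=Bhaskar Regmi,ou=people,ou=intranet,dc=everestsol,dc=com
uid: bhaskar
userPassword: {CRYPT}placeholder
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for a simple, unfolded LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attrs[attr.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check_accounts(nis_text, ldif_text, login_attr="uid"):
    """Map each NIS account name to its list of problems ([] means usable)."""
    by_login = defaultdict(list)
    for attrs in parse_ldif(ldif_text).values():
        for value in attrs.get(login_attr.lower(), []):
            by_login[value].append(attrs)
    report = {}
    for line in nis_text.splitlines():
        name, _, nis_uid, *_ = line.split(":")
        hits, problems = by_login.get(name, []), []
        if len(hits) != 1:            # (uid=*) must select exactly one entry
            problems.append(f"{len(hits)} entries with {login_attr}={name}")
        else:
            nums = hits[0].get("uidnumber")
            if not nums:              # requirement from Bob's last reply
                problems.append("directory entry lacks uidNumber")
            elif nums[0] != nis_uid:  # NIS and LDAP disagree on the account number
                problems.append(f"uidNumber {nums[0]} != NIS UID {nis_uid}")
        report[name] = problems
    return report
```

Running `check_accounts(NIS_PASSWD, LDIF)` reports joeuser as usable, bhaskar as lacking uidNumber, and nolo as having no directory entry at all.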
Tanner_5
New Member

Re: pam_ldap for user authentication only

I have a similar problem as Bhaskar Regmi. I'm trying to set up LDAP user authentication on HP-UX. My LDAP server is running on Debian Linux and I want to connect from an HP-UX B.11.11 machine. I've already configured clients on Linux and Tru64-UX, where I didn't have to install something like a Netscape directory server. Where can I declare that my LDAP server is running on a different machine? I think my pam.conf is correctly configured.

Can anybody help me?

Kind Regards,
Markus