Re: Get hpux user info into AD for ldap

Medavie
Valued Contributor

Get hpux user info into AD for ldap

Currently we are trying to get ldapux and ad to work together. I have been able to use the migration scripts provided by HP to add a couple of "new" test accounts with the proper unix information attached to them, and they work. BUT we have not been able to get any account that was previously created in ad to connect to the hpux server using the windows ad. I get the following messages:

sshd[6585]: PAM_LDAP auth-bind got HP_LDAP_NOTFOUND
sshd[6585]: PAM_LDAP auth-bind failed!
sshd[6585]: PAM_LDAP pam_sm_authenticate: set bind status (13)
sshd[6585]: PAM_LDAP 2nd auth_bind returns 13
sshd[6585]: PAM_LDAP pam_sm_authenticate: returning 13

I know the proxy bind is functioning properly and am convinced that the accounts that were already in AD need to have the Unix information attached to them, just can not figure out how to get this done. The current accounts in AD can not be removed due to already having other credentials attached to them.

Has anyone seen this, fixed this, or know how to fix this?
skt_skt
Honored Contributor

Re: Get hpux user info into AD for ldap

what version of HP-UX?
Medavie
Valued Contributor

Re: Get hpux user info into AD for ldap

HPUX 11.31 ia64
ldapux 4.15.01
Medavie
Valued Contributor

Re: Get hpux user info into AD for ldap

Does anyone know if it is even possible to modify Windows AD entries to add the POSIX information to them without deleting them from AD first? I am coming to the conclusion that ldapux is a limited version of ldap and therefore is limited in the way that it operates.
Please let me know if anyone has a method that works, I have tried many combinations of the ldap and ldapug commands with no success.
Bob Neal-Joslin
Trusted Contributor
Solution

Re: Get hpux user info into AD for ldap

Hi Shane,

Do you have Windows 2003 R2 or 2008, or do you have an older version? W2K3 R2 and later include the POSIX schema by default. If you have an earlier version of Windows Server, you can install the MS SFU schema. Based on your comments about the migration "test" accounts working, it appears you do have the schema. So this should be a non-issue.

So there should be a couple of ways to amend existing accounts with Unix information. First, you can use ADSI Edit on the AD server. ADSI Edit allows you to add any attribute to any entry, as long as it is allowed by the objectclasses used in the entry. So you can add the uidNumber (or msSFU30uidNumber) attribute and the other Unix attributes directly to the user account. It also includes a tab in the users and groups properties editor that is dedicated to editing POSIX attributes. The second option is to use version B.04.15 or later of LDAP-UX. These versions of LDAP-UX include user and group management commands that allow you to edit Unix user and group entries. If you look at /opt/ldapux/bin/ldapugmod, you'll see it has a specific option (-O) that is specifically for the purpose of adding Unix account or group information to an account or group that doesn't already have this information.

Hope that helps!

Bob
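The first of the two routes above (adding the POSIX attributes directly to an existing AD user entry) can also be done from a script instead of the ADSI Edit GUI, by feeding an LDIF modify record to an LDAP client. The block below is an added example, not code from the thread, from HP, or from LDAP-UX: it builds that LDIF for an existing DN, and it checks an ldapsearch-style dump of an entry for the attributes pam_ldap needs, so an admin can tell before enabling logins which pre-existing accounts will still produce the HP_LDAP_NOTFOUND failure shown in the question. The attribute names assume the Windows 2003 R2 built-in schema (uidNumber, gidNumber, unixHomeDirectory, loginShell); on a pre-R2 SFU schema they would be the msSFU30 variants Bob mentions. All DNs and values are constructed placeholders, and whether an extra objectClass must be added is a deployment detail the entry's schema decides.

```shell
#!/bin/sh
# Added example (not from the thread or from LDAP-UX): emit an LDIF "modify"
# record that adds POSIX attributes to an existing AD user, and check an
# ldapsearch-style dump for the attributes pam_ldap needs.
# Assumptions: Windows 2003 R2 RFC 2307 attribute names; DNs/values below
# are constructed placeholders, not real directory data.

POSIX_ATTRS="uidNumber gidNumber unixHomeDirectory loginShell"

# posix_ldif DN UIDNUMBER GIDNUMBER HOMEDIR SHELL
# Prints an LDIF modify record on stdout. Feed it to an LDAP client, e.g.
#   posix_ldif "$dn" 10001 10001 /home/tuser /usr/bin/sh | ldapmodify ...
# Each "add:" block is separated by "-" as the LDIF change syntax requires.
posix_ldif() {
    dn=$1; uidn=$2; gidn=$3; home=$4; shell=$5
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uidn"
    printf 'add: gidNumber\ngidNumber: %s\n-\n' "$gidn"
    printf 'add: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'add: loginShell\nloginShell: %s\n-\n' "$shell"
}

# check_posix_attrs ENTRY_TEXT
# ENTRY_TEXT is one entry as ldapsearch prints it ("attr: value" lines).
# Prints the space-separated list of missing POSIX attributes (empty line if
# none) and returns 0 only when every attribute is present. Attribute names
# are matched case-insensitively because AD returns them as stored.
check_posix_attrs() {
    entry=$1
    missing=""
    for attr in $POSIX_ATTRS; do
        printf '%s\n' "$entry" | grep -qi "^$attr:" || missing="$missing $attr"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Two constructed sample entries: one migrated with POSIX data, one created
# in AD before the schema was used (the situation in the question).
SAMPLE_OK='dn: CN=Test User,OU=Unix,DC=example,DC=com
objectClass: user
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/tuser
loginShell: /usr/bin/sh'

SAMPLE_OLD='dn: CN=Old User,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: olduser'

# demo: report on both samples and show the LDIF that would fix the old one.
demo() {
    for e in "$SAMPLE_OK" "$SAMPLE_OLD"; do
        dn=$(printf '%s\n' "$e" | sed -n 's/^dn: //p')
        if m=$(check_posix_attrs "$e"); then
            echo "OK      $dn"
        else
            echo "MISSING $dn -> $m"
            posix_ldif "$dn" 10002 10001 /home/olduser /usr/bin/sh
        fi
    done
}

[ "${1:-}" = "demo" ] && demo
</test>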
eric roseme
Respected Contributor

Re: Get hpux user info into AD for ldap

Hi Shane,

I just finished a whitepaper called "Unified Login for HP CIFS Server, HP-UX, and Windows 2003R2", where I show screen shots on how to set up Windows and HP-UX to store and retrieve POSIX IDs on the AD. Since I just finished it yesterday, it is not posted for external-HP access yet. If you want a copy, then email me - Eric Roseme at HP with all the dots and stuff.

Eric Roseme
Medavie
Valued Contributor

Re: Get hpux user info into AD for ldap

Bob, that worked like a charm. I had read the descriptions for the options but did not fully understand each of them. I had also tried many other different things as well. Thank you for guiding me to the correct spot. Things now work perfectly.