Operating System - HP-UX

Re: Ideas....? No time to convert from NIS to LDAP

Angie_1
Regular Advisor

Ideas....? No time to convert from NIS to LDAP

We are going through Sarbanes preparation and found out that since NIS does not enforce password expiration and password character restrictions (an example may be a min. 6 char. long with a number), we are in need of a quick fix. We don't have time to go to LDAP with the time constraints of Sarbanes. We have thoughts of making it so the workstations check the local password instead. The problem would be that if a user gets up to use a different workstation and has changed that password, then it's no longer synced.

Ideas?

Angie
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Ideas....? No time to convert from NIS to LDAP

Actually, your biggest problem with respect to NIS is not the password composition rules but rather the fact that a user can do a ypcat passwd and obtain the entire list of password hashes, which can then be subjected to a dictionary attack (e.g. crack). Now, if your SOX auditors don't know this, then it's rather simple to get NIS to adhere to any sort of composition rules you like. All you have to do is create your own yppasswd command or utility. The yppasswd library function makes this rather easy. I have even done some versions that had an interface for a browser.
If it ain't broke, I can fix that.
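The two points in the reply above (that a plain NIS passwd map hands every hash to anyone who can run ypcat, and that a home-grown yppasswd front end can enforce whatever composition rule you like) as an added POSIX sh example. This is not code from the thread or from HP-UX; the sample map lines are constructed (the hash fields are random-looking text, not real crypt output), the 6-character/one-digit rule is the one the original poster describes, and the call to the real yppasswd is left as a comment because it would contact the NIS master.

```shell
#!/bin/sh
# Added example, not from the original post. Reads passwd(4)-style lines
# (e.g. the output of "ypcat passwd") and counts entries whose second field
# is a real hash rather than a placeholder (x, *, !, or empty). Any non-zero
# count means the crypt hashes are readable by every NIS client user.
count_exposed_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { n++ } END { print n+0 }'
}

# Composition rule a replacement yppasswd would apply before accepting a new
# password: at least 6 characters and at least one digit. Returns 0 when the
# candidate passes, 1 when it fails. The threshold of 6 is the example from
# the question, not an HP-UX default.
pw_policy_ok() {
    pw=$1
    [ "${#pw}" -ge 6 ] || return 1
    case $pw in
        *[0-9]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample of what "ypcat passwd" might print on a site that still
# publishes hashes in the map. Two entries carry hashes, two do not.
SAMPLE_MAP='root:x:0:0::/:/sbin/sh
mmouse:ab3Kd9xQzPfEw:1001:20:Mickey:/home/mmouse:/usr/bin/sh
dduck:*:1002:20:Donald:/home/dduck:/usr/bin/sh
minnie:9xZpQ2aBcDeFg:1003:20:Minnie:/home/minnie:/usr/bin/sh'

printf 'entries with readable hashes: %s\n' \
    "$(printf '%s\n' "$SAMPLE_MAP" | count_exposed_hashes)"

# How the wrapper would gate the real change (not executed here):
#   pw_policy_ok "$new" && yppasswd
for candidate in abcdef a1 secret7; do
    if pw_policy_ok "$candidate"; then
        printf '%s: accepted\n' "$candidate"
    else
        printf '%s: rejected by policy\n' "$candidate"
    fi
done
```

The policy check only helps against new passwords; existing weak hashes already in the map stay exposed to ypcat until they are rotated, so any wrapper like this needs to be paired with forced changes for the current user base.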
A. Clay Stephenson
Acclaimed Contributor

Re: Ideas....? No time to convert from NIS to LDAP

Plan B.

Use one box for a master passwd server then use the rdist command to push the files under the trusted database (tcb/files/auth) out to a list of hosts. You would essentially make a script to change the passwd on this one box and then rdist could push the user's changed protected passwd entries out to the hosts. This too can be integrated into a browser based client.
If it ain't broke, I can fix that.
Angie_1
Regular Advisor

Re: Ideas....? No time to convert from NIS to LDAP

This solution sounds rather complicated. Can you go into a little more detail, or is there any other solution that's more simple?

Thanks - Angie
A. Clay Stephenson
Acclaimed Contributor

Re: Ideas....? No time to convert from NIS to LDAP

Actually, NIS does support passwd expiration -- at least traditional aging -- but no version of NIS is gonna get past them SOX guys.

My Plan B is really your only practical plan unless you do LDAP or NIS+.

Suppose I want to change the passwd for mmouse. His protected entry is located in /tcb/files/auth/m/mmouse. After changing the passwd on the master server, you then create an rdist file that includes all the hosts you want to update and rdist will handle the rest. The man page for rdist shows an example of a dist file and this is very simple. You would also need a script to add new users and push the passwd entry and the tcb files out to the other hosts. None of this is very complicated scripting.
If it ain't broke, I can fix that.
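Plan B from the two replies above, as an added POSIX sh example that is not code from the thread: given a user name and a host list, it derives the user's protected entry path under the trusted database (/tcb/files/auth/<first letter>/<user>, as in the mmouse example) and writes the Distfile that rdist would read with "rdist -f Distfile" to push that entry and /etc/passwd out. The host names wks01..wks03 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an rdist Distfile for
# pushing one user's HP-UX trusted-system entry from a master host.

# Path of a user's protected password entry under the trusted database:
# /tcb/files/auth/<first letter of name>/<name>.
tcb_entry_path() {
    u=$1
    first=$(printf '%s' "$u" | cut -c1)
    printf '/tcb/files/auth/%s/%s\n' "$first" "$u"
}

# Emit a Distfile to stdout.  Usage: gen_distfile USER HOST...
# The file pushes the user's protected entry and /etc/passwd to every host
# and mails root on each target a notice of what changed.
gen_distfile() {
    u=$1; shift
    entry=$(tcb_entry_path "$u")
    printf 'HOSTS = ( %s )\n' "$*"
    printf 'FILES = ( %s /etc/passwd )\n' "$entry"
    printf '${FILES} -> ${HOSTS}\n'
    printf '\tinstall ;\n'
    printf '\tnotify root ;\n'
}

# Demonstration: the Distfile for the mmouse example and three placeholder
# workstations.  On the master this would be: gen_distfile mmouse ... > Distfile
gen_distfile mmouse wks01 wks02 wks03
```

Two things to check before relying on this: run a first push against a single target and confirm the copied /tcb entry keeps its restrictive mode and root ownership, and remember that classic rdist rides on rsh, so the protected entries cross the network in the clear unless your rdist build can be told to use ssh as its transport.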
Angie_1
Regular Advisor

Re: Ideas....? No time to convert from NIS to LDAP

We need not just passwd aging, but we need also passwd restriction in terms of a certain # of characters with numbers.

So if NIS can't do this, I may as well stop right there.

I think I should look at LDAP and scramble to get that setup.

Can you please shed some light on the complexity of moving from an NIS system to an LDAP server?

Thanks - Angie
Michael D. Zorn
Regular Advisor

Re: Ideas....? No time to convert from NIS to LDAP

We're facing the same situation. We're running NIS, and that just won't do. Not only that, but NIS+ is going away.

Can you use the standard password system - the one that uses /etc/shadow? If you have a small number of workstations (less than a dozen or so), that might be the easiest way out.

At our place, they said that if we've got NIS, then we have to have sudo.

Depending on who's going to approve the system, you may have no choice but LDAP.

A. Clay Stephenson
Acclaimed Contributor

Re: Ideas....? No time to convert from NIS to LDAP

Go to this link:

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA

It contains a reference to documentation. LDAP is not all that hard; it's just very different. My first migration (using nothing more than the documentation available for download from HP and Netscape) took about a week. Don't even think about deploying it until you can set up a sandbox network with a server and two or three clients. Also, make certain that your applications will work with LDAP. The last thing that you want to do is get everything deployed only to find out that your legacy 10.20 application doesn't allow users to log in.
If it ain't broke, I can fix that.
Angie_1
Regular Advisor

Re: Ideas....? No time to convert from NIS to LDAP

Well, we have 160 NIS users. And these users are in an area where they use different workstations, on all different shifts. So we can't just place them on one workstation permanently and have local passwd files.

What do you mean by being told that if you have NIS then you need to use Sudo? I didn't quite understand the reasoning behind that? How will using Sudo be a solution to NIS user accounts?

Indeed we may be looking at LDAP. I will go to the link below about LDAP. And yes would need to test the 10.20 apps. We are running out of time... and SOX is driving us all completely crazy.

Angie