ldap and trusted systems

robert meredith_2
Occasional Advisor

We are looking at using ldap to manage our user database, but there seems to be a fundamental flaw with it:

a) LDAP is not compatible with HP trusted systems.
b) Thus we must have a normal /etc/passwd file.
c) The root user password must be local to the machine.
d) Thus we have to have the encrypted password of the root user in /etc/passwd readable by all.

Am I missing something? Can we set the permissions of the password file to 400 after implementing ldap?
Will ldap do password aging, password disabling etc like our current trusted systems?

Cheers

Rob
Steve Steel
Honored Contributor

Re: ldap and trusted systems

Hi

It is supposed to work, but nobody is sure how.

There is a documentation update request in.

HP has released an HP-UX Secure Shell product, available at www.software.hp.com. Tested with the ldap-ux product, and it worked fine.
Try the HP product version and see if it works for you.


http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA

This may be an alternative, or wait for the documentation clarity.

This is documented in README-LdapUxClient:

Password Expiration
-------------------
* Login allows users to log in with accounts with expired passwords when PAM_UNIX precedes PAM_LDAP in /etc/pam.conf.

* Expired passwords cannot be updated during login and cannot be modified with the "passwd" command when using an iPlanet Directory Server or other server that strictly prevents users with expired passwords from freely searching the directory. When using iPlanet Directory Server, expired passwords must be directly updated by ldappasswd, ldapmodify, or ldapentry.


1. Enable password expiration (global) for the Directory Server

console -> Directory Server -> Configuration -> Data -> Password Expiration -> Password Expires after # of days

2. Individual POSIX user password expiration can be controlled
by attribute "passwordexpirationtime". Changes to LDAP-UX
Integration version 3 to implement properly.


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Edward Finneran
Advisor

Re: ldap and trusted systems

Rob, you've hit the nail on the head.

When we pressed HP on this issue, with NIS+ being about the only other alternative offered, the long term plan we heard back from them was that some version of HP-UX after 11i would introduce a way to do a simple shadow password file, the way some other UNIXes do it, without all the trusted system overhead. Once that happens, they claim that HP-UX with that single feature turned on would then be compatible with LDAP, but potentially still not regular NIS (giving the edge to LDAP over NIS). It's a massive problem currently.
Abhishek Lahiri_1
New Member

Re: ldap and trusted systems

No, it does not. Trusted systems are not compatible with LDAP, and HP has no plans to make them compatible. Sun, on the other hand, has released a secure ldap client with Solaris 9 and has a far better security mechanism than HP-UX.
Bob Neal-Joslin
Trusted Contributor

Re: ldap and trusted systems

Rob and Abhishek are correct: LDAP-UX and Trusted Systems are not supported together. I think the confusion is coming from the fact that LDAP-UX does support the password policy enforcement on the directory server, but is incompatible with the enhanced password policy enforcement on the local host provided by Trusted Systems. This issue is being addressed by the LDAP-UX and Trusted Systems teams.

As to your question about setting the passwd file to 400: well, it definitely can cause problems. However, with some limitations, it might function for you.

Roughly, if you want to set /etc/passwd to 400, then what you also need to do is store duplicate account information for the /etc/passwd users in the LDAP directory (without their passwords). That way, non-privileged applications that need account information for the /etc/passwd entries can discover it, but through LDAP.

The above procedure is not supported by HP and HP is not responsible for any adverse effects it may cause.

Bob


robert meredith_2
Occasional Advisor

Re: ldap and trusted systems

Well

I have to say this is pretty lousy!!

A summary is:
If you want to use LDAP with HP-UX you have to have an encrypted password entry for root visible to any user on the system.

Hmmmmmmm!!!!
Bob Neal-Joslin
Trusted Contributor

Re: ldap and trusted systems

Hmm. With the "poor man's" version of trusted systems that I described above (/etc/passwd set to 400), the root password need not be visible to anyone. Commands like login run as root, and thus can read the /etc/passwd file.

Bob
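The layout Bob describes in his two replies (/etc/passwd at mode 400, every local account mirrored into LDAP without its password) only works if the mirror is complete and really does leave the password hashes behind. The script below is an added example, not from the thread or from HP: it audits a passwd file against an LDIF export of the mirror and reports accounts that are missing, carry a userPassword, or resolve to a different uidNumber. The file format assumed is standard posixAccount LDIF, and both inputs are constructed samples.

```shell
# Added example, not from the thread: audit the layout Bob describes, where
# /etc/passwd is mode 400 and each local account is mirrored into LDAP
# without its password so unprivileged lookups still resolve.
# Assumes the mirror is exported as LDIF posixAccount entries; both inputs
# below are constructed samples, not real data.

PASSWD_SAMPLE='root:x:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
oracle:x:101:102:Oracle:/home/oracle:/usr/bin/sh'

LDIF_SAMPLE='dn: uid=root,ou=People,dc=example,dc=com
uid: root
uidNumber: 0

dn: uid=bin,ou=People,dc=example,dc=com
uid: bin
uidNumber: 3

dn: uid=oracle,ou=People,dc=example,dc=com
uid: oracle
uidNumber: 101
userPassword: {crypt}CONSTRUCTED_HASH'

# audit_mirror PASSWD_TEXT LDIF_TEXT  -- prints sorted findings:
#   MISSING u      local account with no mirror (lookups fail once passwd is 400)
#   PASSWORD u     mirror carries userPassword, so the secret left the host
#   UIDMISMATCH u  mirror resolves to a different uidNumber than /etc/passwd
audit_mirror() {
  printf '%s\n' "$2" | awk -v passwd="$1" '
    BEGIN {
      RS = ""; FS = "\n"               # one LDIF entry per record
      n = split(passwd, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, ":"); if (f[1] != "") luid[f[1]] = f[3] }
    }
    {
      u = ""; uid = ""; pw = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^uid: /) u = substr($i, 6)
        else if ($i ~ /^uidNumber: /) uid = substr($i, 12)
        else if ($i ~ /^userPassword:/) pw = 1
      }
      if (u == "" || !(u in luid)) next   # not a mirror of a local account
      seen[u] = 1
      if (pw) print "PASSWORD " u
      if (uid != luid[u]) print "UIDMISMATCH " u
    }
    END { for (u in luid) if (!(u in seen)) print "MISSING " u }
  ' | sort
}

audit_mirror "$PASSWD_SAMPLE" "$LDIF_SAMPLE"
```

On a real host you would feed it the contents of /etc/passwd and an ldapsearch export of ou=People; an empty report means every local account resolves through LDAP and no hash has been copied off the box.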