LDAP authentication

Pepe Jimenez Muñoz
Frequent Advisor

LDAP authentication

Hi,

We want to authenticate all our HP-UX systems' users with LDAP (Netscape Directory Server 6.11) and the LDAP-UX products, but some users have access to one system and not to other systems, and other users have access to all systems...

How can I separate the users in the directory, so that each system sees a user subgroup of the full directory?

THANKS
ppviso
2 REPLIES
Doug Lamoureux_2
Valued Contributor
Solution

Re: LDAP authentication

There are a few options for restricting access when using ldap-ux and Netscape Directory Server:

1 - disable_uid_range

In the LDAP-UX client configuration file (ldapux_client.conf) there is a variable called disable_uid_range that allows you to set the uidnumbers (or ranges of numbers) that will not be retrieved from the LDAP Directory. This would need to be configured on each system.

For example:
- Admins have uidnumbers between 1000 and 5000
- Users of sysA have uidnumbers between 5001 and 10000
- Users of sysB have uidnumbers between 10001 and 15000

(Assuming admins are allowed to login to both systems)

On sysA the disable_uid_range would look like:
disable_uid_range 0-999,10001-999999

On sysB the disable_uid_range would look like:
disable_uid_range 0-999,5001-10000,15000-99999

Of course this is a simplistic example and requires a process for uidnumbers creation.

2 - Use PAM_AUTHZ

With LDAP-UX there is a PAM authorization module that allows you to restrict access to the system based on user/netgroup information in the local /etc/passwd file (uses the same syntax as NIS +/-@).

Using the above example, except that we have 3 netgroups:

AdminNetGroup: AdminUser1…AdminUserX
SysANetGroup: User1…UserX AND AdminNetGroup
SysBNetGroup: UserX+1…UserY AND AdminNetGroup

After configuring PAM_AUTHZ in /etc/pam.conf add the following to the end of the /etc/passwd file:

SysA:
+@SysANetGroup
SysB:
+@SysBNetGroup


3 - Search Descriptors

Use a modified search descriptor in the LDAP-UX configuration profile. Using search descriptors is pretty flexible so it will depend on your configuration. Here is one example:

Add an attribute "host" to every user's object that identifies the host(s) that user can log in to. This is a multivalued attribute, so you can add multiple "hosts".

If you want to allow a user (admin) to login to all hosts add the value "ALL" to the host attribute. You will need to create a custom profile for each ldap-ux host. Modify the passwd and pam search descriptor as follows (replacing HOSTNAME with your ldap-ux client):

servicesearchdescriptor: passwd:ou=people,dc=acme,dc=com?sub?
(&(objectclass=posixaccount)(|(host=ALL)(host=HOSTNAME)))

servicesearchdescriptor: pam:ou=people,dc=acme,dc=com?sub?
(&(objectclass=posixaccount)(|(host=ALL)(host=HOSTNAME)))


Hope this
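The three options above differ in which directory entries each client ends up seeing. The following Python model, added here as an illustration and not part of Doug's answer or of LDAP-UX itself, applies each option to a small constructed set of directory entries and netgroups: option 1 as the disable_uid_range exclusion, option 2 as a simplified reading of the +@/-@ lines pam_authz evaluates in /etc/passwd, and option 3 as the host-attribute filter from the search descriptor. The entry names, uidNumbers and netgroup memberships are made up for the example.

```python
"""Model of the three LDAP-UX access-restriction options from the answer above.

Added example; the directory entries and netgroups below are constructed
sample data, not taken from any real system.
"""

# Constructed sample directory: the uidNumber bands follow the answer's scheme
# (admins 1000-5000, sysA users 5001-10000, sysB users 10001-15000).
DIRECTORY = [
    {"uid": "admin1", "uidNumber": 1000,  "host": ["ALL"]},
    {"uid": "alice",  "uidNumber": 5001,  "host": ["sysA"]},
    {"uid": "carol",  "uidNumber": 7000,  "host": ["sysA", "sysB"]},
    {"uid": "bob",    "uidNumber": 10001, "host": ["sysB"]},
    {"uid": "nohost", "uidNumber": 12000, "host": []},
]

# Constructed netgroups; "@Name" nests another netgroup, which is how the
# answer's "AND AdminNetGroup" wording is read here.
NETGROUPS = {
    "AdminNetGroup": ["admin1"],
    "SysANetGroup":  ["alice", "carol", "@AdminNetGroup"],
    "SysBNetGroup":  ["bob", "carol", "@AdminNetGroup"],
}


def parse_uid_ranges(spec):
    """Turn a disable_uid_range value such as "0-999,10001-999999" into
    a list of inclusive (low, high) tuples; a bare number is a one-item range."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def visible_by_uid_range(entries, disable_spec):
    """Option 1: entries whose uidNumber is NOT inside any disabled range."""
    ranges = parse_uid_ranges(disable_spec)
    return [e["uid"] for e in entries
            if not any(lo <= e["uidNumber"] <= hi for lo, hi in ranges)]


def expand_netgroup(name, netgroups, seen=None):
    """Flatten a netgroup (and nested "@netgroups") into a set of user names."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against a netgroup that nests itself
        return set()
    seen.add(name)
    users = set()
    for member in netgroups.get(name, []):
        if member.startswith("@"):
            users |= expand_netgroup(member[1:], netgroups, seen)
        else:
            users.add(member)
    return users


def visible_by_netgroup(entries, netgroups, passwd_tail):
    """Option 2 (simplified model of pam_authz): apply the +@/-@ lines
    appended to /etc/passwd, in order, to decide who may log in."""
    allowed = set()
    for line in passwd_tail:
        line = line.strip()
        if line.startswith("+@"):
            allowed |= expand_netgroup(line[2:], netgroups)
        elif line.startswith("-@"):
            allowed -= expand_netgroup(line[2:], netgroups)
    return [e["uid"] for e in entries if e["uid"] in allowed]


def host_filter(hostname):
    """Option 3: the LDAP filter part of a per-host search descriptor."""
    return f"(&(objectclass=posixaccount)(|(host=ALL)(host={hostname})))"


def visible_by_host_attribute(entries, hostname):
    """Option 3 applied to the sample entries: the multi-valued host
    attribute must contain ALL or this client's host name."""
    return [e["uid"] for e in entries
            if "ALL" in e["host"] or hostname in e["host"]]


if __name__ == "__main__":
    print("option 1, sysA:", visible_by_uid_range(DIRECTORY, "0-999,10001-999999"))
    print("option 1, sysB:", visible_by_uid_range(DIRECTORY, "0-999,5001-10000,15000-99999"))
    print("option 2, sysA:", visible_by_netgroup(DIRECTORY, NETGROUPS, ["+@SysANetGroup"]))
    print("option 3, sysB filter:", host_filter("sysB"))
    print("option 3, sysB:", visible_by_host_attribute(DIRECTORY, "sysB"))
```

Running it shows the practical difference Doug hints at when he calls option 1 simplistic: the user carol, who should reach both systems, is visible on sysA but disappears on sysB under the uid-range scheme, because a single uidNumber can only sit in one band, while the netgroup and host-attribute schemes both admit her on both systems.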
Pepe Jimenez Muñoz
Frequent Advisor

Re: LDAP authentication

Thanks Doug,

I think that option 3 is fine for me.

ppviso