
Re: ldap configuration

SOLVED
Medavie
Valued Contributor

ldap configuration

I am trying to configure hpux 11iv2 to use active directory on windows. I want it to only be used for the password, meaning that ad would take care of the password aging, password complexity and authentication. I prefer not to install Windows Services for Unix into the ad. It was not needed for RHEL4 integration to ad. When I try to set up ldapux the setup tries to add stuff to the ad and I believe it is looking for a structure that SFU would have set up.
Can someone tell me if it is possible to set up ldapux for what I am trying to do?
5 REPLIES
Steven E. Protter
Exalted Contributor

Re: ldap configuration

Shalom,

ldapux does not work the same as openldap that is in use for Red Hat Linux. I've recently tried and failed to make this integration work.

I don't know what the issue is, but ldapux requires changes in the windows domain/ads controller that I apparently have not done properly.

I would suggest, though I have not tried it yet, the openldap client available from http://software.hp.com . You might find your red hat configuration file works in that instance with less effort.

We're still trying to make ldapux work. I hope to try openldap soon.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Heironimus
Honored Contributor

Re: ldap configuration

If you're only validating passwords and not retrieving users or groups from AD you could probably use Kerberos instead. Since you don't need full ticket-based authentication you shouldn't need to do any configuration on the Windows side.
Shannon Petry
Honored Contributor

Re: ldap configuration

There are multitudes of reasons this does not work out of the box, but the biggest is that Microsoft does not want it to work.

Best bet is to implement either OpenLDAP or what we use, SunOne Directory Server. We support about 8K users with this solution, and authenticate all Unix (HP-UX, Solaris, RedHat, Irix, Suse, Fedcore, Ubuntu, etc...) with LDAP.

There is a port of SunOne Directory Server which will run on HP-UX, RedHat, Sun, or Windows.

SunOne DS is 99.9% compatible with the old Netscape Directory Server. The LDAP-UX configuration wizard has settings built in for using a Netscape Directory Server.

The SunOne DS supports all of the rules we require for passwords, and if you run it on Solaris it has a NIS Gateway built in (automagic conversion of LDAP data -> NIS) for legacy systems.
Out of the box SunOne supports
- password length (min/max)
- password aging
- password locking on invalid attempts
- password history
We have a plug-in from Sun to add
- requirement UpperCase
- requirement LowerCase
- requirement Number
- requirement Special
- external dictionary and dictionary checking
Microsoft. When do you want a virus today?
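The password rules Shannon lists (length bounds, aging, lockout on bad attempts, history, character-class requirements and a dictionary check) are enforced by the directory server's password policy, not by the client. The following is an added illustration of what such a policy checker has to do, written here for this thread; it is not SunOne code and not LDAP-UX code. The dictionary, salt, sample passwords and thresholds are constructed for the example, and the history comparison uses a salted SHA-256 digest purely as a stand-in for whatever hash the directory stores.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed word list; a real deployment loads an external dictionary file.
DICTIONARY = {"password", "welcome", "summer", "hpux", "letmein"}


@dataclass
class PasswordPolicy:
    """Thresholds are constructed for the example, not SunOne defaults."""
    min_length: int = 8
    max_length: int = 64
    history_size: int = 5          # how many previous digests may not be reused
    max_age_days: int = 90         # password aging
    max_attempts: int = 3          # lockout on invalid attempts
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    dictionary: set = field(default_factory=lambda: set(DICTIONARY))


def history_digest(password: str, salt: str = "constructed-salt") -> str:
    """Stand-in for the stored hash kept in password history (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(candidate: str, policy: PasswordPolicy, history: list[str]) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append("too_short")
    if len(candidate) > policy.max_length:
        failures.append("too_long")
    if policy.require_upper and not re.search(r"[A-Z]", candidate):
        failures.append("no_upper")
    if policy.require_lower and not re.search(r"[a-z]", candidate):
        failures.append("no_lower")
    if policy.require_digit and not re.search(r"[0-9]", candidate):
        failures.append("no_digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no_special")
    # Dictionary check: compare the whole word and the word with leading/trailing
    # non-letters stripped, so "Summer2024!" is still caught as "summer".
    lowered = candidate.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if lowered in policy.dictionary or core in policy.dictionary:
        failures.append("dictionary")
    # History: reject reuse of any of the last N stored digests.
    if history_digest(candidate) in history[-policy.history_size:]:
        failures.append("reused")
    return failures


def password_expired(changed_on: date, policy: PasswordPolicy, today: date) -> bool:
    """Password aging: True once the password is older than max_age_days."""
    return (today - changed_on).days > policy.max_age_days


class LockoutTracker:
    """Counts consecutive failed binds per user and reports when the lock threshold is hit."""

    def __init__(self, policy: PasswordPolicy):
        self.max_attempts = policy.max_attempts
        self.failures: dict[str, int] = {}

    def record_failure(self, user: str) -> bool:
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.max_attempts


if __name__ == "__main__":
    policy = PasswordPolicy()
    for pw in ("Summer2024!", "Tr0ub4dor&3", "abc"):
        print(pw, check_password(pw, policy, []))
```

The checker is deliberately split into the three concerns the post names (complexity/dictionary, aging, lockout) because a directory server applies them at different moments: complexity and history at password change, aging and lockout at bind time.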
Medavie
Valued Contributor

Re: ldap configuration

Shannon, how did you get ldapux to work with Sun One? That is my biggest problem getting ldapux to work with something else.
Don Mallory
Trusted Contributor
Solution

Re: ldap configuration

I have a perfectly working integration with LDAP-UX, MS AD, etc.

There are a few tricks to this. The first is that Microsoft MOSTLY follows the RFC 2307 LDAP POSIX spec, but ONLY by installing MS Services for UNIX for Windows. This is a bit of a problem.

The things that are being put in to the AD Schema by LDAP-UX upon setup are:

ldapuxprofile - a profile that is pulled by each host, and used to configure how MS maps the directory entries to NSS and the real world in UNIX.

DUAConfigProfile - schema added to allow for ldapuxprofile

I don't recall anything else being added, but all of this is in that ~200 page document. Really, read it. I'm not kidding. It covers a lot.

Next thing. MS doesn't actually grant logins via LDAP. It only provides the user and group info via the NIS services in MS SFU. So, that means that you still have to set up Kerberos.

This doc, DOC ID: PAMKKBAN00000983 - A Basic Step-by-Step Summary of Kerberos v5.1 Setup on HPUX platform, is the best reference for checking and configuring Kerberos. A copy of it is at the link below:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163

I actually worked with the author on backline support issues once. Very bright fellow.

There are a few really good people with lots of experience with this product, on HP backline support.

Check some of the other answers I've provided about LDAP-UX. It really does work, and work well once you figure it out.

Don