Re: Ldap, trusted mode and custom apps
10-05-2004 12:56 AM
We have an application that uses getprpwnam to look up a user's password and validate that the password supplied matches. We want to convert to using LDAP to centralize our password management, as part of a larger enterprise-wide security/login process. The application fails to be able to validate the password when an LDAP user attempts to log in.
I have written several simple programs using the getprpw... system calls, and they all still work, but they no longer return the encrypted password. These calls are nsswitch dependent, but none of them actually cause an LDAP lookup to occur.
We are using the latest LDAP-UX version, B.3.30, which provides trusted mode compatibility with LDAP, and have the latest LDAP (libpam) patch.
Any help would be appreciated.
10-05-2004 06:50 AM
Re: Ldap, trusted mode and custom apps
If you can identify the process id, you might be able to use tusc to gather information on the process.
http://hpux.connect.org.uk/hppd/hpux/Sysadmin/tusc-7.7/
A sniffer like ethereal or tcpdump can also give you some idea what's going on.
http://hpux.connect.org.uk/hppd/hpux/Gtk/ethereal-0.9.15/
Right now you don't know whether the issue is networking, a switch configuration or an actual problem with the HP LDAP release.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
10-05-2004 09:04 AM
Re: Ldap, trusted mode and custom apps
Thanks for your response, but there is no error, no failing process, or LDAP problem.
The application calls the system call getprpwnam, uses the first 2 characters of the u_pwd field for the crypt seed, crypts the supplied password and compares them.
When the user is from LDAP, not /etc/passwd, the getprpwnam system call returns '*' as the encrypted password. As I'm sure you know, nothing crypts to '*'.
The real question is about validating trusted system passwords for LDAP users from custom applications. The user can login to the server using the LDAP password, but can't login via the application for the reason noted above.
The getprpw... system calls use nsswitch to determine the order and source, but don't return the same info for an LDAP match vs a passwd (files) match. If the calls are really LDAP compliant (as trusted mode is supposed to be at this version of LDAP-UX), why don't they do an LDAP lookup just like a login does? A login actually causes a call to the LDAP server, but using getprpwnam does not.
Proper use of the getprpw... system calls seems to be a well guarded secret from past experience, and maybe I've found another case of that.
10-05-2004 09:42 AM
Re: Ldap, trusted mode and custom apps
Also, unless the LDAP server is on the HP box in question tcpdump or ethereal should collect data on the network traffic.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
10-05-2004 11:39 AM
Re: Ldap, trusted mode and custom apps
I have only very limited experience on the LDAP products, but this is what I have found.
How is your LDAP-UX client configured to bind to your LDAP server ?
If "anonymous", for security reasons, the LDAP server will not return anything for your getprpwent() queries.
Create a proxy user with ability to "search" and configure your LDAP-UX client to bind to the server using that user and give it a try again.
Let us know if this helps.
- Sundar.
10-06-2004 01:07 AM
Re: Ldap, trusted mode and custom apps
Thanks for the replies, but I don't believe I'm making my point.
LDAP is -configured and working-. LDAP users can log in fine. It's our custom application that is unable to validate LDAP users. It's a programmatic issue with the 'C' system call getprpwnam not using LDAP. I am confident there is no issue with the LDAP configuration.
Am I making a false assumption that the trusted system calls (getprpw...) are not LDAP compliant, even though trusted mode is supposed to be LDAP compliant? (rhetorical question, unless someone has the answer)
I'm interested in responses related to programming use of LDAP on a trusted system.
10-06-2004 05:26 PM
In short: Yes, your assumption that the getprpw* calls are actually 'nsswitchified' is incorrect. The latest version of LDAP-UX doesn't actually provide full backends for the prpw APIs, which would require defining new (HP-specific) schemas for the trusted mode account and password policy information.
Instead, the latest update allows the _co-existence_ of LDAP and TM, essentially allowing them to be used at the same time. In order for this to work, and to support auditing LDAP users, the (local) TCB entries for LDAP users are created 'on-the-fly' at login time. The dynamically created entries only contain the minimal information to make existing commands and libraries continue to function. Specific to your situation, the password stored in the dynamically created TCB entry (and returned by your calls to getprpw{uid|nam|ent}) is the fixed string "*". The end result is that entries in the TCB created for LDAP users will not allow authentication. Instead, it is expected that authentication occurs via PAM, which will go down the pam_ldap path after the pam_unix->getprpwnam() auth fails.
Without knowing much about your application, I would recommend using PAM rather than directly checking the password in your application.
Hope this helps,
--Ron
10-07-2004 12:26 AM
Re: Ldap, trusted mode and custom apps
Thanks for the great answer. I suspected a situation like this may have been the case. I did notice that the TCB entries were being created after the first login.
FYI, I did not assume that getprpw... calls are nsswitchified, it states so in the man page:
"Additionally, all of these routines depend on the configuration of the Name Service Switch file, /etc/nsswitch.conf."
This response pretty well closes out the issue, but I'll leave the thread open a little longer.
Thanks,
John
10-07-2004 12:29 AM
Re: Ldap, trusted mode and custom apps
Any idea where I can find further details on how to continue on (beyond getprpwnam) and authenticate with pam_ldap, programmatically?
Thanks!
10-07-2004 09:37 PM
Re: Ldap, trusted mode and custom apps
Regarding the use of PAM, there are manpages that describe the interfaces (all linked off of pam(3)), but they're more of a reference than a guide on using the APIs.
I, personally, have found the Linux-PAM Application Developer's Guide to be a reasonable primer: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html. Note that there are slight differences between HP-UX PAM and Linux PAM, but they're close enough for most purposes. (PAM is an OpenGroup standard.) The major differences lie in a few helper routines that Linux provides that HP-UX does not.
As for writing to pam vs. pam_ldap: The intent is that your application use PAM, which abstracts away all the details of which actual module PAM is configured to use. If you want to ensure that your application only ever interfaces with the directory, then you can make sure that the pam.conf contains an entry specific to your application only calling out to LDAP.
Cheers,
--Ron