HPE Community
Operating System - HP-UX
1823070 Members
3191 Online
109645 Solutions
New Discussion юеВ

LDAP-UX, eDirectory, PAM, Security policy Enforcement

 
Miroslav Trunec
New Member

тАО02-02-2009 12:03 PM

тАО02-02-2009 12:03 PM

LDAP-UX, eDirectory, PAM, Security policy Enforcement

Hello, I've been trying to set up LDAP-UX Client Services B.04.17 with eDirectory 8.8SP3 on my HP-UX 11.23 server.
The goal is to authenticate users against eDirectory using SSH and use eDirectory for setting up security policy. I'm able to authenticate using non-SSL, SSl and even using the proxy user. However if I want to enforce security policy I set up for LDAP users on eDirectory I get

PAM_AUTHZ: query daemon return failure status 7
error: PAM: User account has expired for testing from ...

the account is not expired as I'm able to login into eDirectory without any probles using iManager.
I've been following Administrator's Guide - Security policy Enforcement with Secure Shell ( SSH ) or r-command.

what am I doing wrong? help please!
Thank you,
M.
0 Kudos
Reply
3 REPLIES 3
Steven E. Protter
Exalted Contributor

тАО02-02-2009 02:04 PM

тАО02-02-2009 02:04 PM

Re: LDAP-UX, eDirectory, PAM, Security policy Enforcement

Shalom,

ssh has its own very secure technology for authentication.

To make it work with ADS or LDAP server, requires a recompile of ssh. Its possible but hairy.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Bob Neal-Joslin
Trusted Contributor

тАО02-04-2009 02:17 PM

тАО02-04-2009 02:17 PM

Re: LDAP-UX, eDirectory, PAM, Security policy Enforcement

Hi Miroslav,

PAM_AUTHZ hasn't been tested for password policy integration with eDirectory. I don't know if it would work or not. It's not clear to me what policy schema is used by version 8.8. Is your goal to be able to use SSH user authentication keys for authentication (skipping pam_ldap), and then use pam_authz to validate that the user's password and account have not expired?

As a first step, it would be helpful if you could provide additional details of your configuration. Some of the things I'd need to know would be the contents of the /etc/pam.conf file, /etc/opt/ldapux/pam_authz.policy file, /etc/opt/ldapux/ldapux_profile.ldif. Also, could you run "/opt/ldapux/bin/ldapcfinfo -t passwd" to verify that LDAP-UX thinks it is configured properly?

Since this is a lot of information and you may not want to share it publically, you're welcome to send it directly to me at bob_joslin at (obfuscated to prevent email harvesters) hp.com

Bob
0 Kudos
Reply
blaine.cartwrightuinet.
New Member

тАО07-02-2009 07:10 AM

тАО07-02-2009 07:10 AM

Re: LDAP-UX, eDirectory, PAM, Security policy Enforcement

M,
I am going to be attempting the same thing very soon and was wondering if you can send me a link to the "Administrator's Guide - Security policy Enforcement with Secure Shell ( SSH ) or r-command" document you referenced. Is this a Novell or an HP document. Also as I am just starting this process perhaps you would be kind enough to update me as to your current status and the steps you followed so far? I am finding most information is very confusing.


Thanks in advance
Blaine
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.