Nikolay Aralovets
Occasional Advisor

LDAP-UX not supported long user name

Hi all,

I have set up authentication with Kerberos and authorization with LDAP-UX on HP-UX 11.23 for users from ADS (Win 2003 R2).

Everything works fine, but I can only use user names of no more than 8 characters.

In the document "LDAP-UX Integration B.04.10 Release Note", additional restrictions are specified for AD: "maximum length of the user name can be only eight characters".

Is it possible to bypass this restriction?
Peter Godron
Honored Contributor

Re: LDAP-UX not supported long user name

Hi,
the restriction is there for good reason:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=110703

Try to bypass at your own risk.

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.

So far you have not awarded any points!

Nikolay Aralovets
Occasional Advisor

Re: LDAP-UX not supported long user name

Sorry, so far I have not awarded any points.

I read the information at the link, but I do not understand: what am I threatened with by using a long username? Which services in particular will not work (ftp, ssh, etc.)? For Oracle I use the standard user, oracle.

I am knowingly taking the risk - why can I not bypass this restriction?
Craig Johnson_1
Regular Advisor

Re: LDAP-UX not supported long user name

The restriction is there because while LDAP and AD are perfectly happy to distribute long names, the underlying Unix code that had to interpret the data only uses 8-character user names. Thus, it is possible that HP-UX could improperly map a user:

abcd1234[xxxxxx]

Where xxxxxx could be anything. Unix would think it was abcd1234.
dirk dierickx
Honored Contributor

Re: LDAP-UX not supported long user name

hpux is stuck back in the time when it was normal to have these kinds of silly limits; while others have advanced, it remains a mystery why hpux has not.
Nikolay Aralovets
Occasional Advisor

Re: LDAP-UX not supported long user name

Thank you all for your answers.
As I understand from studying the include files, this restriction is a system one. However, I created the user usertest.hpux manually (with the help of vipw) and I can work without problems.
A request to the LDAP-UX developers: please remove the restriction on login name length.
OldSchool
Honored Contributor

Re: LDAP-UX not supported long user name

Try logging in as user "usertest" using the password for "usertest.hpux". HP is only looking at the first 8 characters.

It *shouldn't* know the difference between the two IDs above. This can lead to login "collisions" if you continue down that path.
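
An added example, not part of the original thread: a POSIX shell audit that groups login names (for instance, a list exported from the directory) by their first 8 characters to find the collisions described in the replies above. The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit login names for collisions under 8-character truncation.
MAXLEN=8

# Reads one login name per line on stdin; prints one line per colliding group:
#   <8-char prefix>: name1 name2 ...
find_prefix_collisions() {
    awk -v max="$MAXLEN" '
        NF == 0 { next }                      # skip blank lines
        {
            name = $1
            if (name in seen) next            # ignore exact duplicates
            seen[name] = 1
            key = substr(name, 1, max)        # what an 8-character field keeps
            if (key in group) group[key] = group[key] " " name
            else { group[key] = name; order[++n] = key }
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "%s: %s\n", order[i], group[order[i]]
        }'
}

# Prints the names longer than MAXLEN, i.e. the ones that would be truncated.
list_long_names() {
    awk -v max="$MAXLEN" 'length($1) > max { print $1 }'
}

# Constructed sample input (names taken from the thread plus fillers).
sample_names() {
    cat <<'EOF'
usertest
usertest.hpux
abcd1234
abcd1234xyz
oracle
jsmith
EOF
}

sample_names | find_prefix_collisions
```
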
Bill Hassell
Honored Contributor

Re: LDAP-UX not supported long user name

> A request to the LDAP-UX developers: please remove the restriction on login name length.

Just to clarify: this is not an LDAP limitation. It is the underlying Unix code and is not limited to just HP-UX. It should also be noted that while LDAP can handle a wide variety of user names with very few restrictions on special characters, it is quite possible to create a username that is not compatible with just about any operating system. It is folly to assume that each manufacturer of an OS will change such basic code as user login names to be compatible with a competitor's product. This is the area where RFCs become important but they proceed at a snail's pace compared to technology changes.

LDAP is facing the same type of compatibility issues that network filesystems have -- each OS has its own methods to represent data and when you try to share that data, you must be aware of the differences.


Bill Hassell, sysadmin
Nikolay Aralovets
Occasional Advisor

Re: LDAP-UX not supported long user name

Hi all once again,

I found information about a patch for libpam in HP-UX 11.00 and recommendations to create the file /etc/default/I_ACCEPT_RESPONSIBILITY_FOR_BYPASSING_SECURITY_CHECKS. Creating this file on HP-UX 11.23 allows bypassing the restriction on login name length, but there is a question: does the presence of this file remove any other restrictions?
Peter Godron
Honored Contributor

Re: LDAP-UX not supported long user name

Nikolay,
if you are thinking about PHCO_21833 or equivalent:

From the patch description:
" Note the following restrictions:
1) HP has never claimed that HP-UX supports user names longer than 8 characters, and does not recommend that customers bypass the existing length checks. Doing so may cause functional and/or security problems.
2) This patch does not remove the existing user name length checks from other commands - e.g. pwck(1m),sam(1m), useradd(1m).
3) Do not enable long usernames on trusted system configurations.
"

So HP is advising you to think carefully about what you want to do and warns you that you may run into serious problems later.

Simplest case: can you change the password on a "long account" without manual changes (vipw)?

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.



Steven E. Protter
Exalted Contributor

Re: LDAP-UX not supported long user name

Shalom,

There are kludges and scripts that ship with Samba that will permit integration of the HP-UX box with Samba.

http://docs.hp.com/en/B8725-90103/ch09s04.html

How to have the system join the domain.
http://docs.hp.com/en/B8725-90093/ch05s01.html

It's not perfect but possible to get some level of integration.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Nikolay Aralovets
Occasional Advisor

Re: LDAP-UX not supported long user name

To Peter Godron,
As I wrote at the beginning, HP-UX has been configured for integration with AD (authentication and authorization). The user database will be stored in AD. Only the root account will be stored in /etc/passwd. Therefore I am not concerned about how the utilities sam, pwck and useradd will work.