Operating System - HP-UX
Nis plus and trusted systems

Dean Johnson_10
Advisor

Nis plus and trusted systems

Hi

I have a client that requires single sign on to multiple HPUX 11.0 servers. Currently we use NIS.
They also require set password length, set password history and account lock out after 3 invalid password attempts.
Are there any security patches that will enable this (I seem to remember seeing something for 11i but not 11.0)?
Would NIS plus and trusted systems be the best bet and if so what is the admin overhead?
Or does anyone know of a third party product that provides single sign on and most of the functionality of trusted systems?

Thanks

Dean
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: Nis plus and trusted systems

There is nothing under NIS that will enable the features you want; also NIS (unlike NIS+) is absolutely incompatible with a Trusted system.

NIS+ and trusted is a viable solution. As long as you are not one of those guys that have routines to edit the passwd field directly via scripts, the conversion to trusted should be quite painless. The conversion to NIS+ requires a bit steeper learning curve and unfortunately in some ways your knowledge of NIS may hurt you more than it helps --- it's that different. Conceptually they are similar but that is where the similarity ends.

The downside to NIS+ is that it is probably not a truly long-term solution. If I were you, I would take a hard look at LDAP.

If it ain't broke, I can fix that.
Bill Hassell
Honored Contributor

Re: Nis plus and trusted systems

NIS and NIS+ are not long for this world...they are simply too insecure and incompatible with the rest of the world and maintenance is indeed a big deal. An untrusted system cannot keep any password history or failed login attempts. Converting 11.0 to Trusted and adding all the security patches will give you the controls you need. But LDAP is the only multi-system solution for the future although getting it to play among multiple platforms will be a challenge.


Bill Hassell, sysadmin
Dean Johnson_10
Advisor

Re: Nis plus and trusted systems

Thank you both for your valuable input. I will take a look at LDAP or try and get the client to move away from single sign on so that trusted systems can be implemented.
Robert Binkhorst
Trusted Contributor

Re: Nis plus and trusted systems

Hi,

To follow up on your interest in LDAP, take a look at these links for starters:
LDAP-UX integration:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4269AA

Netscape directory server (LDAP server):
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J4258CA

OpenLDAP server:
http://www.openldap.org/doc/admin21/index.html
linux: the choice of a GNU generation
Dean Johnson_10
Advisor

Re: Nis plus and trusted systems

If I move towards LDAP, would I still need to convert to trusted system and also does LDAP work ok with ServiceGuard?
Robert Binkhorst
Trusted Contributor

Re: Nis plus and trusted systems

Hi Dean,

You do not need to convert to a trusted system. That would probably make it more difficult. I have no experience with this though.

I've got systems running with LDAP and MC/SG, and have experienced no problems so far.

HTH,

Robert

linux: the choice of a GNU generation
Dean Johnson_10
Advisor

Re: Nis plus and trusted systems

Robert

Thanks for the quick response. Does LDAP (or the PAM plugin) provide "account lockout" after a configurable number of invalid login attempts?

This is what I need to provide to the client along with single sign on capability - hence LDAP (for single sign on) and trusted systems (for the account lockout and other security features)

Regards

Dean
Robert Binkhorst
Trusted Contributor

Re: Nis plus and trusted systems

Dean,

Yes, LDAP provides those things. They depend heavily on your implementation though, for instance: I know that the OpenLDAP server supports them, but the HP-UX ldap client doesn't AFAIK. Netscape directory service (iPlanet nowadays) might, I don't know.

Let us know what your conclusions are?

Cheers,

Robert
linux: the choice of a GNU generation
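As an added illustration of the server-side policy Robert refers to (this is not code from the thread or from HP), the following LDIF defines an OpenLDAP password policy covering the three controls Dean asked for: minimum length, password history and lockout after three failed binds. It assumes OpenLDAP 2.3 or later with the ppolicy overlay (the overlay is not part of the 2.1 release documented at the link above), a slapd.conf that enables it with `overlay ppolicy`, `ppolicy_default "cn=default,ou=policies,dc=example,dc=com"` and `ppolicy_use_lockout`, and a placeholder suffix of dc=example,dc=com. The minimum length and history depth are assumed values; the thread gives no numbers for them.

```ldif
# Added example: OpenLDAP ppolicy entry (not from the thread).
# Assumes the ppolicy overlay is loaded and points at this entry as its
# default policy, and that the suffix dc=example,dc=com is a placeholder.

dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

# pwdPolicy is an auxiliary class, so it is attached to a structural one.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Minimum length (assumed value). It is only enforced when the server can
# see the clear-text password, which pwdCheckQuality 2 requires.
pwdCheckQuality: 2
pwdMinLength: 8
# Number of previous passwords the server refuses to reuse (assumed value).
pwdInHistory: 5
# Lock the account after three consecutive failed binds, as asked for above.
pwdLockout: TRUE
pwdMaxFailure: 3
# 0 keeps the count across any interval and keeps the account locked until an
# administrator removes pwdAccountLockedTime from the user entry.
pwdFailureCountInterval: 0
pwdLockoutDuration: 0
```

Two practical points for the HP-UX side of the question. Lockout and history are enforced by the server at bind time, so they apply to any client that authenticates with a bind, including an LDAP-UX client that knows nothing about the policy. What such a client loses is the feedback: without the ppolicy request control it only sees an ordinary invalid-credentials failure, so a locked account and a wrong password look the same to the user, and the administrator has to check the entry's pwdAccountLockedTime attribute to tell them apart. Lockout after a fixed number of failures also hands anyone who can reach the directory a way to lock a user out, so failed-bind counts are worth watching in the slapd logs.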