HPE Community
Operating System - HP-UX
1823058 Members
3149 Online
109645 Solutions
New Discussion юеВ

pam_ldap for user authentication only

 
SOLVED
Go to solution
Bhaskar Regmi
Occasional Advisor

тАО11-30-2004 02:27 AM

тАО11-30-2004 02:27 AM

pam_ldap for user authentication only

I am using pam_ldap for user authentication on Linux and Solaris boxes. I am still maintaining NIS for other services including user credentials(UID/GID pairs). Is there anyway to achieve the samething on HPUX using LDAP-UX Client services? My basedn is:

dn: ou=people,ou=intranet,dc=everestsol,dc=com

I do not want to migrate everything to LDAP directory.

Thanks

Bhaskar
0 Kudos
Reply
9 REPLIES 9
Bob Neal-Joslin
Trusted Contributor

тАО12-03-2004 06:39 AM

тАО12-03-2004 06:39 AM

Re: pam_ldap for user authentication only

Yes, you can, as long as you have an attribute in the LDAP directory that matches the account name in NIS. Typically this is the uid attribute.

For example, if you have an NIS entry...

joeuser:x:1234:20:Joe User,bld 6,555-1212:/home/joeuser:/usr/bin/sh

Then as long as you have an entry in the directory that also has "joeuser"...

dn: cn=Joe User,ou=people,ou-intranet,dc=everestsol,dc=com
objectclass: top
objectclass: persono
objectclass: organizationalPerson
objectclass: inetOrgPerson
sn: User
uid: Joe User
userPassword: test1234
cn: Joe User

You should be able to configure LDAP-UX to only use pam_ldap to perform authentication. To do this you would run the /opt/ldapux/config/setup/ Run configuration as normal. But when asked if you would like to do any special configuration, say yes. You'll need to specify a service search descriptor for the passwd service. Instead of (objectclass=posixAccount) you need to specify (uid=*) (assuming the uid attribute contains the account name.)

From there, you be sure you configure /etc/pam.conf to include libpam_ldap (as per the example in /etc/pam.ldap.) You don't need to configure /etc/nsswitch.conf with LDAP.


Hope that helps!
0 Kudos
Reply
Bob Neal-Joslin
Trusted Contributor

тАО12-06-2004 05:45 AM

тАО12-06-2004 05:45 AM

Solution

Re: pam_ldap for user authentication only

If you can't store the profile in the directory, it is possible to create one locally. Here's an example for this case.

Create /etc/opt/ldapux/ldapux_profile.ldif

example:

dn: cn=pam_only_profile,ou=intranet,dc=everestsol,dc=com
objectClass: top
objectClass: duaconfigprofile
cn: pam_only_profile
preferredserverlist: [ldaphostip]
servicesearchdescriptor: passwd:??(&(objectclass=person)(uid=*))
defaultsearchbase: ou=intranet,dc=everestsol,dc=com
authenticationMethod: simple

Execute /opt/ldapux/config/create_profile_cache

Restart ldapclient

/opt/ldapux/bin/ldapclientd -k
/opt/ldapux/bin/ldapclientd

Good luck, and post if you have questions.

Bob
Reply
Bhaskar Regmi
Occasional Advisor

тАО12-07-2004 02:07 AM

тАО12-07-2004 02:07 AM

Re: pam_ldap for user authentication only

Thanks Bob for your valuable reply, But I have no luck yet with LDAP-UX config.

My ldap.conf for Solaris and Linux box is:

host ldap.everestsol.com
base ou=people,ou=intranet,dc=everestsol,dc=com
port 389
pam_login_attribute uid
pam_password crypt

Regards
Bhaskar
0 Kudos
Reply
Shannon Petry
Honored Contributor

тАО12-07-2004 02:16 AM

тАО12-07-2004 02:16 AM

Re: pam_ldap for user authentication only

I have this working (somewhat) with a HP client to a SunOne directory server (which is Netscape DS6.1).

I followed pretty much verbatim the README file included with ldapux.

What is your Directory Server?

I have one issue on 11.23, which is that root can not authenticate now. (new thread starting for that one.)
Microsoft. When do you want a virus today?
0 Kudos
Reply
Bhaskar Regmi
Occasional Advisor

тАО12-07-2004 02:36 AM

тАО12-07-2004 02:36 AM

Re: pam_ldap for user authentication only

Client is hp-ux 11.00 and ldap server is iPlanet 5.0.
0 Kudos
Reply
Shannon Petry
Honored Contributor

тАО12-07-2004 02:41 AM

тАО12-07-2004 02:41 AM

Re: pam_ldap for user authentication only

Ok, I had no difficulties with my setup, which is exactly what you are doing.

Configure the ldapux if you have not done so. Because it is configured, does not mean it's being used.

The entries in /etc/nsswitch.conf for groups and passwd should look like this.

passwd files ldap
group files ldap

All other services should be

service files nis

Is ldapux configured? If so, you are in the home stretch.

Regards,
Shannon
Microsoft. When do you want a virus today?
0 Kudos
Reply
Bob Neal-Joslin
Trusted Contributor

тАО12-07-2004 05:04 AM

тАО12-07-2004 05:04 AM

Re: pam_ldap for user authentication only

If you could attach a tar of the following configuration files to a reply, (or email me directly at bob_joslin@hp.com) then perhaps I could identify the problem.

/etc/pam.conf
/etc/nsswitch.conf
/etc/opt/ldapux/ldapclientd.conf
/etc/opt/ldapux/ldapux_client.conf
/etc/opt/ldapux/ldapux_profile.ldif

0 Kudos
Reply
Bob Neal-Joslin
Trusted Contributor

тАО12-09-2004 09:09 AM

тАО12-09-2004 09:09 AM

Re: pam_ldap for user authentication only

After further study of Bhaskar's situation it became clear there is one more requirement that I should have stated above. In order to to use only pam_ldap, the uidNumber (or any attribute that represents the users account number) must be stored in the directory entry.

I'll request the LDAP-UX team enhance the product to look for the account number from alternate repositories in pam_ldap.

Bob
0 Kudos
Reply
Tanner_5
New Member

тАО12-16-2004 02:58 AM

тАО12-16-2004 02:58 AM

Re: pam_ldap for user authentication only

I have a similar problem as Bhaskar Regmi. I'm trying to install an LDAP user authentication on HP-UX. My LDAP-server is running on a Debian Linux and I want to connect from a HP-UX B.11.11. I've already configured clients on Linux Tru64-UX, where I didn't had do install something like a Netscape directory server. Where can I declare that my LDAP-Server is running on a different machine? I think my pam.conf is correctly configured.

Can anybody help me?

Kind Regards,
Markus
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.