Operating System - HP-UX

Preventing LDAP access to UID range..

 
PatRoy
Regular Advisor

Hi.

We have an HP-UX 11.23 box running the LDAP-UX Client in order to authenticate users with our Novell eDirectory server.

I need to know the proper way of disabling certain users, or rather a range of UIDs, from being able to log on using LDAP.

I've already set the disable_uid_range=0-199 field in my ldapux_client.conf. Here is what I found out, however: that field doesn't look for UIDs in the local passwd file. It checks for that UID in the LDAP server. What's even scarier: I managed to get a 'root' account created in our LDAP server with some bogus password and guess what! I was able to log in to my Unix box with LDAP using that bogus root account AS root.

Now, that shouldn't be. Any advice?

Thanks,
patrick
Tim Nelson
Honored Contributor

Re: Preventing LDAP access to UID range..

Strike 1 against trusting centralized authentication. (Or is it strike 23?)



PatRoy
Regular Advisor

Re: Preventing LDAP access to UID range..

Should I award you points now? :P

I should add that having a UID for that root account in LDAP LOWER than 200 will prevent it from working, but having it over 200 does work. But you probably figured that out.
Tim Nelson
Honored Contributor

Re: Preventing LDAP access to UID range..

Nope..

N/A for the comment with no solution :)
Bob Neal-Joslin
Trusted Contributor

Re: Preventing LDAP access to UID range..

Hi Patrick

The disable_uid_range is designed to only restrict visibility of LDAP accounts in the specified number ranges. It does not impact other name services, like /etc/passwd.

However, I was more concerned about your statement that you were able to create a root account in LDAP and not disable access using the uid_number_range. We could not reproduce your scenario in the lab. Would you be willing to provide additional detail on your configuration? It would be best if you could contact support and they could relay all details (your choice). I'd be interested in seeing the contents of /etc/nsswitch.conf, /etc/pam.conf and the contents of the /etc/opt/ldapux directory.

Note that pam_authz can be used to disable access to classes of users (though it doesn't use UID number range checking). It has many more policy rules, such as filtering users based on LDAP attributes or group membership.

Thanks,

Bob
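The behaviour Patrick observed and Bob describes is that disable_uid_range filters LDAP entries by their own uidNumber and never consults /etc/passwd, so an LDAP entry whose login name or uidNumber duplicates a local account sails through as long as its uidNumber is outside the disabled range. The following is an added example, not code from this thread or from HP's LDAP-UX product: it simulates that range filter on constructed data and then runs the cross-check the filter does not do, flagging LDAP accounts that shadow a local login name or a local UID. The passwd lines and LDAP entries are made up for illustration, and the range syntax accepted by parse_uid_ranges (comma-separated low-high pairs) is an assumption beyond the single "0-199" value the thread mentions.

```python
"""Simulate LDAP-UX's disable_uid_range and add the local-collision audit it lacks.

Constructed example; not the LDAP-UX implementation.  Run it to print the
findings, or import it and call audit_ldap_accounts() directly.
"""

# Constructed /etc/passwd excerpt (not a real system).
LOCAL_PASSWD = """\
root:x:0:3::/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
patrick:x:1001:20::/home/patrick:/usr/bin/ksh
"""

# Constructed posixAccount entries as they might come back from the directory.
# "uid" is the login name attribute, "uidNumber" the numeric UID.
LDAP_ACCOUNTS = [
    {"dn": "cn=root,ou=people,o=example", "uid": "root", "uidNumber": 5000},
    {"dn": "cn=root0,ou=people,o=example", "uid": "root", "uidNumber": 0},
    {"dn": "cn=alice,ou=people,o=example", "uid": "alice", "uidNumber": 2001},
    {"dn": "cn=bob,ou=people,o=example", "uid": "bob", "uidNumber": 1001},
]


def parse_uid_ranges(spec):
    """Parse a disable_uid_range value such as "0-199" into [(low, high)].

    Comma-separated ranges and bare numbers are accepted here as an
    assumption; the thread only shows the single "0-199" form.
    """
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        low = int(low)
        high = int(high) if high else low
        if high < low:
            raise ValueError("bad range: %s" % part)
        ranges.append((low, high))
    return ranges


def uid_disabled(uid_number, ranges):
    """True if uid_number falls inside any disabled (low, high) range."""
    return any(low <= uid_number <= high for low, high in ranges)


def parse_passwd(text):
    """Return {login_name: uid} from passwd-format text, skipping blanks/comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = int(fields[2])
    return entries


def ldapux_visible(accounts, ranges):
    """What disable_uid_range does: hide LDAP entries whose uidNumber is in a
    disabled range.  Only the LDAP entry's own uidNumber is examined."""
    return [a for a in accounts if not uid_disabled(a["uidNumber"], ranges)]


def audit_ldap_accounts(accounts, local_passwd, ranges):
    """Return (login_name, uidNumber, reason) findings for LDAP accounts that are
    hidden by the range, or that shadow a local account by name or by UID."""
    local_by_uid = {uid: name for name, uid in local_passwd.items()}
    findings = []
    for a in accounts:
        name, num = a["uid"], a["uidNumber"]
        if uid_disabled(num, ranges):
            findings.append((name, num, "hidden by disable_uid_range"))
            continue  # the filter already blocks this one; nothing else to check
        if name in local_passwd:
            findings.append((name, num, "login name collides with local %s (uid %d)"
                             % (name, local_passwd[name])))
        if num in local_by_uid:
            findings.append((name, num, "uidNumber collides with local %s"
                             % local_by_uid[num]))
    return findings


if __name__ == "__main__":
    ranges = parse_uid_ranges("0-199")
    local = parse_passwd(LOCAL_PASSWD)
    print("visible after disable_uid_range:",
          [(a["uid"], a["uidNumber"]) for a in ldapux_visible(LDAP_ACCOUNTS, ranges)])
    for name, num, reason in audit_ldap_accounts(LDAP_ACCOUNTS, local, ranges):
        print("%-8s %5d  %s" % (name, num, reason))
```

On the constructed data the LDAP "root" with uidNumber 0 is hidden by the range, exactly as Patrick saw, while the "root" with uidNumber 5000 passes the filter and is only caught by the name-collision check; "bob" passes too but reuses patrick's local UID 1001. The audit is something to run against a directory export before trusting the range setting; the real fix for the login itself is a pam_authz policy or equivalent that refuses LDAP authentication for names that exist locally.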