Chris Rutledge_2
Occasional Advisor

Shadow/LDAP password encryption/aging + not updating shadowlastchange

Hello All,

I have shadowPW, ldapux, related software bundles, and patches installed on our HP-UX 11.11 machine. I've been trying to get password encryption (currently being stored in the LDAP server in clear text) and password aging/shadowLastChange update working under OpenLDAP.

The password encryption isn't so much of an issue, as I do have very strict ACLs in place on the LDAP server, and once this is ready for production I will be turning on SASL. However, if it is possible I'd like to get it working.

The password aging/shadowLastChange is another matter. When logging in as an LDAP user, if the shadowMAX is expired I'm not being prompted to change the password, and when changing the password the shadowLastChange attribute is not being updated. I've done tcpdumps both on the HP-UX machine and on a working Linux client, and the only thing different is the call to update the shadowLastChange field.

Testing a local user with the shadowMAX expired, the results are the same: I never get prompted to change the password (I did modify the shadowLastChange field by hand to -shadowMAX -1). I also went in through SAM to see if maybe there was something I forgot to do (or special with HP-UX/Shadow) and turned on password aging there. It used the same password aging policy as prior to shadowPW: password aging parameters located in the password field.


Any help, or just a shove in the right direction, would be greatly appreciated. If any more information or software/patch versions are needed, just let me know. I'd much rather get this working with OpenLDAP.


- Chris

Never jump into a foxhole with someone braver than you!
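Added example, not code from this thread or from LDAP-UX: a small audit that evaluates the shadow aging attributes discussed above using the shadow(4) semantics (shadowLastChange in days since the epoch, 0 forcing a change, a missing shadowLastChange or shadowMax disabling aging, shadowInactive as a grace period), so an administrator can list LDAP accounts whose passwords should already have expired even when the client never prompts. The LDIF entry, uid and day values are constructed for the example.

```python
"""Audit POSIX shadow password-aging attributes stored in LDAP entries."""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadowLastChange is expressed in days since 1970-01-01."""
    return (d - EPOCH).days


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader: 'attr: value' lines into a dict (single-valued attrs)."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip()] = value.strip()
    return entry


def shadow_state(entry: dict, today: int) -> str:
    """Classify an entry as no-aging, must-change, expired, inactive, warning or ok."""
    last = entry.get("shadowLastChange", "")
    if last == "":
        return "no-aging"            # shadow(4): empty field disables aging
    last = int(last)
    if last == 0:
        return "must-change"         # shadow(4): 0 forces a change at next login
    max_days = int(entry.get("shadowMax", -1))
    if max_days < 0:
        return "no-aging"            # no maximum age configured
    age = today - last
    if age > max_days:
        inactive = int(entry.get("shadowInactive", -1))
        if inactive >= 0 and age > max_days + inactive:
            return "inactive"        # grace period exhausted; account should be locked
        return "expired"             # password expired; change must be forced
    warn = int(entry.get("shadowWarning", 0))
    return "warning" if max_days - age <= warn else "ok"


# Constructed sample entry (hypothetical uid/base DN).
SAMPLE_ENTRY = """dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
shadowLastChange: 12500
shadowMax: 90
shadowWarning: 7
shadowInactive: 14
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_ENTRY)
    print(entry["uid"], shadow_state(entry, days_since_epoch(date.today())))
```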
Bob Neal-Joslin
Trusted Contributor

Re: Shadow/LDAP password encryption/aging + not updating shadowlastchange

Hi Chris,

First, I'm assuming that you're using native LDAP-UX, and not the NIS/LDAP Gateway. Assuming so...

The /etc/shadow co-existence feature of LDAP-UX does not work as you might be assuming. /etc/shadow is only supported for applying security policy to local accounts. The shadow schema in LDAP is not used by LDAP-UX, for a number of reasons, mostly related to security and manageability.

The goal of the LDAP-UX product is to defer to a centrally managed security policy, which means it needs to be enforced by the LDAP server, not the HP-UX host. Configuring pam_ldap is your first step. But you also need to enable password/account policy enforcement on the LDAP server. I'm not aware of a specific plugin for OpenLDAP that supports the /etc/shadow schema, but I'm guessing one does exist. And I'm also fairly certain that a plugin exists to support the IETF password policy model (http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-08.txt) that is under development (but I don't have a pointer to any plugin specifically).

Anyway, hope that helps.

Bob