Integrating HP-UX Account Management and Authentication with LDAP
HP-UX NIS/LDAP Gateway (YPLDAP)
The HP-UX NIS/LDAP Gateway product (YPLDAP) is a protocol gateway that translates requests and replies between NIS clients and LDAP
servers. UNIX information such as user accounts, groups, and services is stored in an LDAP directory in the format defined by the RFC 2307
schema. UNIX clients configured to use NIS can interact with YPLDAP without modification.
YPLDAP replaces the NIS slave server (Figure 1). NIS slaves are updated by receiving complete maps transferred from an NIS master.
YPLDAP requests only the required data from the LDAP server, eliminating the transferring of maps across the network. This saves processing
time on the servers and minimizes the network bandwidth required.
NIS master servers are not needed with YPLDAP; their role is taken over by the LDAP directory, which can hold far more entries than a
traditional NIS master. The credentials (e.g., user name and password) that YPLDAP uses to bind to the LDAP directory are configurable.
Communications between YPLDAP and the LDAP directory can be protected with a Secure Sockets Layer (SSL) connection using X.509
certificates for authentication and encryption. Note that SSL covers only that leg: traffic between NIS clients and YPLDAP remains ordinary
NIS RPC, exactly as it is with an NIS slave.
By taking advantage of the scalability of LDAP, YPLDAP supports much larger domains than NIS. Administrators now can consolidate NIS
domains. YPLDAP employs caching to minimize latency when accessing the LDAP server. It supports the commonly used NIS maps, including
passwd, group, hosts, networks, aliases, netgroup, and services. YPLDAP will be available on HP-UX 10.20 and 11.0 platforms and will support
any NIS version 2 compatible client, including HP-UX 10.20.
Figure 1. Migrating NIS to LDAP Gateway (YPLDAP). The NIS slaves are replaced by YPLDAP daemons. The NIS masters are replaced by subtrees in a
single LDAP directory.
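The translation described above, shown as an added worked example rather than YPLDAP's own code: an NIS ypmatch request (map name plus key) becomes an LDAP search filter over RFC 2307 attributes, and the matching posixAccount or posixGroup entry is rendered back as a passwd or group map line. The directory content, the map-to-filter table, and the handling of an entry with no userPassword attribute are the editor's constructed assumptions; the "server" is an in-memory matcher so the block runs offline.

```python
"""NIS-to-LDAP translation of the kind a gateway such as YPLDAP performs.

Added illustration, not YPLDAP's own code.  The "directory" is a constructed
in-memory list of RFC 2307 entries and the search is a toy matcher, so the
block runs offline; the map-to-filter table and the treatment of a missing
userPassword attribute are assumptions about a reasonable gateway.
"""
import re

# Constructed sample directory content (RFC 2307 posixAccount / posixGroup).
DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["1001"],
     "gidNumber": ["100"], "gecos": ["Alice Example"],
     "homeDirectory": ["/home/alice"], "loginShell": ["/bin/sh"],
     "userPassword": ["{crypt}xxj31ZMTZzkVA"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["1002"],
     "gidNumber": ["100"], "cn": ["Bob"], "homeDirectory": ["/home/bob"],
     "loginShell": ["/bin/ksh"]},                      # no userPassword at all
    {"objectClass": ["posixGroup"], "cn": ["staff"], "gidNumber": ["100"],
     "memberUid": ["alice", "bob"]},
]

# NIS map name -> (RFC 2307 object class, attribute the map key selects on).
MAP_TO_FILTER = {
    "passwd.byname": ("posixAccount", "uid"),
    "passwd.byuid":  ("posixAccount", "uidNumber"),
    "group.byname":  ("posixGroup", "cn"),
    "group.bygid":   ("posixGroup", "gidNumber"),
}


def escape_filter_value(value):
    """RFC 4515 escaping: an NIS map key arrives from the network and must not
    be able to change the structure of the LDAP filter it is embedded in."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def nis_key_to_filter(mapname, key):
    """Translate a ypmatch(map, key) request into the LDAP search filter."""
    oc, attr = MAP_TO_FILTER[mapname]
    return "(&(objectClass=%s)(%s=%s))" % (oc, attr, escape_filter_value(key))


def ldap_search(filter_str):
    """Toy directory server: understands only the filter shape built above,
    and unescapes \\xx sequences the way a real server would."""
    m = re.fullmatch(r"\(&\(objectClass=(\w+)\)\((\w+)=(.*)\)\)", filter_str)
    if not m:
        return []
    oc, attr, raw = m.groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})",
                   lambda h: chr(int(h.group(1), 16)), raw)
    return [e for e in DIRECTORY
            if oc in e.get("objectClass", []) and value in e.get(attr, [])]


def first(entry, attr, default=""):
    return entry.get(attr, [default])[0]


def passwd_line(e):
    """Render a posixAccount entry as one passwd map value."""
    # RFC 2307 stores the crypt(3) hash in userPassword as "{crypt}<hash>".
    # An absent or non-crypt value must not become an empty (passwordless)
    # field, so it is replaced with "*", which no hash can ever match.
    pw = first(e, "userPassword")
    pw = pw[len("{crypt}"):] if pw.lower().startswith("{crypt}") else "*"
    return ":".join([first(e, "uid"), pw, first(e, "uidNumber"),
                     first(e, "gidNumber"),
                     first(e, "gecos", first(e, "cn")),   # RFC 2307: cn if no gecos
                     first(e, "homeDirectory"), first(e, "loginShell")])


def group_line(e):
    """Render a posixGroup entry as one group map value."""
    return ":".join([first(e, "cn"), "*", first(e, "gidNumber"),
                     ",".join(e.get("memberUid", []))])


def yp_match(mapname, key):
    """What the gateway hands back for a ypmatch request, or None if no entry."""
    hits = ldap_search(nis_key_to_filter(mapname, key))
    if not hits:
        return None
    render = passwd_line if mapname.startswith("passwd.") else group_line
    return render(hits[0])


if __name__ == "__main__":
    for req in [("passwd.byname", "alice"), ("passwd.byuid", "1002"),
                ("group.byname", "staff"), ("passwd.byname", "*")]:
        print(req, "->", yp_match(*req))
```

Two details matter for a gateway sitting between an untrusted NIS network and the directory. The map key is escaped before it is spliced into the filter, so a key such as `a)(uid=*` cannot widen the search; and the passwd map line still carries the crypt hash field in the clear to any NIS client, as NIS maps always have, so the SSL protection on the YPLDAP-to-directory leg does not change what the NIS side of the gateway discloses.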
HP-UX LDAP Integration Client Services (LDAP-UX)
The HP-UX LDAP client integration product (LDAP-UX Client Services) is a set of modifications allowing HP-UX to more directly interact with
LDAP. Designed with the goal of being directory vendor neutral, and flexible regarding tree structure, schema and naming conventions,
LDAP-UX often can be introduced into an existing LDAP directory tree. LDAP-UX Client Services allows HP-UX to retrieve account, group, and
system LDAP configuration from, and authenticate (i.e. login) to an LDAP directory. LDAP-UX Client Services consists of the following
functionality:
● NSS_LDAP
● PAM_LDAP
● LDAP Access Profiles
NSS_LDAP
As of 11.0, HP-UX supports the Name Service Switch (NSS) architecture, allowing commands and applications to retrieve name service
information (users, groups, services, etc.) without having knowledge of where or how it is stored. Commands and applications call standard C
library functions, which in turn use the Name Service Switch to determine which name service "back-end" routines to call. For example, if the
NSS configuration file /etc/nsswitch.conf were configured to look first in files and then in NIS for user entries, and a user entered the who
command, the following would happen (Figure 2):
1. The who command calls the function getpwuid() in the C library, passing it the user id number for the current session.
2. The getpwuid() function calls into the Name Service Switch "front end" with the request. The front end calls into the back-end for files,
which searches the /etc/passwd file for the user.
3. If the user id was not found, the front end calls the next configured back-end (in this example, NIS). The NIS back-end makes a set of
Remote Procedure Calls to an NIS server to search for the user entry.
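The lookup sequence just described, as an added runnable model of the switch front end (not HP-UX libc code). The nsswitch.conf line, the /etc/passwd text and the NIS map are constructed samples embedded in the block so it runs offline. It goes one step beyond the text by also honoring the optional [STATUS=action] criteria that HP-UX and Solaris nsswitch.conf accept, which is what decides whether a back-end's "not found" stops the search or lets it continue.

```python
"""Name Service Switch dispatch for getpwuid(), as a runnable model.

Added illustration, not HP-UX libc code.  The nsswitch.conf line, the
/etc/passwd text and the NIS map are constructed samples embedded here so the
block runs offline.  It goes one step beyond the text by honoring the optional
[STATUS=action] criteria that HP-UX and Solaris nsswitch.conf accept.
"""
import re

# Constructed nsswitch.conf line: the configuration the text describes.
NSSWITCH_PASSWD = "passwd: files nis"

# Constructed /etc/passwd content for the "files" backend.
ETC_PASSWD = """root:*:0:3::/:/sbin/sh
alice:*:1001:100:Alice Example:/home/alice:/bin/sh
"""

# Constructed NIS passwd.byuid map for the "nis" backend.
NIS_PASSWD_BYUID = {1002: "bob:*:1002:100:Bob:/home/bob:/bin/ksh"}

# Status codes a back-end can return to the switch front end.
SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN"


def parse_passwd_line(line):
    """Split one passwd(4) line into a dict; None if it does not have 7 fields."""
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        return None
    return {"name": f[0], "passwd": f[1], "uid": int(f[2]), "gid": int(f[3]),
            "gecos": f[4], "dir": f[5], "shell": f[6]}


def files_getpwuid(uid):
    """Back-end for 'files': linear search of the passwd file."""
    for line in ETC_PASSWD.splitlines():
        e = parse_passwd_line(line)
        if e is not None and e["uid"] == uid:
            return SUCCESS, e
    return NOTFOUND, None


def nis_getpwuid(uid, nis_map=NIS_PASSWD_BYUID):
    """Back-end for 'nis': stands in for the RPC lookup in passwd.byuid.
    nis_map=None models an unreachable NIS server."""
    if nis_map is None:
        return UNAVAIL, None
    line = nis_map.get(uid)
    return (SUCCESS, parse_passwd_line(line)) if line else (NOTFOUND, None)


def parse_switch(line):
    """Parse one nsswitch.conf database line into [(backend, {STATUS: ACTION})]."""
    _, _, rest = line.partition(":")
    plan = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not plan:
                raise ValueError("criteria before any backend: %r" % line)
            for crit in tok[1:-1].split():
                status, action = crit.upper().split("=", 1)
                plan[-1][1][status] = action
        else:
            plan.append((tok, {}))
    return plan


def nss_getpwuid(uid, switch_line=NSSWITCH_PASSWD, backends=None):
    """The switch front end: call each configured back-end in order.
    Default actions are SUCCESS=return and everything else =continue;
    explicit [..] criteria on the line override them."""
    if backends is None:
        backends = {"files": files_getpwuid, "nis": nis_getpwuid}
    last = NOTFOUND
    for name, criteria in parse_switch(switch_line):
        status, entry = backends[name](uid)
        action = criteria.get(status, "RETURN" if status == SUCCESS else "CONTINUE")
        if action == "RETURN":
            return status, entry
        last = status
    return last, None


if __name__ == "__main__":
    print(nss_getpwuid(1001))   # found in files, NIS never consulted
    print(nss_getpwuid(1002))   # not in files, found via NIS
    print(nss_getpwuid(1002, "passwd: files [NOTFOUND=return] nis"))  # NIS skipped
```

The ordering is itself a security control: with files listed first, a lookup for uid 0 is answered from /etc/passwd and the network name service is never asked, so a spoofed or compromised NIS server (or, with LDAP-UX, a directory entry) cannot shadow local administrative accounts. The model also shows that [NOTFOUND=return] only short-circuits a definite "not found"; an unreachable back-end still returns UNAVAIL and the switch moves on to the next one.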
LDAP/HP-UX Integration
http://raptor.cup.hp.com/ldap/doc/WhitePapers/intpaper/uxint.html (2 of 6) [5/4/2000 1:33:48 PM]