Integrating HP-UX Account Management and Authentication with LDAP
4. If found, the front end returns a UNIX password record to getpwuid(), which in turn passes the result back to the who command.
5. The who command now displays the user name from the password record.
NSS_LDAP is a new back end that searches an LDAP directory for name service information. The first release will support user, group and
shadow password entries. It can bind to the directory anonymously, as a configured proxy user, or with the identity of the calling
user when used in conjunction with PAM_LDAP.
The advantage of using NSS_LDAP over YPLDAP comes mainly from accessing the LDAP directory directly. There is no longer a need to
configure a separate gateway server to translate requests, and NIS domains are no longer required. A rich set of configuration options allows each
HP-UX system to specify up to three search filters for the directory. Each search filter specifies where in the directory tree to start the search, how
deep to search, and what rules to apply to determine a match. Attribute mappings may also be configured to allow NSS_LDAP to integrate with
directories that do not store name service data in the format specified by the RFC 2307 schema.
This flexibility in searching and schema support allows NSS_LDAP to coexist with other products inside a single directory, sharing data such as
user names and passwords. It should be noted that YPLDAP may still be the better choice for environments that still run HP-UX 10.20, or that prefer
backwards compatibility over closer directory integration.
Figure 2. LDAP and the Name Service Switch Architecture. In this example, a user entry will first be searched for in /etc/passwd, then in an LDAP directory,
and finally in NIS.
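The lookup order of Figure 2 can be exercised with the following model of the switch. It is an added example, not code from this paper or from HP's NSS_LDAP product: the three back ends, the entries they hold and the helper names are constructed for illustration, while the [STATUS=action] handling follows the usual nsswitch.conf convention (SUCCESS returns, any other status continues to the next source unless overridden). It goes slightly beyond the figure by showing what happens when the LDAP server is unreachable and when the administrator stops the fallback to NIS with [NOTFOUND=return].

```python
"""Name Service Switch lookup order from Figure 2: files, then ldap, then nis.

Added example, not code from the HP paper. The three back ends and the
entries they hold are constructed for illustration; a real front end
dispatches to the libnss_* shared libraries named in /etc/nsswitch.conf.
"""
import re
from collections import namedtuple

Passwd = namedtuple("Passwd", "pw_name pw_uid pw_gid pw_dir pw_shell")

# nsswitch.conf defaults: a hit returns, anything else tries the next source.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_switch_line(line):
    """Parse one nsswitch.conf line such as
    'passwd: files ldap [NOTFOUND=return] nis' into
    (database, [(source, {status: action}), ...])."""
    db, _, rest = line.partition(":")
    sources = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError("status list before any source: " + line)
            # A [STATUS=action ...] list applies to the source just before it.
            for status, action in re.findall(r"(\w+)=(\w+)", tok):
                sources[-1][1][status.upper()] = action.lower()
        else:
            sources.append((tok, dict(DEFAULT_ACTIONS)))
    return db.strip(), sources


# Constructed sample tables standing in for /etc/passwd, the directory and NIS.
FILES = {0: Passwd("root", 0, 3, "/", "/sbin/sh")}
LDAP = {501: Passwd("alice", 501, 20, "/home/alice", "/usr/bin/ksh")}
NIS = {502: Passwd("bob", 502, 20, "/home/bob", "/usr/bin/sh")}


def make_backend(table, available=True):
    """A back end answers with an NSS status plus the record, if any."""
    def lookup(uid):
        if not available:
            return "UNAVAIL", None        # e.g. the LDAP server is down
        entry = table.get(uid)
        return ("SUCCESS", entry) if entry else ("NOTFOUND", None)
    return lookup


def backends_for(ldap_available=True):
    return {"files": make_backend(FILES),
            "ldap": make_backend(LDAP, available=ldap_available),
            "nis": make_backend(NIS)}


def getpwuid(uid, switch, backends):
    """Front end: consult the sources in order, obeying each source's actions."""
    for source, actions in switch:
        status, entry = backends[source](uid)
        if actions.get(status, "continue") == "return":
            return entry   # SUCCESS hands back the record; NOTFOUND=return stops with None
    return None


def resolve(uid, switch_line, ldap_available=True):
    """Convenience: parse a passwd line and resolve one uid against it."""
    _, switch = parse_switch_line(switch_line)
    return getpwuid(uid, switch, backends_for(ldap_available))


if __name__ == "__main__":
    print(resolve(502, "passwd: files ldap nis"))                      # bob, found in NIS
    print(resolve(502, "passwd: files ldap nis", ldap_available=False))  # still bob: UNAVAIL continues
    print(resolve(502, "passwd: files ldap [NOTFOUND=return] nis"))    # None: NIS never consulted
```

Note the difference between the two failure modes: with the default actions an unreachable LDAP server silently falls through to NIS, which is convenient but means a client can be answered by a weaker source if the directory is taken down; [NOTFOUND=return] only stops the fallback when the directory was actually reached and had no entry.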
PAM_LDAP
Similar to the Name Service Switch, the Pluggable Authentication Module (PAM) architecture allows the UNIX administrator to configure multiple
authentication methods. Unlike NSS, PAM allows configuration on a per-service basis. The default method is traditional UNIX authentication. In
this example the Name Service Switch module is also configured to use LDAP:
1. The login program calls the C library function pam_authenticate().
2. pam_authenticate() calls the authentication function of the PAM_UNIX module.
3. PAM_UNIX calls getpwnam() to retrieve the passwd record for the user logging in.
4. getpwnam() uses the NSS as previously discussed to retrieve the password record.
5. PAM_UNIX now challenges the user for a password, hashes it with crypt(3) using the salt of the stored value, and compares the result with the
password field of the retrieved record.
6. PAM_UNIX applies any relevant policy management, such as lockout procedures. Policy management for PAM_UNIX is minimal unless
the system is configured for commercial security.
7. PAM_UNIX returns the result of the authentication. If the user has been authenticated, login calls getpwnam() again to retrieve account
information, including the user's home directory, group and login shell.
Using PAM_UNIX with LDAP has the benefit of LDAP-backed lookups while preserving traditional UNIX behavior (e.g., all NIS maps are
supported). However, it does so at the expense of directory integration and security. The password must be stored in the directory in UNIX crypt
format, and the directory must allow the anonymous or configured proxy user to read every user's password hash, because PAM_UNIX performs the
comparison on the client. Any client holding the proxy credentials can therefore retrieve the complete set of hashes for offline cracking, and the
traditional crypt format offers little resistance to that.
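The following model makes the PAM_UNIX procedure above concrete and sets it beside the direct-bind path that PAM_LDAP takes (the paper turns to PAM_LDAP next). It is an added example, not code from this paper or from HP's PAM modules: the toy directory, its two entries, the proxy ACL, the "*" placeholder that getpwnam_ldap returns when the directory withholds userPassword, and crypt_like() (a salted SHA-256 standing in for crypt(3)) are all constructed assumptions. The point it demonstrates is that PAM_UNIX cannot work at all unless the proxy can read the hashes, whereas a bind leaves the hash inside the directory.

```python
"""PAM_UNIX over NSS_LDAP versus a direct PAM_LDAP-style bind.

Added example, not code from the HP paper. The directory, its entries,
the proxy ACL and crypt_like() are constructed stand-ins: a real directory
stores {crypt} values and a real PAM_UNIX calls crypt(3).
"""
import hashlib
import hmac
from dataclasses import dataclass


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3): a salted one-way hash that keeps the salt in
    its output so a verifier can recompute it, as crypt does."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def stored_salt(hashed: str) -> str:
    return hashed.split("$", 1)[0]


@dataclass
class Directory:
    """Toy LDAP server: posixAccount-style entries keyed by uid, plus an ACL
    saying whether the NSS proxy user may read userPassword."""
    entries: dict
    proxy_can_read_password: bool

    def search(self, uid: str, bound_as: str):
        entry = self.entries.get(uid)
        if entry is None:
            return None
        visible = {k: v for k, v in entry.items() if k != "userPassword"}
        if bound_as == "proxy" and self.proxy_can_read_password:
            visible["userPassword"] = entry["userPassword"]   # ACL grants the hash
        return visible

    def bind(self, uid: str, password: str) -> bool:
        """Simple bind: the directory compares the hash itself and never
        sends it to the client."""
        entry = self.entries.get(uid)
        if entry is None:
            return False
        stored = entry["userPassword"]
        return hmac.compare_digest(crypt_like(password, stored_salt(stored)), stored)


def getpwnam_ldap(directory: Directory, uid: str):
    """NSS_LDAP back end bound as the proxy user. When the directory withholds
    userPassword the passwd field comes back as "*" (an assumption of this
    model; it behaves like a locked password field)."""
    rec = directory.search(uid, bound_as="proxy")
    if rec is None:
        return None
    return {"pw_name": uid, "pw_passwd": rec.get("userPassword", "*"),
            "pw_dir": rec["homeDirectory"], "pw_shell": rec["loginShell"]}


def pam_unix_authenticate(directory: Directory, uid: str, password: str) -> bool:
    """Steps 3 to 7 above: fetch the record through NSS, hash the candidate
    with the stored salt and compare on the client. Needs the hash locally."""
    pw = getpwnam_ldap(directory, uid)
    if pw is None or pw["pw_passwd"] == "*":
        return False          # no usable hash: nothing to compare against
    stored = pw["pw_passwd"]
    return hmac.compare_digest(crypt_like(password, stored_salt(stored)), stored)


def pam_ldap_authenticate(directory: Directory, uid: str, password: str) -> bool:
    """PAM_LDAP-style path: bind to the directory as the user and let it decide."""
    return directory.bind(uid, password)


def hashes_readable_by_proxy(directory: Directory) -> dict:
    """Everything a holder of the proxy credentials could harvest for offline cracking."""
    exposed = {}
    for uid in directory.entries:
        rec = directory.search(uid, bound_as="proxy")
        if "userPassword" in rec:
            exposed[uid] = rec["userPassword"]
    return exposed


# Constructed entries; the password values are crypt_like(plaintext, salt).
ENTRIES = {
    "alice": {"uidNumber": 501, "homeDirectory": "/home/alice", "loginShell": "/usr/bin/ksh",
              "userPassword": crypt_like("s3cret-alice", "Xy")},
    "bob": {"uidNumber": 502, "homeDirectory": "/home/bob", "loginShell": "/usr/bin/sh",
            "userPassword": crypt_like("s3cret-bob", "Qr")},
}
OPEN_DIRECTORY = Directory(ENTRIES, proxy_can_read_password=True)     # what PAM_UNIX requires
LOCKED_DIRECTORY = Directory(ENTRIES, proxy_can_read_password=False)  # what a bind permits

if __name__ == "__main__":
    print(pam_unix_authenticate(OPEN_DIRECTORY, "alice", "s3cret-alice"))    # True
    print(pam_unix_authenticate(LOCKED_DIRECTORY, "alice", "s3cret-alice"))  # False: no hash
    print(pam_ldap_authenticate(LOCKED_DIRECTORY, "alice", "s3cret-alice"))  # True
    print(sorted(hashes_readable_by_proxy(OPEN_DIRECTORY)))                  # ['alice', 'bob']
```

Running it shows the trade-off in the paragraph above: the open ACL lets PAM_UNIX succeed but also hands every hash to anyone with the proxy credentials, while the locked ACL breaks PAM_UNIX entirely yet still authenticates through the bind.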
PAM_LDAP allows HP-UX users to authenticate directly to an LDAP directory. The following example shows a password-based authentication to
LDAP/HP-UX Integration
http://raptor.cup.hp.com/ldap/doc/WhitePapers/intpaper/uxint.html (3 of 6) [5/4/2000 1:33:48 PM]