Integrating HP-UX Account Management and Authentication with LDAP
an LDAP directory (Figure 3):
1. The login program calls the C library function pam_authenticate().
2. pam_authenticate() calls the authentication function for the PAM_UNIX module.
3. PAM_UNIX attempts to find and authenticate the user based on the entry returned by getpwnam(). Note that LDAP-UX has the capability to disable PAM_UNIX authentication for user entries found in the LDAP directory.
4. If PAM_UNIX authentication was unsuccessful, pam_authenticate() calls the authentication function for the PAM_LDAP module.
5. PAM_LDAP searches the directory for an entry with a user name that matches the name of the user attempting to log in.
6. PAM_LDAP attempts to bind to the directory as the user with the matching entry.
7. The directory receives the bind request, and applies its own password check and policy management routines to determine whether to accept or reject the bind request.
8. If the directory accepts the bind request, PAM_LDAP stores the user's login credentials. These credentials will be used later when the user makes any system or library call that requires retrieving data from LDAP.
9. PAM_LDAP returns the result of the authentication. If the user has been authenticated, login calls getpwnam() to retrieve account information.
Figure 3. Pluggable Authentication Modules and LDAP. This system has been configured to authenticate root and user joe through PAM_UNIX, while other users will authenticate via PAM_LDAP. If /etc/nsswitch.conf has been configured as shown in Figure 2, then root and joe can be managed locally by the system administrator.
In combination with NSS_LDAP, PAM_LDAP provides closer integration with an LDAP directory. The primary benefit is that of common authentication: HP-UX uses the same authentication mechanisms that other directory-enabled applications use. PAM_LDAP is neutral to the password storage format. All authentication is subject to the directory's security policy management, which provides two benefits:
● Policy is enforced across systems. This is important when authentication information such as the password is shared across multiple systems. For example, a directory administrator configures a lockout policy that disables accounts after five failed attempts. A cracker program fails to log in after five attempts on one HP-UX system. Switching to a second system will not yield any further attempts.
● Policy is enforced across applications. HP-UX login, directory-enabled applications running on a variety of platforms, and web-based applications share the same policy management and administration tools. So not only is policy enforced across HP-UX systems, the same policy is enforced across a variety of applications.
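The nine-step PAM_UNIX to PAM_LDAP chain above and the cross-system lockout described in the first benefit, modelled as an added Python example (constructed for this page, not LDAP-UX code; the user names, passwords, local account tables and the five-failure threshold are assumptions standing in for the directory's real policy):

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # constructed directory policy: lock after five failed binds

@dataclass
class Directory:
    """Stands in for the LDAP server, which owns passwords and the lockout policy."""
    entries: dict                             # uid -> password (plaintext only in this model)
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def bind(self, uid, password):
        """Steps 6-7: the directory, not the client host, decides on a bind request."""
        if uid not in self.entries or uid in self.locked:
            return False
        if self.entries[uid] == password:
            self.failures[uid] = 0
            return True
        self.failures[uid] = self.failures.get(uid, 0) + 1
        if self.failures[uid] >= LOCKOUT_THRESHOLD:
            self.locked.add(uid)              # counted per entry, whichever host asked
        return False

def pam_unix(local_passwd, uid, password):
    """Step 3: PAM_UNIX only consults the host's local account table."""
    return local_passwd.get(uid) == password

def pam_ldap(directory, uid, password):
    """Steps 5-8: find the entry for uid, then bind to the directory as that entry."""
    return uid in directory.entries and directory.bind(uid, password)

def pam_authenticate(local_passwd, directory, uid, password):
    """Steps 1-4: PAM_UNIX first; PAM_LDAP is consulted only if that fails."""
    if pam_unix(local_passwd, uid, password):
        return "PAM_UNIX"
    if pam_ldap(directory, uid, password):
        return "PAM_LDAP"
    return None

def lockout_spans_systems():
    """Five bad guesses on host A lock the entry; host B then rejects even the right password."""
    directory = Directory(entries={"alice": "s3cret"})
    host_a, host_b = {"root": "toor"}, {"root": "toor"}   # constructed local tables
    for _ in range(LOCKOUT_THRESHOLD):
        pam_authenticate(host_a, directory, "alice", "guess")
    return pam_authenticate(host_b, directory, "alice", "s3cret") is None
```

Because the failure counter lives in the directory rather than on either host, moving the guessing to a second system buys no further attempts, which is the point the first benefit makes.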
LDAP Access Profile
When applications are carefully designed, using standard access methods and allowing the customer to choose tree structure and naming conventions, the full power of the directory is harnessed. A single directory can be deployed to support multiple applications and operating systems. For example, an organization may design its tree such that a single user entry contains a combination of the information required for cooperating operating systems and applications. Common attributes (e.g., password, common name) are shared instead of duplicated.
Deploying NSS_LDAP and PAM_LDAP into an LDAP directory requires the ability to configure where, how, and what to search for in the
directory. Since this configuration will typically be the same for a number of HP-UX systems, LDAP-UX stores this sharable configuration in the
LDAP/HP-UX Integration
http://raptor.cup.hp.com/ldap/doc/WhitePapers/intpaper/uxint.html (4 of 6) [5/4/2000 1:33:48 PM]