Integrating HP-UX Account Management and Authentication with LDAP

LDAP directory in an entry called a profile. Each individual HP-UX system now only needs to configure an LDAP server and the name of the profile to be used.
The HP-UX LDAP profile includes the following:

Server name(s) and port(s). This is a set of server names and port ids where the actual search for data will be performed. If a server does not respond to a bind request, HP-UX will attempt to bind to the next server listed.

Authentication level. This value specifies whether the directory should be accessed anonymously, or via a configured proxy user.

Proxy user. The administrator can specify an identity to use when connecting to the directory in cases when the server should not connect as a specific user. This can be anonymous access, or a locally configured directory user credential.

Search filters. Up to three search filters may be configured for each name service (e.g. users, groups). A search filter specifies a directory tree location to start the search, search depth, and an LDAP filter to control which entries to retrieve. Search filters are a key component of the flexibility in LDAP-UX, allowing HP-UX to be integrated into a wide variety of directory trees.

Attribute mappings. These mappings match UNIX data structures to one or more directory attributes defined by the directory schema. While typically defaulted to follow RFC 2307, attribute mapping can be used as a customization tool. For example, the UNIX gecos field in the passwd file is mapped by RFC 2307 to the gecos attribute in the directory. However, the directory administrator can choose to build the gecos field by selecting existing attributes such as cn (common name), officePhone, and location. Attribute mappings are also useful to integrate with directories that do not fully support RFC 2307.

LDAP-UX downloads the profile to each HP-UX system for performance reasons. A set of tools and customizable scripts are provided to create, modify and periodically download profiles.
Putting It all Together
By using a combination of NSS_LDAP, PAM_LDAP and HP-UX LDAP Profiles, a high level of integration with existing LDAP directories and directory-enabled applications can be achieved. In the first example (Figure 4) HP-UX is integrated into an existing Netscape LDAP directory that is primarily used for email. The directory schema already contains RFC 2307, and the directory supports dynamic addition of auxiliary object classes. Existing email entries in the directory are extended to include UNIX account information. Attributes in common between email and UNIX users, including user name and password, are shared (i.e. each record would contain a single user name and password). A UNIX user logs in and changes his/her password using an HP-UX command. Now the same user logs in with the new password to an email application on a PC. Third party directory-based administration tools can be used to manage the account information.
Figure 4. Integrating HP-UX with directory-enabled applications. The email package and HP-UX login are sharing the same directory entry, authentication module, and policy management. Various administration tools (including web based) may also be used to manage the entry.
In the second example (Figure 5), we have a more ambitious implementation. This directory is divided into several subtrees based on geographic organization. Each subtree has a separate profile. The LDAP-UX search filters are configured to first look for users and groups in the local organization and then to search the full directory.
This organization also has some systems that restrict access to a subset of users. These key user entries are extended to include a new object class with an attribute (created by this organization) called accessType. The systems with restricted access use a separate profile called the finance profile, where the search filter specifies that the user entry must also have the appropriate value for accessType. When a user attempts to log in, PAM_LDAP will only find user entries whose accessType attribute has a matching value; any other user is simply not found, so the login fails before any password is checked.
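The following is an added illustration, not code from the paper or from the LDAP-UX product, of the two mechanisms described above: the profile's ordered search filters (local organization first, then the full directory) and attribute mappings (a gecos field built from cn, officePhone and location), and the restricted "finance profile" whose filter additionally demands accessType=finance. It models the directory as an in-memory dictionary of constructed entries, evaluates only equality and AND filters, stands in for the LDAP bind with an RFC 2307 style {SSHA} password check, and uses a simplified profile layout; the DNs, names, passwords and the Profile/SearchDescriptor classes are all assumptions made for the example.

```python
"""Constructed model of profile-driven user lookup in the LDAP-UX style."""
import base64
import hashlib
from dataclasses import dataclass, field


def make_ssha(password: str, salt: bytes) -> str:
    """Build an RFC 2307 style {SSHA} userPassword value."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against an {SSHA} value (stands in for the LDAP bind)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed directory, DN -> attributes. Only alice carries the
# organization's custom accessType attribute.
DIRECTORY = {
    "uid=alice,ou=People,ou=Paris,dc=example,dc=com": {
        "objectClass": ["person", "posixAccount", "exampleAccess"],
        "uid": ["alice"], "uidNumber": ["1001"], "gidNumber": ["100"],
        "cn": ["Alice Martin"], "officePhone": ["+33 1 5555 0101"],
        "location": ["Paris"], "homeDirectory": ["/home/alice"],
        "loginShell": ["/bin/sh"], "accessType": ["finance"],
        "userPassword": [make_ssha("alice-pass", b"\x01\x02\x03\x04")],
    },
    "uid=bob,ou=People,ou=Tokyo,dc=example,dc=com": {
        "objectClass": ["person", "posixAccount"],
        "uid": ["bob"], "uidNumber": ["1002"], "gidNumber": ["100"],
        "cn": ["Bob Sato"], "officePhone": ["+81 3 5555 0202"],
        "location": ["Tokyo"], "homeDirectory": ["/home/bob"],
        "loginShell": ["/bin/ksh"],
        "userPassword": [make_ssha("bob-pass", b"\x05\x06\x07\x08")],
    },
}


def matches(entry: dict, flt: str) -> bool:
    """Evaluate a filter built from equality items, optionally wrapped in (&...)."""
    flt = flt.strip()
    if flt.startswith("(&"):
        inner, parts, depth, start = flt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):      # split the AND list at depth 0
            depth += ch == "("
            depth -= ch == ")"
            if ch == ")" and depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        return all(matches(entry, p) for p in parts)
    attr, _, value = flt.strip("()").partition("=")
    return value in entry.get(attr, [])


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Search depth: base (the entry itself), one (direct children) or sub (subtree)."""
    if not dn.lower().endswith(base.lower()):
        return False
    rel = dn[:len(dn) - len(base)].rstrip(",")
    if scope == "base":
        return rel == ""
    if scope == "one":
        return rel != "" and "," not in rel
    return True


@dataclass
class SearchDescriptor:
    base: str    # directory tree location to start the search
    scope: str   # search depth
    filter: str  # LDAP filter controlling which entries qualify


@dataclass
class Profile:
    name: str
    servers: list        # host:port, tried in order when a bind gets no answer
    passwd_search: list  # SearchDescriptors for the users service, tried in order
    attribute_map: dict = field(default_factory=dict)  # UNIX field -> attributes


def find_user(profile: Profile, login: str):
    """Apply each search descriptor in order; return (dn, entry) or None."""
    for sd in profile.passwd_search:
        flt = f"(&(uid={login}){sd.filter})"
        for dn, entry in DIRECTORY.items():
            if in_scope(dn, sd.base, sd.scope) and matches(entry, flt):
                return dn, entry
    return None


def passwd_record(profile: Profile, login: str):
    """Build a passwd-style record, composing gecos through the attribute map."""
    found = find_user(profile, login)
    if found is None:
        return None
    e = found[1]
    gecos = ", ".join(e[a][0] for a in profile.attribute_map.get("gecos", ["gecos"]) if a in e)
    return {"name": e["uid"][0], "uid": int(e["uidNumber"][0]), "gid": int(e["gidNumber"][0]),
            "gecos": gecos, "dir": e["homeDirectory"][0], "shell": e["loginShell"][0]}


def authenticate(profile: Profile, login: str, password: str) -> bool:
    """PAM-style check: a user the profile's filters cannot see fails before any bind."""
    found = find_user(profile, login)
    return found is not None and check_ssha(found[1]["userPassword"][0], password)


# Profile for the Paris subtree: local organization first, then the whole directory.
PARIS_PROFILE = Profile(
    name="paris", servers=["ldap1.example.com:389", "ldap2.example.com:389"],
    passwd_search=[
        SearchDescriptor("ou=People,ou=Paris,dc=example,dc=com", "one", "(objectClass=posixAccount)"),
        SearchDescriptor("dc=example,dc=com", "sub", "(objectClass=posixAccount)"),
    ],
    attribute_map={"gecos": ["cn", "officePhone", "location"]},
)

# Restricted profile: the same tree, but the filter also requires accessType=finance.
FINANCE_PROFILE = Profile(
    name="finance", servers=PARIS_PROFILE.servers,
    passwd_search=[SearchDescriptor("dc=example,dc=com", "sub",
                                    "(&(objectClass=posixAccount)(accessType=finance))")],
    attribute_map=PARIS_PROFILE.attribute_map,
)
```

Under PARIS_PROFILE, bob is not found by the first (Paris, one-level) descriptor but is found by the second (subtree) one, and his gecos is composed from cn, officePhone and location; under FINANCE_PROFILE the same user is invisible, so authenticate() returns False even with the correct password, which is exactly the behaviour the restricted profile is meant to give.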
LDAP/HP-UX Integration
http://raptor.cup.hp.com/ldap/doc/WhitePapers/intpaper/uxint.html (5 of 6) [5/4/2000 1:33:48 PM]