LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
1.2 How LDAP-UX Client Services works
LDAP-UX Client Services provides a backend service for the authentication mechanism in PAM and a
backend database for the naming services in NSS.
The PAM configuration file /etc/pam.conf defines the security mechanisms that are used for
authenticating users. Its default values provide the customary operation of the system under both
standard HP-UX and trusted systems. It also provides support for controls on individual users. The
NSS configuration file /etc/nsswitch.conf defines LDAP support for the specified services.
These extensible mechanisms enable the installation and use of new authentication methods and
name services without changing the underlying HP-UX commands. In the HP directory server
environment, support of the PAM architecture enables the HP-UX client to be fully integrated into
the LDAP environment. The PAM_LDAP library allows the HP-UX system to use the LDAP directory
as a trusted server for authentication and centralized password and account policy management.
This enables passwords to be stored in any syntax and to remain hidden from view (preventing a
decryption attack on the passwords). Because passwords can be stored in any syntax, HP-UX can
share passwords with other LDAP-enabled applications, and passwords on LDAP accounts are not
subject to an 8-character limitation.
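As an added illustration (not a template shipped with LDAP-UX), the two files described above might be edited on an HP-UX client so that local files are consulted first and the LDAP directory second; the module file names and their location under /usr/lib/security/$ISA/ are assumptions based on the usual HP-UX PAM layout, so the product's own pam.ldap and nsswitch.ldap templates should be used rather than these lines.

```conf
# /etc/nsswitch.conf (added illustration, not the product's shipped template):
# each listed service tries local files first, then the directory via ldapclientd.
passwd:   files ldap
group:    files ldap
hosts:    files dns
# services not listed here keep their default lookup order

# /etc/pam.conf (added illustration; module paths assumed to follow the HP-UX
# layout under /usr/lib/security/$ISA/):
# "sufficient" lets a successful local (files) check end the stack; for an
# account that is not local, PAM falls through to libpam_ldap, which proves the
# password by binding to the directory rather than by reading a local hash.
login  auth      sufficient  /usr/lib/security/$ISA/libpam_unix.so.1
login  auth      required    /usr/lib/security/$ISA/libpam_ldap.so.1  use_first_pass
login  account   sufficient  /usr/lib/security/$ISA/libpam_unix.so.1
login  account   required    /usr/lib/security/$ISA/libpam_ldap.so.1
login  password  sufficient  /usr/lib/security/$ISA/libpam_unix.so.1
login  password  required    /usr/lib/security/$ISA/libpam_ldap.so.1  use_first_pass
```

Because the account and password stacks are handed to libpam_ldap for directory users, the directory's password and account policy applies to them, which is the centralized policy management the paragraph above describes.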
As shown in Figure 4, the client daemon ldapclientd is the nucleus of the product. It enables
LDAP-UX clients to work with LDAP directory servers, and it supports all NSS backend services for
LDAP and data enumeration. It also supports PAM_LDAP for authentication and password change.
Figure 4 The LDAP client daemon in the LDAP-UX Client Services environment
[Figure: HP-UX commands such as ls, who, login and ftp call into NSS and PAM on the LDAP-UX client; both are served by ldapclientd, which uses the LDAP C SDK to send LDAP client requests to the LDAP directory server.]
In the Windows ADS environment, the PAM architecture supports Kerberos authentication, which
enables integration of HP-UX account management in Windows Server 2003 R2 and 2008.
Kerberos, an industry standard for network security, is integrated into Windows Server
2003 R2 and 2008 through the automatic configuration of Active Directory domain controllers to
provide Kerberos authentication services. This enables Windows Server 2003 R2 and 2008
to authenticate Kerberos clients regardless of the platform on which they reside. Figure 5 illustrates
the integration between HP-UX and Windows 2003 R2 or 2008 (Windows Services for UNIX)
version 2.0.