Preparing your LDAP Directory for HP-UX Integration White Paper January 19, 2000 - Version 1.
Legal Notice Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Copyright © 1999, 2000 Hewlett-Packard Company.
Table of Contents
Introduction  1
Audience  1
Background & Overview  1
Scope  2
"LDAP-UX Integration" Products Overview  3
High level Overview
Multi-language Support  29
Account & Group Management  31
Group and Netgroup Size Limitations  31
NIS/LDAP Gateway & Large Groups  32
LDAP-UX Client Services & Large Groups  32
HP-UX and Large Groups
Introduction

Audience
This document is intended for Directory Administrators and architects responsible for the design, deployment and security of an enterprise directory. This document is also intended for HP-UX system administrators involved with the migration of Posix naming data, such as NIS databases or /etc/... files, into an LDAP directory. Customers evaluating the use of LDAP as a naming service for HP-UX will also benefit from this document.
Scope This document addresses issues a Directory Administrator and HP-UX System Administrator should be aware of before deploying LDAP as an HP-UX naming service. Issues discussed in this document include deployment, security, scalability, limitations, performance tuning, schema requirements and administration. Although this document contains useful information for anyone migrating Posix name service databases into an LDAP directory, this document focuses on the HP-UX "LDAP-UX Integration" product bundle.
"LDAP-UX Integration" Products Overview Before diving into the technical issues of this paper, it's a good idea to understand the function and features of the LDAP-UX Integration products. The LDAP-UX Integration products consist of two main products, the "LDAP-UX Client Services" and the "NIS/LDAP Gateway." Each product provides a different approach for connecting your HP-UX system to an LDAP directory, allowing you to use an LDAP directory environment for HP-UX system management.
Some of the main features and caveats of the NIS/LDAP Gateway are:

Features
• Supports NIS Clients: By supporting the NIS version 2 protocol, the NIS/LDAP Gateway can serve requests from any NIS version 2 client. This means the NIS/LDAP Gateway can support HP-UX 10.20 and higher clients, and others. If you have an existing NIS infrastructure, you can migrate to LDAP with less effort using the NIS/LDAP Gateway.
• Supports all common NIS databases: The NIS/LDAP Gateway fully supports the RFC 2307 schema.
Gateway's cache timer. With one exception, this latency is eliminated when a user changes his/her password, but only when using the ldappasswd tool.

LDAP-UX Client Services
The LDAP-UX Client Services product is installed directly on an HP-UX client. All user and group name service requests are routed through the "Name Service Switch" and then directly to the LDAP directory.
replaced by LDAP features, if you are willing to make some architectural changes. Directory consultants can often help with that type of decision. HP is working to provide support for additional databases in future releases.
• No caching: The initial version of the LDAP-UX Client Services product does not cache directory data on the client.
Security Considerations When migrating Posix data (NIS databases or /etc/... files) to an LDAP based directory, the Directory Administrator and HP-UX system administrator must be aware of certain issues that exist once HP-UX relies on LDAP as a back-end name service and/or authentication system. This section attempts to address some of the issues that can arise.
modify his own attributes, then that user can modify any of the Posix fields. For example, without protecting the critical Posix attributes, the user could change his own uidNumber. To maintain the security of the HP-UX system, the Directory Administrator must ensure that only valid Directory Administrators are allowed to modify most of the posixAccount attributes.
gidNumber and userPassword. This can be accomplished in several ways. Here are three examples.

Example 1: If the posixGroup entries are stored in their own subtree, you can add an ACI to the entry at the top of the subtree that prevents modifications by everyone except Directory Administrators. For example, assume that all posixGroup entries are stored in their own subtree called ou=groups,ou=nis,o=hp.com. An example ACI for a Netscape 4.x server would be added to the ou=groups,ou=nis,o=hp.
Table 1
Map Name          Location in Directory Tree
passwd            ou=People,ou=NIS,o=hp.com
group             ou=Groups,ou=NIS,o=hp.com
aliases           ou=mailGroups,ou=NIS,o=hp.com
fstab             ou=Mounts,ou=NIS,o=hp.com
netgroup.byuser   nisMapName=netgroup.byuser,ou=NIS,o=hp.com
netgroup.byhost   nisMapName=netgroup.byhost,ou=NIS,o=hp.com
netgroup          ou=Netgroups,ou=NIS,o=hp.com
hosts             ou=Devices,ou=NIS,o=hp.com
networks          ou=tcpIp,ou=NIS,o=hp.com
protocols         ou=tcpIp,ou=NIS,o=hp.com
rpc               ou=tcpIp,ou=NIS,o=hp.com
services          ou=tcpIp,ou=NIS,o=hp.
Setting Up Access Controls for Proper HP-UX Operation As mentioned earlier in this section, HP-UX allows anyone on the system to read the files mentioned in Table 1 on page 10. Most HP-UX operations require global read access. For example, suppose that the /etc/group file was not readable by the average HP-UX user. Here is what happens when that user types the "ls -l" command.
The LDAP-UX Client Services product introduces a new authentication module known as PAM_LDAP (see the "pam" man page and Appendix A (Authentication Methods, a Primer) for additional details.) When PAM_LDAP is used for authentication on the HP-UX system, you may not need to configure a proxy user to read the userPassword attribute. Because PAM_LDAP does user authentication on the directory server, the userPassword need not be visible to applications on the HP-UX system.
password is stored in Unix crypt format by examining the user's directory entry. The userPassword should begin with the seven character string "{crypt}", which precedes the encrypted password. Example search:

% ldapsearch -b "o=hp.com" -D "Administrator DN" -w "Administrator Password" \
    uid=joe_e
dn: uid=joe_e,ou=people,ou=NIS,o=hp.
• Digest-MD5 password authentication can be supported. (Digest-MD5 is a proposed password authentication protocol, which assures that passwords are passed through the network encrypted during authentication.) FYI: Although Digest-MD5 has been proposed to solve the network-clear-text-password problem for authentication, it is not used when changing the password. Using the SSL features of the ldappasswd tool, provided with the LDAP Integration products, solves this problem.
Blank Passwords and the NIS/LDAP Gateway
A user that has a blank password can authenticate to the HP-UX system without providing a password. However, when a blank password is placed in the directory it must still be stored in Unix crypt format. For example, a user with a blank password would look like the following:

% ldapsearch -b "o=hp.com" -D "Administrator DN" -w "Administrator Password" \
    uid=joe_e
dn: uid=joe_e,ou=people,ou=NIS,o=hp.
Preserving HP-UX password policies
Password policies are the rules that govern valid password syntax, how frequently a user must change that password, when a user may log in, and other restrictions. Default HP-UX password policies do not allow an administrator to specify the time of day a user may log in. However, an HP-UX system administrator may specify rules that define valid password syntax and how frequently the user must change his password.
may be lost, resulting in only the LDAP server password expiration rules. This problem cannot be avoided if not supported by the LDAP directory server. Hopefully the password policy enforced by the LDAP server is sufficient. Finally, many password policy rules enforced by the directory server are not enforced when using the NIS/LDAP Gateway.
provided in the /opt/ldapux/bin/ directory.
Performance Considerations
One design goal of a directory is that it is optimized for excellent read and search performance. However, this means that a directory server must be tuned to achieve the best performance for the application for which it is intended. Using an LDAP directory as a repository for Posix data means you will need to tune your directory for this purpose.

Increasing Search performance
The methods used to tune a directory depend on the architecture of the database used by the directory.
File          Key Attribute   Posix API                               Typical
/etc/passwd   uid             getpwnam()                              Indexed
/etc/passwd   uidNumber       getpwuid()                              Indexed
                              getgrnam()                              Indexed
                              getgrgid()                              Indexed
                              initgroups() - used by login            Indexed
                              initgroups() - used by login            Indexed
                              getservbyname()                         Indexed
                              getservbyport()                         Indexed
                              getprotobyname()                        Indexed
                              getprotobynumber()                      Not Indexed
                              getrpcbyname()                          Indexed
                              getrpcbynumber()                        Not Indexed
                              gethostbyname(), netdir_getbyname()     Indexed
                              gethostbyaddr(), netdir_getbyaddr()     Indexed
                              getnetbyname()                          Indexed
                              getnetbyaddr()                          Not Indexed
Large Databases One reason to choose an LDAP directory as the "back-end" naming and authentication service for an HP-UX system is its scalability. LDAP directories were designed to look up information in large databases quickly. The traditional flat /etc/passwd file was not. However an LDAP directory does not solve scalability problems without some investment.
• diskusg, enumerates the entire password list to find the user names.
• quota, enumerates the entire password list when told to generate a report.
Although eliminating enumeration is the best way to increase performance, sometimes it cannot be avoided. With the NIS/LDAP Gateway product the problem can be mitigated: a configuration option called "preload_maps" can be used to locally cache databases.
If you determine you need to adjust the size limit parameter in a Netscape 4.x Directory Server, the Netscape Directory Console can be used. Look under the Configuration tab, select the directory server host name (at the top), then select the Performance tab.

Timeouts
Another configuration limitation is the time spent serving a request. Although this limit may be harder to encounter, the results are the same as described above.
Bulk Search Reply
When responding to a search request, some LDAP servers choose to compile the entire reply before transmitting the results to the client. This architecture can cause several problems when enumerating large data sets:
• Latency caused by building up the response will slow down applications that enumerate. Depending on how long the server takes to generate the response, clients of the NIS/LDAP Gateway may time out.
hurt more than help. Because of this, a typical indexed database would make a few optimizations. For example, suppose you had a database where all entries were of the same objectclass type (say posixAccount.) In this case, it makes little sense to create pointers for posixAccount in the objectclass index, since those pointers would point to every single entry! The posixAccount pointers would require a lot of memory, but provide little value.
Schema

RFC 2307
As alluded to earlier in this document, specific object classes and attributes are used to contain Posix naming information, such as entries in the /etc/passwd file. For example, an entry in the /etc/passwd file is represented in the directory as an entry of the posixAccount object class. The attributes and object classes used when migrating data to an LDAP directory are defined by the schema and syntaxes described in RFC 2307.
To keep a complex topic simple, an LDAP directory server that is to store RFC 2307 entries should meet some basic requirements:
• Comply with the LDAP v3 RFCs 2251 through 2256.
• Support multi-valued RDNs: "dn: cn=Tom+city=Cupertino,ou=hp.com". (Multi-valued RDNs are only required when storing netgroups or non-standard NIS databases.)

Posix and "Case Ignore String"
In general, a Posix system is case sensitive. And when data is stored in an LDAP directory, the case of data is preserved.
directory, a collision will occur. Aside from the cn attribute being case-insensitive, so is the uid attribute used by the posixAccount object class. The issues with uid are the same as for cn and /etc/group. A couple options exist to resolve these conflicts: • The simplest option is to rename one of the groups or uids to eliminate all possible ambiguity.
Numeric UID & GID
The uidNumber and gidNumber attributes are used to represent the user's Posix user id number and a group's group id number. These values must be integers and must not contain any alphabetic characters. An invalid format could cause unknown results, and potentially be a security risk. The LDAP-UX Client Services product will not return user or group entries that contain an invalidly formatted uidNumber or gidNumber.
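The three checks above (userPassword stored with the "{crypt}" prefix, uidNumber and gidNumber as digit-only integers, and case-insensitive uid/cn collisions) can be run against an LDIF export before migration. This is an added example, not code from HP or the LDAP-UX products; the LDIF data is constructed and the minimal reader assumes plain "attr: value" lines with no base64 or folded values.

```python
import re
# Constructed sample LDIF export (not real data): two accounts and two groups.
SAMPLE_LDIF = """\
dn: uid=joe_e,ou=people,ou=NIS,o=hp.com
uid: joe_e
uidNumber: 1001
gidNumber: 20
userPassword: {crypt}a3Rz1EXAMPLEx

dn: uid=Joe_E,ou=people,ou=NIS,o=hp.com
uid: Joe_E
uidNumber: 10o2
userPassword: a3Rz1EXAMPLEx

dn: cn=staff,ou=groups,ou=NIS,o=hp.com
cn: staff
gidNumber: 20

dn: cn=Staff,ou=groups,ou=NIS,o=hp.com
cn: Staff
gidNumber: 21
"""

INTEGER = re.compile(r"[0-9]+")   # uidNumber/gidNumber must be digits only

def parse_ldif(text):
    # Minimal LDIF reader: entries separated by blank lines, "attr: value" lines.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    # Returns (dn, problem) tuples for the three conditions the paper describes.
    findings, seen = [], {}   # seen: (attribute, lowercased value) -> first dn
    for e in entries:
        dn = e["dn"][0]
        for attr in ("uidnumber", "gidnumber"):
            for v in e.get(attr, []):
                if not INTEGER.fullmatch(v):
                    findings.append((dn, f"{attr} '{v}' is not an integer"))
        for pw in e.get("userpassword", []):
            if not pw.startswith("{crypt}"):
                findings.append((dn, "userPassword not in {crypt} format"))
        # cn and uid are case-ignore in LDAP, so 'Staff' and 'staff' collide there.
        key = "uid" if "uid" in e else "cn"
        for v in e.get(key, []):
            first = seen.setdefault((key, v.lower()), dn)
            if first != dn:
                findings.append((dn, f"{key} '{v}' collides with {first}"))
    return findings
```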
UTF-8 patches.) X-Window based applications do not support multi-language features unless they were compiled using the X11-R6 development environment. You may need to contact your application providers to determine if they support X11-R6 and the UTF-8 character set. Determining if data should be converted from a non-ascii/non-UTF-8 format to UTF-8 is a task for both the Directory Administrator and the HP-UX System Administrator.
Account & Group Management Group and Netgroup Size Limitations Posix systems have a limit on the number of users that may be members of a group. This limit is part of the architecture of the getgrxxx() procedure calls. Although the Posix specification makes no specific mention of this limit, implementations of the Posix standard had to select maximums. The number of members allowed in a group is determined by the size of the buffer allocated to return the group data.
NIS/LDAP Gateway & Large Groups Despite the fact that HP-UX 11.00 supports group data sets up to 4096 characters, the NIS architecture limits the group size to 1024 characters. LDAP-UX Client Services & Large Groups LDAP-UX Client Services takes advantage of whatever buffer size is supported by the operating system. In this case, LDAP-UX Client Services supports the 4096 buffer size on the 11.00 operating system.
Netgroups
Netgroup membership is limited to 1024 bytes. However, the formula for determining the number of members in a netgroup is simpler:

Number_of_Members = 1024 / (average_size_of_netgroup_member + 1)

Nested Groups
The groupOfNames and groupOfUniqueNames object classes, as mentioned on page 34, allow anything to be a member of a group. This includes other groups (which creates nesting). Current versions of the NIS/LDAP Gateway product and LDAP-UX Client Services product do not support nested groups.
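The group and netgroup limits above can be checked before migration rather than discovered when getgrnam() fails. This is an added example, not HP's code; it assumes the group buffer holds the record in /etc/group form ("name:passwd:gid:member1,member2,...") and uses the 1024-byte NIS limit, the 4096-byte HP-UX 11.00 buffer, and the netgroup formula as stated in the text.

```python
# Limits stated in the paper: NIS caps a group record at 1024 bytes, HP-UX 11.00
# (and therefore LDAP-UX Client Services) at 4096, and netgroups at 1024.
NIS_GROUP_LIMIT = 1024
HPUX_1100_GROUP_LIMIT = 4096
NETGROUP_LIMIT = 1024

def group_line_length(name, gid, members, passwd="*"):
    # Assumption: the getgrnam() buffer holds the record in /etc/group form,
    # "name:passwd:gid:member1,member2,...".
    return len(f"{name}:{passwd}:{gid}:" + ",".join(members))

def max_group_members(name, gid, avg_member_len, limit):
    # n members of length L plus n-1 commas must fit after the fixed header.
    header = len(f"{name}:*:{gid}:")
    return max(0, (limit - header + 1) // (avg_member_len + 1))

def max_netgroup_members(avg_member_len, limit=NETGROUP_LIMIT):
    # The paper's formula: 1024 / (average_size_of_netgroup_member + 1).
    return limit // (avg_member_len + 1)

def check_group(name, gid, members):
    # Which product can serve this group without hitting its buffer limit.
    n = group_line_length(name, gid, members)
    return {"length": n,
            "nis_ldap_gateway_ok": n <= NIS_GROUP_LIMIT,
            "ldapux_client_ok": n <= HPUX_1100_GROUP_LIMIT}

# Constructed example: a 200-member group whose member names are 8 characters.
BIG_GROUP = [f"user{i:04d}" for i in range(200)]

if __name__ == "__main__":
    print(check_group("engineering", 500, BIG_GROUP))
    print(max_group_members("engineering", 500, 8, NIS_GROUP_LIMIT),
          max_group_members("engineering", 500, 8, HPUX_1100_GROUP_LIMIT),
          max_netgroup_members(8))
```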
netgroup.byhost maps, given a netgroup file as input. LDAP directories do provide similar features as netgroups. And if possible, discontinuing use of netgroups will eliminate the problems described above. However, migrating away from netgroups may be challenging. And as such, the Directory Administrator and HP-UX System Administrator should be prepared to create automated processes to manage the netgroup data in the directory.
Appendix A (Authentication Methods, a Primer)
This document makes several references to two pluggable authentication modules: PAM_UNIX and PAM_LDAP. This section briefly explains their function and uses. Authentication methods on an HP-UX system can be configured using the /etc/pam.conf file.

PAM_UNIX
PAM_UNIX is the standard authentication service available on HP-UX. As mentioned above, this routine uses the user's uid name and his crypt password to authenticate the user.
Appendix B (RFC 2307 Schema)

# Specify the DN of your schema subentry here
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'An integer uniquely identifying a user in an administrative domain' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.
SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
attributetypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
attributetypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
attributetypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )
-
add: objectclasses
objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclasses: ( 1.3.6.1.1.1.2.
SUP top STRUCTURAL DESC 'A generic abstraction of a NIS map' MUST ( nisMapName ) MAY ( description ) )
objectclasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL DESC 'An entry in a NIS map' MUST ( cn $ nisMapEntry $ nisMapName ) MAY ( description ) )
objectclasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY DESC 'A device with a MAC address; device SHOULD be used as a structural class' MAY ( macAddress ) )
objectclasses: ( 1.3.6.1.1.1.2.