Preparing your LDAP Directory for HP-UX Integration

The LDAP-UX Client Services product introduces a new authentication module known as PAM_LDAP (see
the "pam" man page and Appendix A, Authentication Methods, a Primer, for additional details). When
PAM_LDAP is used for authentication on the HP-UX system, you may not need to configure a proxy user to
read the userPassword attribute. Because PAM_LDAP performs user authentication on the directory server, the
userPassword value need not be visible to applications on the HP-UX system. As long as HP-UX applications that
need to perform authentication do so through the PAM architecture, the user's password can remain hidden.
This is similar in concept to the /etc/shadow password file. You may still need to create a proxy user if
you have applications that must examine the user's crypt password when calling the getpwxxx() routines.
Also see "Choosing Your Directory's Password Format" on page 14 for a related topic.
Crypt Password Format
Once a passwd file or NIS map is migrated into an LDAP directory, the user's account password is placed in
the userPassword attribute. When the password field is migrated, it is stored in {crypt} format in the
new directory entry. This is the same format POSIX systems use to store a hashed password, and it is referred to
as "Unix crypt" format.
Example crypt password:
joe_e:pNQihs60rKnwE:85011:2112:Joe Engineer, Rm 22,292-5515:/home/joe_e:/usr/bin/ksh
Equivalent directory entry:
dn: uid=joe_e,ou=people,ou=NIS,o=hp.com
objectclass: top
objectclass: account
objectclass: posixAccount
cn: Joe Engineer
uid: joe_e
userPassword: {crypt}pNQihs60rKnwE
uidnumber: 85011
gidnumber: 2112
gecos: Joe Engineer, Rm 22, 292-5515
homedirectory: /home/joe_e
loginshell: /usr/bin/ksh
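The following script is an added illustration and is not part of this white paper or of the HP migration tools. It performs the same passwd-to-LDIF mapping shown above for the joe_e entry (the base DN ou=people,ou=NIS,o=hp.com is taken from the example), wrapping the existing hash in the {crypt} prefix, and it adds the check a directory administrator wants before deploying the NIS/LDAP Gateway: a pass over LDIF that reports entries whose userPassword is not a usable Unix crypt value, since those entries will fail PAM_UNIX authentication. The second account in the constructed sample LDIF (sam_t, with an {SSHA} password) is made up for the demonstration. Attribute values that are not RFC 2849 safe strings are emitted base64-encoded with the "::" separator.

```python
import base64
import re
from typing import List

# Constructed sample input: the passwd line quoted in the text.
SAMPLE_PASSWD = (
    "joe_e:pNQihs60rKnwE:85011:2112:Joe Engineer, Rm 22,292-5515:/home/joe_e:/usr/bin/ksh"
)

# Base DN from the text's example entry (assumed to be the people container).
PEOPLE_BASE = "ou=people,ou=NIS,o=hp.com"

# Traditional 13-character DES crypt hash: 2-char salt + 11-char hash, all from [./0-9A-Za-z].
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def ldif_attr(name: str, value: str) -> str:
    """Render one LDIF attribute line. Per RFC 2849 a value must be base64-encoded
    (written with '::') if it contains non-ASCII, NUL, CR or LF, or starts with
    a space, ':' or '<'."""
    unsafe = (
        not value.isascii()
        or any(c in value for c in "\x00\r\n")
        or value[:1] in (" ", ":", "<")
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def passwd_to_ldif(line: str, base_dn: str = PEOPLE_BASE) -> str:
    """Map one /etc/passwd (or NIS passwd map) line onto a posixAccount entry,
    storing the existing hash as userPassword in {crypt} form."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    user, pw_hash, uid, gid, gecos, home, shell = fields
    # cn is taken from the first gecos field, falling back to the login name.
    cn = gecos.split(",")[0].strip() or user
    lines = [
        f"dn: uid={user},{base_dn}",
        "objectclass: top",
        "objectclass: account",
        "objectclass: posixAccount",
        ldif_attr("cn", cn),
        ldif_attr("uid", user),
        ldif_attr("userPassword", "{crypt}" + pw_hash),
        f"uidnumber: {int(uid)}",
        f"gidnumber: {int(gid)}",
        ldif_attr("gecos", gecos),
        ldif_attr("homedirectory", home),
        ldif_attr("loginshell", shell),
    ]
    return "\n".join(lines) + "\n"


def userpassword_scheme(value: str) -> str:
    """Classify a userPassword value: 'crypt' for a well-formed {crypt} DES hash
    (what PAM_UNIX expects via getpwnam), 'crypt-malformed' for a {crypt} prefix
    with an unexpected body, the lowercase scheme name for any other {scheme}
    prefix, and 'cleartext' when there is no prefix at all."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return "cleartext"
    scheme, body = m.group(1).lower(), m.group(2)
    if scheme == "crypt":
        return "crypt" if CRYPT_RE.match(body) else "crypt-malformed"
    return scheme


def find_non_crypt(ldif_text: str) -> List[str]:
    """Return the DNs in an LDIF dump whose userPassword would not work with
    PAM_UNIX through the NIS/LDAP Gateway (anything but a well-formed {crypt} value).
    Both plain ('attr: v') and base64 ('attr:: v') forms are handled."""
    offenders: List[str] = []
    dn = None
    for raw in ldif_text.splitlines():
        if raw.startswith("dn: "):
            dn = raw[4:]
        elif dn and raw.lower().startswith("userpassword:"):
            if raw.lower().startswith("userpassword:: "):
                value = base64.b64decode(raw.split(":: ", 1)[1]).decode("utf-8", "replace")
            else:
                value = raw.split(": ", 1)[1]
            if userpassword_scheme(value) != "crypt":
                offenders.append(dn)
    return offenders


# Constructed sample directory content: joe_e as generated above plus a made-up
# account whose password was stored with a salted-SHA scheme instead of crypt.
SAMPLE_LDIF = passwd_to_ldif(SAMPLE_PASSWD) + "\n" + "\n".join([
    f"dn: uid=sam_t,{PEOPLE_BASE}",
    "objectclass: posixAccount",
    "uid: sam_t",
    "userPassword: {SSHA}Zm9vYmFyc2FsdA==",   # constructed value, not a real hash
    "uidnumber: 85012",
    "gidnumber: 2112",
]) + "\n"

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD))
    print("entries that will fail PAM_UNIX:", find_non_crypt(SAMPLE_LDIF))
```

Run against a real LDIF export, find_non_crypt gives the list of accounts to migrate back to {crypt} before users are pointed at the NIS/LDAP Gateway; the {SSHA} style of value is fine for PAM_LDAP, which authenticates on the directory server, but not for PAM_UNIX.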
NIS/LDAP Gateway and Crypt passwords
The first product released for HP-UX that provides LDAP integration is the NIS/LDAP Gateway.
Because the NIS/LDAP Gateway supports the NIS environment, the userPassword must be stored in the
directory in Unix crypt format. The NIS/LDAP Gateway acts only as a name-resolving service for the
HP-UX operating system (commonly referred to as a "naming service back-end").
When the login process (or another application on HP-UX, such as an ftp server) needs to authenticate a user, it
invokes the PAM subsystem. The PAM_UNIX module requests the user's password entry from the naming
service (using getpwnam), expecting the password to be in Unix crypt format (as described on page 35). If
the password is in some other format, POSIX authentication fails. Thus, a Directory Administrator
deploying the NIS/LDAP Gateway product must be aware that user passwords must be stored in Unix crypt
format in the directory if authentication is to function on HP-UX. You can verify a directory