Preparing your LDAP Directory for HP-UX Integration

password is stored in Unix crypt format by examining the user's directory entry. The userPassword attribute should
begin with the seven-character string "{crypt}", which precedes the encrypted password. Example
search:
% ldapsearch -b "o=hp.com" -D "Administrator DN" -w "Administrator Password" \
uid=joe_e
dn: uid=joe_e,ou=people,ou=NIS,o=hp.com
objectclass: top
objectclass: account
objectclass: posixAccount
cn: Joe Engineer
uid: joe_e
userPassword: {crypt}pNQihs60rKnwE
uidnumber: 85011
gidnumber: 2112
gecos: Joe Engineer, Rm 22, 292-5515
homedirectory: /home/joe_e
loginshell: /usr/bin/ksh
FYI: The "{crypt}" prefix syntax was defined by RFC 2307. This syntax has been brought before the
IETF (Internet Engineering Task Force) for consideration as a standard syntax, but no
resolution had been reached at the time of this document's publication.
Aside from ensuring that user passwords are stored in crypt format, the Directory also should not be allowed to
change that format when the user changes his password. For example, although the migration process will
store passwords with the {crypt} prefix, on a Netscape 4.x server, as soon as the user changes his password,
the password format will switch from {crypt} to {SHA} (Secure Hash Algorithm). This can be prevented by
changing the Directory server default password format to crypt. With the Netscape 4.x server, this can be achieved
using the Netscape Directory Server Console: under the Configuration tab, select the Database object, and
from there the default password format can be changed under the Passwords tab.
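The check described above (userPassword must carry the RFC 2307 "{crypt}" prefix) and the format drift to {SHA} can be audited over saved ldapsearch output. The following is an added example, not part of the original HP document or the LDAP-UX product; the LDIF sample, user names and hash values are constructed, and the 13-character test reflects traditional crypt(3) output rather than any HP-UX-specific rule.

```python
import base64
import re

# Constructed sample shaped like the ldapsearch output above; hash values are made up. joe_e is
# correct; ann_m drifted to {SHA} after a password change, base64-encoded ("::") as ldapsearch prints it.
_SHA_B64 = base64.b64encode(b"{SHA}ILLUSTRATIVEHASHVALUEONLY000=").decode()
SAMPLE_LDIF = f"""\
dn: uid=joe_e,ou=people,ou=NIS,o=hp.com
objectclass: posixAccount
userPassword: {{crypt}}pNQihs60rKnwE

dn: uid=ann_m,ou=people,ou=NIS,o=hp.com
objectclass: posixAccount
userPassword:: {_SHA_B64}
"""
CRYPT_DES_RE = re.compile(r"^[A-Za-z0-9./]{13}$")  # traditional crypt(3): 2 salt + 11 hash chars

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal RFC 2849 reader: unfold continuation lines, decode '::' base64, split on blank lines."""
    unfolded = re.sub(r"\n ", "", text)  # a line starting with one space continues the previous one
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry: dict[str, list[str]] = {}
        for line in block.splitlines():
            m = re.match(r"^([^:#]+)(::?) ?(.*)$", line)  # skips '#' comments and junk lines
            if m:
                value = m.group(3)
                if m.group(2) == "::":
                    value = base64.b64decode(value).decode("utf-8", errors="replace")
                entry.setdefault(m.group(1).lower(), []).append(value)
        entries.append(entry)
    return entries

def classify_password(value: str) -> str:
    m = re.match(r"^\{([^}]+)\}(.*)$", value)  # RFC 2307 "{scheme}hash"; no braces = cleartext/unknown
    if not m:
        return "cleartext-or-unknown"
    if m.group(1).lower() == "crypt" and not CRYPT_DES_RE.match(m.group(2)):
        return "crypt-nontraditional"  # {crypt} but not a 13-character crypt(3) hash
    return m.group(1).lower()

def audit_entries(ldif_text: str) -> dict[str, list[str]]:
    """Map each posixAccount dn to its problems; an empty list means the entry is in the required form."""
    report = {}
    for entry in parse_ldif(ldif_text):
        if "posixaccount" in [c.lower() for c in entry.get("objectclass", [])]:
            schemes = [classify_password(v) for v in entry.get("userpassword", [])] or ["missing"]
            report[entry["dn"][0]] = [f"scheme is {s}, expected crypt" for s in schemes if s != "crypt"]
    return report
```

Feed it the saved output of the ldapsearch shown above (run over the whole people container rather than one uid) to find every entry whose password would no longer be verifiable in crypt form.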
LDAP-UX Client Services and Crypt Passwords
As mentioned earlier, the LDAP-UX Client Services product introduces the PAM_LDAP module. The
HP-UX system administrator may choose to use PAM_LDAP as the authentication back-end for an HP-UX
system. In that case, the directory server, rather than the HP-UX system, authenticates users. Because the
directory server does the authentication, using PAM_LDAP provides some advantages:
- You can choose to hide passwords from view of a regular user (the encrypted password is typically
  visible to any user who wishes to display the /etc/passwd file).
- You can use a global password policy. Instead of needing to adjust the password policy management
  rules on each HP-UX system, you can have the LDAP directory server enforce a global policy.
- The passwords can now be stored in any format that the directory server supports. Supporting any
  password format means:
  - HP-UX and other LDAP-enabled applications can share the same password.
  - The Directory Administrator can choose more secure password storage methods (SHA is
    considered harder to crack than Unix crypt).