Preparing your LDAP Directory for HP-UX Integration

Digest-MD5 password authentication can be supported. (Digest-MD5 is a proposed password
authentication protocol, which assures that passwords are passed through the network encrypted
during authentication.)
FYI: Although Digest-MD5 has been proposed to solve the network-clear-text-password problem for authentication, it is not used when changing the password. Using the SSL features of the ldappasswd tool, provided with the LDAP Integration products, solves this problem. In addition, your directory vendor may have other secure solutions for changing passwords. HP is investigating lighter-weight password-changing solutions (not requiring a public key infrastructure).
FYI: Since Digest-MD5 authentication into LDAP is not yet fully standardized and not widely implemented, it is not yet supported by LDAP-UX Client Services.
Choosing Your Directory's Password Format
Selecting your directory's default password format requires answering several questions:
Will you be using the NIS/LDAP Gateway product in your environment? If so, you must store passwords in Unix crypt format.
Do you have applications that perform authentication but do not use PAM? If so, you must store passwords in Unix crypt format. login, ftp, remsh, rexec (supported by a patch on 11.00), rlogin and telnet on HP-UX 11.00 support PAM. Other applications in your environment that perform authentication may include, for example, POP mail servers or web servers.
Does your directory server support encrypted password transmission during authentication (similar to Digest-MD5)? If not, you may wish to store your passwords in Unix crypt format and use PAM_UNIX or the NIS/LDAP Gateway instead of PAM_LDAP. Authentication standards for LDAP directories have not been fully defined by the IETF (Internet Engineering Task Force). Therefore most directory server products do not support secure password transmission during authentication. Storing passwords in Unix crypt format and using PAM_UNIX (used by the NIS/LDAP Gateway) ensures that the user's clear-text password is not transmitted through the network during HP-UX authentication.
Do you have other directory-based applications that require that passwords be stored in a particular (non-Unix-crypt) format? If so, passwords may still be shared between HP-UX and other LDAP applications, as long as PAM_LDAP is used on HP-UX.
Blank Passwords
On HP-UX a password can be in one of the following basic states: invalid (such as a "*" used to disable an HP-UX account), valid, or blank. Once an HP-UX user is migrated to an LDAP directory entry, one more state can exist: the non-existent state, meaning that no password attribute exists for that user. A non-existent password is not the same as a blank password in an LDAP directory. Some directory servers allow users with blank passwords to authenticate to the LDAP directory without providing a password. However, a user that does not have a userPassword attribute cannot authenticate to an LDAP directory.
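The following script is an added example, not part of HP's whitepaper or of the LDAP-UX products. It audits userPassword values in an LDIF export and reports, for each entry, which of the four states above applies (valid, invalid, blank, or non-existent) and whether the stored format is Unix crypt, which is what the NIS/LDAP Gateway and PAM_UNIX require. It assumes the RFC 2307 convention of a {scheme} prefix on userPassword values ({CRYPT}, {SSHA}, ...), recognizes only the traditional 13-character crypt(3) output as a usable crypt hash, and runs over a constructed LDIF sample; the hash strings and user names in it are made up.

```python
"""Audit userPassword states in an LDIF export (added example, not HP code).

States reported, following the discussion of blank passwords above:
  missing  - no userPassword attribute at all (the user cannot bind)
  blank    - attribute present but empty (some servers allow a bind anyway)
  invalid  - crypt field is not a usable hash, e.g. "*" to disable the account
  valid    - a usable password hash
Also reports the storage scheme and whether PAM_UNIX / the NIS/LDAP Gateway
could consume it (only Unix crypt format qualifies).
"""
import base64
import re

# Constructed LDIF sample for the demonstration; the hashes are not real credentials.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {CRYPT}ab5R6jXoGzC7A

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword: {CRYPT}*

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword:

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave

dn: uid=erin,ou=People,dc=example,dc=com
uid: erin
userPassword:: e1NTSEF9aGFzaA==
"""

# RFC 2307 "{scheme}value" prefix; assumption: the directory uses this convention.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
# Traditional crypt(3): 13 characters from the ./0-9A-Za-z alphabet.
# Newer "$id$..." formats are not handled here.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    and 'attr:: base64' forms. Continuation lines are not supported."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                 # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode()
            else:
                value = rest.strip()                 # may legitimately be ""
            entry.setdefault(name.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def password_state(entry):
    """Return (state, scheme) for one parsed entry.

    scheme is the lower-cased prefix ("crypt", "ssha", ...), "cleartext" when
    there is no prefix, or None when there is no usable value to classify.
    """
    values = entry.get("userpassword")
    if not values:
        return "missing", None       # attribute absent: bind is impossible
    raw = values[0]
    if raw == "":
        return "blank", None         # attribute present with an empty value
    m = SCHEME_RE.match(raw)
    scheme, body = (m.group(1).lower(), m.group(2)) if m else ("cleartext", raw)
    if scheme == "crypt" and not CRYPT_RE.match(body):
        return "invalid", scheme     # "*" (disabled) or otherwise not a crypt hash
    return "valid", scheme


def audit(ldif_text):
    """Map uid -> {state, scheme, pam_unix_ok} for every entry in the LDIF."""
    report = {}
    for entry in parse_ldif(ldif_text):
        state, scheme = password_state(entry)
        report[entry["uid"][0]] = {
            "state": state,
            "scheme": scheme,
            # Only a valid Unix-crypt hash can be consumed by PAM_UNIX / the gateway.
            "pam_unix_ok": state == "valid" and scheme == "crypt",
        }
    return report


if __name__ == "__main__":
    for uid, info in audit(SAMPLE_LDIF).items():
        print(f"{uid:8s} state={info['state']:8s} scheme={info['scheme']} "
              f"pam_unix_ok={info['pam_unix_ok']}")
```

Run it against a real export with `ldapsearch -L` output to see which migrated accounts lack a userPassword attribute entirely (they will never be able to bind) versus which carry an empty value, and which entries would block a move to PAM_UNIX or the NIS/LDAP Gateway because their hashes are not in crypt format.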