Preparing your LDAP Directory for HP-UX Integration

15
Blank Passwords and the NIS/LDAP Gateway
A user that has a blank password can authenticate to the HP-UX system without providing a password.
However, when a blank password is placed in the directory, it must still be stored in Unix crypt format
(a {crypt} prefix with an empty hash). For example, a user with a blank password would look like the following:
% ldapsearch -b "o=hp.com" -D "Administrator DN" -w "Administrator Password" \
uid=joe_e
dn: uid=joe_e,ou=people,ou=NIS,o=hp.com
objectclass: top
objectclass: account
objectclass: posixAccount
cn: Joe Engineer
uid: joe_e
userPassword: {crypt}
uidnumber: 85011
gidnumber: 2112
gecos: Joe Engineer, Rm 22, 292-5515
homedirectory: /home/joe_e
loginshell: /usr/bin/ksh
A user that does not have a password in the LDAP directory cannot authenticate to the HP-UX system.
Blank Passwords and LDAP-UX Client Services
Support of blank passwords with the LDAP-UX Client Services depends on which PAM module is
configured on the HP-UX system.
Blank Passwords and PAM_UNIX
When using PAM_UNIX, the LDAP-UX Client Services product behaves just like the NIS/LDAP
Gateway. The userPassword attribute may also be stored in clear text as well as in Unix crypt
format. However, this could represent a security risk, and the attribute should be protected from view by
non-privileged users. You will also need to set up a proxy user that has read access rights to
the userPassword attribute, as described in "Directory Read Access Requirements" on page 11.
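The following is an added audit script, not part of the HP documentation, that scans an LDIF dump of the NIS subtree for posixAccount entries whose userPassword is blank ({crypt} with an empty hash, as in the joe_e entry above), stored in clear text (no {scheme} prefix, as permitted under PAM_UNIX), or missing altogether. The LDIF sample is constructed; the attribute names follow the entry shown above.

```python
"""Classify userPassword values in an LDIF dump: blank, cleartext, hashed or missing.
Added example (not HP's code); SAMPLE_LDIF is a constructed dump of four test accounts."""
import base64
import re

SAMPLE_LDIF = """\
dn: uid=joe_e,ou=people,ou=NIS,o=hp.com
objectclass: posixAccount
uid: joe_e
userPassword: {crypt}

dn: uid=ann_a,ou=people,ou=NIS,o=hp.com
objectclass: posixAccount
uid: ann_a
userPassword:: e2NyeXB0fWFiSm5nZ3hoQi95V0k=

dn: uid=bob_b,ou=people,ou=NIS,o=hp.com
objectclass: posixAccount
uid: bob_b
userPassword: hunter2

dn: uid=cal_c,ou=people,ou=NIS,o=hp.com
objectclass: posixAccount
uid: cal_c
"""

SCHEME = re.compile(r"^\{(\w+)\}(.*)$")   # {crypt}hash, {SSHA}..., etc.

def parse_ldif(text):
    """Split LDIF into one {attr: [values]} dict per entry; decodes 'attr:: base64' lines."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # double colon marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def classify_password(values):
    """'missing' (cannot log in), 'blank' (logs in with no password), 'cleartext' or 'hashed'."""
    if not values:
        return "missing"
    for v in values:
        m = SCHEME.match(v)
        if m is None:
            return "cleartext"               # no {scheme} prefix: readable by anyone who can read the attribute
        if m.group(1).lower() == "crypt" and m.group(2) == "":
            return "blank"                   # the {crypt}-with-empty-hash form shown in the text
    return "hashed"

def audit(ldif_text):
    """Return {uid: classification} for every posixAccount entry in the dump."""
    return {e["uid"][0]: classify_password(e.get("userpassword", []))
            for e in parse_ldif(ldif_text)
            if "posixaccount" in [o.lower() for o in e.get("objectclass", [])]}
```

Feed it the output of `ldapsearch -b "ou=NIS,o=hp.com" ... objectclass=posixAccount` (run as the proxy user, since it must read userPassword) and review every uid reported as blank or cleartext.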
Blank Passwords and PAM_LDAP
When using the PAM_LDAP component of the LDAP-UX Client Services product, the user must
have a valid password. Blank passwords are not allowed when using PAM_LDAP. This limitation
stems from the architecture of LDAP. When authenticating to an LDAP directory, a blank password
or user name indicates that the user wishes to bind to the LDAP server anonymously. Because
PAM_LDAP cannot determine whether a login succeeded as the user or as an anonymous bind, PAM_LDAP
must restrict login to users with valid passwords.