Preparing your LDAP Directory for HP-UX Integration

may be lost, resulting in only the LDAP server password expiration rules. This problem cannot be avoided
if not supported by the LDAP directory server. Hopefully the password policy enforced by the LDAP server
is sufficient.
Finally, many password policy rules enforced by the directory server are not enforced when using the
NIS/LDAP Gateway. Because the NIS/LDAP Gateway performs the password comparison itself (rather than
asking the LDAP server to perform the authentication), rules on the directory server such as password
expiration or login time-of-day restrictions are not enforced. Only when the user attempts to bind to the
LDAP server would the user be subject to the directory's password policy rules.
LDAP-UX Client Services & Password Policy
Password policy enforcement issues depend on which PAM subsystem is used for authentication:
PAM_UNIX & Password Policy
When using PAM_UNIX with the LDAP-UX Client Services product, policy enforcement issues
are the same as with the NIS/LDAP Gateway, described above.
PAM_LDAP & Password Policy
When using the LDAP-UX Client Services product and the PAM_LDAP subsystem, the LDAP
directory becomes the sole arbiter of password policy. As a directory manager, you should
ensure that the password policies enforced by the directory are adequate, using the HP-UX policies
as a guide.
By default, a Netscape 4.x directory server does not enforce password history. This means that when a user
changes his password, he may change it back to the same password. An HP-UX system will not allow a
user to change his password to the very same password. At a minimum you may wish to enable the
password history feature of the directory to prevent this. In the Netscape Directory Server console, you can
configure the password policy under the Configuration tab. Select the Database object and then the
Passwords sub-tab.
Password Policy and the Proxy User
When the NIS/LDAP Gateway product (or LDAP-UX Client Services product) uses a proxy user to access
POSIX data in an LDAP directory, enforcing a global password policy may have an unexpected side effect.
Some directory products (such as Netscape Directory Server 4.x) enforce password policies on a global
scale. This means that if you elect to create a rule requiring users to change their password every 90 days,
then the proxy user will also need its password changed every 90 days. Aside from the responsibility to
change the proxy user password every 90 days, the configuration of the NIS/LDAP Gateway must be
updated with the new password as well. Forgetting to do so can cause significant side effects. When the
proxy user is unable to bind to the directory because its password has expired, users on NIS clients will no
longer be able to log in to their systems! And unless the administrator is keenly aware, the source of the
problem may not be clear. This problem cannot be avoided if the proxy user password is set (directly or
globally) to expire. To discover if the password for the proxy user has expired, attempt to bind to the
directory server using the proxy user DN and password. This can be performed with the ldapsearch tool
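The bind check described above, as an added example that is not code from the HP white paper: a POSIX sh script that binds to the directory as the proxy user with ldapsearch and reports plainly whether the proxy password has expired or gone stale, the condition the text warns can lock NIS clients out with no obvious cause. The host name, proxy DN, password and the matched error strings are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP white paper: confirm the proxy user can still
# bind, so an expired or stale proxy password is noticed before NIS clients
# start refusing logins.  Host, DN and password are assumed placeholders; the
# real values live in the NIS/LDAP Gateway or LDAP-UX configuration.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"
PROXY_DN="${PROXY_DN:-cn=proxyuser,ou=Special Users,o=example.com}"
PROXY_PW="${PROXY_PW:-changeme}"

# Turn a bind attempt's exit status ($1) and output ($2) into a one-line
# diagnosis.  Kept free of network calls so it can be exercised with
# constructed output.  The error strings matched here are assumptions about
# what the Netscape-derived ldapsearch prints; adjust them to your client.
classify_bind_result() {
    status="$1"; output="$2"
    if [ "$status" -eq 0 ]; then
        echo "OK: proxy user bound successfully"
        return 0
    fi
    case "$output" in
        *assword*xpired*|*"must change"*)
            echo "EXPIRED: proxy password expired; reset it, then update the gateway configuration"
            return 2 ;;
        *"nvalid credentials"*)
            echo "FAILED: invalid credentials; proxy password may have changed without the gateway being updated"
            return 3 ;;
        *"Can't connect"*|*"Can't contact"*)
            echo "UNREACHABLE: could not contact $LDAP_HOST"
            return 4 ;;
        *)
            echo "ERROR: bind failed (exit $status): $output"
            return 5 ;;
    esac
}

# Bind as the proxy user and read the root DSE (empty base DN, base scope).
# The search is deliberately trivial; the simple bind is what is being tested.
# Note that -w puts the password in the process list on a shared system.
check_proxy_bind() {
    if out=$(ldapsearch -h "$LDAP_HOST" -D "$PROXY_DN" -w "$PROXY_PW" \
                        -b "" -s base "objectclass=*" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    classify_bind_result "$rc" "$out"
}

# Run the check only when invoked as: sh proxy_bind_check.sh --check
if [ "${1:-}" = "--check" ]; then check_proxy_bind; fi
```

A non-zero exit from the script (2 for an expired password, 3 for a stale one) is suitable for a cron job or monitoring hook, so the failure is attributed to the proxy account rather than to the NIS clients.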