Preparing your LDAP Directory for HP-UX Integration

disug, enumerates the entire password list to find the user names.
quota, enumerates the entire password list when told to generate a report.
Although eliminating enumeration is the best way to increase performance, sometimes it cannot be avoided.
With the NIS/LDAP Gateway product, the problem can be mitigated: a configuration option called
"preload_maps" can be used to cache databases locally. Although it may be possible to remove the finger
command from your environment, removing login is not an option. So, if you have HP-UX 11.00 NIS
clients and are using the NIS/LDAP Gateway to serve those clients, you will probably need to pre-load the
group.byname map.
Timeouts and Maximum Number of Replies
To prevent users from consuming all the resources of an LDAP directory, most directory products allow the
Directory Administrator to configure limitations on responses to directory search requests. As an example,
if a user requests all the data in the database, the directory server may be configured to return at most 1,000
entries. These limitations are primarily made available to help prevent "denial of service" attacks, in which
a malicious user consumes all the LDAP server resources and makes them unavailable to other users.
However, these limitations may adversely affect normal application operation. Again, applications that
enumerate are the source of most of the difficulties. Eliminating or rewriting applications that enumerate
will likely remove the need for the timeout and maximum number of replies limitations. However, if this
cannot be done, and you have a large database, you will need to adjust your directory configuration
parameters as follows:
Maximum Number of Replies
If an LDAP directory is configured to return at most 1,000 entries for a search request, but a database has
10,000 POSIX accounts, then an application that needs to display all 10,000 will think it has completed its
task after only 1,000 entries. The side effects of this obviously depend on the goal of the application. The
HP-UX System Administrator and Directory Administrator need to identify the applications that may be
affected by a reply size limit, and adjust that limit accordingly. Any application that calls the naming
enumeration APIs should be examined. An application that enumerates can be identified when it calls any
of the getxxent() procedures. Here is a sample script you can use on HP-UX to find applications that
enumerate:
#!/usr/bin/ksh
# Scan the executables under a directory for references to the naming
# enumeration APIs (getpwent, getgrent, gethostent, and so on).
cd to_a_directory_where_you_have_applications_you_are_concerned_about || exit 1
for name in $(find . -type f | xargs file | grep executable | cut -d":" -f 1)
do
    # nm lists the symbols the executable references; keep only the symbol
    # name column and test for get...ent (the if tests grep's exit status,
    # not its output, which is discarded)
    if nm "$name" | cut -d" " -f 1 | grep "^get.*ent" > /dev/null
    then
        echo "$name calls the following naming enumeration APIs"
        echo "    \c"
        echo $(nm "$name" | cut -d" " -f 1 | grep "^get.*ent" | sort -u)
    fi
done
Unfortunately, the above script does not work if the text symbols have been removed (see the strip(1) man
page) from the executables.
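The reply size limit problem described above, as an added example that is not part of this paper: a toy in-memory model of a directory that enforces an administrator-set size limit, an enumerating client that ignores the LDAP result code (and so "thinks it has completed its task" after the first reply), and a checked client that notices sizeLimitExceeded and walks the directory in pages instead. The result codes follow RFC 4511 and the cookie-based paging loosely follows the RFC 2696 paged results control; the class and function names are assumptions of this example, and no real LDAP server is contacted.

```python
# Added example: toy model of an LDAP size limit and its effect on enumeration.
# Not HP-UX or directory-server code; ToyDirectory is a stand-in for the server.
from dataclasses import dataclass

SUCCESS = 0               # LDAP resultCode success (RFC 4511)
SIZE_LIMIT_EXCEEDED = 4   # LDAP resultCode sizeLimitExceeded (RFC 4511)


@dataclass
class SearchResult:
    entries: list
    result_code: int
    cookie: bytes = b""   # non-empty means more pages remain (RFC 2696 style)


class ToyDirectory:
    """Holds POSIX account entries and enforces the administrator's size limit."""

    def __init__(self, accounts, size_limit):
        self.accounts = accounts
        self.size_limit = size_limit

    def search(self, page_size=None, cookie=b""):
        start = int(cookie) if cookie else 0
        # A single reply never exceeds the configured size limit.
        limit = self.size_limit if page_size is None else min(page_size, self.size_limit)
        chunk = self.accounts[start:start + limit]
        end = start + len(chunk)
        if page_size is None:
            # Plain search: the only hint that data was cut off is the result code.
            code = SIZE_LIMIT_EXCEEDED if end < len(self.accounts) else SUCCESS
            return SearchResult(chunk, code)
        next_cookie = str(end).encode() if end < len(self.accounts) else b""
        return SearchResult(chunk, SUCCESS, next_cookie)


def naive_enumerate(directory):
    """Mimics an application that ignores the result code: with a 1,000-entry
    limit and 10,000 accounts it silently returns only the first 1,000."""
    return directory.search().entries


def checked_enumerate(directory, page_size):
    """Detects truncation via the result code and then pages through the data."""
    first = directory.search()
    if first.result_code == SUCCESS:
        return first.entries          # the whole database fit in one reply
    entries, cookie = [], b""
    while True:                       # follow the cookie until the server clears it
        page = directory.search(page_size=page_size, cookie=cookie)
        entries.extend(page.entries)
        cookie = page.cookie
        if not cookie:
            return entries
```

Counting how many entries an enumerating application actually received, and comparing that count with the directory's configured limit, is the quickest way to tell whether it was affected by the limit.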