Preparing your LDAP Directory for HP-UX Integration

Appendix A (Authentication Methods, a Primer)
The remainder of this document refers to two pluggable authentication modules, PAM_UNIX and
PAM_LDAP. This section briefly explains what each one does and how it is used. Which
authentication modules an HP-UX system uses, and in what order they are tried, is configured
in the /etc/pam.conf file.
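As an added example, not taken from the LDAP-UX documentation, here is an /etc/pam.conf fragment that stacks the two modules for the login service. The module file names are those used on HP-UX 11i v1 PA-RISC and the try_first_pass option is assumed to be supported by the installed libpam_ldap; check both against your system before using them.

```text
# /etc/pam.conf (excerpt, added example; module paths are an assumption)
# service  module_type  control_flag  module_path                        options
login      auth         sufficient    /usr/lib/security/libpam_unix.1
login      auth         required      /usr/lib/security/libpam_ldap.1    try_first_pass
login      account      sufficient    /usr/lib/security/libpam_unix.1
login      account      required      /usr/lib/security/libpam_ldap.1
```

With this ordering a user who has a local passwd entry is authenticated by PAM_UNIX alone (sufficient), and a user who has none falls through to PAM_LDAP; try_first_pass makes PAM_LDAP reuse the password PAM_UNIX already collected rather than prompting a second time. Because the PAM_LDAP line is marked required, a user found in neither the local passwd database nor the directory fails. The session and password lines of the file are omitted here.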
PAM_UNIX
PAM_UNIX is the standard authentication service on HP-UX. As mentioned above, it authenticates a
user by looking up the user name in the passwd database and comparing the entered password against
the crypt(3)-encrypted password stored in that entry. Here is a simplified example of
authentication using PAM_UNIX during a login:
1. The login process prompts the user for a user name.
2. login calls the PAM_UNIX authentication routine with that user name.
3. PAM_UNIX looks up the user's passwd entry by calling getpwnam(). If no entry is found, the
   authentication fails.
4. If the password field of the entry is blank, the user is authenticated without being asked for
   a password at all (a blank field means "no password", so no account should be left in this
   state). Otherwise:
5. PAM_UNIX prompts the user for a password.
6. PAM_UNIX runs the entered password through crypt(), using the salt from the stored entry, and
   compares the result with the encrypted password in the entry.
7. If the two encrypted passwords match, the authentication succeeds; otherwise it fails.
PAM_UNIX also supports additional features such as password expiration. With the HP-UX "Trusted
Mode" product, PAM_UNIX is enhanced to support further security features, including stronger
password policies and password hiding (the encrypted passwords are kept out of the world-readable
/etc/passwd file).
PAM_LDAP
PAM_LDAP is an authentication service introduced with the LDAP-UX Client Services product. It
uses the LDAP directory, instead of the local passwd database and the standard authentication
routines, to authenticate users. Here is a simplified example of authentication using PAM_LDAP
during a login:
1. The login process prompts the user for a user name.
2. PAM_LDAP sends an LDAP search request to find the user's entry in the directory. If no entry
   is found, the authentication fails.
3. PAM_LDAP prompts the user for a password.
4. PAM_LDAP binds to the LDAP directory using the distinguished name found in step 2 and the
   password entered in step 3.
5. PAM_LDAP returns success or failure, depending on whether the LDAP bind request succeeded.

Note that the bind request in step 4 carries the user's cleartext password to the directory
server, so the connection between the client and the directory should be protected, for example
with SSL.
PAM_LDAP leaves password policy management (expiration, strength, and so on) to the directory
server. Because PAM_LDAP never needs to read the user's encrypted password, only to bind with it,
the password attribute can be hidden from clients by the directory's access controls, similar to
the password hiding of HP-UX "Trusted Mode".
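The two walk-throughs above, side by side, as an added example that is not HP-UX or LDAP-UX code. Both back ends are constructed in-memory stand-ins: a passwd-style table with the users alice and guest for PAM_UNIX, and a tiny directory under ou=People,dc=example,dc=com that emulates LDAP simple bind for PAM_LDAP. crypt(3) is replaced by a salted SHA-256 so the script runs on any Python; the lookup, comparison and bind logic is what the example shows, not the hash. One thing it adds that the appendix does not mention: an LDAP simple bind with a distinguished name and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2), which permissive servers answer with success, so the PAM_LDAP side refuses an empty password before binding.

```python
"""Added illustration of the PAM_UNIX and PAM_LDAP login flows (not
LDAP-UX code).  Back ends and user data are constructed for the example."""
import hashlib
import hmac

# ---------------------------------------------------------------- PAM_UNIX

def unix_hash(password, salt):
    """Stand-in for crypt(3): the salt is kept in the stored string, so the
    entered password can be hashed the same way and compared."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest

# Constructed passwd-style table: name -> (uid, stored hash).  "guest" has a
# blank password field, the case step 4 of the PAM_UNIX walk-through covers.
PASSWD_DB = {
    "alice": (1001, unix_hash("s3cret", "ab")),
    "guest": (1002, ""),
}

def pam_unix_authenticate(user, password):
    """Steps 3 to 7 of the PAM_UNIX flow; `password` is what the prompt returned."""
    entry = PASSWD_DB.get(user)                     # getpwnam()
    if entry is None:
        return False                                # no passwd entry: fail
    _uid, stored = entry
    if stored == "":
        return True     # blank field: authenticated without checking anything
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(unix_hash(password, salt).encode(), stored.encode())

# ---------------------------------------------------------------- PAM_LDAP

SEARCH_BASE = "ou=People,dc=example,dc=com"

# Constructed directory: DN -> attributes.  userPassword is present only so
# the mock server can evaluate binds; the PAM_LDAP side never reads it.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=People,dc=example,dc=com":   {"uid": "bob",   "userPassword": "hunter2"},
}

def ldap_search(base, uid):
    """Emulates a subtree search under `base` with filter (uid=<name>);
    returns the matching DNs (step 2 of the PAM_LDAP flow)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and attrs.get("uid") == uid]

def ldap_simple_bind(dn, password):
    """Emulates LDAP simple bind (steps 4 and 5).  A name with an EMPTY
    password is an *unauthenticated* bind (RFC 4513 section 5.1.2): servers
    SHOULD refuse it by default, but permissive deployments return success
    without checking any credential, which this mock mimics."""
    if password == "":
        return True
    attrs = DIRECTORY.get(dn)
    return attrs is not None and hmac.compare_digest(
        attrs["userPassword"].encode(), password.encode())

def pam_ldap_authenticate(user, password):
    """Search, then bind.  The result is whatever the bind returned, except
    that an empty password is refused before binding; otherwise a permissive
    server would turn an unauthenticated bind into a successful login."""
    dns = ldap_search(SEARCH_BASE, user)
    if len(dns) != 1:
        return False            # entry not found (or ambiguous): fail
    if password == "":
        return False            # guard against the unauthenticated bind above
    return ldap_simple_bind(dns[0], password)

if __name__ == "__main__":
    for name, pw in [("alice", "s3cret"), ("alice", "wrong"), ("guest", "x")]:
        print(f"PAM_UNIX {name}: {pam_unix_authenticate(name, pw)}")
    for name, pw in [("alice", "s3cret"), ("bob", "wrong"), ("alice", "")]:
        print(f"PAM_LDAP {name}: {pam_ldap_authenticate(name, pw)}")
```

The contrast the appendix draws is visible in the code: pam_unix_authenticate must be able to read the stored encrypted password to compare against it, while pam_ldap_authenticate only ever hands the DN and the entered password to the directory, which is why the directory can keep the password attribute hidden from clients.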