Wednesday 13 July 2011

Using OpenLDAP to authenticate HP-UX users

Introduction
This page describes how to configure the HP-UX LDAP client services to authenticate against OpenLDAP. For the OpenLDAP configuration see: LDAP server configuration RHEL 5.
The OpenLDAP directory server must be prepared and configured before the HP-UX LDAP clients can be set up and the HP-UX system can authenticate against the directory. LDAP-UX can be configured to bind to the directory using a proxy, which is in principle more secure. Standard software is used; all authentication and password management is handled by the directory. To make sure HP-UX reacts properly when a password has expired or a password reset has occurred (the user must choose a new password at next logon), the pam_authz library is used.
To configure HP-UX the following must be done:

  • Installation of the LDAP packages
  • Import the certificate of the relevant CA - only if the secure LDAP protocol (SSL) is used
  • Run /opt/ldapux/config/setup
  • Provide the DN of the system profile entry (as installed in the directory)
  • Check that the ldapclientd daemon is running
  • Adjust the nsswitch.conf file
  • Configure PAM to use LDAP (in /etc/pam.conf)
  • Copy the provided pam.ldap example to pam.conf
  • Adjust pam.conf to enable pam_authz.policy for password policy effects
  • Configure /etc/opt/ldapux/pam_authz.policy file
  • Enable and configure the proxy settings
More information can be found in the HP-UX LDAP-UX Client Services administration guide. Be aware that this document describes the process of getting LDAP-UX to work against Netscape Directory Services 6.x; officially this is the only (non-Microsoft) directory service supported under HP-UX. OpenLDAP works very well though, when configured properly.
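An added check script, not from the original post and not part of HP's LDAP-UX tooling, that audits the client-side results of the steps above from the files they touch (/etc/nsswitch.conf, /etc/pam.conf and /etc/opt/ldapux/pam_authz.policy). It assumes the HP-UX pam.conf column layout (service, module type, control flag, module path, options), the module names libpam_ldap and libpam_authz, and action:type:object rule lines in pam_authz.policy; the sample files it is exercised with are constructed.

```shell
#!/bin/sh
# Audit an HP-UX LDAP-UX client configuration (added example, not from the page).
# Assumptions: pam.conf columns "service type flag module [options]", module
# names libpam_ldap / libpam_authz, and "action:type:object" lines in
# pam_authz.policy. Any sample files used with it are constructed.

# 0 when every name service database given in $2.. lists the ldap source,
# e.g. "passwd: files ldap" (the "adjust nsswitch.conf" step).
nsswitch_uses_ldap() {
  file=$1; shift
  for db in "$@"; do
    awk -v key="$db:" '$1 == key { for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
      END { exit ok ? 0 : 1 }' "$file" || return 1
  done
}

# 0 when pam.conf loads the LDAP module for a service and module type,
# e.g. "login auth" (the "configure PAM to use LDAP" step).
pam_service_uses_ldap() {
  awk -v s="$2" -v t="$3" '$1 == s && $2 == t && $4 ~ /libpam_ldap/ { ok = 1 }
    END { exit ok ? 0 : 1 }' "$1"
}

# 0 when libpam_authz is wired into the account stage for a service, which is
# what makes the pam_authz.policy rules (expired/reset passwords) take effect.
pam_authz_enabled() {
  awk -v s="$2" '$1 == s && $2 == "account" && $4 ~ /libpam_authz/ { ok = 1 }
    END { exit ok ? 0 : 1 }' "$1"
}

# Number of rule lines in pam_authz.policy, ignoring comments and blank lines.
policy_rule_count() {
  grep -v '^[[:space:]]*#' "$1" | grep -c ':' || true
}

# Run all checks; report what is missing and return non-zero on any failure.
audit_client() {
  nss=$1; pam=$2; policy=$3; rc=0
  nsswitch_uses_ldap "$nss" passwd group ||
    { echo "nsswitch.conf: passwd/group do not use ldap"; rc=1; }
  pam_service_uses_ldap "$pam" login auth ||
    { echo "pam.conf: login auth does not load libpam_ldap"; rc=1; }
  pam_authz_enabled "$pam" login ||
    { echo "pam.conf: libpam_authz not enabled for the login account stage"; rc=1; }
  [ "$(policy_rule_count "$policy")" -gt 0 ] ||
    { echo "pam_authz.policy: no rules defined"; rc=1; }
  return $rc
}

# With --run, audit the default HP-UX locations named on the page.
if [ "${1:-}" = "--run" ]; then
  audit_client /etc/nsswitch.conf /etc/pam.conf /etc/opt/ldapux/pam_authz.policy
fi
```

Run it as `sh audit.sh --run` on the client after finishing the steps; a non-zero exit code with the printed reason points at the step that was skipped.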