
How to configure PAM to use LDAP on HP-UX 11i?

asked Dec 14 '10 at 21:18

SSH KB


This knowledge base article describes a scenario where the SSH Tectia client connects to an SSH Tectia Server (HP-UX 11i), which is configured to use an LDAP directory for user information. Clients connecting to the SSH Tectia Server can use either certificate authentication or keyboard-interactive authentication.

Client --- SSH Tectia Server --- LDAP Server

The relevant configuration files are found attached at the end of this knowledge base article. The files present an example configuration.

Please note that SSH provides technical support for configuring SSH Tectia products. Configuration and installation of operating system specific PAM modules and/or LDAP directories are not officially supported by SSH Communications Security.

Product and OS versions:

  • HP-UX 11i
  • LDAP-UX version B.03.20 (J4269AA)
  • Netscape Directory Server v4 for HP-UX, B.04.13 (J4258BA)

Server side configuration

  • Install and configure LDAP-UX client services with your LDAP server information. The LDAP client configuration defines the LDAP server and where the user profile entry is found within the LDAP directory. LDAP client setup creates the configuration and profile files and inserts the profile into the directory.

/opt/ldapux/config/setup

  • LDAP-UX client configuration is saved into following file:

/etc/opt/ldapux/ldapux_client.conf

  • The LDAP-UX package comes with a migration script which creates an ldif file from the /etc/passwd file. The ldif file can be inserted into the directory with the ldap client tools. After inserting the user accounts into the directory, ldapsearch can be used for verifying that the accounts are found in LDAP.

/opt/ldapux/migrate/migrate_passwd.pl /etc/passwd ./passwd.ldif
# -w places the directory manager password on the command line, where other users can read it with ps
/opt/ldapux/bin/ldapmodify -a -h localhost -D cn=root -w secret -f passwd.ldif
/opt/ldapux/bin/ldapsearch -b ou=People,o=ssh.com objectclass=*

  • The operating system is configured to use an LDAP backend for su and sshd2.

/etc/pam.conf

  • Name service file nsswitch.conf is configured to use "ldap" in addition to "files" for passwd information.

/etc/nsswitch.conf

  • Once nsswitch is configured, 'nsquery' should be able to find user ids in LDAP. This query should succeed before proceeding to SSH Tectia Server configuration.

$ nsquery passwd testuser
-- Using "files ldap" for the passwd policy.

Searching /etc/passwd for testuser
testuser was NOTFOUND
Switch configuration: Allows fallback

Searching ldap for testuser
User name:      testuser
User Id:        104
Group Id:       20
Gecos:
Home Directory: /home/testuser
Shell:          /usr/local/bin/bash
Switch configuration: Terminates Search

  • SSH Tectia Server is configured to allow publickey and keyboard-interactive authentication. PAM is configured as a submethod of keyboard interactive. CA certificate and mapfile configuration is included in the server configuration to enable the use of certificates in user authentication.

/etc/ssh2/sshd2_config
/etc/ssh2/certificates/ca-certificate.cer
/etc/ssh2/certificates/mapfile

Client side configuration

  • SSH Tectia Client configuration allows publickey and keyboard-interactive authentication methods. The non-interactive method (publickey) is listed first within the Allowedauthentications keyword, and as a result, keyboard-interactive authentication can be used if publickey authentication is not configured, or if a smartcard or token is not present, for example.

/etc/ssh2/ssh2_config


answered Dec 14 '10 at 21:19

SSH KB
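The answer above says the nsquery lookup "should succeed before proceeding to SSH Tectia Server configuration". The script below is an added example, not part of the knowledge base article or of any SSH or HP product, that performs the equivalent pre-flight check offline against the two files the answer points at: it reads the passwd policy out of an nsswitch.conf and confirms that "files" comes before "ldap" (so root and other local accounts still resolve when the directory is down and no [NOTFOUND=return] cuts the fallback off), and it lists which pam.conf services authenticate through the LDAP module. The sample file contents are constructed for the example, and the HP-UX module name libpam_ldap.so.1 and the try_first_pass option are assumptions; substitute your own /etc/nsswitch.conf and /etc/pam.conf to check a real host.

```shell
#!/bin/sh
# Added example (not from the original article): offline checks for the
# nsswitch.conf passwd policy and the pam.conf LDAP entries described above.
# All file contents below are constructed samples; libpam_ldap.so.1 and
# try_first_pass are assumed names, verify them against your LDAP-UX manual.

# passwd_policy FILE
#   Print the source list on the "passwd:" line of an nsswitch.conf, e.g. "files ldap".
passwd_policy() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_nsswitch FILE
#   Succeed only when the passwd policy consults files first and then ldap,
#   and nothing in between stops the fallback to the directory.
check_nsswitch() {
    policy=$(passwd_policy "$1")
    case "$policy" in
        *NOTFOUND=return*)
            echo "passwd policy '$policy' never falls back to ldap" >&2; return 1 ;;
        files*ldap*)
            return 0 ;;
        *)
            echo "passwd policy is '$policy'; expected 'files ldap'" >&2; return 1 ;;
    esac
}

# pam_ldap_services FILE
#   Print each pam.conf service with an "auth" entry that loads the LDAP module.
#   HP-UX pam.conf layout: service  module_type  control_flag  module_path [options]
pam_ldap_services() {
    awk '$1 !~ /^#/ && $2 == "auth" && $4 ~ /libpam_ldap/ { print $1 }' "$1" | sort -u
}

# check_pam FILE SERVICE
#   Succeed when SERVICE (e.g. sshd2) authenticates through the LDAP module.
check_pam() {
    pam_ldap_services "$1" | grep -qx "$2"
}

# --- constructed sample files -------------------------------------------------
WORK=${TMPDIR:-/tmp}/ldapux-check.$$
mkdir -p "$WORK"

GOOD_NSS=$WORK/nsswitch.good
cat > "$GOOD_NSS" <<'EOF'
# constructed sample: files first, ldap as fallback (what the article configures)
passwd:   files ldap
group:    files ldap
hosts:    dns files
EOF

BAD_NSS=$WORK/nsswitch.bad
cat > "$BAD_NSS" <<'EOF'
# constructed sample: the [NOTFOUND=return] action stops the search before ldap
passwd:   files [NOTFOUND=return] ldap
group:    files
EOF

SAMPLE_PAM=$WORK/pam.conf
cat > "$SAMPLE_PAM" <<'EOF'
# constructed sample: su and sshd2 use the LDAP backend, login stays local
login  auth     required   libpam_unix.so.1
su     auth     sufficient libpam_unix.so.1
su     auth     required   libpam_ldap.so.1 try_first_pass
sshd2  auth     sufficient libpam_unix.so.1
sshd2  auth     required   libpam_ldap.so.1 try_first_pass
sshd2  account  required   libpam_ldap.so.1
EOF

# --- stand-alone run ----------------------------------------------------------
for f in "$GOOD_NSS" "$BAD_NSS"; do
    if check_nsswitch "$f"; then
        echo "$f: passwd policy ok ($(passwd_policy "$f"))"
    else
        echo "$f: FAIL"
    fi
done
echo "services with LDAP auth in $SAMPLE_PAM: $(pam_ldap_services "$SAMPLE_PAM" | tr '\n' ' ')"
if check_pam "$SAMPLE_PAM" sshd2; then
    echo "sshd2 is configured for LDAP authentication; proceed to sshd2_config"
fi
```

Run the checks on the real host by pointing passwd_policy and check_pam at /etc/nsswitch.conf and /etc/pam.conf; a failing check_nsswitch is the usual reason nsquery reports the user as NOTFOUND even though ldapsearch finds the entry.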
