Re: HP-UX Authentication thru Windows AD (1937 Views)
Frequent Advisor
walter crasto_1
Posts: 63
Registered: ‎01-01-2004
Message 1 of 7 (1,937 Views)

HP-UX Authentication thru Windows AD

Hi,

I have an HP-UX Itanium system and want to authenticate it through a Windows Active Directory server. Can someone advise me on this?
Thanks in advance.

Regards
Walter
Honored Contributor
Duncan Edmonstone
Posts: 5,684
Registered: ‎08-05-2000
Message 2 of 7 (1,937 Views)

Re: HP-UX Authentication thru Windows AD

You need to use LDAP-UX - manuals are available here:

http://docs.hp.com/en/internet.html#LDAP-UX%20Integration

HTH

Duncan
Honored Contributor
Fabio Ettore
Posts: 1,738
Registered: ‎11-19-2003
Message 3 of 7 (1,937 Views)

Re: HP-UX Authentication thru Windows AD

Hi,

You need to install and configure LDAP-UX services on the HP-UX system. From the manual already mentioned (which is the best point to start), also check the Windows requirements; for example, it asks for SFU utilities on the Windows system.

HTH.

Best regards,
Fabio
WISH? IMPROVEMENT!
Respected Contributor
eric roseme
Posts: 170
Registered: ‎01-27-2002
Message 4 of 7 (1,937 Views)

Re: HP-UX Authentication thru Windows AD

I have a whitepaper that lists cookbook style how to configure your system for "Unified Login" to AD. I have just updated it for Windows 2008R2 and the latest CIFS/Samba version on 11.31. All the setup steps for krb5, ldap-ux, and pam-kerberos are included.

http://www.docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Eric
Trusted Contributor
Don Mallory
Posts: 200
Registered: ‎11-26-2002
Message 5 of 7 (1,937 Views)

Re: HP-UX Authentication thru Windows AD

Hi there,

You don't need MS SFU if your AD is 2003 R2 or above; the schema changes are already present. You will need it if you don't; however, you would be better off delaying until you upgrade to AD 2003 R2 than deploying LDAP-UX and then upgrading.

Technically Kerberos is the authentication method.

PAM_authz provides authorization (are you in the right group, and allowed to log into this host? Otherwise >ALL< AD users can log in...)

The LDAP-UX piece provides users and groups from the AD.

That step-by-step guide that Eric posted is pretty good (it's also very new). I wish it was around when I originally implemented.

The Installing and Configuring guide is also quite good and covers a lot of the possible issues, specific to many different environments. For Kerberos, I really like this test resource:

This doc: DOC ID: PAMKKBAN00000983 - A Basic Step-by-Step Summary of Kerberos v5.1 Setup on HPUX platform.

A copy of which is at the link below:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1043163

I actually worked with the author on backline support issues once. Very bright fellow.


Interestingly enough, I was forced to disable the LDAP client daemon temporarily for a short time. As long as the user and group data is synchronised to the host in some way, the users can fully log in using Kerberos only. The trick is, if there's no naming service (LDAP-UX to provide user and group data, /etc/ files, etc.), you can't log in.

Remember, LDAP is only a directory; it only provides identity, not authentication (Kerberos) or authorization (pam_authz, sudo, etc.).

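To make the authorization layer Don describes concrete, here is an added example (not code from the thread or from LDAP-UX itself) that evaluates a pam_authz-style policy file against an account's group memberships. The "action:type:object" rule format, the first-match-wins evaluation, and the default-deny once a policy exists are modelled on LDAP-UX pam_authz but are assumptions here; the users, groups and policy are constructed.

```python
"""Evaluate a pam_authz-style login policy (hypothetical format modelled on
LDAP-UX pam_authz: one "action:type:object" rule per line, first match wins).
Sample accounts and policy below are constructed for this example."""
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    unix_groups: set = field(default_factory=set)   # from passwd/group or LDAP-UX
    ldap_groups: set = field(default_factory=set)   # AD group DNs the user is in

def parse_policy(text):
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)   # object (a DN) may itself contain ',' and '='
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {n}: malformed rule {raw!r}")
        rules.append(tuple(parts))
    return rules

def rule_matches(rule, acct):
    _, kind, obj = rule
    if kind == "unix_user":
        return obj == acct.name
    if kind == "unix_group":
        return obj in acct.unix_groups
    if kind == "ldap_group":
        return obj in acct.ldap_groups
    raise ValueError(f"unknown rule type {kind!r}")

def authorize(rules, acct):
    """First matching rule wins. With no policy at all, every account that
    Kerberos authenticated gets in (the >ALL< AD users case from the thread);
    once a policy exists, an unmatched account is denied (assumed default)."""
    if not rules:
        return True
    for rule in rules:
        if rule_matches(rule, acct):
            return rule[0] == "allow"
    return False

POLICY = """# constructed sample policy (hypothetical groups and DNs)
deny:unix_user:svc_batch
allow:unix_group:hpuxadmins
allow:ldap_group:cn=hpux-login,ou=groups,dc=example,dc=com
"""
```

Note that the deny rule for svc_batch sits first, so that account is refused even if it is also a member of hpuxadmins; with an empty policy it would be let in like everyone else.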
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 6 of 7 (1,937 Views)

Re: HP-UX Authentication thru Windows AD

Shalom Walter,

Understand that in the Windows 2003 integration, only R2 will work for LDAP integration. Substantial patching is required on the Windows side for this to work.

So work with the Windows team and see that it is properly patched.

Part of the setup requires admin rights on the Windows domain controller, so you'll need to work with the Windows admins closely to get this done.

It is not easy. Budget some time to get this done.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Trusted Contributor
Don Mallory
Posts: 200
Registered: ‎11-26-2002
Message 7 of 7 (1,937 Views)

Re: HP-UX Authentication thru Windows AD

Steven is completely accurate about the domain admin rights wrt installing and configuring LDAP-UX; it's required to implement the schema change that comes with the ldapuxprofile (the schema is called DUAConfigProfile), which is how the LDAP entries are mapped to UX-style files (group, passwd, auto.direct, netgroup, etc.).

The one additional note is that basic domain admin privileges are not enough, you also need to have Schema Admin enabled on the domain admin account during the first install.

Your Windows administrators will be very skittish about enabling any changes to the schema.

This one is pretty benign; however, updating it, which includes enabling SSL or SASL style encryption, or changing the LDAP server search order, will require you to use ADSIEdit (Windows, from the ResKit) or ldapmodify (comes with LDAP-UX) to implement the changes. At this point, you are directly editing the schema.

Don