From Free IPA
Introduction
This document describes the procedures required to configure HP-UX as an IPA client.
IPA Client Configuration
LDAP client configuration
1. Install the ldapux client on the HP-UX 11.23 machine.
J4269AA_B.04.15.01_HP-UX_B.11.23_IA_PA.depot
# swinstall -s J4269AA_B.04.15.01_HP-UX_B.11.23_IA_PA.depot
2. Change to the configuration directory and run the setup script.
# cd /opt/ldapux/config/
# ./setup
(The HP-UX guide for this procedure is located at http://docs.hp.com/en/J4269-90075/ch02s07.html)
The following is a sample output from running the above script:
Would you like to continue with the setup? [Yes]
Select which Directory Server you want to connect to ? [RedHat Directory]
Directory server host ? [ipaserver.example.com]
Directory Server port number [389]
Would you like to extend the printer schema in this directory server? [No]
Would you like to install PublicKey schema in this directory server? [No]
Would you like to install the new automount schema ? [No]
Profile Entry DN: [cn=ldapuxprofile,cn=etc,dc=example,dc=com]
User DN [cn=Directory Manager]
Password ? [Directory Manager's Password]
Authentication method ? [ SIMPLE ]
Enter the number of the hosts you want to specify [1]
Default Base DN ? [dc=example,dc=com]
Accept remaining defaults ? [n]
Client binding [Anonymous]
Bind time limit [5 seconds]
Search time limit [no limit]
Do you want client searches of the directory to follow referrals? [Yes]
Profile TTL [0 = infinite]
Do you want to remap any of the standard RFC 2307 attribute? [Yes]
Specify the service you want to map? [ 3=Group]
Specify the attribute you want to map [3 for memberuid ]
Type the name of the attribute memberuid should be mapped to [member]
Specify the service you want to map? [ 0 = exit ]
Do you want to remap any of the standard RFC 2307 attribute? [ no this time ]
Do you want to create custom search descriptors? [ No ]
Note:
- Installing the HP-UX client requires administrator privileges in the form of the Directory Manager password; there is no other way to perform the installation. In the example above the setup script binds with the SIMPLE method over plain LDAP (port 389), so that password crosses the network in cleartext. Run the setup from a trusted network segment or, where your ldapux release supports it, over an SSL/TLS-protected connection to the directory.
3. Ensure that the LDAP client daemon is running.
4. Run the following commands to ensure that the LDAP client is working:
# nsquery passwd admin      (the admin user should be visible)
# nsquery group admins      (the group and its member admin should be visible)
5. Create a new group on the IPA server.
# ipa-addgroup testgroup
6. Add a test user to the new group created above.
# ipa-modgroup -a testuser testgroup
7. Run the nsquery commands again to validate the new user and group:
# nsquery passwd testuser   (the user should be visible)
# nsquery group testgroup   (the group and its member testuser should be visible)
This concludes the LDAP client configuration.
PAM/krb5 Configuration
The PAM and Kerberos configuration is entirely manual. Sample configuration files are provided below; base your own system files on them. Note that the sample krb5.conf pins the ticket and TGS enctypes to DES-CBC-CRC. DES is cryptographically weak and current IPA KDCs do not issue DES-encrypted tickets by default, so keep those two lines only if your HP-UX Kerberos libraries support nothing stronger; otherwise remove them and let the client and KDC negotiate a stronger enctype.
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com:88
admin_server = ipaserver.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[appdefaults]
kinit = {
forwardable = true
}
/etc/pam.conf
HPUX - 11i v2
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#
#
################################################################
# This sample file will authenticate the user who belongs to #
# either Kerberos or Unix system. Using this configuration file, #
# if the user is authenticated through Kerberos then the Unix #
# authentication will not be invoked. However, if the Kerberos #
# authentication fails for the user, then the fallback #
# authentication mechanism PAM-Unix will be invoked to #
# authenticate the user. The assumption is the user is either #
# present in Kerberos or in Unix system. #
# #
# In case the administrator wants the password for all the #
# users to be synchronous between Kerberos and Unix systems, #
# then the control flag should be set to "required" for all #
# the entries, with the use_first_pass option set for pam_unix. #
# If password synchronization is optional then the try_first_pass #
# option needs to be set for pam_unix, so that the user can #
# login using the appropriate passwords. #
# #
# The module pam_hpsec(5) is stacked as a mandatory module above #
# all the modules for making security checks before #
# authentication. #
################################################################
#
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_krb5.so.1
su auth required libpam_unix.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_krb5.so.1
dtlogin auth required libpam_unix.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required libpam_unix.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_krb5.so.1
ftp auth required libpam_unix.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1 try_first_pass
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_krb5.so.1
login account required libpam_unix.so.1
su account required libpam_hpsec.so.1
su account sufficient libpam_krb5.so.1
su account required libpam_unix.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_krb5.so.1
dtlogin account required libpam_unix.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_krb5.so.1
dtaction account required libpam_unix.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_krb5.so.1
ftp account required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
OTHER account required libpam_unix.so.1
#
# Session management
#
login session required libpam_hpsec.so.1
login session sufficient libpam_krb5.so.1
login session required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session sufficient libpam_krb5.so.1
dtlogin session required libpam_unix.so.1
dtaction session required libpam_hpsec.so.1
dtaction session sufficient libpam_krb5.so.1
dtaction session required libpam_unix.so.1
sshd session required libpam_hpsec.so.1
sshd session sufficient libpam_krb5.so.1
sshd session required libpam_unix.so.1
OTHER session required libpam_unix.so.1
#
# Password management
#
login password required libpam_hpsec.so.1
login password sufficient libpam_krb5.so.1
login password required libpam_unix.so.1
passwd password required libpam_hpsec.so.1
passwd password sufficient libpam_krb5.so.1
passwd password required libpam_unix.so.1
dtlogin password required libpam_hpsec.so.1
dtlogin password sufficient libpam_krb5.so.1
dtlogin password required libpam_unix.so.1
dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1
OTHER password required libpam_unix.so.1
HPUX - 11i v1
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#
################################################################
# This sample file will authenticate the user who belongs to #
# either Kerberos or Unix system. Using this configuration file, #
# if the user is authenticated through Kerberos then the Unix #
# authentication will not be invoked. However, if the Kerberos #
# authentication fails for the user, then the fallback #
# authentication mechanism PAM-Unix will be invoked to #
# authenticate the user. The assumption is the user is either #
# present in Kerberos or in Unix system. #
# #
# In case the administrator wants the password for all the #
# users to be synchronous between Kerberos and Unix systems, #
# then the control flag should be set to "required" for all #
# the entries, with the use_first_pass option set for pam_unix. #
# If password synchronization is optional then the try_first_pass #
# option needs to be set for pam_unix, so that the user can #
# login using the appropriate passwords. #
################################################################
#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_krb5.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_krb5.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Account management
#
login account sufficient /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
su account sufficient /usr/lib/security/libpam_krb5.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account sufficient /usr/lib/security/libpam_krb5.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account sufficient /usr/lib/security/libpam_krb5.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account sufficient /usr/lib/security/libpam_krb5.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login session sufficient /usr/lib/security/libpam_krb5.1
login session required /usr/lib/security/libpam_unix.1
dtlogin session sufficient /usr/lib/security/libpam_krb5.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session sufficient /usr/lib/security/libpam_krb5.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
# Password management
#
login password sufficient /usr/lib/security/libpam_krb5.1
login password required /usr/lib/security/libpam_unix.1
passwd password sufficient /usr/lib/security/libpam_krb5.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password sufficient /usr/lib/security/libpam_krb5.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password sufficient /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
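Because both /etc/krb5.conf and /etc/pam.conf are edited by hand, it is easy to end up with a DES-only enctype list or a service whose "sufficient" libpam_krb5 line has no "required" libpam_unix fallback behind it (or, on 11i v2, a libpam_krb5 line stacked ahead of the mandatory libpam_hpsec check). The POSIX sh script below audits both files for exactly those properties. It is an added example written for this page, not code from the FreeIPA project or from HP's ldapux or PAM products; the function names, the sample file names and the sample contents it writes are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the FreeIPA page or HP): audit the two hand-edited
# HP-UX IPA client files for the properties the sample configuration relies on.
#   audit_krb5 FILE : fail if a default_tkt/tgs_enctypes line lists only DES
#   audit_pam  FILE : fail if a service stacks "sufficient" libpam_krb5 without a
#                     later "required" libpam_unix {try,use}_first_pass fallback,
#                     or (when libpam_hpsec is used at all) without libpam_hpsec
#                     as the first auth module of that service
# Sample inputs are constructed by write_samples; file names are hypothetical.

audit_krb5() {
    awk '
        /^[ \t]*default_(tkt|tgs)_enctypes[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")             # keep only the enctype list
            n = split($0, e, /[ \t,]+/); weak = 0; strong = 0
            for (i = 1; i <= n; i++) {
                if (e[i] == "") continue
                if (tolower(e[i]) ~ /^des-cbc-(crc|md5)$/) weak++; else strong++
            }
            if (weak > 0 && strong == 0) { print "DES-only enctypes: " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

audit_pam() {
    awk '
        /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }      # auth stack only
        !($1 in first) { first[$1] = $4 }                   # first module per service
        $4 ~ /libpam_hpsec/ { hpsec_used = 1 }
        $3 == "sufficient" && $4 ~ /libpam_krb5/ { krb[$1] = 1 }
        $3 == "required" && $4 ~ /libpam_unix/ && ($1 in krb) && $0 ~ /(try|use)_first_pass/ { fallback[$1] = 1 }
        END {
            for (s in krb) {
                if (!(s in fallback)) { print "no libpam_unix fallback after libpam_krb5: " s; bad = 1 }
                if (hpsec_used && first[s] !~ /libpam_hpsec/) { print "libpam_hpsec not first in auth stack: " s; bad = 1 }
            }
            exit bad + 0
        }
    ' "$1"
}

# write_samples DIR: constructed sample files (a weak and a strong krb5.conf,
# and a pam.conf with one correct service next to two broken ones).
write_samples() {
    cat > "$1/krb5-des.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
EOF
    cat > "$1/krb5-aes.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
    # login is correct; sshd has no pam_unix fallback; ftp puts pam_krb5 ahead
    # of pam_hpsec.
    cat > "$1/pam.conf" <<'EOF'
login auth required   libpam_hpsec.so.1
login auth sufficient libpam_krb5.so.1
login auth required   libpam_unix.so.1 try_first_pass
sshd  auth required   libpam_hpsec.so.1
sshd  auth sufficient libpam_krb5.so.1
ftp   auth sufficient libpam_krb5.so.1
ftp   auth required   libpam_hpsec.so.1
ftp   auth required   libpam_unix.so.1 try_first_pass
OTHER auth required   libpam_unix.so.1
EOF
}

# demo: run both audits over the constructed samples and print a verdict each.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for f in krb5-des.conf krb5-aes.conf; do
        if audit_krb5 "$dir/$f"; then echo "$f: OK"; else echo "$f: WEAK"; fi
    done
    if audit_pam "$dir/pam.conf"; then echo "pam.conf: OK"; else echo "pam.conf: FAIL"; fi
    rm -rf "$dir"
}
demo
```

Against a real client, source the script and run `audit_krb5 /etc/krb5.conf` and `audit_pam /etc/pam.conf`; a non-zero exit status, with the offending line or service printed, is what needs fixing. The audit checks stack shape only, so it supplements the login tests below rather than replacing them.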
Configuring Client SSH Access
Configuring Access Control
On HP-UX systems a PAM module called pam_authz is available and can be used to control login access to the system based on a user's group membership.
Refer to the HP-UX documentation on pam_authz for details on how to configure access control for HP-UX systems: http://docs.hp.com/en/B3921-60631/pam_authz.5.html
Here is a sample /etc/opt/ldapux/pam_authz.policy file:
# pam_authz.policy.template:
#
# An example file that could be copied over to /etc/opt/ldapux/pam_authz.policy.
# pam_authz.policy is a local policy file that PAM_AUTHZ would use to help
# determine which users would be allowed to login to the local host.
#
# In this template file, by default, the only active access rule is
# "allow:unix_local_user"
# All the local users are authorized to login.
#
# The policy file contains one or more access rules. The format of an access
# rule is <action>:<type>:<object>
#
# where <action> could be "deny", "allow", "status"
# "PAM_SUCCESS", "PAM_PERM_DENIED", "PAM_MAXTRIES"
# "PAM_AUTH_ERR", "PAM_NEW_AUTHTOK_REQD",
# "PAM_AUTHTOKEN_REQD", "PAM_CRED_INSUFFICIENT",
# "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN"
# "PAM_ACCT_EXPIRED", "PAM_AUTHOK_EXPIRED"
#
# Note: "status" must be used along with the "rhds" or
# "ads" <type>.
# <type> could be "unix_user", "unix_local_user", "unix_group",
# "netgroup", "ldap_filter", "ldap_group"
# "rhds" or "ads"
#
# Note: When <type> is set to "rhds" or "ads",
# the <action> field must be set to "status".
# <object> contains search information. For example,
#
deny:unix_group:admins
allow:unix_local_user
With these two rules, members of the admins group (the admin user, for example) are refused login, while local Unix users can still log in.
Testing the Configuration
You can use the following tests to validate the PAM and Kerberos configuration.
kinit
- On the HP-UX client machine, obtain a ticket for the admin user and enter the password when prompted:
# kinit admin
- Verify that a valid ticket was issued:
# klist
ssh
- From another Linux client machine that already holds a Kerberos ticket for admin (kinit admin there first), attempt to log in via SSH, for example:
# ssh admin@hpuxipaclient.example.com
The admin user should be able to log in via SSH without being asked for a password, provided the HP-UX sshd accepts GSSAPI (Kerberos) authentication; if it does not, sshd falls back to the PAM password stack above.
console login
- On the HP-UX client console, at the login prompt, enter the admin login ID and password, or any IPA user ID and password. The user should be able to log in from the console.
Note:
- By default, the admin user is given /bin/bash as its login shell and /home/admin as its home directory. You may need to install bash (or link /bin/bash to sh, or change admin's shell to /bin/sh or another shell available on all of your systems) before the login succeeds.