HP HP-UX LDAP-UX Integration White Paper

Integrating HP-UX 11.x Account Management and
Authentication with Microsoft Windows 2000
White Paper
Printed in: U.S.A.
© Copyright 2001 Hewlett-Packard Company
Legal Notices
The information in this document is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors
contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.
Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR
52.227-19 for other agencies. Hewlett-Packard Company
19420 Homestead Road Cupertino, California 95014 U.S.A.
Copyright Notices ©copyright 2001 Hewlett-Packard Company, all rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed
under the copyright laws. Posix is a registered trademark of the IEEE. UNIX is a registered trademark of The Open Group. NIS is a trademark of Sun Microsystems, Inc. Active Directory and Windows are either registered trademarks or trademarks of Microsoft Corporation. Other product and brand names are trademarks of their respective owners.
Introduction
Many enterprises contain a mixture of operating systems and platforms. Often a single user has both Windows 2000 and UNIX accounts on multiple systems. Having a common authentication service and account information data store across platforms improves security, administration and the end-user experience.
Windows 2000 servers provide network-wide common authentication and data storage, but Windows clients don’t interoperate with other vendors’ solutions. Fortunately, HP-UX can dynamically add authentication and name service libraries to an existing system, allowing it to utilize a variety of services. The basis of the Microsoft services comes from industry standard protocols (Kerberos [1] and LDAP [2]) already supported by HP-UX. Integrating HP-UX as a client of these services mostly requires configuration modifications to handle the differences between Microsoft’s implementation and those of other providers of similar services.
This white paper describes how to use existing products to integrate HP-UX authentication, user and group management with Microsoft Windows 2000. Utilizing the LDAP-UX Client Services and PAM Kerberos Authentication products from HP, and Microsoft’s Services for UNIX 2.0 (SFU), the Windows 2000 Active Directory (AD) can be used as a common data store for both Windows 2000 and HP-UX. In addition, HP-UX users can be authenticated using the same user name, password and Kerberos server utilized by the Windows clients.
[1] “The Kerberos Network Authentication Service (V5)”, J. Kohl, C. Neuman, IETF RFC 1510, September 1993
[2] “Lightweight Directory Access Protocol (v3)”, M. Wahl, T. Howes, S. Kille, IETF RFC 2251, December 1997
HP-UX and Windows 2000 Integration Products
Both HP-UX and Windows 2000 operating systems offer new features which make the integration possible.
HP-UX
The following products, released as part of the system core and via Application CDs, provide the framework allowing HP-UX to become more flexible and more interoperable:
PAM and NSS: As of release 11.0, HP-UX supports the Name Service Switch (NSS) and Pluggable Authentication Module (PAM) architecture. These architectures provide a method to install and configure multiple name and authentication services without affecting the higher level commands and APIs. For example, by installing the PAM Kerberos authentication library and modifying the file /etc/pam.conf, the HP-UX login command will authenticate users with a Kerberos server instead of using the default local PAM_UNIX authentication.
NSS and PAM give HP-UX system administrators the flexibility to choose where to store user account information and how to authenticate a user who wants to login to the system.
LDAP-UX: The LDAP-UX integration product, released in March 2001 on the HP-UX Application CD, includes an NSS library that retrieves account and group information from Lightweight Directory Access Protocol (LDAP) v3 compliant data repositories. It is designed with the goal of being directory vendor neutral, and flexible regarding tree structure, schema and naming convention. Therefore, through some configuration modifications, the NSS LDAP library is able to retrieve information from the Windows 2000 directory service.
PAM Kerberos: The PAM Kerberos product supports Kerberos authentication, which authenticates users without sending plain text passwords over the network. HP-UX PAM Kerberos has been tested with Microsoft Windows 2000 and the MIT Kerberos V5 Key Distribution Center (KDC).
The following figure shows how these components work together:
[Figure: PAM and NSS architecture on HP-UX. Application services (login, su and other applications) call the PAM library, which reads /etc/pam.conf to see which authentication module to use: PAM_UNIX, PAM_LDAP or PAM_Kerberos. APIs that access user and system information (getpwnam(), getgrnam(), ...) call the NSS engine, which reads /etc/nsswitch.conf to decide which name service module to use: NSS_FILES, NSS_NIS or NSS_LDAP.]
Windows 2000
The following two primary Windows 2000 features, built on top of existing industry standards, improve Windows 2000’s capability to interoperate with UNIX platforms:
Active Directory (AD): This is an LDAP based directory which Windows 2000 uses to store all its data. LDAP is an open internet standard. The support of LDAP allows Windows 2000 to interoperate with other vendors’ LDAP directory enabled applications.
Kerberos Services: Kerberos is the primary authentication method for Microsoft clients connecting to a Windows 2000 server. Kerberos is an industry standard for network security. With the support of Kerberos authentication, Windows 2000 is able to authenticate Kerberos clients regardless of what platforms the clients reside on.
Active Directory and Kerberos are integrated seamlessly in the Windows 2000 operating system. Active Directory domain controllers are automatically configured to provide Kerberos with authentication services, and by default, all Windows 2000 computers are configured to operate as Kerberos clients.
Services for UNIX (SFU): Other than operating system improvements, Microsoft also provides the Services for UNIX (SFU) product to enhance interoperability with UNIX-based systems. SFU 2.0 has features which make setting up a mixed enterprise environment a lot easier.
The following figure illustrates the Windows 2000 components that HP-UX depends on for proper integration:
[Figure: Windows 2000 components that HP-UX depends on. Kerberos Services (Windows 2000 authentication services); Active Directory (Windows 2000 data store); SFU 2.0, which provides (1) an NIS server and (2) an AD schema extension, through which HP-UX retrieves account information.]
How HP-UX and Windows 2000 Products Integrate
There are two approaches to integrating HP-UX account management and authentication with Windows 2000:
NIS
LDAP
NIS Integration:
Windows 2000 as NIS Server + HP-UX as NIS Client + HP-UX PAM_Kerberos
Server for NIS is one of the SFU 2.0 tools, which enables Windows 2000 to serve as an NIS server. It utilizes AD to store user account and group information. An NIS client on HP-UX communicates with the NIS server on Windows 2000 to retrieve information from AD. The PAM Kerberos product on HP-UX uses Windows 2000 Kerberos Services to authenticate users who want to log into HP-UX machines. Although PAM_UNIX can authenticate users stored in an NIS server, it is not a good choice for this integration: PAM_UNIX only retrieves the user account information from the server and then authenticates the user on the client machine, which loses the benefit of common authentication. The following figures illustrate the integration between the two platforms over NIS.
[Figure: NIS integration. On the HP-UX client, getpwnam() goes through the NSS engine to NSS_NIS, which uses the NIS protocol to query Server for NIS (SFU 2.0) on the Windows 2000 server, backed by Active Directory.]
[Figure: NIS + PAM_Kerberos integration. On the HP-UX client, login calls the PAM library, which uses PAM_Kerberos and the Kerberos protocol to authenticate against the Windows 2000 Kerberos Services; getpwnam() goes through the NSS engine and NSS_NIS, using the NIS protocol to retrieve account information from Server for NIS (SFU 2.0). Both server-side services are backed by Active Directory.]
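The two files named earlier, /etc/pam.conf and /etc/nsswitch.conf, decide both the PAM/NSS behaviour described in the HP-UX section and the PAM_UNIX caveat in the NIS section above. The following Python check is an added example, not part of the original white paper: it parses constructed samples of both files and reports whether login authentication actually reaches the Kerberos module before PAM_UNIX while accounts come from NIS or LDAP. The module file names, control flags and options in the samples are assumptions, not values taken from the paper.

```python
# Constructed sample /etc/pam.conf: the weak setup the text warns about. NIS
# supplies the account data, but login still authenticates locally via PAM_UNIX.
PAM_CONF_WEAK = """\
login   auth     required  /usr/lib/security/libpam_unix.1
login   account  required  /usr/lib/security/libpam_unix.1
"""
# Constructed sample: the integrated setup. Kerberos is consulted first and
# PAM_UNIX stays as a local fallback (module file names are an assumption).
PAM_CONF_KRB = """\
login   auth     sufficient  /usr/lib/security/libpam_krb5.1
login   auth     required    /usr/lib/security/libpam_unix.1  try_first_pass
login   account  required    /usr/lib/security/libpam_unix.1
"""
# Constructed sample /etc/nsswitch.conf: accounts come from files, then NIS.
NSSWITCH = "passwd: files nis\ngroup: files nis\n"

def parse_pam_conf(text):
    """Return (service, type, control, module basename, options) per entry."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()          # drop comments and blanks
        if not f:
            continue
        if len(f) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append((f[0], f[1], f[2], f[3].rsplit("/", 1)[-1], f[4:]))
    return entries

def parse_nsswitch(text):
    """Return {database: [source, ...]} from an nsswitch.conf body."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            table[db.strip()] = sources.split()
    return table

def common_auth_ok(pam_text, nss_text, service="login"):
    """True when passwd comes from a network store (nis or ldap) and the
    Kerberos module sits before PAM_UNIX in the auth stack for <service>."""
    stack = [e[3] for e in parse_pam_conf(pam_text)
             if e[0] == service and e[1] == "auth"]
    sources = parse_nsswitch(nss_text).get("passwd", [])
    krb = [i for i, m in enumerate(stack) if "krb5" in m]
    unix = [i for i, m in enumerate(stack) if "pam_unix" in m]
    network = any(s in ("nis", "ldap") for s in sources)
    return network and bool(krb) and (not unix or krb[0] < unix[0])
```

Run against the real files on an HP-UX host by reading them into pam_text and nss_text; a False result for the login service means users are still being authenticated locally rather than by the Windows 2000 KDC.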