HP UX LDAP-UX Integration Software Manage account and password policies, Password expiration

Manage account and password policies

One benefit of the integration is a single point of account management: you can manage and enforce account and password policies from Active Directory. The Active Directory Users and Computers tool lets you set account options, account expiration, and so on. Those policies take effect whether a user logs into Windows 2000 or the HP-UX machine.

Known problems and limitations

Slow performance on object enumeration

If you need to enumerate directory objects via getpwent() or getgrent() and you have a large database in Active Directory (for example, more than 5,000 objects), you may experience slow performance depending on the hardware model of your PC. Some HP-UX commands (e.g. finger, groups, newgrp) whose implementations depend on getgrent() may also show this performance degradation.

Password expiration

When a user’s password expires, Windows 2000 prompts for a new password, then allows the user to log in using the new password. But if the user logs into HP-UX before changing the password in Windows 2000, the user is not prompted for a new password and cannot log in. The Windows 2000 administrator has to reset the user’s password, or the user has to log into a Windows 2000 client to set a new password, before the user can log into HP-UX machines.

User forced to change password

If the account option “User must change password at next logon” is set, the user cannot log into HP-UX machines even though the password is still valid.

User name length

HP-UX 11.x limits the length of a user name to 8 characters or less; Windows 2000 has no such limitation. So, if a user is to be added for HP-UX or for both platforms, you cannot set the field “User logon name” to a value longer than 8 characters.
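The following audit is an added example, not part of the HP white paper: it flags accounts that would hit the password expiration, forced password change, or user name length limitations described above. It assumes the accounts were exported from Active Directory with the `pwdLastSet` and `userAccountControl` attributes; the `logon_name` key, the `max_pwd_age_days` parameter, and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag
MAX_HPUX_NAME = 8               # HP-UX 11.x limit stated in the text

def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def hpux_login_problems(account, max_pwd_age_days, now):
    """Return the reasons this account could not log into HP-UX."""
    problems = []
    if len(account["logon_name"]) > MAX_HPUX_NAME:
        problems.append("name longer than 8 characters")
    pwd_last_set = int(account["pwdLastSet"])
    if pwd_last_set == 0:
        # AD stores 0 when "User must change password at next logon" is set.
        problems.append("must change password at next logon")
    elif not int(account["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
        expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_pwd_age_days)
        if expires <= now:
            problems.append("password expired")
    return problems

def audit(accounts, max_pwd_age_days, now):
    """Map each affected logon name to its list of problems."""
    report = {}
    for account in accounts:
        problems = hpux_login_problems(account, max_pwd_age_days, now)
        if problems:
            report[account["logon_name"]] = problems
    return report

def _ft(year, month, day):
    """Build a FILETIME value for the constructed sample records."""
    delta = datetime(year, month, day, tzinfo=timezone.utc) - FILETIME_EPOCH
    return int(delta.total_seconds()) * 10_000_000

NOW = datetime(2001, 6, 1, tzinfo=timezone.utc)  # constructed audit date
SAMPLE = [  # constructed records, not real accounts
    {"logon_name": "alice", "pwdLastSet": _ft(2001, 5, 20), "userAccountControl": 512},
    {"logon_name": "bob", "pwdLastSet": _ft(2001, 1, 1), "userAccountControl": 512},
    {"logon_name": "carol", "pwdLastSet": 0, "userAccountControl": 512},
    {"logon_name": "svcbackup1", "pwdLastSet": _ft(2000, 1, 1), "userAccountControl": 66048},
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE, 42, NOW).items():
        print(f"{name}: {', '.join(problems)}")
```

Running the audit before a password policy change shows which users need to renew their passwords from a Windows 2000 client first.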

End user

Login procedure

The integration is invisible to end users. Whether logging into Windows 2000 or HP-UX, they use the same procedure as they do without integration.

Password change

Users change their passwords as usual, regardless of which platform they log into. If the password is changed from Windows 2000, the new password is also good for logging into HP-UX, and vice versa.

Shell/finger information change

The shell and finger information stored in Active Directory cannot be changed using chsh/chfn. The Windows 2000 system administrator can use the Active Directory Users and Computers tool to change them.
