4 User Authentication

The Internet Express Administration utility lets you set up and manage user authentication with the LDAP Module for System Authentication, which uses an LDAP directory as a central repository of user information for identifying and authenticating individual users.

This chapter describes the following:

Section : Managing the LDAP Module for System Authentication

Section : Overview of the LDAP Client

Managing the LDAP Module for System Authentication

The LDAP Module for System Authentication is a loadable authentication mechanism based on the Tru64 UNIX Security Integration Architecture. It intercepts security-related system calls and extracts the information from an LDAP Directory server. This allows you to use LDAP authentication without making any changes to application source code or recompiling.

The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the information available to users and applications across the network. An LDAP server can be used as a central repository of user information to identify and authenticate individuals. When used in this way, an LDAP server is similar to Network Information Services (NIS), also known as yellow pages. When compared to NIS, an LDAP server offers the following advantages:

An LDAP directory is highly scalable

LDAP directories are dynamically updated, saving administrators time because it is not necessary to rebuild maps and push them onto the network. Also, changes are available virtually immediately.

An LDAP directory database can be used to centralize management of user related information

The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.

You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. The LDAP servers bind to one another and, through standard LDAP operations, propagate changes to the directory.
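As an added illustration of the attribute-level control described above (this fragment is not part of the Internet Express documentation), the following OpenLDAP slapd.conf access-control rules let users change their own login shell and mail address while reserving UID, GID and home directory changes for directory managers. It assumes OpenLDAP slapd as the directory server, the suffix dc=example,dc=com and a manager group cn=dirmgrs,ou=groups,dc=example,dc=com; all three names are assumptions.

```conf
# Added example, not from the Internet Express documentation.
# Assumed: OpenLDAP slapd, suffix dc=example,dc=com, and a directory-manager
# group at cn=dirmgrs,ou=groups,dc=example,dc=com.
# slapd evaluates "access to" directives in order and uses the first one
# whose target matches, so attribute-specific rules must precede the
# catch-all rule for the whole suffix.

# Passwords: a user may change only their own. "auth" lets an unauthenticated
# bind verify a password without being able to read the stored hash.
access to attrs=userPassword
        by self write
        by group.exact="cn=dirmgrs,ou=groups,dc=example,dc=com" write
        by anonymous auth
        by * none

# Noncritical, user-owned attributes (preferred login shell, mail address):
# the owner may update them; everyone else may only read them.
access to attrs=loginShell,mail
        by self write
        by group.exact="cn=dirmgrs,ou=groups,dc=example,dc=com" write
        by * read

# Security-sensitive identity attributes: writable only by directory
# managers. They stay readable because name-service lookups (getpwnam,
# getpwuid) need them.
access to attrs=uid,uidNumber,gidNumber,homeDirectory
        by group.exact="cn=dirmgrs,ou=groups,dc=example,dc=com" write
        by * read

# Catch-all for the rest of the suffix: readable by all, writable by managers.
access to dn.subtree="dc=example,dc=com"
        by group.exact="cn=dirmgrs,ou=groups,dc=example,dc=com" write
        by * read
```

A user bound as their own entry can modify loginShell but receives an insufficient-access error on uidNumber, which is the behaviour the text describes.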

When you install and enable the LDAP Module for System Authentication subset, user and group authentication takes place through an LDAP server. For example, an LDAP server transparently provides authentication information for login (rlogin, ftp, telnet) and mail (POP and IMAP). For users not found in the LDAP directory, authentication will automatically fall back to using the local authentication mechanism (/etc/passwd) and/or NIS, if it is configured.

When the LDAP Module for System Authentication is installed on your system, the Administration utility for Internet Express provides the following capabilities:

You can configure the LDAP Module for System Authentication and test changes to the configuration (see Section : Configuring the LDAP Module for System Authentication)

When you create any user account (captive or noncaptive, named or generic), you can elect to have the account information stored in an LDAP database (if you are using an LDAP directory server in your environment)

You can enable and disable the LDAP Module for System Authentication to authenticate users through LDAP or through traditional UNIX methods, respectively
