HP-UX AAA Server A.07.01 Administrator’s Guide: HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 > Chapter 8 Configuring Realms

Configuring Realms for Authentication using an External Server

This section discusses how to configure realms for authentication using Database Access via SQL, Lightweight Directory Access Protocol (LDAP), the Oracle authentication module, and a SecurID/ACE server.

Configuring Realms for Database Access via SQL

A realm can be configured for Database Access via SQL only after setting up the HP-UX AAA Server to connect to the database and configuring the connection parameters and SQL actions in sqlaccess.config. See Chapter 18: “SQL Access” for details on setting up the HP-UX AAA Server for SQL Access.

Perform the following steps to configure the realm for Database Access via SQL.

  1. From the navigation tree, click Local Realms.

  2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.

  3. In the Name field, enter the name of the realm for which the user profiles are stored in a database and accessed using the SQL Access feature.

    The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name. This enables the user@realm syntax to resemble the e-mail address for all the users in the domain.

  4. In the User Profile Storage field, select Database Access via SQL.

    The user storage parameters for Database Access via SQL are displayed as shown in Figure 8-4.

    Figure 8-4 User Storage Parameters for Database Access via SQL

  5. In the User Storage Parameters Field, select one of the following options:

    • RADIUS Attribute: Specify the RADIUS attribute in the <vendorID>:<attribute> format. This RADIUS attribute must contain the SQL action used for authentication. If vendorID is not specified, the value 0, which corresponds to a standard RADIUS attribute, is used.

      NOTE: The <vendorID> component must be a value that is defined in the vendors file and the <attribute> component must be a value that is defined in the dictionary file.
    • SQL Action Id: Select the SQL action from the drop-down list.

    IMPORTANT: Ensure that the appropriate SQL action is selected from the drop-down list. Selecting an incorrect SQL action can result in an authentication failure or unintentional changes to the database records.
  6. Complete any remaining optional fields as necessary for your configuration.

  7. Click Create. If the realm is successfully created, the Local Realms screen will list the new realm.

  8. From the navigation tree, click Save Configuration.

    If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.

Configuring Realms for LDAP

This section discusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See Chapter 17: “LDAP Authentication” for information on setting up an LDAP server.

To configure each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm.

Complete the following steps to configure realms for LDAP:

  1. From the navigation tree, click Local Realms.

  2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.

  3. In the Name field, enter the name of the realm to map to the defined LDAP location. This name does not have to be a DNS host name. However, HP recommends that the realm name corresponds with the domain name. This way, the user recognizes the user@realm syntax, which resembles their e-mail address.

  4. In the User Authentication Field, select the authentication methods to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Enable RADIUS Standard. For all other methods, select Enable EAP and choose at least one EAP method from the drop-down list.

  5. In the User Profile Storage field, select LDAP.

    The user storage parameters for LDAP appear when you select LDAP from the User Profile Storage drop-down list. These parameters identify a section of the directory tree on one or more LDAP servers where the HP-UX AAA software will attempt to retrieve user profiles.

  6. In the User Storage Parameters Field, select New LDAP Directory or the name of an existing LDAP Directory.

  7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 8-3.

    Table 8-3 Values for Configuring Realms for LDAP

    Directory Name

    Start of a directory configuration. Give the directory a name, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes.

    Host

    Name of the host on which the LDAP directory server runs. The value must be a fully qualified DNS name, although an IP address also works. Both IPv4 and IPv6 address formats are supported, and the HP-UX AAA Server can resolve DNS names to IPv4 and IPv6 addresses.

    Enter an IPv4 address in dotted-quad notation and an IPv6 address in IPv6 literal notation. For example:

    IPv4 address: 192.0.2.0

    IPv6 address: fedc:ba98:7654:3210:fedc:ba98:7654:3210

    Port (Optional)

    Port number on which the directory server is listening. The default value is 389.

    Use SSL

    Enables or disables SSL connections between the HP-UX AAA Server and the LDAP directory. If you enable SSL, you must specify the path or fully qualified file name of the server's CA certificate in the Server Properties -> ProLDAP Properties window.

    Administrator

    Special user ID used when an authenticated search is allowed on the LDAP directory server. This administrator does not need to be a real administrator of the LDAP directory server, but must have read access to all the users (and their passwords). This is the ID the AAA server authenticates as when it binds to the directory.

    Password

    Password that the Administrator uses to bind (authenticate) to the LDAP directory server.

    Search Base

    Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base is a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp, c=US represents a search for one of the users in the following tree:

                    c=US
                      |
                    o=hp
       _______________|_______________
       |         |         |         |
    uid=Joe   uid=Bob   uid=Dawn  uid=Maria

    The A-V pairs used depend on the schema of your particular directory server.

    NOTE: It is more efficient to start your search lower in the directory structure rather than higher. HP recommends that you eliminate spaces between Search Base components (for example, use ou=abc,o=cde,c=us instead of ou=abc,o=cde, c=us).

    Filter

    The Filter flag allows authentication to be based either on the LDAP uid attribute, which is normally of CIS (case-ignore string) syntax, or on the AAA Server User-Id attribute, which is normally BIN (binary). User-Id is an AAA Server-specific RADIUS attribute. This optional flag defaults to uid.

    IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id, or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.

    Authentication Type

    • AUTO performs a search as the configured Administrator (or anonymously if no administrator is configured), expecting the password to be in the result; if the password is not returned, it binds as the user instead. This mode makes the AAA server flexible in accommodating different LDAP directories. If the directories are configured to return passwords with search results, AUTO is equivalent to SEARCH.

    • BIND binds as the user for authentication.

    • SEARCH performs a search as the configured Administrator and expects the user's password in the search result.

  8. In the LDAP screen, click Save.

  9. Repeat steps 6 and 7 for each redundant directory you wish to use for failover.

  10. Complete any remaining optional fields as necessary for your configuration.

  11. Click Create.

  12. From the navigation tree, click Save Configuration.

    If you have multiple remote servers you will be prompted to select and confirm which servers you wish to add the entry to.

Modifying a Directory Configuration

Complete the following steps to modify a directory configuration:

  1. On the Local Realms screen, select the name of the directory definition you wish to modify.

  2. Change the values if needed.

  3. Click Modify.

Deleting a Directory Configuration

Complete the following steps to delete a directory configuration:

  1. On the Local Realms screen, select the name of the directory definition you wish to delete.

  2. Click Delete.

Tuning the AAA Server to LDAP Server Connection

The AAA server to LDAP server connection can be modified by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server:

aatv.ProLDAP
{
        Retry-Interval 60
        Retry-Wait 1
        Timeout 60
        TCP-Timeout 3
        Debug 0
}
  • Retry-Interval sets the number of seconds for the AAA server to wait before trying to reconnect to a LDAP directory server when a realm has failover directory servers configured. Default value is 60 seconds.

  • Retry-Wait sets the number of seconds that the AAA server will wait before attempting to connect to the same failover LDAP server. When all failover directory servers configured for a realm are down, the AAA server will try to reconnect to one every time an access request is received. In that situation, this parameter guarantees that the software does not spend too much time in trying to reconnect those directory servers. Default value is 1 second.

  • Timeout sets the number of seconds that an LDAP connection remains open when the AAA server has not been able to perform any successful LDAP operation over it. This parameter allows better handling of the situation where the LDAP directory times out client connections.

  • TCP-Timeout sets the number of seconds that the AAA server will wait for an LDAP server when trying to establish the Transmission Control Protocol (TCP) connection.

  • Debug determines whether OpenLDAP debug messages should be written to the AAA server radius.debug file. A value of 0 disables writing these messages; a value of -1 enables writing these messages. The syntax of this property follows a block syntax that is different from the other aaa.config variables.

Configuring Realms for Oracle

This section discusses how to configure realms for Oracle authentication. These realms can be configured only after setting up the Oracle database server. See Chapter 19: “Oracle Authentication (Supported Using SQL Access)” for more information on setting up the Oracle database server for Oracle authentication.

To authenticate users stored in an Oracle database, you must configure the AAA server, run the db_srv daemon on each Oracle host machine, and configure one or more Oracle databases with user information according to your requirements. See “Configuring the Oracle Database ” for information on how to configure your Oracle database.

Configuring the HP-UX AAA Server Using Server Manager

For each realm using Oracle authentication, you must specify the Oracle server.

Complete the following steps to configure the HP-UX AAA Server Manager for Oracle authentication:

  1. From the navigation tree, click Local Realms to open the Local Realms screen.

  2. Click the New Realm link to open the Realm Attributes screen.

  3. In the Name field, enter the name of the realm. This name does not have to be a DNS host name. However, HP recommends that the realm name corresponds with the domain name. This way, the user recognizes the user@realm syntax that resembles their e-mail address.

  4. In the User Profile Storage field, select Oracle.

    When you select Oracle from the User Profile Storage drop-down list, a drop-down list appears in the User Storage Parameters section of the form. This drop-down list allows you to create and modify Oracle configurations for the realm.

  5. In the User Storage Parameters drop-down list, select New Oracle Server, or the name of an existing Oracle server.

  6. Complete the Oracle Server screen (shown in Figure 8-5) that appears by specifying the host name or IP address of the Oracle server (the host running the db_srv daemon), followed by the port number that it uses.

    Figure 8-5 New Oracle Server Screen

    You can list an unlimited number of Oracle servers. However, the number of servers you configure should be appropriate for the number of requests received and the performance of the machines. Each listed server must have a unique DNS name and port.

  7. Repeat steps 6 and 7 for each redundant Oracle server you wish to use.

    NOTE: AAA authentication automatically performs load balancing and failover in a round-robin fashion across all servers listed for a realm. You cannot configure the functioning of these features.

  8. On the Oracle Server screen, click Save.

  9. Complete any of the remaining optional fields as necessary for your configuration.

  10. Click Create.

  11. Repeat these steps as necessary for your configuration.

  12. From the navigation tree, click Save Configuration.

    CAUTION: Clicking Save saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.

To Configure and Run the db_srv Daemon

The db_srv daemon is the client that interfaces with the Oracle database and the HP-UX AAA servers. You must run a daemon for each Oracle database you wish to access (but only one db_srv for all AAA connections, since db_srv will fork a child process for each AAA server). The AAA server automatically performs load balancing and failover across multiple databases.

You should run the daemon by executing the /opt/aaa/bin/start_db_srv.sh script. Before running the script, you must edit the script's configuration file, /etc/opt/aaa/db_srv.opt, as follows:

#! /bin/sh
#########################################################
# WARNING:
# For security purposes, this file should be readable,
# writable and executable only by the aaa owner
# or group aaa (Permission 660)
#########################################################
#########################################################
# You will need to set the following Oracle environment
# variables according to your Oracle configuration.
#########################################################
ORACLE_HOME=<Oracle Home directory>
SHLIB_PATH=$SHLIB_PATH:$ORACLE_HOME/lib

DB_SRV_PORT=<db_srv port number>
DB_SRV_ORA_UID=<Oracle username>
DB_SRV_ORA_PWD=<Oracle password>
DB_SRV_ORA_SID=<Oracle SID>
export DB_SRV_PORT DB_SRV_ORA_UID DB_SRV_ORA_PWD DB_SRV_ORA_SID
export ORACLE_HOME SHLIB_PATH

The variables in this file are:

DB_SRV_PORT=port

Port number on which db_srv listens for incoming authentication requests from the remote AAA server. Any available port number can be used; however, port numbers greater than 4000 are typically used, since port numbers for standard services are usually less than 4000. If multiple db_srv daemons are running on the same machine, each daemon must listen on a different port.

DB_SRV_ORA_UID=userid

Oracle user name used to access the database.

DB_SRV_ORA_PWD=password

Oracle password used to access the database.

DB_SRV_ORA_SID=dbid

Oracle ID for the database to connect to when more than one database exists on the machine. If the parameter is omitted, the daemon connects to the default database, which is defined during database installation.

ORACLE_HOME=path

Directory where Oracle database was installed.

To enable debug logging for troubleshooting purposes, modify the following line in /opt/aaa/bin/start_db_srv.sh:

/opt/aaa/bin/db_srv

to:

/opt/aaa/bin/db_srv -x

CAUTION: The configuration script /etc/opt/aaa/db_srv.opt contains information that can be used to gain access to the Oracle database. Read access rights must therefore be limited.

Scripts to Start and Stop the HP-UX AAA Server Oracle Daemon

Two scripts are provided to start and stop the HP-UX AAA Server Oracle client daemon. Before executing start_db_srv.sh, the environment variables in the configuration script /etc/opt/aaa/db_srv.opt need to be edited.

/opt/aaa/bin/start_db_srv.sh [-f clscript]
/opt/aaa/bin/stop_db_srv.sh [-p pid] 

Table 8-4 Options

-f clscript

File that defines the Oracle user and database identity for db_srv. If omitted, the default file is /etc/opt/aaa/db_srv.opt.

-p pid

Specifies a specific db_srv process to terminate. If omitted, all db_srv processes are selected.

NOTE: If db_srv.opt is not installed in the default location, you can use the -f path command line option when running the start_db_srv.sh script, where path is the location of the configuration file.
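The guide requires db_srv.opt to be readable only by the aaa owner or group and to have its placeholder values replaced before start_db_srv.sh is run. The POSIX sh pre-flight check below is an added example, not a script shipped with the HP-UX AAA Server; the function names, the default owner aaa, and the sample file contents are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the db_srv configuration file before start_db_srv.sh
# is run. Added example for this guide, not part of the HP-UX AAA Server.
# It verifies what the guide says about /etc/opt/aaa/db_srv.opt: no access
# for "other" (mode 660), the expected owner, and no <placeholder> values
# left over from the template.

# Columns 8-10 of the ls -l mode string are the "other" bits; all must be "-".
# ls is used instead of stat so the check also works in HP-UX sh.
dbsrv_opt_mode_ok() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Owner (column 3 of ls -l) must be the service account, "aaa" by default.
dbsrv_opt_owner_ok() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "${2:-aaa}" ]
}

# Each variable the guide requires must have a value that is neither empty
# nor still wrapped in the template's <...> brackets.
dbsrv_opt_vars_ok() {
    for var in ORACLE_HOME DB_SRV_PORT DB_SRV_ORA_UID DB_SRV_ORA_PWD; do
        val=$(sed -n "s/^${var}=\(.*\)/\1/p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//')
        case "$val" in
            ''|"<"*) return 1 ;;
        esac
    done
    return 0
}

# DB_SRV_PORT must be a plain TCP port number.
dbsrv_opt_port_ok() {
    port=$(sed -n 's/^DB_SRV_PORT=\(.*\)/\1/p' "$1" | tail -n 1 | sed 's/[[:space:]]*$//')
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Run all checks and report the first failure on stderr. $1 is the file
# (default: the guide's path); $2 overrides the expected owner.
dbsrv_opt_check() {
    f=${1:-/etc/opt/aaa/db_srv.opt}
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    dbsrv_opt_mode_ok "$f" || { echo "$f: accessible by others, expected mode 660" >&2; return 1; }
    dbsrv_opt_owner_ok "$f" "$2" || { echo "$f: not owned by ${2:-aaa}" >&2; return 1; }
    dbsrv_opt_vars_ok "$f" || { echo "$f: unset or <placeholder> variable" >&2; return 1; }
    dbsrv_opt_port_ok "$f" || { echo "$f: DB_SRV_PORT is not a valid port" >&2; return 1; }
    return 0
}

# Usage from the aaa account: dbsrv_opt_check && /opt/aaa/bin/start_db_srv.sh
if [ "$#" -gt 0 ]; then
    dbsrv_opt_check "$@"
fi
```

When db_srv.opt lives elsewhere, pass that path as the first argument, matching the -f option of start_db_srv.sh.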

Configuring a SecurID Realm

For each realm using SecurID, you must associate the realm name with the ACE/Server that will perform the authentication.

To create a SecurID realm with Server Manager, complete the following steps:

  1. From the navigation tree, click Local Realms.

  2. In the Local Realms screen that appears, click the New Local Realm link. The Realm Attributes screen appears.

  3. In the Name field, enter the name of the realm to map to the defined SecurID location.

  4. From the Realm Type drop-down list, select Authentication.

  5. From the User Storage Parameters field, select SecurID/ACE server.

    The Password Authentication option is preselected because only PAP authentication is supported with the SecurID authentication type.

  6. Complete any of the remaining optional fields as necessary for your configuration.

  7. Click Create.

  8. Repeat these steps as many times as necessary for your configuration.

  9. From the navigation tree, click Save Configuration.

    CAUTION: Save Configuration will save the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.