Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)

4 User Authentication
The Internet Express Administration utility lets you set up and manage user authentication with
the LDAP Module for System Authentication, which uses an LDAP directory as a central repository
of user information for identifying and authenticating individual users.
This chapter describes the following:
Section 4.1: Managing the LDAP Module for System Authentication
Section 4.6: Overview of the LDAP Client
4.1 Managing the LDAP Module for System Authentication
The LDAP Module for System Authentication is a loadable authentication mechanism based on
the Tru64 UNIX Security Integration Architecture. It intercepts security-related system calls and
extracts the information from an LDAP Directory server. This allows you to use LDAP
authentication without making any changes to application source code or recompiling.
The Lightweight Directory Access Protocol (LDAP) is an Internet standard directory service
protocol that runs over TCP/IP. An LDAP server manages entries in a directory, and makes the
information available to users and applications across the network. An LDAP server can be used
as a central repository of user information to identify and authenticate individuals. When used
in this way, an LDAP server is similar to Network Information Services (NIS), also known as
yellow pages. When compared to NIS, an LDAP server offers the following advantages:
- An LDAP directory is highly scalable.
- LDAP directories are dynamically updated, saving administrators time because it is not necessary to rebuild maps and push them onto the network. Also, changes are available virtually immediately.
- An LDAP directory database can be used to centralize management of user-related information.
- The ability to modify an attribute can be controlled at the attribute level. Users can be allowed to modify noncritical information (such as their preferred login shell or mail forwarding address) on their own. Modifications to more sensitive information (such as UID, GID, or a user's home directory) can be restricted to authorized directory managers only.
- You can set up multiple LDAP servers to make the data in the directory highly available. Through a process called replication, you can ensure that all LDAP servers have identical copies of the directory. The LDAP servers bind to one another and, through standard LDAP commands, propagate changes to the directory.
When you install and enable the LDAP Module for System Authentication subset, user and group
authentication takes place through an LDAP server. For example, an LDAP server transparently
provides authentication information for login (rlogin, ftp, telnet) and mail (POP and IMAP).
For users not found in the LDAP directory, authentication will automatically fall back to using
the local authentication mechanism (/etc/passwd) and/or NIS, if it is configured.
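The lookup order just described, modelled as an added Python example (not Tru64's SIA module or any code from this guide): the directory is consulted first and the local /etc/passwd only for names the directory does not hold. NIS fallback is omitted, and the RFC 2307 attribute names (uidNumber, loginShell, and so on) are an assumption. The last function lists local accounts that an LDAP entry of the same name takes precedence over, a consistency check worth running after enabling the module.

```python
# Constructed model of the lookup order described above (LDAP first, local
# /etc/passwd as fallback). This is added illustration, not Tru64's SIA module,
# and the RFC 2307 attribute names (uidNumber, loginShell, ...) are an assumption.
from typing import Optional

# Constructed directory entries: DN -> attributes, as a stand-in for an LDAP search.
LDAP_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": "alice", "uidNumber": "2001", "gidNumber": "100",
        "homeDirectory": "/home/alice", "loginShell": "/bin/ksh"},
}

# Constructed /etc/passwd: root is local only; alice also has a stale local copy.
LOCAL_PASSWD = """\
root:x:0:1:System Administrator:/:/bin/sh
alice:x:3001:100:stale local copy:/home/alice:/bin/sh
bob:x:2002:100:Bob:/home/bob:/bin/csh
"""

def lookup_ldap(name: str, directory=LDAP_DIRECTORY) -> Optional[dict]:
    """Return the passwd-style fields of the directory entry whose uid matches."""
    for attrs in directory.values():
        if attrs.get("uid") == name:
            return {"name": name, "uid": int(attrs["uidNumber"]),
                    "gid": int(attrs["gidNumber"]), "home": attrs["homeDirectory"],
                    "shell": attrs["loginShell"], "source": "ldap"}
    return None

def lookup_local(name: str, passwd_text=LOCAL_PASSWD) -> Optional[dict]:
    """Parse /etc/passwd lines (7 colon-separated fields) for a matching name."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] == name:
            return {"name": name, "uid": int(f[2]), "gid": int(f[3]),
                    "home": f[5], "shell": f[6], "source": "local"}
    return None

def getpwnam(name: str) -> Optional[dict]:
    """Resolve in the order the module uses: LDAP first, then local files."""
    return lookup_ldap(name) or lookup_local(name)

def shadowed_local_names(directory=LDAP_DIRECTORY, passwd_text=LOCAL_PASSWD) -> list:
    """Local accounts whose name also exists in LDAP: the LDAP entry wins at
    lookup time, so these overlaps are worth auditing after enabling the module."""
    ldap_names = {a.get("uid") for a in directory.values()}
    local = [l.split(":")[0] for l in passwd_text.splitlines() if l]
    return sorted(n for n in local if n in ldap_names)
```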
When the LDAP Module for System Authentication is installed on your system, the Administration
utility for Internet Express provides the following capabilities:
- You can configure the LDAP Module for System Authentication and test changes to the configuration (see Section 4.2: Configuring the LDAP Module for System Authentication).
- When you create any user account (captive or noncaptive, named or generic), you can elect to have the account information stored in an LDAP database (if you are using an LDAP directory server in your environment).
- You can enable and disable the LDAP Module for System Authentication to authenticate users through LDAP or through traditional UNIX methods, respectively.
Chapter 11 describes how to administer Internet Express-provided Directory servers.