This section discusses how to configure realms for authentication using Database Access via SQL, Lightweight Directory Access Protocol (LDAP), the Oracle authentication module, and a SecurID/ACE server.

Configuring Realms for Database Access via SQL

A realm can be configured for Database Access via SQL only after setting up the HP-UX AAA Server to connect to the database and configuring the connection parameters and SQL actions in sqlaccess.config. See Chapter 17 “SQL Access” for details on setting up the HP-UX AAA Server for SQL Access. Perform the following steps to configure the realm for Database Access via SQL:

1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm whose user profiles are stored in a database and accessed using the SQL Access feature. The name does not have to be a DNS host name. However, HP recommends that you set the realm name to correspond with the domain name, so that the user@realm syntax resembles the e-mail address of every user in the domain.
4. In the User Profile Storage field, select Database Access via SQL. The user storage parameters for Database Access via SQL are displayed.
5. In the User Storage Parameters field, set SQL Action Id by selecting the SQL action from the drop-down list.

   IMPORTANT: Ensure that the appropriate SQL action is selected from the drop-down list. Selecting an incorrect SQL action can result in an authentication failure or unintentional changes to the database records.

6. Complete any remaining optional fields as necessary for your configuration.
7. Click Create. If the realm is successfully created, the Local Realms screen lists the new realm.
8. From the navigation tree, click Save Configuration. If you have multiple remote servers, you will be prompted to select and confirm the servers where the realm configuration will be applied.
Configuring Realms for LDAP

This section discusses how to configure realms for Lightweight Directory Access Protocol (LDAP). These realms can be configured only after setting up the LDAP server. See Chapter 16 “LDAP Authentication” for information on setting up an LDAP server. For each realm using LDAP, you must specify the directory server, search base, and other parameters necessary to find profiles for the users in the realm. Complete the following steps to configure realms for LDAP:

1. From the navigation tree, click Local Realms.
2. On the Local Realms screen, click New Local Realm to open the Local Realm Attributes screen.
3. In the Name field, enter the name of the realm to map to the defined LDAP location. This name does not have to be a DNS host name. However, HP recommends that the realm name corresponds with the domain name, so that users recognize the user@realm syntax, which resembles their e-mail address.
4. In the User Authentication field, select the authentication methods used to authenticate users for the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, select Enable RADIUS Standard. For all other methods, select Enable EAP and choose at least one EAP method from the drop-down list.
5. In the User Profile Storage field, select LDAP. The user storage parameters for LDAP appear when you select LDAP from the User Profile Storage drop-down list. These parameters identify a section of the directory tree on one or more LDAP servers from which the HP-UX AAA software will attempt to retrieve user profiles.
6. In the User Storage Parameters field, enter the Policy-Pointer, and select the Filter Type and the LDAP Directory Window.
   Policy-Pointer - Enter the Distinguished Name (DN) that the HP-UX AAA software uses to locate the policy object in the configured directories. A policy may be assigned with a policy pointer so that it applies to every incoming request for users in this realm. This field is required only if you are implementing policy stored on an LDAP server. See “Authentication with LDAP” for more information on policy.
   Filter-Type - Check the CIS or BIN check box to make the HP-UX AAA software treat the user id either as BIN (binary, case-sensitive) or as CIS (case-insensitive). When CIS is used, the user id is normalized by converting all characters to upper case before the LDAP search operation is issued. An NAI (RFC 2486) conformance check rejects any user whose id contains characters not permitted by RFC 2486.
   LDAP Directory Window - Select New LDAP Directory or the name of an existing LDAP Directory.
7. In the LDAP screen that appears, configure the LDAP directory using the information described in Table 8-3 “Values for Configuring Realms for LDAP”, then click Save.
8. Repeat steps 6 and 7 (selecting New LDAP Directory in the LDAP Directory Window) for each redundant directory you wish to use for failover.
9. Complete any remaining optional fields as necessary for your configuration.
10. Click Create.
11. From the navigation tree, click Save Configuration. If you have multiple remote servers, you will be prompted to select and confirm the servers to which you wish to add the entry.

Table 8-3 Values for Configuring Realms for LDAP

Directory Name - Start of a directory configuration. Give the directory a name, which can be an arbitrary string. If the name contains spaces or tabs, the string must be enclosed in single or double quotes.

Host - Name of the host on which the LDAP directory server runs. The value should be a fully qualified DNS name, although an IP address also works. Both IPv4 and IPv6 address formats are supported; the HP-UX AAA Server resolves DNS names to IPv4 and IPv6 addresses. Enter an IPv4 address in dotted-quad notation and an IPv6 address in IPv6 literal format. For example:
    IPv4 address: 192.0.2.0
    IPv6 address: fedc:ba98:7654:3210:fedc:ba98:7654:3210

Port (Optional) - Port number on which the directory server is listening. The default value is 389.

Administrator - Special user ID used when an authenticated search is allowed on the LDAP directory server. This administrator does not need to be a real administrator of the LDAP directory server, but must have read access to all the users (and their passwords) that are to be authenticated by the AAA server.

Password - Password with which the Administrator binds (authenticates) to the LDAP directory server.

Search Base - Pointer into the directory where the search for users in a realm starts. Specifying a search base improves server performance by limiting the scope of search operations on user information for a particular realm. A search base is a list of A-V pairs that trace a path from a location in the directory's schema to the top of the directory. For example, a search base of o=hp, c=US represents a search for one of the users in the following tree:

    c=US
     |
    o=hp
     |
     +-- uid=Joe
     +-- uid=Bob
     +-- uid=Dawn
     +-- uid=Maria

The A-V pairs used depend on the schema of your particular directory server.

NOTE: It is more efficient to start your search lower in the directory structure rather than higher. HP recommends that you eliminate spaces between Search Base components (for example, instead of ou=abc, o=cde, c=us, use ou=abc,o=cde,c=us).

Filter - The Filter flag allows authentication to be based either on the LDAP uid attribute, which is normally CIS, or on the AAA Server User-Id attribute, which is normally BIN. User-Id is an HP-UX AAA Server-specific RADIUS attribute. This optional flag defaults to uid.

IMPORTANT: With multiple LDAP directory servers, the Filter used for lookups must be consistent across all directories specified for a particular realm. Potential filters are uid, User-Id, or some other key that uniquely identifies a subject to be authenticated on the system. Currently, the LDAP module does not enforce the use of consistent filters, but using inconsistent filters may produce unpredictable authentication failures.

Authentication Type - One of the following:
    AUTO performs a search as the configured Administrator (or anonymously if no administrator is configured), anticipating that the password is in the result. It binds as the user if the password is not available. This mode makes the AAA server flexible in accommodating LDAP directories. If directories are configured to return passwords with the search, AUTO is equivalent to SEARCH.
    BIND binds as the user for authentication.
    SEARCH performs a search as the configured Administrator and expects the user's password in the search result.
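The following Python example is added here to show what the realm settings above amount to when a user id arrives in an Access-Request; it is not HP-UX AAA Server code and does not reproduce the server's implementation. It models the RFC 2486 NAI conformance check, CIS (upper-case) versus BIN handling of the user id, and the search filter built from the configured Filter attribute (uid or User-Id) under the realm's Search Base. It also adds the caveat a practitioner wants here: the filter value is escaped per RFC 4515, so a character that NAI permits but LDAP treats specially (notably '*') is matched literally rather than widening the search. The NAI grammar is a simplified reading of RFC 2486, and the function names and sample ids are constructed for this example.

```python
"""Added example (not HP-UX AAA Server code): the LDAP search a realm's
Filter-Type, Filter and Search Base settings imply for a RADIUS user id.
The NAI grammar is a simplified reading of RFC 2486; names are constructed."""
import re

# RFC 2486 <special> (the RFC 822 specials); <c> also excludes control
# characters (0-31, 127) and space.
_NAI_SPECIAL = set('<>()[]\\.,;:@"')
_ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*')


def nai_username_ok(user):
    """True if `user` is an RFC 2486 <username>: <string>s separated by
    single dots, each a run of permitted ASCII or "\\" quoted pairs."""
    i, seg_len = 0, 0
    while i < len(user):
        ch = user[i]
        if ch == '\\':                         # quoted pair: "\" <x>
            if i + 1 >= len(user) or ord(user[i + 1]) > 127:
                return False
            i += 2
            seg_len += 1
            continue
        if ch == '.':                          # <dot-string> separator
            if seg_len == 0:                   # leading dot or ".."
                return False
            seg_len, i = 0, i + 1
            continue
        if ord(ch) <= 32 or ord(ch) >= 127 or ch in _NAI_SPECIAL:
            return False
        i, seg_len = i + 1, seg_len + 1
    return seg_len > 0                         # non-empty, no trailing dot


def normalize_user_id(user, filter_type):
    """Apply the realm's Filter-Type: CIS upper-cases the id before the
    search, BIN leaves it case-sensitive. Non-conformant ids are rejected,
    as the server's NAI check does."""
    if filter_type not in ('CIS', 'BIN'):
        raise ValueError('Filter-Type must be CIS or BIN')
    if not nai_username_ok(user):
        raise ValueError('user id not RFC 2486 conformant: %r' % user)
    return user.upper() if filter_type == 'CIS' else user


def ldap_filter_escape(value):
    """RFC 4515 escaping of an assertion value: '*', '(', ')', '\\' and
    NUL become \\2a, \\28, \\29, \\5c and \\00 so they match literally."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c
                   for c in value)


def build_search(user, filter_attr, search_base, filter_type='CIS'):
    """Return the base and filter handed to the directory for this realm.
    filter_attr is the configured Filter (uid or User-Id); the search
    base is stored without spaces between components, as the guide advises."""
    if not _ATTR_RE.fullmatch(filter_attr):
        raise ValueError('bad Filter attribute: %r' % filter_attr)
    uid = normalize_user_id(user, filter_type)
    return {
        'base': ','.join(p.strip() for p in search_base.split(',')),
        'scope': 'subtree',
        'filter': '(%s=%s)' % (filter_attr, ldap_filter_escape(uid)),
    }


if __name__ == '__main__':
    # Constructed inputs: 'jo*' passes the NAI check but must not become
    # a wildcard; 'joe@hp.com' fails because '@' is an NAI special.
    print(build_search('jo*', 'uid', 'o=hp, c=US', 'BIN'))
    print(build_search('Joe', 'User-Id', 'o=hp,c=US', 'CIS'))
    for bad in ('joe@hp.com', 'joe bloggs', '.joe', 'a..b'):
        print(bad, nai_username_ok(bad))
```

Two points the realm settings alone do not make obvious: with CIS selected, two ids that differ only in case produce the same filter, so the directory entry must be unique under that normalization; and the NAI check does not reject '*', so escaping is what keeps a crafted id from matching an arbitrary entry under the search base.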
Modifying a Directory Configuration

Complete the following steps to modify a directory configuration:

1. On the Local Realms screen, select the name of the directory definition you wish to modify.
2. Change the values as needed.
3. Click Modify.

Deleting a Directory Configuration

Complete the following steps to delete a directory configuration:

1. On the Local Realms screen, select the name of the directory definition you wish to delete.
2. Click Delete.
Tuning the HP-UX AAA Server to LDAP Server Connection

The HP-UX AAA Server to LDAP server connection can be tuned by adding the following entry to /etc/opt/aaa/aaa.config and then stopping and starting the server. This property uses a block syntax that differs from the other aaa.config variables:

    aatv.ProLDAP {
        Retry-Interval 60
        Retry-Wait 1
        Timeout 60
        TCP-Timeout 3
        Debug 0
    }

Retry-Interval - Number of seconds the HP-UX AAA Server waits before trying to reconnect to an LDAP directory server when a realm has failover directory servers configured. The default value is 60 seconds.

Retry-Wait - Number of seconds the HP-UX AAA Server waits before attempting to connect again to the same failover LDAP server. When all failover directory servers configured for a realm are down, the HP-UX AAA Server tries to reconnect to one of them every time an access request is received; this parameter ensures that the software does not spend too much time trying to reconnect to those directory servers. The default value is 1 second.

Timeout - Number of seconds an LDAP connection remains open when the HP-UX AAA Server has not been able to perform any successful LDAP operation on it. This parameter allows better handling of the situation where the LDAP directory times out client connections.

TCP-Timeout - Number of seconds the HP-UX AAA Server waits for an LDAP server when trying to establish the Transmission Control Protocol (TCP) connection.

Debug - Determines whether OpenLDAP debug messages are written to the HP-UX AAA Server radius.debug file. A value of 0 disables these messages; a value of -1 enables them.
Configuring Realms for Oracle

This section discusses how to configure realms for Oracle authentication. These realms can be configured only after setting up the Oracle database server. See Chapter 18 “Oracle Authentication (Deprecated)” for more information on setting up the Oracle database server for Oracle authentication. To authenticate users stored in an Oracle database, you must configure the HP-UX AAA Server, run the db_srv daemon on each Oracle host machine, and configure one or more Oracle databases with user information according to your requirements. See “Configuring the Oracle Database” for information on how to configure your Oracle database.

Configuring the HP-UX AAA Server Using Server Manager

For each realm using Oracle authentication, you must specify the Oracle server. Complete the following steps to configure the HP-UX AAA Server with Server Manager for Oracle authentication:

1. From the navigation tree, click Local Realms to open the Local Realms screen.
2. Click the New Realm link to open the Realm Attributes screen.
3. In the Name field, enter the name of the realm. This name does not have to be a DNS host name. However, HP recommends that the realm name corresponds with the domain name, so that users recognize the user@realm syntax, which resembles their e-mail address.
4. In the User Profile Storage field, select Oracle. When you select Oracle from the User Profile Storage drop-down list, a drop-down list appears in the User Storage Parameters section of the form. This drop-down list allows you to create and modify Oracle configurations for the realm.
5. In the User Storage Parameters drop-down list, select New Oracle Server, or the name of an existing Oracle server.
6. Complete the Oracle Server screen that appears (shown in Figure 8-5 “New Oracle Server Screen”) by specifying the host name or IP address of the Oracle server (the host running the db_srv daemon), followed by the port number that it uses. There is no limit on the number of Oracle servers you can list; choose the number of servers appropriate to the volume of requests received and the performance of the machines. Each listed server must have a unique DNS name and port.
7. On the Oracle Server screen, click Save.
8. Repeat steps 5 through 7 for each redundant Oracle server you wish to use.

   NOTE: AAA authentication automatically performs load balancing and failover in a round-robin fashion across all servers listed for a realm. The behaviour of these features cannot be configured.

9. Complete any of the remaining optional fields as necessary for your configuration.
10. Click Create. Repeat these steps as necessary for your configuration.
11. From the navigation tree, click Save Configuration.

CAUTION: Clicking Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.
To Configure and Run the db_srv Daemon

The db_srv daemon is the client that interfaces between the Oracle database and the HP-UX AAA servers. You must run one daemon for each Oracle database you wish to access (but only one db_srv for all AAA connections, since db_srv forks a child process for each HP-UX AAA Server). The HP-UX AAA Server automatically performs load balancing and failover across multiple databases. Run the daemon by executing the /opt/aaa/bin/start_db_srv.sh script. Before running the script, you must edit the script's configuration file, /etc/opt/aaa/db_srv.opt, as follows:

    #! /bin/sh
    #########################################################
    # WARNING:
    # For security purposes, this file should be readable
    # and writable only by the aaa owner or group aaa
    # (permission 660).
    #########################################################
    #########################################################
    # You will need to set the following Oracle environment
    # variables according to your Oracle configuration.
    #########################################################
    ORACLE_HOME=<Oracle Home directory>
    SHLIB_PATH=$SHLIB_PATH:$ORACLE_HOME/lib
    DB_SRV_PORT=<db_srv port number>
    DB_SRV_ORA_UID=<Oracle username>
    DB_SRV_ORA_PWD=<Oracle password>
    DB_SRV_ORA_SID=<Oracle SID>
    export DB_SRV_PORT DB_SRV_ORA_UID DB_SRV_ORA_PWD DB_SRV_ORA_SID
    export ORACLE_HOME SHLIB_PATH

- DB_SRV_PORT=port
  Port number on which db_srv listens for incoming authentication requests from the remote HP-UX AAA Server. Any available port number can be used; however, port numbers greater than 4000 are typically used, since port numbers for standard services are usually less than 4000. If multiple db_srv daemons are running on the same machine, each daemon must listen on a different port.
- DB_SRV_ORA_UID=userid
  Oracle user name used to access the database.
- DB_SRV_ORA_PWD=password
  Oracle password used to access the database.
- DB_SRV_ORA_SID=dbid
  Oracle ID of the database to connect to when more than one database exists on the machine. If the parameter is omitted, the daemon connects to the default database, which is defined during database installation.
- ORACLE_HOME=path
  Directory where the Oracle database was installed.

To enable debug logging for troubleshooting purposes, in /opt/aaa/bin/start_db_srv.sh, change the line:

    /opt/aaa/bin/db_srv

to:

    /opt/aaa/bin/db_srv -x

CAUTION: The configuration script /etc/opt/aaa/db_srv.opt contains information (the Oracle user name and password) that can be used to gain access to the Oracle database. Read access to it must therefore be limited.
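The following shell script is added here as a pre-flight check to run before start_db_srv.sh; it is not part of HP-UX AAA Server. It assumes the variable names used in the db_srv.opt template above and enforces what the template's own warning and the caution above ask for: the file must not be readable by anyone other than the owner and group, the <...> placeholders must have been replaced, and DB_SRV_PORT must be a usable port number. The function and file names are constructed for this example.

```sh
#!/bin/sh
# Pre-flight check for /etc/opt/aaa/db_srv.opt before running
# /opt/aaa/bin/start_db_srv.sh. Added example, not part of HP-UX AAA
# Server; it assumes the variable names used in the db_srv.opt template
# above and the file mode (660) the template's own warning recommends.
#
# Usage: check_db_srv_opt /etc/opt/aaa/db_srv.opt && /opt/aaa/bin/start_db_srv.sh

check_db_srv_opt() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # The file holds the Oracle user name and password, so "other" must
    # have no access at all (ls -l columns 8-10 are the "other" bits).
    other=$(ls -ld "$file" | cut -c8-10)
    [ "$other" = "---" ] || { echo "world-accessible (other=$other): $file" >&2; return 1; }

    # Every variable db_srv needs must be assigned, and the <...>
    # placeholders from the template must have been replaced.
    for var in ORACLE_HOME DB_SRV_PORT DB_SRV_ORA_UID DB_SRV_ORA_PWD; do
        val=$(sed -n "s/^${var}=//p" "$file" | tail -1)
        case "$val" in
            ""|"<"*">") echo "unset or placeholder: $var" >&2; return 1 ;;
        esac
    done

    # DB_SRV_PORT must be a valid TCP port; the guide suggests > 4000 to
    # stay clear of standard services, so only warn below that.
    port=$(sed -n 's/^DB_SRV_PORT=//p' "$file" | tail -1)
    case "$port" in
        *[!0-9]*) echo "DB_SRV_PORT not numeric: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "DB_SRV_PORT out of range: $port" >&2; return 1; }
    [ "$port" -gt 4000 ] || echo "warning: DB_SRV_PORT $port is in the range normally used by standard services" >&2
    return 0
}

# When run as a script, check the file named on the command line.
if [ $# -gt 0 ]; then
    check_db_srv_opt "$1"
fi
```

The mode check reads the "other" bits from ls -l rather than stat, because HP-UX has no stat(1); a file that passes with mode 660 but is owned by the wrong user or group still leaks the credentials, so confirm ownership (aaa:aaa) separately.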
Configuring a SecurID Realm

For each realm using SecurID, you must associate the realm name with the ACE/Server that will perform the authentication. To create a SecurID realm with Server Manager, complete the following steps:

1. From the navigation tree, click Local Realms.
2. In the Local Realms screen that appears, click the New Local Realm link. The Realm Attributes screen appears.
3. In the Name field, enter the name of the realm to map to the defined SecurID location.
4. From the Realm Type drop-down list, select Authentication.
5. In the User Storage Parameters field, select SecurID/ACE server. The Password Authentication option is preselected because only PAP authentication is supported with the SecurID authentication type.
6. Complete any of the remaining optional fields as necessary for your configuration.
7. Click Create. Repeat these steps as many times as necessary for your configuration.
8. From the navigation tree, click Save Configuration.

CAUTION: Save Configuration saves the entire server configuration (access devices, proxies, local realms, users, and server properties) to the servers you specify.