EPIC CAPTIVE PORTAL & TEXT-BASED USER AUTHENTICATION VIA ACTIVE DIRECTORY
By Hadeer Aburumuh
While the large majority of Epic users access the system via the Hyperspace client,
there are groups of users who require text-based access to Epic, or simply an easy
way to reach multiple Epic environments. These users may be application coordinators,
systems analysts, database administrators, or other specialty job codes that need special access
to the Epic system. The challenge is to make this access simple without adding yet
another username and password. This article therefore covers the configuration steps
needed to give these users an automatic logon to the Epic system in text-based (captive
portal) mode through the UNIX host, using their existing Microsoft Windows Active
Directory (ADS) username and password.
Epic captive logins start out as a regular account in UNIX. Most likely, Epic captive users
are also domain-registered users in ADS, so it is possible to use the same user id and
password in both environments. A simple way to accomplish this is to set up PAM
(Pluggable Authentication Modules) with Kerberos on an HP-UX 11.xx server and authenticate
Epic captive users against ADS. This configuration avoids extending the AD schema and the
complications that could result.
The following four steps explain the process of setting up user authentication via
ADS; they require working knowledge of Microsoft Active Directory and UNIX systems.
All commands to be entered on the system are enclosed in “< >” symbols in the
instructions below:
Step 1
Please refer to HP-UX 11.23 Kerberos Client (krb5client) install and patch requirements
when using Windows 2003 ADS
Step 2
Create a test user in ADS and HP-UX. For example: create the user ‘epicuser’
in both systems. There is no need to enable the “prompt user change password on
logon” and “set password to not expire” settings
Step 3
Backup the /etc/krb5.conf file:
<cp /etc/krb5.conf /etc/krb5.conf.mmddyy >
Then modify the krb5.conf file to point to ADS:
Configuring Kerberos /etc/krb5.conf file:
For example: if the Windows domain is “yourdomain.com” (Kerberos Realm) and the ADS is yoursystem.yourdomain.com then /etc/krb5.conf should look like the following:
# Kerberos configuration
#
# see krb5.conf(4) for more details
#
[libdefaults]
    default_realm = YOURDOMAIN.COM
    # DES types match the Windows 2003 / HP-UX 11.23 pairing this article targets;
    # later Windows releases disable DES by default
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
    ccache_type = 2
[realms]
    # the realm name is case-sensitive and must match default_realm exactly
    YOURDOMAIN.COM = {
        kdc = yoursystem.yourdomain.com:88
        admin_server = yoursystem.yourdomain.com
    }
[domain_realm]
    # map the DNS domain (and its sub-domains) onto the realm name
    .yourdomain.com = YOURDOMAIN.COM
#
# End of krb5.conf
To validate that the Kerberos client libraries and ADS authentication are working, at the
UNIX prompt type:
<kinit epicuser>
The system responds “Password for epicuser@YOURDOMAIN.COM:”; enter the Kerberos (ADS)
password and then execute
<klist -r -f>
The system responds with “Ticket cache: /tmp/krb5cc_0, Default principal: epicuser@YOURDOMAIN.COM”
and other information such as valid starting, expires and service principal.
To delete the credential cache, type:
<kdestroy>
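As an added check that is not part of the original article: the following POSIX shell function uses awk to parse a krb5.conf and report the inconsistencies that most often make kinit fail against ADS, namely a [realms] entry whose name does not match default_realm (realm names are case-sensitive, and an ADS realm is the upper-case DNS domain name), a [domain_realm] mapping that points at a different realm, and a realm with no kdc line. The write_sample_krb5 helper and the files it writes are constructed for the demo and follow the template above; nothing here touches the live /etc/krb5.conf.

```sh
#!/bin/sh
# Added example (not from the article): sanity-check a krb5.conf before
# running kinit. Exit status 0 means the file is internally consistent;
# every problem found is printed and counted in the exit status.
check_krb5_conf() {   # check_krb5_conf FILE
    awk '
        # split "key = value" into the globals key/val
        function kv(line,  f) {
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            split(line, f, /[ \t]*=[ \t]*/)
            key = f[1]; val = f[2]
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                       # comments, blanks
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); cur = ""; next }
        sect == "libdefaults" { kv($0); if (key == "default_realm") realm = val; next }
        sect == "realms" && /=[ \t]*[{]/ { kv($0); rname[++nrealm] = key; cur = key; next }
        sect == "realms" && cur != "" { kv($0); if (key == "kdc") haskdc[cur] = 1; next }
        sect == "domain_realm" { kv($0); dom[++ndom] = key; dval[ndom] = val; next }
        END {
            bad = 0
            if (realm == "") { print "no default_realm in [libdefaults]"; bad++ }
            else if (realm != toupper(realm)) { print "default_realm " realm " is not upper-case; ADS realms are"; bad++ }
            found = 0
            for (i = 1; i <= nrealm; i++) {
                if (rname[i] == realm) found = 1
                if (!(rname[i] in haskdc)) { print "realm " rname[i] " has no kdc line"; bad++ }
            }
            if (!found) { print "no [realms] entry named " realm " (check spelling and case)"; bad++ }
            for (i = 1; i <= ndom; i++)
                if (dval[i] != realm) { print "[domain_realm] " dom[i] " maps to " dval[i] ", expected " realm; bad++ }
            exit bad
        }
    ' "$1"
}

# Constructed sample files for the demo: "consistent" follows the template
# above; "mismatched" has a realm header and domain_realm value that differ
# from default_realm in spelling and case.
write_sample_krb5() {   # write_sample_krb5 consistent|mismatched FILE
    if [ "$1" = consistent ]; then realm_hdr=YOURDOMAIN.COM; map=YOURDOMAIN.COM
    else realm_hdr=Yourdomain.com.org; map=yourdomain.com; fi
    cat > "$2" <<EOF
[libdefaults]
    default_realm = YOURDOMAIN.COM
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5
    ccache_type = 2
[realms]
    $realm_hdr = {
        kdc = yoursystem.yourdomain.com:88
        admin_server = yoursystem.yourdomain.com
    }
[domain_realm]
    .yourdomain.com = $map
EOF
}

# Demo on temporary copies, not the live /etc/krb5.conf:
tmp=$(mktemp)
write_sample_krb5 consistent "$tmp"
check_krb5_conf "$tmp" && echo "consistent sample: OK"
write_sample_krb5 mismatched "$tmp"
check_krb5_conf "$tmp" || echo "mismatched sample rejected (expected)"
rm -f "$tmp"
```

Run it as check_krb5_conf /etc/krb5.conf before the kinit test; a non-zero exit with a printed reason saves a round of guessing when kinit answers with a "cannot find KDC" or "unknown realm" style error.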
Configuring PAM Kerberos: the /etc/pam_user.conf and /etc/pam.conf files
To enable telnet to authenticate using Kerberos through PAM (Pluggable Authentication Modules),
while permitting the root user to bypass Kerberos and ADS authentication:
Backup /etc/pam_user.conf file
<cp /etc/pam_user.conf /etc/pam_user.conf.mm.dd.yy>
add the following 2 lines to /etc/pam_user.conf
<root auth libpam_krb5.so.1 ignore>
<root password libpam_krb5.so.1 ignore>
Backup /etc/pam.conf and /etc/pam.krb5 files
<cp /etc/pam.conf /etc/pam.conf.mmddyy>
<cp /etc/pam.krb5 /etc/pam.krb5.mmddyy>
The /etc/pam.krb5 file serves as a template for /etc/pam.conf. Edit /etc/pam.krb5 so that
Kerberos authentication is bypassed for the “root” user by adding a “required”
“libpam_updbe” line before each “libpam_krb5” line in all “auth” and “password”
services. libpam_updbe applies the per-user overrides listed in “pam_user.conf”, which
is what makes the root “ignore” entries above take effect.
Sample of /etc/pam.conf before change:
login auth required libpam_hpsec.so.1
login auth required libpam_unix.so.1
…………
…………
Sample of /etc/pam.conf after change:
login auth required libpam_hpsec.so.1
login auth required libpam_updbe.so.1
login auth sufficient libpam_krb5.so.1
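As an added check, not part of the original article: a shell function that reads pam.conf and pam_user.conf and reports the two mistakes this step is prone to, a libpam_krb5 line in an auth or password stack that is not preceded by a required libpam_updbe line (so the pam_user.conf "ignore" entries never apply), and a pam_user.conf missing either root "ignore" line (which would send root through ADS and lock the console out whenever the KDC is unreachable). The write_sample_pam and write_sample_pam_user helpers write constructed files modelled on the samples above; the "after" variant keeps the libpam_unix.so.1 line as the local fallback for accounts without a Kerberos principal, which is an assumption about the full template rather than something the listing shows. One caveat on the telnet service named in this step: telnet carries the ADS password across the network in the clear, so where the host runs sshd, making the same edit to the sshd service entries gives the same ADS authentication without exposing the password.

```sh
#!/bin/sh
# Added example (not from the article): verify the PAM edits of this step.
# check_pam_krb5 PAM_CONF PAM_USER_CONF prints each problem and returns the
# number of problems found (0 = the files look right).
check_pam_krb5() {
    bad=0
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        # pam.conf fields: service  type  control  module [options]
        $2 == "auth" || $2 == "password" {
            k = $1 SUBSEP $2                             # one stack per service/type
            if ($3 == "required" && $4 ~ /libpam_updbe/) updbe[k] = 1
            if ($4 ~ /libpam_krb5/) {
                nkrb++
                if (!(k in updbe)) {
                    print "line " NR ": " $1 " " $2 " uses libpam_krb5 with no required libpam_updbe before it"
                    bad++
                }
            }
        }
        END {
            if (nkrb == 0) { print "no libpam_krb5 auth/password lines: Kerberos is not enabled"; bad++ }
            exit bad
        }
    ' "$1" || bad=$?
    # pam_user.conf fields: user  type  module  option
    for t in auth password; do
        awk -v t="$t" '$1 == "root" && $2 == t && $3 ~ /libpam_krb5/ && $4 == "ignore" { ok = 1 }
                       END { exit !ok }' "$2" \
            || { echo "pam_user.conf: missing \"root $t libpam_krb5.so.1 ignore\" (root would be sent through ADS)"; bad=$((bad + 1)); }
    done
    return $bad
}

# Constructed samples modelled on the article's before/after listings.
write_sample_pam() {   # write_sample_pam before|misordered|after FILE
    case $1 in
    before)     printf '%s\n' 'login auth required libpam_hpsec.so.1' \
                              'login auth required libpam_unix.so.1' ;;
    misordered) printf '%s\n' 'login auth required libpam_hpsec.so.1' \
                              'login auth sufficient libpam_krb5.so.1' \
                              'login auth required libpam_updbe.so.1' \
                              'login auth required libpam_unix.so.1 try_first_pass' ;;
    after)      printf '%s\n' 'login auth required libpam_hpsec.so.1' \
                              'login auth required libpam_updbe.so.1' \
                              'login auth sufficient libpam_krb5.so.1' \
                              'login auth required libpam_unix.so.1 try_first_pass' ;;
    esac > "$2"
}
write_sample_pam_user() {   # write_sample_pam_user with|without FILE
    { [ "$1" = with ] && printf '%s\n' 'root auth libpam_krb5.so.1 ignore' \
                                       'root password libpam_krb5.so.1 ignore'; :; } > "$2"
}

# Demo against temporary files, not the live /etc/pam.conf:
d=$(mktemp -d)
write_sample_pam after "$d/pam.conf"; write_sample_pam_user with "$d/pam_user.conf"
check_pam_krb5 "$d/pam.conf" "$d/pam_user.conf" && echo "after-change sample: OK"
write_sample_pam misordered "$d/pam.conf"
check_pam_krb5 "$d/pam.conf" "$d/pam_user.conf" || echo "misordered sample rejected (expected)"
rm -rf "$d"
```

On the host itself, run check_pam_krb5 /etc/pam.conf /etc/pam_user.conf after copying the edited template into place, and keep a root session open on the console until a telnet logon as epicuser and as root have both succeeded.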
Once HP-UX host and ADS authentication has been validated, back up the /etc/passwd
file and add the Epic users to /etc/passwd (put “X” in the password field), add the
users to the epicuser group in the /etc/group file, create home directories for the new users
in /home, and set the ownership and permissions of each home accordingly.
Modify one user's .profile to include the execution of the EpicMenu command for the
captive user (supplied by Epic), then copy the modified .profile to the remaining home
directories using a shell script.
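The home-directory and .profile steps in the last two paragraphs, as an added example rather than the article's or Epic's own script: it reads the members of the captive group from a group file, creates a home for each one that is missing, installs the shared .profile, and tightens permissions. The group file and the home base are arguments so the demo can run against constructed copies instead of the live /etc/group and /home (a hypothetical layout); the sample .profile template is constructed as well, and the EpicMenu command name is taken from the text above.

```sh
#!/bin/sh
# Added example, not the article's or Epic's own script: create a home
# directory for every member of the Epic captive group and install the
# shared, already-edited .profile into each one.

# Print the members of GROUP listed in GROUPFILE, one per line.
group_members() {   # group_members GROUPFILE GROUP
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# provision_homes GROUPFILE GROUP TEMPLATE BASE
# Creates BASE/<user> where missing, (re)installs TEMPLATE as ~/.profile,
# tightens permissions and prints the number of new homes created.
provision_homes() {
    created=0
    for u in $(group_members "$1" "$2"); do
        [ "$u" = root ] && continue                 # root keeps its own profile
        home=$4/$u
        if [ ! -d "$home" ]; then
            mkdir -p "$home" || return 1
            created=$((created + 1))
        fi
        cp "$3" "$home/.profile" || return 1
        chmod 700 "$home" && chmod 644 "$home/.profile"
        # ownership can only be set when run as root (as it would be on the host)
        [ "$(id -u)" -eq 0 ] && chown "$u:$2" "$home" "$home/.profile"
    done
    echo "$created"
}

# Demo on a constructed group file and template (not the live system files):
base=$(mktemp -d)
printf 'epicuser::150:alice,bob,carol\nstaff::20:dave\n' > "$base/group"
cat > "$base/profile.template" <<'EOF'
# captive .profile: ignore break keys, then hand the session to EpicMenu;
# exec means the session ends when the menu exits, so no shell prompt is reachable
trap '' INT QUIT TSTP
exec EpicMenu
EOF
echo "created $(provision_homes "$base/group" epicuser "$base/profile.template" "$base/home") home directories"
ls "$base/home"
rm -rf "$base"
```

Running it a second time creates nothing and only refreshes the .profile copies, so it can be rerun whenever users are added to the group. Using exec in the template (rather than calling EpicMenu and returning) is what keeps the account captive: when the menu exits, the session ends instead of dropping to a shell.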
Finally, please ensure that all users have ADS accounts and provide them with
shortcuts to access the system in this manner.