What is PowerPassword User Management Edition (PPUME)?
PowerPassword User Management Edition is a product
that provides these security and administrative
benefits to enterprises:
How does PPUME create and deploy accounts?
Accounts are created and deployed using Templates
describing the account to be created, the host
(or hosts) which will accept the account, and
additional post-processing definitions (if any).
How does PPUME provide automatic UID/GID synchronization?
PPUME stores the highest user-id and group-id
currently deployed in the enterprise, and creates
all additional accounts above the existing entries,
using identical UID/GIDs. This keeps all accounts
(and subsequently created files) synchronized
across all systems.
Can a particular host (or hosts) override a
deployment request?
Yes. In addition to account templates, host
templates can be created which will override
attempted deployments if desired.
Can PPUME add web server, database, or other
application accounts after an account has been
created for a user?
Yes. PPUME allows the deployed account template
to include post-processing, which can add the
created account to web server, RDBMS, or other
applications.
Can PPUME delete accounts from one, some, or
all systems?
Yes. PPUME can delete the user and group entries
for previously deployed accounts. Additional
post-processing capability can remove further
files, or remove the user from applications
automatically.
Does PPUME provide notification if a deployment
fails on any requested system?
Yes. PPUME provides a transaction-checking utility
that displays current deployment status across
the enterprise.
What other reports are available with PPUME?
There are multiple reports available within
each report class. Additionally, PPUME provides
detailed login reports for all logins attempted
to PPUME systems. These reports include extensive
information regarding the login attempt, including
“who, what, when, and where”.
How does PPUME “keep track” of accounts and
groups?
PPUME uses a database of deployment information,
which can be accessed via the ppreport utility.
Does PPUME provide any Division of Privilege
to keep any administrator from adding, changing,
or deleting accounts on systems they do not
manage?
How large is a PPUME audit log?
Using the previous example (adding 500 groups
and users), the audit consumes ~450k, which
can be archived or purged.
Is the PPUME database required on all UME-enabled
systems?
No. The PPUME database is needed only on the
master.
Does PPUME provide for a “reserved UID/GID”
for later deployment?
Yes. A user account can be created in PPUME's
database only for later deployment. In this
manner, an account can be created with a “reserved
UID/GID.” When this account is deployed at a
future time, the reserved UID/GID can be put
to use then.
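The UID/GID synchronization rule described earlier (track the highest enterprise-wide UID/GID, allocate new accounts above it, deploy with the identical ids everywhere) and the reserved UID/GID feature above, as an added illustration that is not PPUME's own code: the passwd/group excerpts are constructed, and the `Registry` class and its `reserve`/`deploy` methods are assumptions standing in for PPUME's deployment database.

```python
# Added illustration, not PPUME code: the allocation rule the FAQ describes
# (highest enterprise-wide UID/GID, new accounts above it, same ids everywhere)
# plus reserving ids before deployment. Sample passwd/group lines are constructed.

# Constructed /etc/passwd and /etc/group excerpts, keyed by host name.
HOSTS = {
    "web1": ("alice:x:1001:1001::/home/alice:/bin/sh\n", "alice:x:1001:\n"),
    "db1":  ("bob:x:1002:1002::/home/bob:/bin/sh\n",     "bob:x:1002:\n"),
    "app1": ("local:x:1005:1005::/home/local:/bin/sh\n", "local:x:1005:\n"),
}

def parse_ids(text):
    """Map name -> numeric id from passwd or group lines (the id is the third field in both)."""
    ids = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) > 2 and parts[2].isdigit():
            ids[parts[0]] = int(parts[2])
    return ids

class Registry:
    """Stands in for PPUME's deployment database (an assumption, not its real schema)."""
    def __init__(self, hosts):
        # Highest UID and GID currently deployed anywhere in the enterprise.
        self.max_uid = max(max(parse_ids(pw).values()) for pw, _ in hosts.values())
        self.max_gid = max(max(parse_ids(gr).values()) for _, gr in hosts.values())
        self.accounts = {}   # name -> [uid, gid, set of hosts deployed to]

    def reserve(self, name):
        """Create the account in the database only; its UID/GID is reserved, not deployed."""
        if name in self.accounts:
            raise ValueError(f"{name} already exists")
        self.max_uid += 1
        self.max_gid += 1
        self.accounts[name] = [self.max_uid, self.max_gid, set()]
        return self.max_uid, self.max_gid

    def deploy(self, name, host, hosts):
        """Emit the passwd line for a host using the identical UID/GID.

        Refuses if an account added to the host outside PPUME already uses the id,
        which would otherwise silently split file ownership across systems.
        """
        uid, gid, targets = self.accounts[name]
        pw, gr = hosts[host]
        if uid in parse_ids(pw).values() or gid in parse_ids(gr).values():
            raise RuntimeError(f"{host}: uid {uid} or gid {gid} already in local use")
        targets.add(host)
        return f"{name}:x:{uid}:{gid}::/home/{name}:/bin/sh"
```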
Can PPUME recover user accounts that were removed
from a host?
Yes. A user account can be “re-deployed” to
any host so long as the user account exists
in PPUME's database. A user account that is
purged from PPUME's database cannot be recovered.
Does PPUME log user management requests that
change the UNIX/Linux local database files?
Can PPUME create user accounts in an LDAP server?
Yes. PPUME can treat an LDAP server as a PPUME
slave that will receive user deployment messages.
Through the use of post-processing scripts,
a user account can be deployed to an LDAP server's
database and optionally removed from this server's
local UNIX/Linux database files.
Can PPUME export user information to other databases?
Yes. PPUME can generate “comma-separated-value”
records to “csv” files that can then be imported
to other database systems. This can also be
used to export user information to other applications
that can process “csv” files, such as spreadsheets.
Can enterprises migrate from NIS, NIS+, or LDAP
to PPUME?
Yes. PPUME provides a migration toolkit, enabling
enterprises to import accounts and groups into
PPUME.
How large is the PPUME installation?
The installation files are between 18 and 35 MB
compressed. After installation, approximately
30-90 MB of space is used. Additional space
is required for the database and event log files.
What is a PPUME Master?
A PPUME master holds the master password policy,
login policy, import policy, as well as the
master databases used by PPUME. Central logging
also occurs to the PPUME master.
What is the purpose of the PPUME Slaves?
If the PPUME master is down, the slave(s) provide
redundancy to ensure that user logins can proceed.
The slave also functions to load balance authentication
requests. A slave server is also required on
client machines for password propagation.
Is there a PPUME client?
The client part of PPUME refers to the PPUME-enabled
system supporting a login request. There should
not be a “client-only” system, as it would not
provide fault tolerance or load balancing capability.
Is there a PPUME “client-only” installation?
While it is possible to install only the client
software for logging into a PPUME master or
slave, a client-only configuration provides
significantly less functionality, and is identical
in cost. The PPUME slave configuration requires
only a few extra kilobytes, but adds significant
functionality.
What happens if the PPUME Master is down?
No password updates, database updates, or propagation
of database changes or policies can occur on
slaves residing beneath a master that is down.
PPUME slaves ensure that logins can proceed.
Logins using PPUME will authenticate using the
last updated copy of the database and login.policy.
Also, ppadmin requests to update the PPUME password
database are disabled when the master is down.
Does PPUME support SSH logins?
Yes. PPUME currently supports logins from SSH.
SSH Version 3.2 from SSH Communications is required.
OpenSSH 3.4p1 and 3.5p1 through 3.7.1p2 can
be modified to interface with PPUME. See Technical
Bulletin pp022.
Is PPUME compatible with Kerberos?
PPUME does not directly use Kerberos' ticket
granting mechanism. Kerberos can be running
on the machine but PPUME will not be using its
facilities. However, since SSH can work with
both Kerberos and PPUME, a secure solution is
readily available by using SSH.
Does PPUME work with PAM?
PPUME is now PAM-aware. This includes login,
rlogin, rsh and rexec. Other applications that
use PAM will continue to work normally. Since
SSH works with both PAM and PPUME, a secure
solution is readily available by using SSH.
Can PPUME support environments using NIS for
user management?
Yes. PPUME is configurable, and can provide
password security, login access control, and
logging and reporting even when UME’s User Account
Management functions are not deployed in place
of NIS. However, it is recommended that NIS
environments migrate to full PPUME because UME
is much more secure and provides account creation
and deployment capabilities not available in
NIS.
What about NIS+?
See above. PowerPassword provides the same support
for NIS+ environments as for NIS environments.
What about LDAP?
PPUME supports environments using LDAP for authentication.
Using PPUME with User Account Management disabled,
enterprises can still add security using centralized
login access policies.
Does PPUME support referencing systems by the
network they reside on?
Yes. IP addresses can be used in place of machine
or domain names for many configuration settings.
The login policy can make use of remote IP addresses
for ssh, rsh, and rexec login access.
Does PPUME protect data in transmission across
network?
All internal PPUME network communications between
PPUME machines can be encrypted.
How does PPUME's password propagation work?
When a password is changed, the client first
updates its own local password files and/or
NIS. Then, the PPUME client software forwards
the password change request, through any slaves,
to the top-level master. The master then pushes
the password changes back down to all of the
other slaves in the domain. Each slave does
a lookup in its local password files and updates
the user's password. If a slave is down, the
change request is stored on its master until
the slave connects to its master again. Password
propagation applies only to hosts that have
the same username in their local password database.
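The propagation flow just described (client updates its own files first, the master pushes to every slave, a down slave's change is held on the master until it reconnects, and only hosts that carry the username apply the change), as an added model that is not PPUME's own code: the host names, the hash placeholders and the pending-change queue are assumptions, and intermediate slaves between client and master are modelled as simple pass-through.

```python
# Added model, not PPUME code: the password-propagation flow the FAQ describes.
# Host names, hash values and the per-slave queue are constructed assumptions.
from collections import defaultdict

class Host:
    """A PPUME-enabled host with a local password database (user -> hash)."""
    def __init__(self, name, users, up=True):
        self.name, self.users, self.up = name, dict(users), up

    def apply(self, user, new_hash):
        # A host only updates a user that exists in its own local database.
        if user in self.users:
            self.users[user] = new_hash
            return True
        return False

class Master(Host):
    def __init__(self, name, users, slaves):
        super().__init__(name, users)
        self.slaves = slaves
        self.pending = defaultdict(list)   # slave name -> changes held while it is down

    def push(self, user, new_hash):
        """Apply the change locally, then push it to every slave in the domain."""
        self.apply(user, new_hash)
        for s in self.slaves:
            if s.up:
                s.apply(user, new_hash)
            else:
                self.pending[s.name].append((user, new_hash))

    def reconnect(self, slave):
        """When a slave reconnects, replay the changes stored for it."""
        slave.up = True
        for user, new_hash in self.pending.pop(slave.name, []):
            slave.apply(user, new_hash)

def change_password(client, master, user, new_hash):
    """Client updates its own files first, then forwards the request to the master."""
    if not client.apply(user, new_hash):
        raise KeyError(f"{user} is not in {client.name}'s local database")
    master.push(user, new_hash)

def demo():
    # Constructed topology: one master, three slaves; slave2 starts out down
    # and slave3 has no account for alice, so it must be left untouched.
    s1 = Host("slave1", {"alice": "h0", "bob": "h0"})
    s2 = Host("slave2", {"alice": "h0"}, up=False)
    s3 = Host("slave3", {"bob": "h0"})
    m = Master("master", {"alice": "h0", "bob": "h0"}, [s1, s2, s3])
    change_password(s1, m, "alice", "h1")
    before = {h.name: h.users.get("alice") for h in (m, s1, s2, s3)}
    m.reconnect(s2)
    after = {h.name: h.users.get("alice") for h in (m, s1, s2, s3)}
    return before, after
```

Until `reconnect` runs, slave2 still authenticates alice against the old hash, which is exactly the window the FAQ's "stored on its master" behaviour covers.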
How does PPUME display events/actions that have
taken place?
Detected errors or unusual conditions are logged
via syslog and to a 'ppclient.log' (for clients)
and 'ppserv.log' (for servers) file. The location
and use of these mechanisms is configurable.
PPUME also records an 'eventlog' on the master
which records login attempts and rejects. This
eventlog can be processed with a supplied utility
(pplog), which outputs plain text to standard
output. This output can be further processed
or printed as desired. Also, some events can
generate SMTP (i.e., email) messages. These messages
are sent as the event occurs.
Which system binaries will be replaced or modified?
/bin/login will be replaced by /bin/pplogin.
Whenever PPUME has to replace existing system
files, it creates a directory called ORIG in
the directory where the file to be replaced
exists, and then moves the original version
of the file to the ORIG directory before replacing
it with the PPUME version. A few Unix files
are modified; /etc/inittab, /etc/inetd.conf
(or /etc/xinetd.conf), and some xdm/cde files.
For more information, see Technical Bulletin
pp002.
(A list of error codes is available in the PowerPassword documentation set.)