Share AD/LDAP/Linux Credential with App SSO

Idea ID 2813229


Nowadays, and in most scenarios, network/security devices have both a GUI and a CLI. Especially for firewalls and ADC products, the GUI (WebUI or client app) is the primary way to operate these devices. In order to onboard the GUI access to NETIQ PAM for recording, we need App SSO. But in the NETIQ PAM implementation, there are 2 different credentials for:

  • CLI (Linux/Unix/AD/LDAP)
  • GUI (SSO)

It's good practice to have 2 separate privilege IDs for CLI and GUI, but in most cases, customers only maintain 1 to be used for both CLI and GUI. In either case, I'm seeing the shortcomings of App SSO:

  • 2 separate IDs - We can utilize the script to change the CLI/SSH password, but there is no way to perform password management for the App SSO credential. You have to manually update both PAM and the application password. That defeats the purpose of onboarding those accounts to PAM.
  • Single ID - You don't have the option to select a non-App SSO (like CLI/SSH) credential when defining the rules. If that were supported, then we could utilize the AD/Linux/Unix password, and also reduce the overhead of maintaining another set of credentials for SSO.

By the way, can we have a clone feature for the scripts? I wish I could clone and edit the default script to suit my needs. I'm not a programmer!
