HP-UX Directory Server 8.1 administrator guide

NOTE:
Autobind allows a client to send a request to the Directory Server without supplying a bind
username and password or using another SASL authentication mechanism. According to the LDAP
standard, if bind information is not given with the request, the server processes the request as
an anonymous bind. To be compliant with the standard, which requires some kind of bind
information, any client that uses autobind should send the request with SASL/EXTERNAL.
For more information on configuring SASL, see Chapter 13 “Managing SASL”.
7.5.2 Configuring autobind
Configuring autobind alone allows clients anonymous access to the Directory Server only. Optionally,
Unix users can also be mapped to directory entries, and the Unix root user can be mapped to
Directory Manager.
1. Run ldapmodify to update the Directory Server configuration.
    ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
    dn: cn=config
    changetype: modify
2. Enable autobind.
    replace: nsslapd-ldapiautobind
    nsslapd-ldapiautobind: on
    -
3. To map user entries, add four attributes:
    • nsslapd-ldapimaptoentries, to enable entry mapping
    • nsslapd-ldapiuidnumbertype, to set the Directory Server attribute to map to the Unix UID number
    • nsslapd-ldapigidnumbertype, to set the Directory Server attribute to map to the Unix group ID number
    • nsslapd-ldapientrysearchbase, to set the search base to use to find Directory Server user entries
    add: nsslapd-ldapimaptoentries
    nsslapd-ldapimaptoentries: on
    -
    add: nsslapd-ldapiuidnumbertype
    nsslapd-ldapiuidnumbertype: uidNumber
    -
    add: nsslapd-ldapigidnumbertype
    nsslapd-ldapigidnumbertype: gidNumber
    -
    add: nsslapd-ldapientrysearchbase
    nsslapd-ldapientrysearchbase: ou=people, dc=example, dc=com
    -
4. To map the root entry to Directory Manager, add the nsslapd-ldapimaprootdn attribute:
    add: nsslapd-ldapimaprootdn
    nsslapd-ldapimaprootdn: cn=Directory Manager
    -
5. Restart the server to apply the new configuration.
    /opt/dirsrv/slapd-instance_name/restart-slapd example
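As an added example (not part of the guide), the following script reads the nsslapd-ldapi* attributes of cn=config and reports what they mean for local LDAPI clients: anonymous access when autobind is on without entry mapping, the mapping attributes in use, and whether host root is mapped to Directory Manager. The input format is assumed to be the LDIF that ldapsearch returns for cn=config; the sample entry embedded below is constructed.

```python
# Constructed sample of what `ldapsearch -b cn=config -s base "nsslapd-ldapi*"`
# would return after the procedure above has been applied (not real output).
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
nsslapd-ldapiautobind: on
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: ou=people, dc=example, dc=com
nsslapd-ldapimaprootdn: cn=Directory Manager
"""

MAPPING_ATTRS = ("nsslapd-ldapientrysearchbase", "nsslapd-ldapiuidnumbertype",
                 "nsslapd-ldapigidnumbertype")


def parse_ldif_attrs(ldif):
    """Map lower-cased attribute name -> first value for a single-entry LDIF."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), value.strip())
    return attrs


def audit_autobind(attrs):
    """Return findings describing what the settings mean for LDAPI clients."""
    is_on = lambda key: attrs.get(key, "off").lower() == "on"
    findings = []
    if not is_on("nsslapd-ldapiautobind"):
        return ["autobind off: LDAPI clients must bind explicitly"]
    if not is_on("nsslapd-ldapimaptoentries"):
        # Autobind alone: requests are processed as anonymous binds.
        findings.append("autobind on without entry mapping: local clients get anonymous access")
    else:
        missing = [a for a in MAPPING_ATTRS if a not in attrs]
        if missing:
            findings.append("entry mapping on but incomplete: missing " + ", ".join(missing))
        else:
            findings.append("local users map to entries under %s by %s/%s"
                            % tuple(attrs[a] for a in MAPPING_ATTRS))
    if "nsslapd-ldapimaprootdn" in attrs:
        # Root on this host acts as this DN, so host root is a directory administrator.
        findings.append("local root maps to %s" % attrs["nsslapd-ldapimaprootdn"])
    return findings
```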
7.6 Using the account policy plug-in for inactivity limits
Some security regulations require that inactive or unused accounts be disabled or removed. Disabling
them ensures that dormant accounts are not unnecessarily exposed to attack. The account inactivity
policy helps to automate the disabling of such idle accounts.