LDAP-UX Client Services B.04.00 Administrator's Guide

Administering LDAP-UX Client Services
Integrating with Trusted Mode
Chapter 4, page 106
system for the first time, auditing for that account is immediately enabled or disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.

You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes for LDAP-based accounts are not stored in the LDAP directory server. For example, enabling auditing for an account on host A does not enable auditing on host B.

Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized across hosts running in Trusted Mode.

When an LDAP-based account name is changed, a new audit ID is generated on each host on which the account is newly used. The initial auditing flag is reset to the default value defined in the /etc/opt/ldapux/ldapux_client.conf file.

When an account is deleted from LDAP, the audit information for that account is not removed from the local system. If that account name is re-used, the audit information from the previous account is re-used. You can choose to manually remove entries from the Trusted Mode database by removing the appropriate file under the /tcb/files/auth/... directory, where "..." is the directory name derived from the first character of the account name.

You can use the audisp command to display information about LDAP-based accounts. However, if an LDAP-based account has never logged in to the system (via telnet, rlogin, and so on), the audisp -u <username> command displays a message like "audisp: all specified users names are invalid."
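The two administrative checks the preceding paragraphs imply (which Trusted Mode file belongs to an account, and which local entries have outlived their LDAP account and would be silently re-used by a new account of the same name) can be scripted. The following is an added example, not part of the LDAP-UX guide or the product. It assumes that each entry is a file named after the account under a subdirectory named for the account's first character (the guide only says the directory name is derived from that character), that initial_ts_auditing appears in ldapux_client.conf as a key=value line, and that the administrator supplies the list of current LDAP account names in a file, one per line; TCB_ROOT and LDAPUX_CONF can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): inspect the local Trusted Mode
# database for LDAP-based accounts so stale audit records can be found and
# removed deliberately rather than inherited by a later account of the same name.
#
# Assumptions (not stated on the page in this detail):
#   - each account's Trusted Mode entry is <root>/<first character>/<account>
#   - ldapux_client.conf holds "initial_ts_auditing = <value>" as a key=value line
#   - the current LDAP account list is a file with one account name per line

TCB_ROOT="${TCB_ROOT:-/tcb/files/auth}"
LDAPUX_CONF="${LDAPUX_CONF:-/etc/opt/ldapux/ldapux_client.conf}"

# Path of the Trusted Mode entry for an account: the first character of the
# name selects the subdirectory, the name itself is the file (assumed layout).
tcb_entry_path() {
    name=$1
    first=$(printf '%s' "$name" | cut -c1)
    printf '%s/%s/%s\n' "$TCB_ROOT" "$first" "$name"
}

# Returns 0 if the account already has a Trusted Mode entry on this host.
# An LDAP account that has never logged in here has no entry yet, which is
# why "audisp -u <name>" reports the name as invalid for such accounts.
has_tcb_entry() {
    [ -f "$(tcb_entry_path "$1")" ]
}

# Current value of initial_ts_auditing (the host-local default that decides
# whether auditing starts enabled for an LDAP account on first login).
# Prints "unset" when the parameter or the file is missing.
initial_ts_auditing_value() {
    [ -r "$LDAPUX_CONF" ] || { echo unset; return 0; }
    val=$(sed -n 's/^[[:space:]]*initial_ts_auditing[[:space:]]*=[[:space:]]*//p' "$LDAPUX_CONF" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -z "$val" ]; then echo unset; else printf '%s\n' "$val"; fi
}

# Print every Trusted Mode entry under TCB_ROOT whose account name is not in
# the supplied list. Include local accounts in the list too, or they will be
# reported as well. Review each line before removing the file by hand.
stale_tcb_entries() {
    known=$1
    for dir in "$TCB_ROOT"/*/; do
        [ -d "$dir" ] || continue
        for entry in "$dir"*; do
            [ -f "$entry" ] || continue
            acct=$(basename "$entry")
            if ! grep -qx -- "$acct" "$known"; then
                printf '%s\n' "$entry"
            fi
        done
    done
}

# Stand-alone use: ./tcb_check.sh /path/to/current_ldap_accounts.txt
if [ "$#" -ge 1 ]; then
    echo "initial_ts_auditing on this host: $(initial_ts_auditing_value)"
    echo "Trusted Mode entries with no matching account in $1:"
    stale_tcb_entries "$1"
fi
```

The stale-entry report is per host by design: because Trusted Mode attributes and audit IDs are never stored in the directory, the script has to be run on every host that has been in Trusted Mode, and the account list it is given should come from the same directory server those hosts authenticate against.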
Password and Account Policies

The primary goal of integrating Trusted Mode policies with the policies enforced by an LDAP server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based accounts, and LDAP server policies are not enforced on local accounts. The password and account policies and their limitations are described as follows:

Accounts stored and authenticated through the LDAP directory adhere to the security policies of the directory server being used. These policies are specific to the brand and version of the directory server product deployed. Examples of these policies include password