LDAP-UX Client Services B.04.00 Administrator's Guide

Administering LDAP-UX Client Services
Integrating with Trusted Mode
Chapter 4 107
expiration, password syntax checking, and account expiration. No
policies of the HP-UX Trusted Mode product apply to accounts stored
in the LDAP server.
When you integrate LDAP-UX on an HP-UX 11i v1 or 11i v2 system
with the Netscape Directory Server, if an LDAP-based user attempts
to log in to the system but provides the incorrect password multiple
times in a row (the default is three times in a row), Trusted Mode
attempts to lock the account. However, the Trusted Mode attributes
do not impact LDAP-based accounts. So, if the user eventually
provides the correct password, he or she can log in.
PAM Configuration File
If you integrate LDAP-UX Client Services with the Netscape
Directory Server, you must define the pam_ldap library before the
pam_unix library in the /etc/pam.conf file for all services. You must
set the control flag for both the pam_ldap and pam_unix libraries to
required under session management. Refer to Appendix C, “Sample
/etc/pam.ldap.trusted file,” on page 191 for the proper configuration.
If you integrate LDAP-UX Client Services with the Windows
2000/2003 Active Directory Server, you must define the pam_krb5
library before the pam_unix library in the /etc/pam.conf file for all
services. In addition, the control flag for both pam_krb5 and
pam_unix libraries must be set to required for Session
management. Refer to Appendix F and Appendix G in the LDAP-UX
Client Services B.04.00 With Microsoft Windows 2000/2003 Active
Directory Administrator’s Guide for the proper configuration.
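As an added check, not part of this guide or of the LDAP-UX product: a POSIX shell function that audits a pam.conf for the two ordering and control-flag rules stated above, for either the Netscape case (libpam_ldap) or the Active Directory case (libpam_krb5). The module paths and sample entries are constructed for illustration and are not the Appendix C file.

```shell
# check_pam_order MODULE [FILE]: audit an HP-UX style /etc/pam.conf (fields:
# service module-type control-flag module-path [options]) for the rules
# stated above: MODULE (libpam_ldap for Netscape Directory Server,
# libpam_krb5 for Active Directory) precedes libpam_unix for every
# service and module type, and both are "required" under session.
# Prints one line per violation; exit status is non-zero if any is found.
check_pam_order() {
  mod=$1; shift                                # remaining args: FILE, or stdin if none
  awk -v mod="$mod" '
    /^[ \t]*#/ || NF < 4 { next }              # skip comments and short lines
    {
      svc = $1; type = $2; flag = $3; path = $4
      key = svc SUBSEP type                    # ordering tracked per service/type
      if (index(path, mod)) {
        if (seen_unix[key]) { printf "%s %s: %s listed after libpam_unix\n", svc, type, mod; bad++ }
        if (type == "session" && flag != "required") {
          printf "%s session: %s flag is %s, expected required\n", svc, mod, flag; bad++
        }
      } else if (index(path, "libpam_unix")) {
        seen_unix[key] = 1
        if (type == "session" && flag != "required") {
          printf "%s session: libpam_unix flag is %s, expected required\n", svc, flag; bad++
        }
      }
    }
    END { exit (bad > 0) }
  ' "$@"
}

# Constructed sample (assumed HP-UX 11i PA-RISC module paths): pam_ldap
# precedes pam_unix for each module type, both "required" for session.
good_conf() {
  cat <<'EOF'
login   auth     sufficient  /usr/lib/security/libpam_ldap.1
login   auth     required    /usr/lib/security/libpam_unix.1  try_first_pass
login   session  required    /usr/lib/security/libpam_ldap.1
login   session  required    /usr/lib/security/libpam_unix.1
EOF
}

# Constructed sample violating both rules: pam_unix first under auth,
# pam_ldap marked "optional" under session.
bad_conf() {
  cat <<'EOF'
login   auth     required    /usr/lib/security/libpam_unix.1
login   auth     sufficient  /usr/lib/security/libpam_ldap.1
login   session  optional    /usr/lib/security/libpam_ldap.1
login   session  required    /usr/lib/security/libpam_unix.1
EOF
}
```

Run it against the live file with `check_pam_order libpam_ldap /etc/pam.conf` (or `libpam_krb5` for the Active Directory configuration); a clean file produces no output and a zero exit status.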
Others
The authck -d command removes the /tcb/files/auth/... files
created for LDAP-based accounts. When the LDAP-based account
logs into the system again, a new /tcb/files/auth/... file with a
new audit ID is created. Therefore, it is not recommended to run the
authck -d command when you configure LDAP-UX with Trusted
Mode.
You cannot use the Trusted Mode management subsystem in SAM to
manage LDAP-based accounts.
The LDAP repository and /etc/passwd repository must not contain
accounts with the same login name or account number.