LDAP-UX Client Services B.04.00 Administrator's Guide

Installing And Configuring LDAP-UX Client Services
Plan Your Installation
Chapter 2, page 16
How will you increase the security level of the product to prevent an
unwanted user from logging in to the system via LDAP? What is the
procedure to set up increased login security?
By default, every user stored in the LDAP directory is allowed to log
in. To prevent specific directory users from logging in to a local
system, configure the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file. The file has two sections, the
[profile] section and the [NSS] section. HP recommends that you do not
edit the [profile] section. The [NSS] section contains the
disable_uid_range flag along with two logging flags. The flag takes a
comma-separated list of single UIDs and UID ranges, for example:
disable_uid_range=0-100, 300-450, 89.
Another common use is to block root (UID 0) from logging in through
LDAP. That setting looks like this: disable_uid_range=0.
When disable_uid_range is set, the disabled UIDs are not displayed
when you run commands such as pwget, listusers, or logins. A quick
check of the setting is therefore to run pwget -u with a UID inside a
disabled range and confirm that nothing is returned.
NOTE The passwd command may still allow you to change the password of a
disabled user when an alternative authentication method, such as
PAM Kerberos, is in use, because LDAP-UX does not control those
subsystems.
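The following shell script is an added example, not code from the LDAP-UX product or this guide. It parses the disable_uid_range value out of the [NSS] section of a ldapux_client.conf-style file (ignoring the key anywhere else, so an accidental copy into [profile] would be caught) and checks whether given UIDs fall inside the disabled ranges, including the root-only form disable_uid_range=0. The configuration file content is constructed for the demonstration; only the flag syntax comes from the guide. On a real client, the authoritative check remains pwget, listusers, or logins.

```shell
#!/bin/sh
# Added example (not from LDAP-UX): parse disable_uid_range from the [NSS]
# section of a ldapux_client.conf-style file and test UIDs against it.
# The sample file below is constructed for this demo.

SAMPLE_CONF=${TMPDIR:-/tmp}/ldapux_client.conf.$$
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[profile]
# HP recommends leaving this section alone
[NSS]
disable_uid_range=0-100, 300-450, 89
EOF

# disable_uid_range_spec FILE
# Print the value of disable_uid_range, but only when it appears in the
# [NSS] section; the same key in any other section is ignored.
disable_uid_range_spec() {
    awk -F= '
        /^[ \t]*\[/ { in_nss = ($0 ~ /^[ \t]*\[NSS\]/); next }
        in_nss && $1 ~ /^[ \t]*disable_uid_range[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
            print $2; exit
        }' "$1"
}

# uid_disabled UID SPEC
# SPEC is the flag value ("0-100, 300-450, 89" or just "0"). Prints
# "disabled" and returns 0 if UID is covered, otherwise prints "allowed"
# and returns 1. Spaces after the commas are tolerated, as in the guide.
uid_disabled() {
    printf '%s\n' "$2" | awk -v uid="$1" -v RS=',' '
        {
            gsub(/[ \t\n]/, "")
            if ($0 == "") next
            n = split($0, b, "-")
            lo = b[1] + 0
            hi = (n == 2) ? b[2] + 0 : lo
            if (uid + 0 >= lo && uid + 0 <= hi) found = 1
        }
        END {
            if (found) { print "disabled"; exit 0 }
            print "allowed"; exit 1
        }'
}

# Demonstration: read the constructed file and classify a few UIDs.
SPEC=$(disable_uid_range_spec "$SAMPLE_CONF")
echo "disable_uid_range=$SPEC"
for u in 0 50 89 200 350 451; do
    printf 'uid %-4s %s\n' "$u" "$(uid_disabled "$u" "$SPEC")"
done
```

The range parser treats a bare number as a one-element range, so the root-only setting disable_uid_range=0 blocks exactly UID 0 and nothing else; UID 200 and UID 451 in the sample fall between the configured ranges and remain allowed.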
What PAM authentication will you use? How will you set up
/etc/pam.conf? What other authentication methods do you want to use,
and in what order?
PAM (Pluggable Authentication Modules) provides the authentication
services. You can configure PAM to authenticate against LDAP,
Kerberos, or the traditional UNIX sources (for example files, NIS, or
NIS+) as controlled by NSS. See pam(3), pam.conf(4), and Managing
Systems and Workgroups at http://docs.hp.com/hpux/os for more
information on PAM.
HP recommends that you use HP-UX file-based authentication first,
followed by LDAP or other authentication methods. /etc/pam.ldap is an
example of this configuration. With this configuration, PAM tries
traditional authentication first, searching /etc/passwd when any user
logs in, and then attempts to authenticate to the directory if the user is