LDAP-UX Client Services B.04.00 Administrator's Guide

Installing And Configuring LDAP-UX Client Services
Plan Your Installation
Chapter 2 19
See /etc/nsswitch.ldap for an example nsswitch.conf file using files
and ldap. See switch(4) and “Configuring the Name Service Switch”
in Installing and Administering NFS Services at http://docs.hp.com
for more information.
It is recommended that you use files first, followed by LDAP, for passwd,
group and the other supported name services. With this configuration,
NSS first checks the files, then checks the directory if the name service
data is not in the respective files. /etc/nsswitch.ldap is an example of
this configuration.
Do you need to configure login authorization for a subset of users
from a large repository such as an LDAP directory? How will you set
up the /etc/opt/ldapux/pam_authz.policy and /etc/pam.conf
files to implement this feature?
The pam_authz service module for PAM provides functionality that
allows the administrator to control who can log in to the system.
These modules are located at /usr/lib/security/libpam_authz.1 on the
HP 9000 machine and at libpam_authz.so.1 on the Integrity (ia64)
machine. pam_authz has been created to provide access control
similar to the netgroup filtering feature that is performed by NIS.
Starting with LDAP-UX Client Services B.04.00,
pam_authz has been enhanced to allow system administrators to
configure and customize their local access rules in a local policy file,
/etc/opt/ldapux/pam_authz.policy. pam_authz uses the
access control rules defined in the
/etc/opt/ldapux/pam_authz.policy file to control login
authorization. pam_authz is intended to be used when NIS is not
used, such as when the pam_ldap or pam_kerberos authentication
modules are used. Because pam_authz does not provide
authentication, it does not verify whether a user account exists.
Starting with LDAP-UX Client Services B.04.00, if the
/etc/opt/ldapux/pam_authz.policy file does not exist in the
system, pam_authz provides access control based on the netgroup
information found in the /etc/passwd and /etc/netgroup files. If
the /etc/opt/ldapux/pam_authz.policy file exists in the system,
pam_authz uses the access rules defined in the policy file to
determine who can log in to the system.
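The netgroup fallback just described, worked through as an added example (constructed for this page, not LDAP-UX or pam_authz code): it parses the standard /etc/netgroup triple format and the NIS-compat +@/-@ entries of /etc/passwd, and assumes that the first matching passwd entry decides, which is a modelling assumption rather than documented pam_authz behaviour.

```python
# Constructed model of the netgroup fallback described above; not LDAP-UX code.
import re
# Constructed /etc/netgroup in the standard "name (host,user,domain) ... nested" format.
NETGROUP = """\
admins   (,alice,) (,bob,)
ops      (,carol,) admins
contract (,dave,)
"""
# Constructed /etc/passwd fragment: "-@group" excludes a netgroup, "+@group" admits one.
PASSWD = """\
root:x:0:0::/:/sbin/sh
-@contract
+@ops
"""

def parse_netgroup(text):
    """Map each netgroup name to its tokens (triples or nested group names)."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, rest = line.partition(" ")
            groups[name] = re.findall(r"\([^)]*\)|\S+", rest)
    return groups

def netgroup_users(groups, name, seen=None):
    """Expand a netgroup recursively into its user names; cycles are cut by `seen`."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users = set()
    for tok in groups[name]:
        if tok.startswith("("):
            _host, user, _domain = (f.strip() for f in tok[1:-1].split(",", 2))
            if user and user != "-":  # "-" or empty means "no user" in a triple
                users.add(user)
        else:
            users |= netgroup_users(groups, tok, seen)
    return users

def login_allowed(user, passwd=PASSWD, netgroup=NETGROUP):
    """Scan passwd top to bottom; the first +@/-@ entry naming the user decides
    (assumed ordering rule). Explicit local accounts are admitted; no match denies."""
    groups = parse_netgroup(netgroup)
    for line in passwd.splitlines():
        if line.startswith(("+@", "-@")):
            if user in netgroup_users(groups, line[2:]):
                return line[0] == "+"
        elif line.split(":", 1)[0] == user:
            return True
    return False
```

Because a user listed in an excluded netgroup is refused before any later +@ entry is reached, the order of the compat entries is itself part of the access policy and is worth reviewing when auditing such a configuration.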