LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide

Administering LDAP-UX Client Services
Integrating with Trusted Mode
Chapter 4, page 88
Accounts stored and authenticated through the LDAP server adhere to the security policies of the directory server being used. These policies are specific to the brand and version of the directory server product deployed. Examples of these policies include password expiration, password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode product apply to accounts stored in the LDAP server.
An LDAP-based user logging into a system with an expired password is not allowed to log in, and no error or warning message is given. You can avoid the problem by changing the password before it expires or by using an alternative method to change the LDAP password.
When you integrate LDAP-UX on the HP-UX 11i v2 system with the Windows 2000 or 2003 Active Directory Server, if an LDAP-based user attempts to log in to the system but provides the incorrect password multiple times in a row (the default is three times in a row), Trusted Mode attempts to lock the account. However, LDAP-based accounts are not impacted by the Trusted Mode attributes. So, if the user eventually provides the correct password, he or she can log in.
On the HP-UX 11i v1 system, if your LDAP server is the Windows 2000 or 2003 Active Directory Server, and an LDAP-based user provides the incorrect password multiple times in a row, the account will be locked. You have to use the /usr/lbin/modprpw -l -k <username> command to unlock the account before the user can log in again.
PAM Configuration File
If you integrate LDAP-UX with the Windows 2000 or 2003 Active Directory Server, you must define the pam_krb5 library before the pam_unix library in the /etc/pam.conf file for all services. In addition, you must set the control flag for both the pam_krb5 and pam_unix libraries to required for Session management. See Appendix F, “Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode,” on page 185 and Appendix G, “Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode,” on page 189 for the proper configuration.
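The following checker is an added example, not part of the guide or the LDAP-UX product. It parses an /etc/pam.conf in the HP-UX four-field form (service, module type, control flag, module path) and reports the two violations the paragraph above describes: pam_unix listed ahead of pam_krb5 for a service, and a session entry for either library whose control flag is not required. The two embedded configurations are constructed samples and the library paths are illustrative; the checker assumes the library file names contain pam_krb5 and pam_unix.

```python
from collections import defaultdict


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path), ...]}
    in file order, skipping blank lines and '#' comments."""
    entries = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % line)
        service, mtype, flag, path = fields[:4]
        entries[(service, mtype.lower())].append((flag.lower(), path))
    return entries


def check_pam_conf(text):
    """Return a list of rule violations; an empty list means the file complies."""
    problems = []
    for (service, mtype), stack in parse_pam_conf(text).items():
        mods = [path.rsplit("/", 1)[-1] for _, path in stack]
        krb = next((i for i, m in enumerate(mods) if "pam_krb5" in m), None)
        unix = next((i for i, m in enumerate(mods) if "pam_unix" in m), None)
        # Rule 1: pam_krb5 must precede pam_unix for every service and type.
        if krb is not None and unix is not None and krb > unix:
            problems.append("%s %s: pam_krb5 listed after pam_unix" % (service, mtype))
        # Rule 2: for session management both libraries must be 'required'.
        if mtype == "session":
            for (flag, _), mod in zip(stack, mods):
                if ("pam_krb5" in mod or "pam_unix" in mod) and flag != "required":
                    problems.append("%s session: %s is %s, expected required"
                                    % (service, mod, flag))
    return problems


# Constructed sample: wrong order for auth, and session pam_krb5 not 'required'.
WRONG = """\
login auth     required  /usr/lib/security/libpam_unix.so.1
login auth     required  /usr/lib/security/libpam_krb5.so.1
login session  optional  /usr/lib/security/libpam_krb5.so.1
login session  required  /usr/lib/security/libpam_unix.so.1
"""

# Constructed sample with the ordering and session flags the guide requires.
FIXED = """\
login auth     required  /usr/lib/security/libpam_krb5.so.1
login auth     required  /usr/lib/security/libpam_unix.so.1
login session  required  /usr/lib/security/libpam_krb5.so.1
login session  required  /usr/lib/security/libpam_unix.so.1
"""

if __name__ == "__main__":
    for name, cfg in (("WRONG", WRONG), ("FIXED", FIXED)):
        print(name, check_pam_conf(cfg) or "OK")
```

Run it against a real file with `check_pam_conf(open("/etc/pam.conf").read())`; a real HP-UX file lists many services, and the checker evaluates each one independently.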