LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide

Installing LDAP-UX Client Services
Planning Your Installation
access control rules defined in the local policy file to control login
authorization. Because pam_authz doesn't provide authentication, it
doesn't verify whether a user account exists.
If the /etc/opt/ldapux/pam_authz.policy file does not exist on the
system, pam_authz performs access control based on the netgroup
information found in the /etc/passwd and /etc/netgroup files. If
the /etc/opt/ldapux/pam_authz.policy file exists on the system,
pam_authz uses the access rules defined in the policy file to
determine who can log in to the system.
For detailed information on this feature and how to configure the
/etc/opt/ldapux/pam_authz.policy file, see “PAM_AUTHZ Login
Authorization Enhancement” on page 96 or the pam_authz(5) man
page.
How will you increase the security level of the product to prevent an
unwanted user from logging in to the system using LDAP? What is
the procedure to set up increased login security?
The default is to allow all users stored in the LDAP directory to
log in. To prevent specific users from logging in to a local system,
configure the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file. There are two sections
in this file, the [profile] section and the [NSS] section. HP
recommends not editing the [profile] section. The [NSS] section
contains the disable_uid_range flag, along with two logging flags.
For example, the flag might look like:
disable_uid_range=0-100, 300-450, 189
This flag prevents users whose UNIX UIDs are between 0 and 100,
between 300 and 450, or equal to 189 from logging in to the local
system.
Another common example is to disable root access. This flag would
look like:
disable_uid_range=0
When disable_uid_range is turned on, the disabled UIDs are not
displayed when you run commands such as pwget, listusers,
logins, and so on.
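The following is an added example, not code from the LDAP-UX product: it parses a disable_uid_range value in the format shown above (comma-separated single UIDs and lo-hi ranges), reads it from the [NSS] section of a constructed ldapux_client.conf fragment, and reports which directory users a given setting would block. The key=value layout of the file and the audit helper are assumptions for illustration; the real client's parser may differ.

```python
import re
from typing import List, Tuple

# Constructed sample of the config file. Only the flag discussed above is shown;
# the two logging flags and the real [profile] contents are omitted (assumption).
SAMPLE_CONF = """\
[profile]
# managed by the setup tool; HP recommends not editing this section
[NSS]
disable_uid_range=0-100, 300-450, 189
"""

def parse_uid_ranges(value: str) -> List[Tuple[int, int]]:
    """Turn '0-100, 300-450, 189' into [(0, 100), (300, 450), (189, 189)]."""
    ranges = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad disable_uid_range entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo  # single UID -> one-element range
        if hi < lo:
            raise ValueError(f"inverted range: {item!r}")
        ranges.append((lo, hi))
    return ranges

def read_disable_uid_range(conf_text: str) -> List[Tuple[int, int]]:
    """Return the ranges set in the [NSS] section; empty list if the flag is unset."""
    section = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        key, sep, val = line.partition("=")
        if sep and section == "NSS" and key.strip() == "disable_uid_range":
            return parse_uid_ranges(val)
    return []

def is_uid_disabled(uid: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if the UID falls inside any disabled range (login would be refused)."""
    return any(lo <= uid <= hi for lo, hi in ranges)

def audit(entries, ranges) -> List[str]:
    """entries: (login, uid) pairs from the directory; returns the logins that would be blocked."""
    return [login for login, uid in entries if is_uid_disabled(uid, ranges)]
```

Run audit() over the (login, uid) pairs you expect the directory to return before enabling the flag, so that a range does not accidentally cover an administrative account you still need.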