LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide
Installing LDAP-UX Client Services
Configuring LDAP-UX Client Services
Chapter 2 45
NOTE The sample file reflects the recommendation to keep the root user in
/etc/passwd local on each client machine, and to allow for local
account management of the root user. This guarantees local access to
the system in case the network is down.
Step 4: Configure the Name Service Switch (NSS)
The Name Service Switch (NSS) needs to be modified to retrieve your
account and group information from Active Directory.
Save a copy of the file /etc/nsswitch.conf and edit the original to
specify the ldap name service and other name services you want to use.
Refer to /etc/nsswitch.ldap for an example. You may be able to just
copy /etc/nsswitch.ldap to /etc/nsswitch.conf. Refer to
nsswitch.conf(4) for more information.
Step 5: Configure the PAM Authorization Service Module (pam_authz)
This step is optional. Perform it only if you want pam_authz to enforce
the access rules defined in the policy file,
/etc/opt/ldapux/pam_authz.policy. LDAP-UX Client Services
provides a sample policy file,
/etc/opt/ldapux/pam_authz.policy.template. This sample file
shows you how to configure the policy file to work with pam_authz. You
can copy this sample file and edit it using the correct syntax to specify
the access rules you wish to authorize or exclude from authorization. For
more detailed information on how to configure the policy file, see
“PAM_AUTHZ Login Authorization Enhancement” on page 96.
Step 6: Configure the Disable Login Flag
Save a copy of the file /etc/opt/ldapux/ldapux_client.conf and edit
the original to activate the disable_uid_range flag. Uncomment the
flag in the [NSS] portion of the file and fill in the UID range. The format
is disable_uid_range=uid#,[uid#-uid#], ....
For example: disable_uid_range=0-100,300-450,89
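
The following script is an added example, not part of the original guide or of LDAP-UX itself. It reads the active disable_uid_range value from the [NSS] section of a config and reports whether a given UID falls inside it, rejecting malformed entries. The function names, the sample config text and the use of "#" as the comment character are assumptions.

```shell
#!/bin/sh
# Added example: audit a disable_uid_range value (format per the guide:
# disable_uid_range=uid#,[uid#-uid#], ...).

# Constructed sample config; "#" as the comment character is an assumption.
SAMPLE_CONF='[other]
disable_uid_range=5000-6000
[NSS]
#disable_uid_range=0-100
disable_uid_range=0-100,300-450,89
'

# Print the active (uncommented) disable_uid_range value from the [NSS]
# section of the config text on stdin.
get_disable_uid_range() {
    awk '/^[ \t]*\[/ { in_nss = ($0 ~ /^[ \t]*\[NSS\]/); next }
         in_nss && /^[ \t]*disable_uid_range[ \t]*=/ {
             sub(/^[^=]*=/, ""); gsub(/[ \t]/, ""); print; exit }'
}

# uid_disabled LIST UID -> 0 if UID is covered, 1 if not, 2 if LIST is malformed.
uid_disabled() {
    _list=$(printf '%s' "$1" | tr -d ' \t'); _uid=$2; _hit=1
    _old_ifs=$IFS; IFS=,; set -f
    for _item in $_list; do
        case $_item in
            ''|*[!0-9-]*|-*|*-|*-*-*) IFS=$_old_ifs; set +f; return 2 ;;
            *-*) _lo=${_item%-*}; _hi=${_item#*-} ;;
            *)   _lo=$_item; _hi=$_item ;;
        esac
        # A reversed range such as 450-300 is treated as a typo, not as empty.
        if [ "$_lo" -gt "$_hi" ]; then IFS=$_old_ifs; set +f; return 2; fi
        if [ "$_uid" -ge "$_lo" ] && [ "$_uid" -le "$_hi" ]; then _hit=0; fi
    done
    IFS=$_old_ifs; set +f
    return $_hit
}

RANGE=$(printf '%s' "$SAMPLE_CONF" | get_disable_uid_range)
for u in 0 89 101 300 451; do
    if uid_disabled "$RANGE" "$u"; then echo "uid $u: disabled"
    else echo "uid $u: not in range"; fi
done
```

To check a real client, pipe the saved configuration file into get_disable_uid_range instead of the sample text.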