LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide
Administering LDAP-UX Client Services
Integrating with Trusted Mode
Chapter 4 87
• For LDAP-based accounts that are not yet known to the system, you can configure an initial setting for the auditing flag. You can configure this flag such that when an account becomes known to the system for the first time, auditing for that account is immediately enabled or disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.
• You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes for LDAP-based accounts are not stored in the LDAP directory server. For example, enabling auditing for an account on host A does not enable auditing on host B.
• Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized across hosts running in Trusted Mode.
• When an LDAP-based account name is changed, a new audit ID is generated on each host where the account is next used. The initial auditing flag defined in the /etc/opt/ldapux/ldapux_client.conf file is reset to the default value.
• When an account is deleted from LDAP, the audit information for that account is not removed from the local system. If that account name is re-used, the audit information from the previous account is re-used. You can choose to manually remove entries from the Trusted Mode database by removing the appropriate file under the /tcb/files/auth/... directory, where "..." defines the directory name based on the first character of the account name.
• You can use the audisp command to display information about LDAP-based accounts. However, if an LDAP-based account has never logged in to the system (via telnet, rlogin, and so on), the audisp -u <username> command displays a message like "audisp: all specified users names are invalid."
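As an added example (not from this guide), the following POSIX shell script lists Trusted Mode database entries on a host whose account name no longer resolves to a current account, which is the situation the deleted-account bullet describes: stale entries would otherwise be inherited by the next account created with the same name. It assumes only the /tcb/files/auth/<first character>/<name> layout described above; TCB_ROOT, KNOWN_ACCOUNTS and account_known are constructed stand-ins (on a real host, account_known would wrap the name-service lookup).

```shell
#!/bin/sh
# Added example: find Trusted Mode (TCB) entries with no matching account.
# TCB_ROOT may be overridden so the script can be exercised on a copy of
# the database or on a constructed test tree.
TCB_ROOT="${TCB_ROOT:-/tcb/files/auth}"

# Constructed list standing in for the name service; on a real host,
# replace account_known with a lookup against the configured name service.
KNOWN_ACCOUNTS="alice bob charlie"

account_known() {
    for k in $KNOWN_ACCOUNTS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Expected path of an account's TCB file: one subdirectory per first
# character of the account name, then a file named after the account.
tcb_path() {
    first=$(printf '%s' "$1" | cut -c1)
    printf '%s/%s/%s\n' "$TCB_ROOT" "$first" "$1"
}

# Print, one per line, the TCB files whose name is not a known account.
# These are candidates for manual removal before the name is re-used.
stale_tcb_entries() {
    for f in "$TCB_ROOT"/?/*; do
        [ -f "$f" ] || continue          # unmatched glob or non-file
        name=$(basename "$f")
        account_known "$name" || printf '%s\n' "$f"
    done
}

# Stand-alone use: report stale entries if the database is present.
if [ -d "$TCB_ROOT" ] && [ -z "$TCB_SKIP_MAIN" ]; then
    stale_tcb_entries
fi
```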
Password and Account Policies
The primary goal of integrating Trusted Mode policies with the policies enforced by an LDAP server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based accounts, and LDAP server policies are not enforced on local-based accounts. The password and account policies and their limitations are described as follows: