LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)
Figure 2-1 Example Directory Structure
o=hp.com
  ou=unix
    ou=people   (user data)
    ou=groups   (group data)
    ou=profiles (profile1)
    ou=hosts    (host data)
Write your configuration profile DN on the worksheet in Configuration Worksheet (page 183).
• By what method will client systems bind to the directory?
Clients can bind to the directory anonymously. This is the default and is the simplest to
administer. If you need to prevent anonymous users from reading your data, or your
directory does not permit anonymous access, you can configure a proxy user whose
credentials the client uses to bind. If you configure a proxy user, you can also configure the
client to fall back to an anonymous bind when the proxy bind fails; with that fallback, a
failed proxy bind degrades silently to anonymous access rather than to no access.
Write your client access method and proxy user DN, if needed, on the worksheet in
Configuration Worksheet (page 183).
• How will you increase the security level of the product to prevent an unwanted user from
logging in to the system via LDAP? What is the procedure to set up increased login security?
By default, every user stored in the LDAP directory is allowed to log in. To prevent specific
directory users from logging in to a local system, set the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file. This file has two sections, [profile] and [NSS]. HP
recommends that you do not edit the [profile] section. The [NSS] section contains the
disable_uid_range flag along with two logging flags. The value is a comma-separated list of
single uids and inclusive uid ranges; for example, the following disables uids 0 through 100,
300 through 450, and 89:
disable_uid_range=0-100, 300-450, 89
Another common setting blocks directory entries that carry uid 0, so that no account stored
in the directory can log in with root privileges:
disable_uid_range=0
When disable_uid_range is set, the disabled uids are not displayed by commands such as
pwget, listusers and logins.
NOTE: The passwd command may still allow you to change the password of a disabled
user when an alternative authentication method, such as PAM Kerberos, is used, because
the LDAP-UX client does not control those subsystems.
• What PAM authentication will you use? How will you set up /etc/pam.conf? What other
authentication do you want to use, and in what order?
PAM (Pluggable Authentication Modules) provides the authentication services. You can
configure PAM to use LDAP, Kerberos, or the traditional UNIX sources (for example files,
NIS, or NIS+) as controlled by NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups
at http://docs.hp.com/hpux/os for more information on PAM.
HP recommends that you use HP-UX file-based authentication first, followed by LDAP or
other authentication; /etc/pam.ldap is an example of this configuration. With it, PAM tries
traditional authentication first, searching /etc/passwd when any user logs in, and attempts
to authenticate against the directory only if the user is not in /etc/passwd. If you keep a few
users in /etc/passwd, in particular root, you can still log in to the client as one of those users
when the directory is unavailable. Because the local entry is consulted first, a directory entry
with the same name as a local user is never used for that login.
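The following is an added example, not code from the LDAP-UX guide or the product, that ties together the two planning points above: it reads disable_uid_range from the [NSS] section of an ldapux_client.conf, parses the value in the syntax the guide shows ("0-100, 300-450, 89", single uids or inclusive ranges), and audits a set of directory posixAccount entries against it and against the files-first ordering of /etc/pam.ldap. The verdicts it assigns ("disabled", "shadowed", "root-uid", "ok") are the author's own labels, the function names are hypothetical, and the config text, /etc/passwd lines and LDIF are constructed sample data. The "weak" configuration leaves disable_uid_range unset so a directory entry with uidNumber 0 would log in with root privileges; the "hardened" one sets disable_uid_range=0, 300-450.

```python
"""Audit directory accounts against LDAP-UX's disable_uid_range and local
/etc/passwd precedence.  Added example, not code from the HP LDAP-UX guide or
product.  Assumes the value syntax the guide shows ("0-100, 300-450, 89", a
comma-separated list of uids or inclusive ranges) and an INI-style [NSS] section."""
import re

def parse_uid_ranges(value):
    """'0-100, 300-450, 89' -> [(0, 100), (300, 450), (89, 89)]."""
    ranges = []
    for part in (p.strip() for p in value.split(",")):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", part)
        if not m:
            raise ValueError("bad disable_uid_range element: %r" % part)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        ranges.append((min(lo, hi), max(lo, hi)))
    return ranges

def nss_disable_uid_range(conf_text):
    """disable_uid_range value from the [NSS] section, or '' if unset."""
    section = None
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        if section == "nss" and sep and key.strip() == "disable_uid_range":
            return val.strip()
    return ""

def parse_ldif_accounts(ldif_text):
    """Minimal LDIF reader: (uid, uidNumber) for each posixAccount entry."""
    entries, cur = [], {}
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():          # a blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    return [(e["uid"][0], int(e["uidNumber"][0]))
            for e in entries if "posixAccount" in e.get("objectClass", [])]

def parse_passwd(passwd_text):
    """name -> uid for every local /etc/passwd line."""
    fields = (l.split(":") for l in passwd_text.splitlines() if l.strip())
    return {f[0]: int(f[2]) for f in fields}

def audit(conf_text, passwd_text, ldif_text):
    """Verdict per directory account: 'disabled' (blocked by disable_uid_range),
    'shadowed' (a same-named local entry wins under files-first ordering, so
    the directory entry is never consulted), 'root-uid' (uidNumber 0 and not
    disabled: an LDAP login with root privileges) or 'ok'."""
    ranges = parse_uid_ranges(nss_disable_uid_range(conf_text))
    local = parse_passwd(passwd_text)
    verdicts = {}
    for name, uidnum in parse_ldif_accounts(ldif_text):
        if any(lo <= uidnum <= hi for lo, hi in ranges):
            verdicts[name] = "disabled"
        elif name in local:
            verdicts[name] = "shadowed"
        elif uidnum == 0:
            verdicts[name] = "root-uid"
        else:
            verdicts[name] = "ok"
    return verdicts

# Constructed sample data (not taken from any real system).
CONF_WEAK = "[profile]\n# do not edit\n[NSS]\n# disable_uid_range unset\n"
CONF_HARDENED = "[profile]\n# do not edit\n[NSS]\ndisable_uid_range=0, 300-450\n"
PASSWD = "root:x:0:3::/:/sbin/sh\nbin:x:2:2::/usr/bin:/sbin/sh\n"
LDIF = """\
dn: uid=root,ou=people,ou=unix,o=hp.com
objectClass: posixAccount
uid: root
uidNumber: 0

dn: uid=backdoor,ou=people,ou=unix,o=hp.com
objectClass: posixAccount
uid: backdoor
uidNumber: 0

dn: uid=svc,ou=people,ou=unix,o=hp.com
objectClass: posixAccount
uid: svc
uidNumber: 350

dn: uid=alice,ou=people,ou=unix,o=hp.com
objectClass: posixAccount
uid: alice
uidNumber: 1001
"""

if __name__ == "__main__":
    for label, conf in (("weak", CONF_WEAK), ("hardened", CONF_HARDENED)):
        print(label, audit(conf, PASSWD, LDIF))
```

Run against the weak configuration, the directory's "backdoor" entry is reported as root-uid because nothing stops a uid 0 account stored in the directory from logging in, while the directory's "root" entry is merely shadowed by the local root in /etc/passwd. With disable_uid_range=0, 300-450 both uid 0 entries and the uid 350 service account become disabled and only "alice" remains eligible. To audit a real client, feed it the contents of /etc/opt/ldapux/ldapux_client.conf, /etc/passwd and an LDIF export of ou=people.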
Plan Your Installation 25