LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)
For detailed information about AutoFS with LDAP support, see AutoFS Support (page 56).
• What name services will you use? How will you set up /etc/nsswitch.conf? What order do
you want NSS to try services?
NSS is the Name Service Switch, providing naming services for user names, group names,
and other information. You can configure NSS to use files, ldap, or NIS in any order and
with different parameters. See /etc/nsswitch.ldap for an example nsswitch.conf file using
files and ldap. See switch(4) and "Configuring the Name Service Switch" in Installing and
Administering NFS Services at http://docs.hp.com for more information.
It is recommended you use files first, followed by LDAP for passwd, group and other
supported name services. With this configuration, NSS will first check files, then check the
directory if the name service data is not in the respective files. /etc/nsswitch.ldap is an
example of this configuration.
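An added check, not from the HP guide, that reads an nsswitch.conf and reports whether files is consulted before ldap for a given database, as recommended above; it skips comment lines and ignores [STATUS=action] clauses such as [NOTFOUND=return]. The sample nsswitch.conf it writes is constructed for the demonstration, not a real system file.

```sh
#!/bin/sh
# nss_files_before_ldap <nsswitch.conf> <database>
# Prints one of: ok (files precedes ldap), ldap-first, no-ldap, missing.
# Returns 0 only for "ok".  Added example, not part of LDAP-UX.
nss_files_before_ldap() {
    conf=$1
    db=$2
    # Last non-comment line for the database, minus the "db:" prefix and any
    # [STATUS=action] clauses, leaving only the source names in order.
    sources=$(grep -v '^[[:space:]]*#' "$conf" \
        | grep "^[[:space:]]*$db[[:space:]]*:" | tail -n 1 \
        | sed -e 's/^[^:]*://' -e 's/\[[^]]*\]//g')
    if [ -z "$sources" ]; then echo missing; return 1; fi
    pos=0; files_pos=0; ldap_pos=0
    for src in $sources; do
        pos=$((pos + 1))
        case $src in
            files) if [ "$files_pos" -eq 0 ]; then files_pos=$pos; fi ;;
            ldap)  if [ "$ldap_pos" -eq 0 ]; then ldap_pos=$pos; fi ;;
        esac
    done
    if [ "$ldap_pos" -eq 0 ]; then echo no-ldap; return 1; fi
    if [ "$files_pos" -ne 0 ] && [ "$files_pos" -lt "$ldap_pos" ]; then
        echo ok; return 0
    fi
    echo ldap-first; return 1
}

# Writes a constructed sample nsswitch.conf and prints its path.
write_sample_nss() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: files then ldap for passwd/group; ldap first for hosts
passwd:   files [NOTFOUND=continue] ldap
group:    files ldap
hosts:    ldap [NOTFOUND=return] files dns
services: files
EOF
    echo "$f"
}

SAMPLE=$(write_sample_nss)
for db in passwd group hosts services netgroup; do
    printf '%s: %s\n' "$db" "$(nss_files_before_ldap "$SAMPLE" "$db")"
done
rm -f "$SAMPLE"
```

Run it against /etc/nsswitch.conf on a client to confirm passwd and group report ok before enabling LDAP.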
• Do you need to configure login authorization for a subset of users from a large repository
such as an LDAP directory? How will you set up the
/etc/opt/ldapux/pam_authz.policy and /etc/pam.conf files to implement this
feature?
The pam_authz service module for PAM provides functionality that allows the administrator
to control who can log in to the system. pam_authz was created to provide access control
similar to the netgroup filtering feature that NIS performs. These modules are located at
/usr/lib/security/libpam_authz.1 on HP 9000 systems (libpam_authz.so.1 on Integrity
(ia64) systems). Starting with LDAP-UX Client Services B.04.00, pam_authz has been
enhanced to allow system administrators to configure and customize their local access rules
in a local policy file, /etc/opt/ldapux/pam_authz.policy. pam_authz uses the
access control rules defined in the local policy file to control login authorization.
pam_authz is intended to be used when NIS is not used, such as when the pam_ldap or
pam_kerberos authentication modules are used. Because pam_authz does not perform
authentication, it does not verify that a user account exists.
If the /etc/opt/ldapux/pam_authz.policy file does not exist on the system, pam_authz
provides access control based on the netgroup information found in the /etc/passwd and
/etc/netgroup files. If the /etc/opt/ldapux/pam_authz.policy file exists on the
system, pam_authz uses the access rules defined in the policy file to determine who can
log in to the system.
For detailed information on this feature and how to configure the
/etc/opt/ldapux/pam_authz.policy file, see PAM_AUTHZ Login Authorization
(page 98) or the pam_authz(5) man page.
• Do you want to configure /etc/opt/ldapux/pam_authz.policy to enforce account
and password policies stored in an LDAP directory server?
LDAP-UX provides a pam_authz enhancement that supports enforcement of account and
password policies stored in an LDAP directory server. This feature is intended for use with
SSH (Secure Shell) and with r-commands that have rhosts enabled, where authentication is
not performed by the PAM subsystem but by the command itself.
For detailed information on this feature and how to configure the pam_authz.policy file,
see “Security Policy Enforcement with Secure Shell (SSH) or r-commands” (page 110).
• How will you communicate with your user community about the change to LDAP?
For the most part, your user community should be unaffected by the directory. Most HP-UX
commands will work as always. However, for some LDAP directories (such as Netscape
Directory Server 6.x), data in replica servers cannot be modified. The passwd(1) command
Plan Your Installation 27