LDAP-UX Client Services B.04.15 Administrator's Guide
2.13 Download the Profile Periodically
Setup allows you to define a time interval after which the current profile is automatically
refreshed. The start time for this periodic refresh is determined by the time the setup program
was run and the value defined for ProfileTTL. You therefore cannot specify a particular time of
day at which the profile is downloaded (refreshed). For more detailed information, refer to the
ldapclientd(1) man page.
If you want to control manually when the profile is downloaded, use the following steps:
1. When creating your profile entry using setup, set the ProfileTTL value to 0.
2. Using the command get_profile_entry -s nss, write a shell script that downloads
the profile. Below is an example that downloads the profile from the directory. Modify this
example for your environment. It also compares the new and old profiles and emails a status
message:
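    #!/bin/ksh
    # Keep a copy of the current profile so it can be compared after the refresh.
    cp /etc/opt/ldapux/ldapux_profile.ldif /etc/opt/ldapux/ldapux_profile.sav
    # Download the profile; stdout and stderr both go to the status file.
    # Note: /tmp/profile.upd$$ is a predictable name in a world-writable directory
    # and this script runs as root; a root-only directory is a safer location.
    /opt/ldapux/config/get_profile_entry -s nss > /tmp/profile.upd$$ 2>&1
    # Append any differences between the new profile and the saved copy.
    diff /etc/opt/ldapux/ldapux_profile.ldif \
         /etc/opt/ldapux/ldapux_profile.sav >> /tmp/profile.upd$$
    # Mail the collected output, or "No changes." if the status file is empty.
    if [ -s /tmp/profile.upd$$ ]; then
        cat /tmp/profile.upd$$ | mailx -s "Profile cache refreshed." root@sys01
    else
        echo "No changes." | mailx -s "Profile cache refreshed." root@sys01
    fi
    # Remove the saved copy and the status file.
    rm -f /etc/opt/ldapux/ldapux_profile.sav
    rm -f /tmp/profile.upd$$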
3. Create a crontab(1) file (or edit your existing crontab file) and specify how frequently you
want the profile to be downloaded. For example, assuming the script above is in the file
/ldapux/download_ldap_profile, the following crontab entry runs
/ldapux/download_ldap_profile nightly at midnight:
0 0 * * * /ldapux/download_ldap_profile
4. Log in as root and schedule the job with the crontab(1) command. For example, assuming
the crontab entry above is in the file crontab.profile, the following command schedules the
profile download:
crontab crontab.profile
2.14 Use r-command for PAM_LDAP
An enhancement was implemented in LDAP-UX Client Services B.03.20 so that r-commands
can work with LDAP account users whose password is hidden, or is not in clear text or crypt
syntax.
If you want to use this new feature, use the following steps:
1. Uncomment the following line in the /etc/opt/ldapux/ldapux_client.conf file:
#password_as = "x"
2. On an HP-UX 11.0 or 11i v1 client system, modify the account management section of the
/etc/pam.conf file to add the rcommand option for pam_ldap, as shown below:
    # Account management
    #
    login    account sufficient /usr/lib/security/libpam_unix.1
    login    account required   /usr/lib/security/libpam_ldap.1 rcommand
    su       account sufficient /usr/lib/security/libpam_unix.1
    su       account required   /usr/lib/security/libpam_ldap.1
    dtlogin  account sufficient /usr/lib/security/libpam_unix.1
    dtlogin  account required   /usr/lib/security/libpam_ldap.1
    dtaction account sufficient /usr/lib/security/libpam_unix.1
    dtaction account required   /usr/lib/security/libpam_ldap.1
    ftp      account sufficient /usr/lib/security/libpam_unix.1
    ftp      account required   /usr/lib/security/libpam_ldap.1
    OTHER    account sufficient /usr/lib/security/libpam_unix.1
    OTHER    account required   /usr/lib/security/libpam_ldap.1 rcommand
On an HP-UX 11i v2 client system, modify the account management section of the
/etc/pam.conf file to add the "rcommand" option for pam_ldap, as follows:
    # Account management
    #
    login account required   libpam_hpsec.so.1
    login account sufficient libpam_unix.so.1
    login account required   libpam_ldap.so.1
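
To confirm that both steps in section 2.14 took effect, the following added example (not part of the HP guide) lists which services carry the rcommand option on their pam_ldap account line and checks that password_as is uncommented. The function names and the sample files are constructed for illustration, and the demo lines at the end assume a system with mktemp -d; on a client, pass /etc/pam.conf and /etc/opt/ldapux/ldapux_client.conf to audit.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): audit the section 2.14 settings.
# Files are passed as arguments so the checks can run against copies.

# Print "<service> <yes|no>" for each active account-management line in a
# pam.conf-format file that loads libpam_ldap; "yes" = rcommand option present.
rcommand_services() {
    awk '/^[ \t]*#/ { next }
         NF >= 4 && $2 == "account" && $4 ~ /libpam_ldap\./ {
             opt = "no"
             for (i = 5; i <= NF; i++) if ($i == "rcommand") opt = "yes"
             print $1, opt
         }' "$1"
}

# Succeed only if password_as = "x" is present and not commented out.
password_as_enabled() {
    grep -Eq '^[[:space:]]*password_as[[:space:]]*=[[:space:]]*"x"' "$1"
}

# audit PAM_FILE CLIENT_CONF: report both settings; return 1 when only one of
# the two steps has been applied (a half-configured system).
audit() {
    enabled=$(rcommand_services "$1" | awk '$2 == "yes" { printf "%s ", $1 }')
    if password_as_enabled "$2"; then pw=yes; else pw=no; fi
    echo "password_as=$pw rcommand_on=${enabled:-none}"
    if [ "$pw" = yes ] && [ -z "$enabled" ]; then return 1; fi
    if [ "$pw" = no ] && [ -n "$enabled" ]; then return 1; fi
    return 0
}

# Constructed sample input (HP-UX 11.0 / 11i v1 module paths from the page).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/pam.conf" <<'EOF'
# Account management
login  account sufficient /usr/lib/security/libpam_unix.1
login  account required   /usr/lib/security/libpam_ldap.1 rcommand
su     account sufficient /usr/lib/security/libpam_unix.1
su     account required   /usr/lib/security/libpam_ldap.1
OTHER  account required   /usr/lib/security/libpam_ldap.1 rcommand
EOF
printf '%s\n' '#password_as = "x"' > "$demo/commented.conf"
printf '%s\n' 'password_as = "x"'  > "$demo/enabled.conf"

audit "$demo/pam.conf" "$demo/enabled.conf"      # consistent: both steps done
audit "$demo/pam.conf" "$demo/commented.conf" || echo "step 1 not applied"
```

The per-service listing also shows where rcommand is enabled beyond the lines the procedure names, which is worth reviewing after any later edit to /etc/pam.conf.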