LDAP-UX Client Services B.04.15 Administrator's Guide
The coexistence of LDAP-UX and Trusted Mode supports certain security features, but also has
limitations and usage requirements that you need to be aware of. For detailed information, see
Features and Limitations (page 92).
5.2.2 Features and Limitations
This subsection describes features and limitations of integrating LDAP-UX with Trusted Mode.
5.2.2.1 Auditing
Integrating LDAP-UX with Trusted Mode enables accounts stored in the LDAP directory to login
to a local host and to be audited on the Trusted Mode. The following describes the auditing
features and limitations. To use these security features, you must enable the audit subsystem on
the Trusted Mode local host:
• Auditing of both LDAP-based and local-based (/etc/passwd) accounts is possible. By default,
auditing is disabled for all LDAP-based accounts. However, you can use the audusr (option
-a or -d) command to alter the auditing flag for individual LDAP-based account.
• For LDAP-based accounts that are not yet known to the system, you can configure an initial
setting for the auditing flag. You can configure this flag such that when an account becomes
known to the system for the first time, auditing for that account is immediately enabled or
disabled. This flag is defined as the initial_ts_auditing parameter in the
/etc/opt/ldapux/ldapux_client.conf file.
• You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode
attributes for LDAP-based accounts are not stored in the LDAP directory server. For example,
enabling auditing for an account on host A does not enable auditing on host B.
• Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not
synchronized across hosts running in the Trusted Mode.
• When an LDAP-based account name is changed, a new audit ID is generated on each host
that the account is newly used on. The initial_ts_auditing flag is reset to the default
value defined in the /etc/opt/ldapux/ldapux_client.conf file.
• When an account is deleted from LDAP, the audit information for that account is not removed
from the local system. If that account is re-used, the audit information from the previous
account is re-used. You can choose to manually remove entries from the Trusted Mode
database by removing the appropriate file under the /tcb/files/auth/... directory, where "..."
defines the directory name based on the first character of the account name.
• You can use the audisp command to display information about LDAP-based accounts.
However, if an LDAP-based account has never logged in to the system (via telnet, rlogin,
and so on), the audisp -u <username> command displays the message like "audisp:
all specified users names are invalid."
5.2.2.2 Password and Account Policies
The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP
server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based
accounts, and LDAP server policies are not enforced on local-based accounts. The password and
account policies and limitations are described as followings:
• Accounts stored and authenticated through the LDAP directory adhere to the security
policies of the directory server being used. These policies are specific to the brand and version
of the directory server product deloyed. Examples of these policies include password
expiration, password syntax checking, and account expiration. No policies of the HP-UX
Trusted Mode product apply to accounts stored in the LDAP server.
• When you integrate LDAP-UX on an HP-UX 11i v1 or 11i v2 system with the Netscape/Red
Hat Directory Server, if an LDAP-based user attempts to login to the system, but provides
the incorrect password multiple times in a row (the default is three times in a row), Trusted
Mode attempts to lock the account. However, the Trusted Mode attributes do not impact
92 Administering LDAP-UX Client Services