LDAP-UX Client Services B.04.15 Administrator's Guide

LDAP-based accounts. So, if the user eventually provides the correct password, he or she
can log in.
5.2.2.3 PAM Configuration File
If you integrate LDAP-UX Client Services with the Netscape/Red Hat Directory Server, you
must list the pam_ldap library before the pam_unix library in the /etc/pam.conf file for
every service. Under session management, the control flag for both the pam_ldap and
pam_unix libraries must be set to required. Refer to Sample /etc/pam.ldap.trusted file
(page 247) for the proper configuration.
If you integrate LDAP-UX Client Services with the Windows 2000/2003 Active Directory
Server, you must list the pam_krb5 library before the pam_unix library in the /etc/pam.conf
file for every service. In addition, under session management the control flag for both the
pam_krb5 and pam_unix libraries must be set to required. Refer to Appendix F and Appendix G
in the LDAP-UX Client Services B.04.10 With Microsoft Windows Active Directory Administrator's
Guide for the proper configuration.
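The two ordering rules above can be checked mechanically before a host is put into Trusted Mode. The following shell script is an added example; it is not part of this guide or of the LDAP-UX product. It embeds two constructed /etc/pam.conf fragments and an awk check which verifies, for every service and module type, that pam_ldap (or pam_krb5 for an Active Directory integration) precedes pam_unix, that both carry the required control flag under session management, and that no service has pam_unix without the LDAP or Kerberos module in front of it. The module paths (/usr/lib/security/$ISA/libpam_*.so.1), the sufficient control flag and the try_first_pass option on the auth entries are assumptions taken from common HP-UX samples, not requirements stated in this section.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): check that an HP-UX /etc/pam.conf
# follows the Trusted Mode ordering rules of section 5.2.2.3. The module paths and
# the "sufficient"/"try_first_pass" auth entries in the samples are assumptions.

# Constructed sample that follows the rules for a Directory Server integration:
# pam_ldap precedes pam_unix in every module type, both are "required" for session.
GOOD_PAM_CONF='# login and su services
login   auth     sufficient /usr/lib/security/$ISA/libpam_ldap.so.1
login   auth     required   /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
login   account  required   /usr/lib/security/$ISA/libpam_ldap.so.1
login   account  required   /usr/lib/security/$ISA/libpam_unix.so.1
login   session  required   /usr/lib/security/$ISA/libpam_ldap.so.1
login   session  required   /usr/lib/security/$ISA/libpam_unix.so.1
su      auth     sufficient /usr/lib/security/$ISA/libpam_ldap.so.1
su      auth     required   /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su      session  required   /usr/lib/security/$ISA/libpam_ldap.so.1
su      session  required   /usr/lib/security/$ISA/libpam_unix.so.1'

# Constructed sample for an Active Directory integration that breaks the rules:
# pam_unix precedes pam_krb5 for login auth, pam_krb5 is only "optional" for
# login session, and the su service has no pam_krb5 entries at all.
BAD_PAM_CONF='login   auth     required   /usr/lib/security/$ISA/libpam_unix.so.1
login   auth     sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login   session  optional   /usr/lib/security/$ISA/libpam_krb5.so.1
login   session  required   /usr/lib/security/$ISA/libpam_unix.so.1
su      auth     required   /usr/lib/security/$ISA/libpam_unix.so.1
su      session  required   /usr/lib/security/$ISA/libpam_unix.so.1'

# sample_file TEXT: write TEXT to a temporary file and print its path.
sample_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# check_pam_order FILE MODULE
# MODULE is "ldap" (Directory Server) or "krb5" (Active Directory).
# pam.conf fields: service  module_type  control_flag  module_path [options]
# Prints one VIOLATION line per problem and exits non-zero if any were found.
check_pam_order() {
    awk -v mod="$2" '
        BEGIN { bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }
        {
            key = $1 SUBSEP $2                    # (service, module_type)
            if ($4 ~ ("libpam_" mod "[.]")) {
                seen_mod[key] = 1
                if (key in seen_unix) {
                    print "VIOLATION: " $1 " " $2 ": pam_" mod " is listed after pam_unix"; bad = 1
                }
                if ($2 == "session" && $3 != "required") {
                    print "VIOLATION: " $1 " session: pam_" mod " flag is " $3 ", must be required"; bad = 1
                }
            } else if ($4 ~ /libpam_unix[.]/) {
                seen_unix[key] = 1
                if ($2 == "session" && $3 != "required") {
                    print "VIOLATION: " $1 " session: pam_unix flag is " $3 ", must be required"; bad = 1
                }
            }
        }
        END {
            # "for all services": any (service, type) with pam_unix must also have pam_<mod>
            for (k in seen_unix) {
                if (!(k in seen_mod)) {
                    split(k, p, SUBSEP)
                    print "VIOLATION: " p[1] " " p[2] ": pam_unix present but pam_" mod " is missing"; bad = 1
                }
            }
            exit bad
        }' "$1"
}

GOOD_FILE=$(sample_file "$GOOD_PAM_CONF")
BAD_FILE=$(sample_file "$BAD_PAM_CONF")

check_pam_order "$GOOD_FILE" ldap && echo "good sample: pam.conf ordering OK"
check_pam_order "$BAD_FILE" krb5 || echo "bad sample: violations found (expected)"
```

To audit a real host, call check_pam_order /etc/pam.conf ldap (or krb5 for an Active Directory integration); a non-zero exit status with VIOLATION lines means some service still consults /etc/passwd before the directory, or can complete a session without the LDAP or Kerberos module, which is exactly the condition the two rules above exist to prevent.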
5.2.2.4 Others
The authck -d command removes the /tcb/files/auth/... files created for
LDAP-based accounts. When an LDAP-based account logs in to the system again, a
new /tcb/files/auth/... file with a new audit ID is created, so audit records written
before and after the removal can no longer be tied to the same audit ID. Therefore, running
the authck -d command is not recommended when LDAP-UX is configured with Trusted
Mode.
You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based
accounts.
The LDAP repository and the /etc/passwd repository must not contain accounts with the same
login name or the same numeric user ID.
Except for the audit flag, you cannot modify the Trusted Mode properties or policies of
LDAP-based accounts. For example, locking an LDAP-based account by modifying its Trusted
Mode field does not prevent that account from logging in to the host. To lock the account,
you must disable it on the LDAP server itself. No runtime warning is given that the local
lock has no effect, so all system administrators must be trained accordingly, so that
administrative locks on accounts have the intended effect.
5.2.3 Configuration Parameter
LDAP-UX Client Services provides one configuration parameter, initial_ts_auditing,
with which you set the initial auditing setting for LDAP-based accounts. This
parameter is defined in the /etc/opt/ldapux/ldapux_client.conf file.
5.2 Integrating with Trusted Mode 93