Manualshelf

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software
101102103104105106107108109110
Table Of Contents
Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not
synchronized across hosts running in the Trusted Mode.
When an LDAP-based account name is changed, a new audit ID is generated on each host
that the account is newly used on. The initial_ts_auditing flag defined in the
/etc/opt/ldapux/ldapux_client.conf file will be reset to the default value.
When an account is deleted from LDAP, the audit information for that account is not removed
from the local system. If that account is re-used, the audit information from the previous
account will be re-used. You can choose to manually remove entries from the Trusted Mode
database by removing the appropriate file under the /tcb/files/auth/... directory, where "..."
defines the directory name based on the first character of the account name.
You can use the audisp command to display information about LDAP-based accounts.
However, if an LDAP-based account has never logged in to the system (via telnet, rlogin,
and so on), the audisp -u <username> command will display the message like "audisp:
all specified users names are invalid."
Password and Account Policies
The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP
server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based
accounts, and LDAP server policies are not enforced on local-based accounts. The password and
account policies and limitations are described as followings:
Accounts stored and authenticated through the LDAP server adhere to the security policies
of the directory server being used. These policies are specific to the brand and version of
the directory server product deloyed. Examples of these policies include password expiration,
password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode
product apply to accounts stored in the LDAP server.
An LDAP-based user logging into a system with an expired password is not allowed to
login, and no error or warning message is given. You can avoid the problem by changing
the password before it expires or by using an alternative method to change the LDAP
password.
When you integrate LDAP-UX on the HP-UX 11i v2 system with the Windows 2000 or 2003
Active Directory Server, if an LDAP-based user attempts to login to the system, but provides
the incorrect password multiple times in a row (the default is three times in a row), Trusted
Mode attempts to lock the account. However, LDAP-based accounts are not impacted by
the Trusted Mode attributes. So, if the user eventually provides the correct password, he or
she can login.
On the HP-UX 11i v1 system, if your LDAP server is the Windows 2000 or 2003 Active
Directory Server, and an LDAP-based user provides the incorrect password multiple times
in a row, the account will be locked. You have to use the /usr/lbin/modprpw -l -k
<username> command to unlock the account before the user can login again.
PAM Configuration File
If you integrate LDAP-UX with the Windows 2000 or 2003 Active Directory Server, you
must define the pam_krb5 library before the pam_unix library in the /etc/pam.conf file for
all services. In addition, you must set the control flag for both pam_krb5 and
pam_unixlibraries to required for Session management. See “Sample /etc/pam.conf
File for HP-UX 11i v1 Trusted Mode (page 271) and “Sample /etc/pam.conf File for HP-UX
11i v2 Trusted Mode” (page 273) for the proper configuration.
Others
The authck -d command removes the /tcb/files/auth/... files created for
LDAP-based accounts. When the LDAP-based account logs into the system again, a
new/tcb/files/auth/... file with new audit ID is recreated. Therfore, it is not
Integrating with Trusted Mode 101