LDAP-UX Client Services B.05.00 Administrator's Guide
# value should be at least twice as large as the combined size of all those
# groups.
#longterm_cache_size=50000000
#
# Should long term caching support enumeration of users and groups? If
# getpwent() and getgrent() are not required, this can be disabled.
#longterm_enum_enable=no
#
# How frequently should the HP-UX client go to the directory server to refresh
# the enumeration cache? 86400 = once per day.
#longterm_enum_search_interval=86400
As shown, offline credential caching is disabled by default. To enable offline credential caching,
uncomment the first line of the section (remove the pound sign (#)) and specify yes instead of
no as shown:
[longterm_cache]
enable=yes
#
Configure the other parameters as noted in the comments included with the configuration file.
To keep the default settings, you can leave the lines as they are (without removing the pound
signs that precede each line that defines a parameter).
NOTE: Offline credential caching is not supported for Windows ADS users.
Offline credential caching and integrated compat mode cannot be used together. Compat mode
is discussed in Section 2.5.5 (page 104).
2.5.5 Enabling integrated Compat Mode to control name services and user logins
LDAP-UX version 5.0 and higher makes available traditional NIS-style Compat (Compatibility)
Mode to control the name services that are used to obtain user and group information.
2.5.5.1 Overview
A legacy feature of NIS (the Network Information Service) is the ability to allow local control of
network-defined passwd entries. Administrators of NIS clients can select which accounts would
be available on the local host by specifying lists of netgroups in the host’s /etc/passwd file.
For additional details, see Appendix C of the Network Information Service (NIS) Administrator's
Guide. The following example shows how an administrator might limit logins on the local host
to members of the operator and webadmin groups. Within the /etc/passwd file, the
following entries would be added:
...
+@operator::::::
+@webadmin::::::
...
While this feature was typically used to control which groups of users could log in to a particular
host, it also could be used to obscure or override fields of a user’s passwd entry. For example,
an administrator could force a particular group of users to use a specific login shell by inserting
the path to the desired login shell in the 7th field of the entry (the login shell is positionally
defined as the 7th field in each entry in the /etc/passwd file):
...
+@icsuteam::::::/usr/local/bin/supportapp
...
+:x
In the previous example, any user that is a member of the icsuteam netgroup will be forced to run
the supportapp upon login to the system, regardless of how their personal login shell is defined
in the NIS passwd map. The +:x as the last line of the /etc/passwd file indicates that all
remaining accounts managed in the NIS passwd map will be visible on the system, but their
passwords will be masked with an x, which traditionally would prevent login.
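The following is an added example, not part of this guide or of LDAP-UX: a small audit script that parses the + entries described above and reports which netgroups a host admits and which passwd fields it overrides. The function names parse_compat and findings are hypothetical, the sample input is constructed, and only the + forms shown in this section are handled.

```python
# Added example: audit compat-mode (+) entries in an /etc/passwd-style file.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed sample input modelled on the entries shown in this section.
SAMPLE = """\
root:x:0:3::/:/sbin/sh
+@operator::::::
+@webadmin::::::
+@icsuteam::::::/usr/local/bin/supportapp
+:x
"""

def parse_compat(text):
    """Return one dict per compat (+) entry, in file order."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("+"):
            continue  # ordinary local account or blank line
        parts = line.split(":")
        parts += [""] * (7 - len(parts))  # pad short lines such as "+:x"
        rec = dict(zip(FIELDS, parts[:7]))
        name = rec["name"]
        if name.startswith("+@"):
            scope, target = "netgroup", name[2:]
        elif name == "+":
            scope, target = "all-remaining", None
        else:
            scope, target = "user", name[1:]
        # Any non-empty field after the name overrides the directory value.
        overrides = {f: rec[f] for f in FIELDS[1:] if rec[f]}
        entries.append({"line": lineno, "scope": scope,
                        "target": target, "overrides": overrides})
    return entries

def findings(entries):
    """Flag entries an administrator should review."""
    out = []
    for e in entries:
        who = e["target"] or "all remaining accounts"
        shell = e["overrides"].get("shell")
        if shell:
            out.append(f"line {e['line']}: shell forced to {shell} for {who}")
        if e["scope"] == "all-remaining" and e["overrides"].get("passwd") != "x":
            out.append(f"line {e['line']}: catch-all '+' entry without x mask")
    return out

if __name__ == "__main__":
    print(findings(parse_compat(SAMPLE)))
```
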