LDAP-UX Client Services B.05.00 Administrator's Guide
b. /etc/opt/ldapux/ldapux_client.conf
Search for "enable_compat_mode". To enable internal compat-mode processing in
ldapclientd, set this value to 1.
NOTE: If LDAP-UX has been configured previously on your host, you will need to examine
the newly delivered configuration files found under /opt/ldapux/newconfig/etc/opt/ldapux.
Compare and merge the existing configuration files with those delivered in the newconfig
subdirectory.
3. Restart ldapclientd. Use the following commands:
# /opt/ldapux/bin/ldapclientd -k
# /opt/ldapux/bin/ldapclientd
4. If you change the netgroup list in /etc/passwd or /etc/group and want to force
ldapclientd to reflect the updated configuration, force ldapclientd to rebuild its cache
with the following command:
# /opt/ldapux/bin/ldapclientd -f
2.5.5.3.1 Limitations
When processing netgroup information for compat mode (that is, +@<netgroup>,
-@<netgroup> in /etc/passwd), internal compat-mode processing in ldapclientd always
searches the LDAP directory first for the definition of the netgroup entries and then the
local /etc/netgroup file. As a result, if the same network group with different group members
is configured in both /etc/netgroup and the LDAP directory, the members defined in the
netgroup stored in the LDAP directory will be used instead of the entries from the local
/etc/netgroup file.
HP recommends that you do not configure netgroups with the same name in both the
/etc/netgroup file and the LDAP directory.
Also, long-term offline credential caching and integrated compat mode cannot be used together.
Long-term offline credential caching is discussed in Section 2.5.4 (page 102).
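A check for the name collisions the recommendation above warns about, added here as an example and not part of the guide or of LDAP-UX itself. It assumes the directory stores netgroups in the RFC 2307 nisNetgroup schema and that you have an LDIF export of them (for instance from ldapsearch); both inputs below are constructed samples.

```python
import re

# Constructed sample of a local /etc/netgroup (with a '\' continuation line).
LOCAL_NETGROUP = """\
# local netgroups
admins (host1,alice,) (host1,bob,)
devs   (,carol,) \\
       (,dave,)
"""

# Constructed LDIF export of directory netgroups; assumes the RFC 2307
# nisNetgroup schema, which this page of the guide does not state.
LDAP_NETGROUP_LDIF = """\
dn: cn=admins,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: admins
nisNetgroupTriple: (host1,alice,)
nisNetgroupTriple: (,erin,)

dn: cn=ops,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: ops
nisNetgroupTriple: (,frank,)
"""

def parse_etc_netgroup(text):
    """Map netgroup name -> set of members (triples or nested netgroup names)."""
    groups = {}
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # join continuations
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if fields:
            groups[fields[0]] = set(fields[1:])
    return groups

def parse_netgroup_ldif(text):
    """Map cn -> set of members for every nisNetgroup entry in an LDIF export."""
    groups = {}
    for entry in re.split(r"\n\s*\n", text.strip()):  # entries are blank-line separated
        attrs = {}
        for key, _, value in (l.partition(":") for l in entry.splitlines()):
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "nisNetgroup" in attrs.get("objectclass", []):
            groups[attrs["cn"][0]] = set(attrs.get("nisnetgrouptriple", [])
                                         + attrs.get("membernisnetgroup", []))
    return groups

def find_shadowed_netgroups(local, ldap):
    """Names in both sources; LDAP wins, so report local members that vanish."""
    return {name: {"effective": sorted(ldap[name]),
                   "dropped_local_members": sorted(local[name] - ldap[name])}
            for name in sorted(set(local) & set(ldap))}
```

Run it against the real /etc/netgroup and a fresh LDIF export before enabling compat mode; any name in the result is one whose local members will silently be ignored.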
2.5.6 Controlling user access to the system through LDAP
By default, all users stored in the LDAP directory are allowed to log in to the local HP-UX client
system. LDAP-UX provides several ways to increase the security level to prevent unwanted
users from logging in to the local system through LDAP, including the following:
• Using the PAM_AUTHZ service module to control login access, as described in Section 5.3
(page 140)
• Disabling logins to the local system from specified LDAP users by configuring the
disable_uid_range flag in the local client's start-up file
(/etc/opt/ldapux/ldapux_client.conf), as described in Section 2.5.6.1 (page 106)
• Preventing unwarranted access to the local system by users defined in the LDAP directory
server that have equivalent user names or user identification numbers (UIDs) in the local
system /etc/passwd file, as described in Section 2.5.6.2 (page 107)
• Using the ignore option to enable specified users to be ignored by PAM_LDAP authentication,
as described in “Configuring PAM_LDAP authentication to ignore specific users” (page 109).
2.5.6.1 Using the disable_uid_range flag to prevent access to the local system by unwanted users
To prevent specific users from logging in to a local system, you can set the disable_uid_range
flag in the local client's start-up file, /etc/opt/ldapux/ldapux_client.conf. The flag is in
the [NSS] section of the file. (HP recommends that you do not edit the [profile] section of
the file.) The following example shows the portion of the file containing the flag:
106 Installing and configuring LDAP-UX Client Services