LDAP-UX Client Services B.05.00 Administrator's Guide

#
# You can disable specific users so that they are unable to log in
# through the LDAP server by uncommenting the "disable_uid_range"
# flag and adding the UID numbers you want to disable. For example:
#
# disable_uid_range=0-100,120,300-400
#
# Note: The list of UID numbers must be on one line and the maximum
# number of ranges is 20. The system will ignore the typos and white spaces.
#
#disable_uid_range=0
To enable and configure the flag, first save a copy of the /etc/opt/ldapux/ldapux_client.conf
file and edit the original. Then uncomment the flag (remove the #) and enter the UID range(s).
For example, the flag might look like this:
disable_uid_range=0-100, 300-450, 89
Another common example would be to disable root access, in which case the flag would look
like this: disable_uid_range=0.
NOTE:
White spaces between numbers are ignored.
Only one line of the list is accepted; however, the line can be wrapped.
The maximum number of ranges is 20.
When disable_uid_range is turned on, the disabled UIDs are not displayed when you run
commands such as pwget, listusers, and logins.
NOTE: The passwd command may still allow you to change a password for a disabled user
when alternative authentication methods, such as PAM Kerberos, are used since LDAP does not
control these subsystems.
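As an added example (not code from the guide or from the LDAP-UX product), the following Python audit helper reads the uncommented flag out of a constructed ldapux_client.conf excerpt, expands the UID list according to the rules above (white space ignored, comma-separated single UIDs or low-high ranges, at most 20 ranges), and answers whether a given UID is disabled. Rejecting malformed entries is this helper's own choice; the client itself ignores typos.

```python
import re

MAX_RANGES = 20  # limit stated in the guide for the disable_uid_range list

# Constructed excerpt of an edited ldapux_client.conf (not a real file): the
# shipped comments stay in place and the active flag is uncommented below.
SAMPLE_CONF = """\
# disable_uid_range=0-100,120,300-400
#
#disable_uid_range=0
disable_uid_range=0-100, 300-450, 89
"""

def active_flag(conf_text):
    """Return the value of the first uncommented disable_uid_range line, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # still commented out, so the flag is not enabled
        m = re.fullmatch(r"disable_uid_range\s*=\s*(.*)", line)
        if m:
            return m.group(1)
    return None

def parse_disable_uid_range(value):
    """Parse a value such as '0-100, 300-450, 89' into a list of (low, high) pairs.

    White space is ignored, as the guide states. Unlike the client, which ignores
    typos, this audit helper raises ValueError on malformed entries so a mistake
    cannot silently leave an intended UID enabled.
    """
    entries = [e for e in re.sub(r"\s+", "", value).split(",") if e]
    if len(entries) > MAX_RANGES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_RANGES}")
    ranges = []
    for entry in entries:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", entry)
        if not m:
            raise ValueError(f"malformed entry {entry!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if high < low:
            raise ValueError(f"reversed range {entry!r}")
        ranges.append((low, high))
    return ranges

def is_uid_disabled(uid, ranges):
    """True if uid falls inside any parsed range, e.g. root (UID 0) when 0 is listed."""
    return any(low <= uid <= high for low, high in ranges)
```

Running `is_uid_disabled(0, parse_disable_uid_range(active_flag(SAMPLE_CONF)))` confirms that the sample flag blocks root (UID 0) from logging in through LDAP.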
2.5.6.2 Using the deny_local option to prevent access to the local system by unwanted users
LDAP-UX version 4.2 and later provides a simple and effective way to disable system access for
local user accounts that are also defined in the LDAP directory server. Without this level of
security protection, an LDAP-UX user with the same user name or account number (UID) as a
user defined in the local system's /etc/passwd file could illegitimately gain access to the local
system. For example, if the root user is defined in the local system's /etc/passwd file, an
LDAP-UX directory server administrator could create a user named “root” and then log in to
the local system based on the password associated with user “root” on the directory server.
To disable system access for local user accounts that are also defined in the LDAP directory
server, configure the deny_local option in the PAM configuration file /etc/pam.conf,
entering a line for each service, in the following format:
service module_type required libpam_ldap.so.1 deny_local
where:
service
    Specifies the service used for accessing the system.
module_type
    Specifies the service module type: authentication (auth), account management (account),
    session management (session), or password management (password). Typically, the
    deny_local option is specified for both authentication and account management, and for
    all PAM-enabled services.
required
    Specifies the control flag as required (mandatory).
libpam_ldap.so.1
    Specifies the pathname to the PAM_LDAP library object that implements the service
    functionality. If the pathname is not absolute, it is assumed to be relative to
    /usr/lib/security/$ISA/.