LDAP-UX Client Services B.05.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

131

132

133

134

135

136

137

138

139

140

If you update LDAP-UX Client Services from an older version, such as B.03.00 or B.03.10, the

new configuration file will be /opt/ldapux/newconfig/etc/opt/ldapux/

ldapclientd.conf.

5.2 Integrating with Trusted Mode

This section describes features and limitations, PAM configuration changes and configuration

parameter for integrating LDAP-UX with Trusted Mode.

5.2.1 Overview

LDAP-UX Client Services B.03.30 or later supports coexistence with Trusted Mode. This means

that local-based accounts can benefit from the Trusted Mode security policies, while LDAP-based

accounts benefit from the security policies offered by the LDAP server. This release of LDAP-UX

also enables LDAP-based and local-based accounts to be audited on the Trusted Mode.

The coexistence of LDAP-UX and Trusted Mode supports certain security features, but also has

limitations and usage requirements that you need to be aware of. For detailed information, see

“Features and limitations” (page 138).

5.2.2 Features and limitations

This subsection describes features and limitations of integrating LDAP-UX with Trusted Mode.

5.2.2.1 Auditing

Integrating LDAP-UX with Trusted Mode enables accounts stored in the LDAP directory to log

in to a local host and to be audited on the Trusted Mode. The following describes the auditing

features and limitations. To use these security features, you must enable the audit subsystem on

the Trusted Mode local host:

• Auditing of both LDAP-based and local-based (/etc/passwd) accounts is possible. By

default, auditing is disabled for all LDAP-based accounts. However, you can use the audusr

(option -a or -d) command to alter the auditing flag for individual LDAP-based account.

• For LDAP-based accounts that are not yet known to the system, you can configure an initial

setting for the auditing flag. You can configure this flag such that when an account becomes

known to the system for the first time, auditing for that account is immediately enabled or

disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/

ldapux/ldapux_client.conf file.

• You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode

attributes for LDAP-based accounts are not stored in the LDAP directory server. For example,

enabling auditing for an account on host A does not enable auditing on host B.

• Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not

synchronized across hosts running in the Trusted Mode.

• When an LDAP-based account name is changed, a new audit ID is generated on each host

that the account is newly used on. The initial_ts_auditing flag is reset to the default

value defined in the /etc/opt/ldapux/ldapux_client.conf file.

• When an account is deleted from LDAP, the audit information for that account is not removed

from the local system. If that account is re-used, the audit information from the previous

account is re-used. You can choose to manually remove entries from the Trusted Mode

database by removing the appropriate file under the /tcb/files/auth/... directory,

where "..." defines the directory name based on the first character of the account name.

• You can use the audisp command to display information about LDAP-based accounts.

However, if an LDAP-based account has never logged in to the system (via telnet, rlogin,

and so on), the audisp -u <username> command displays the message like "audisp:

all specified users names are invalid."

138 Administering LDAP-UX Client Services