LDAP-UX Client Services B.05.00 Administrator's Guide

5.2.2.2 Password and account policies
The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP
server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based
accounts, and LDAP server policies are not enforced on local-based accounts. The password and
account policies and limitations are described as follows:
Accounts stored and authenticated through the LDAP directory adhere to the security
policies of the directory server being used. These policies are specific to the brand and version
of the directory server product deployed. Examples of these policies include password
expiration, password syntax checking, and account expiration. No policies of the HP-UX
Trusted Mode product apply to accounts stored in the LDAP server.
When you integrate LDAP-UX on an HP-UX system with the HP-UX Directory Server or
Redhat Directory Server, if an LDAP-based user attempts to log in to the system, but provides
the incorrect password multiple times in a row (the default is three times in a row), Trusted
Mode attempts to lock the account. However, the Trusted Mode attributes do not impact
LDAP-based accounts. So, if the user eventually provides the correct password, he or she
can log in.
5.2.2.3 PAM configuration file
If you integrate LDAP-UX Client Services with the HP-UX Directory Server or Redhat
Directory Server, you must define the PAM_LDAP library before the pam_unix library in
the /etc/pam.conf file for all services. You must set the control flag for both the PAM_LDAP
and pam_unix libraries to required under session management. For the proper
configuration, see “Sample /etc/pam.ldap.trusted file configured by setup” (page 353).
If you integrate LDAP-UX Client Services with the Windows Server 2003 R2/2008 Active
Directory Server, you must define the pam_krb5 library before the pam_unix library in
the /etc/pam.conf file for all services. In addition, the control flag for both the pam_krb5
and pam_unix libraries must be set to required for session management. For the proper
configuration, see the LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory
Server Administrator's Guide.
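The two /etc/pam.conf rules above (the directory module listed before pam_unix in every stack, and both set to required under session management) can be checked mechanically. The following is an added example, not part of HP's guide or the pam.ldap.trusted sample; the pam.conf fragment is constructed and the module file names libpam_ldap.so.1 and libpam_unix.so.1 are assumptions. The module name is a parameter, so the same check covers the Active Directory case by passing "libpam_krb5".

```python
# Constructed /etc/pam.conf fragment in HP-UX syntax: service type flag module [options].
# Module file names are assumptions for this example; the two "su" stacks deliberately
# break the rules so the checker has something to report.
SAMPLE_PAM_CONF = """\
login   auth     required   libpam_ldap.so.1
login   auth     required   libpam_unix.so.1 try_first_pass
login   account  required   libpam_ldap.so.1
login   account  required   libpam_unix.so.1
login   session  required   libpam_ldap.so.1
login   session  required   libpam_unix.so.1
su      auth     required   libpam_unix.so.1
su      auth     required   libpam_ldap.so.1
su      session  optional   libpam_ldap.so.1
su      session  required   libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(flag, module), ...]} in stack order, ignoring comments."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed line
        service, mtype, flag, module = fields[0], fields[1].lower(), fields[2].lower(), fields[3]
        stacks.setdefault((service, mtype), []).append((flag, module))
    return stacks


def check_trusted_mode_order(text, dir_mod="libpam_ldap", unix_mod="libpam_unix"):
    """List every stack that violates the guide's ordering or session-flag rule."""
    problems = []
    for (service, mtype), entries in sorted(parse_pam_conf(text).items()):
        modules = [m for _, m in entries]
        dir_idx = next((i for i, m in enumerate(modules) if dir_mod in m), None)
        unix_idx = next((i for i, m in enumerate(modules) if unix_mod in m), None)
        # Rule 1: the directory module must precede pam_unix wherever both appear.
        if dir_idx is not None and unix_idx is not None and dir_idx > unix_idx:
            problems.append(f"{service} {mtype}: {dir_mod} must be listed before {unix_mod}")
        # Rule 2: under session management both modules must be 'required'.
        if mtype == "session":
            for flag, module in entries:
                if (dir_mod in module or unix_mod in module) and flag != "required":
                    problems.append(f"{service} session: {module} is '{flag}', must be 'required'")
    return problems


if __name__ == "__main__":
    for problem in check_trusted_mode_order(SAMPLE_PAM_CONF):
        print(problem)
```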
5.2.2.4 Others
The authck -d command removes the /tcb/files/auth/... files created for
LDAP-based accounts. When the LDAP-based account logs into the system again, a new
/tcb/files/auth/... file with a new audit ID is recreated. Therefore, it is not recommended
to run the authck -d command when you configure LDAP-UX with Trusted Mode.
You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based
accounts.
The LDAP repository and /etc/passwd repository must not contain accounts with the
same login name or account number.
Except for the audit flag, you cannot modify other Trusted Mode properties/policies for
LDAP-based accounts. For example, attempting to lock an LDAP-based account by modifying
the Trusted Mode field for that user does not prevent that account from logging in to the
host. Instead, you must disable the account on the LDAP server itself. No runtime warning
will be given that the local locking of the account has no effect. It is important that all system
administrators are properly trained, so that administrative locks on accounts have the desired
effect.
5.2.3 Configuration parameter
LDAP-UX Client Services provides one configuration parameter, initial_ts_auditing,
available for you to configure the initial auditing setting for the LDAP-based account. This
parameter is defined in the /etc/opt/ldapux/ldapux_client.conf file.