LDAP-UX Client Services B.05.00 Administrator's Guide
# Setting the user password to be returned as any string for the hidden
# password could allow users with active accounts on a remote host to
# rlogin to the local host into a disabled account.
#
#password_as="x"
# You can use the following configuration to specify initial Trusted Mode
# auditing for LDAP users. "0" will tell LDAP-UX to set initial auditing
# to be "off" for all LDAP users logging into this HP-UX client system, "1"
# will set initial auditing to be "on". You can change auditing by using
# "audusr -a/-d" (see "audusr" manual page).
#
# Note: Setting "initial_ts_auditing=1" will not enable auditing unless
# you have already started the auditing system, which can be done using
# SAM or "audsys -n" (see "audsys" manual page).
#
#initial_ts_auditing=0
# You can use the following configuration to specify which keytab file to
# use. If you don't specify a keytab file here, then the default keytab
# file will be used. The default is /etc/krb5.keytab or the one specified
# in /etc/krb5.conf file.
#
# Note: The following line is just an example. If your keytab file for
# LDAP-UX is not /etc/opt/ldapux/ldapux.keytab, you need to replace it
# with the one you want.
#
#kerberos_keytab_file=/etc/opt/ldapux/ldapux.keytab
# To use case insensitive matching for the netgroup service, for the
# innetgr() API, uncomment the line below.
#netgroup_case_ignore=1
# startTLS triggers a TLS negotiation with the communications layer
# of the LDAP Directory Server, allowing channel-level encryption
# for data security purposes.
#
# LDAP-UX performs a startTLS operation to establish a TLS connection
# through an unencrypted port such as 389. Please refer to the LDAP-UX
# administrator's guide and RFC 2830 for more detailed information.
#
# By default startTLS is disabled. The support of startTLS
# extended operation is enabled when enable_startTLS is set to 1.
# To disable the feature, please set the value of enable_startTLS option
# to 0 or comment out the option.
# PLEASE READ
# Setting enable_startTLS to 1 does not alone configure TLS session
# encryption. It merely specifies that TLS should be used instead of
# SSL when encryption/validation is required. Just as with SSL,
# in order to fully enable TLS, the /etc/opt/ldapux/cert8.db must
# contain a CA or LDAP server certificate and TLS/SSL must be enabled in
# the LDAP-UX configuration profile (created by the /opt/ldapux/config/setup
# tool).
#
# Note: In future LDAP-UX releases, TLS will be enabled by default instead of
# SSL for new installations.
#
enable_startTLS=1
# You can use the following configuration to adjust the level of validation
# performed on the SSL certificates of LDAP servers. There are three options
# available for peer_cert_policy:
# WEAK performs no validation of SSL certificates.
# CERT is the default and verifies that the issuers of peer SSL certificates
# are trusted.
# CNCERT performs both the CERT check and also verifies that the common name
# or subjectAltName values embedded in the certificate match the
# address used to connect to the LDAP server, as described in RFC 4513.
# Please note that LDAP-UX normally stores the IP address of LDAP
# servers in the configuration profile, and certificates normally
# embed the host name or fully qualified host name. Therefore the
# preferredserverlist setting in the profile may need to be adjusted
# to address the LDAP server using its host name if this option is
# used. Host names may not be used in the profile if the system is
# configured to use LDAP-UX for host name resolution. Please see the
# documentation for details on manually adjusting the profile.
#
#peer_cert_policy=CERT
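The following is an added example, not part of the LDAP-UX sample file or of HP's code. It parses key=value lines of the form shown above (assuming the "#" comment and double-quote conventions seen in this file), reports the effective TLS posture using the defaults the comments state (startTLS off, peer_cert_policy CERT), and models the CNCERT identity check so that the caveat about IP addresses in preferredserverlist becomes concrete: a certificate that embeds only a host name does not match when the profile addresses the server by IP. The function names, the sample configuration and the sample values (192.0.2.10, ldap1.example.com) are constructed for the example; the matcher is a simplified model of RFC 4513 host-name matching, not LDAP-UX's implementation.

```python
import ipaddress
import re

# Constructed sample fragment in the style of ldapux_client.conf (hypothetical values).
SAMPLE_CONF = """\
# comment lines and blank lines are ignored
enable_startTLS=1
#peer_cert_policy=CERT
password_as="x"
"""


def parse_conf(text):
    """Parse 'key=value' lines, ignoring '#' comments and surrounding double quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_tls_posture(settings):
    """Return findings about the TLS-related settings.

    Defaults follow the comments in the sample file: startTLS is off unless
    enable_startTLS=1, and peer_cert_policy is CERT when not set.
    """
    findings = []
    starttls = settings.get("enable_startTLS", "0") == "1"
    policy = settings.get("peer_cert_policy", "CERT").upper()
    if policy == "WEAK":
        findings.append("peer_cert_policy=WEAK: server certificates are not validated")
    elif policy == "CERT":
        findings.append("peer_cert_policy=CERT: issuer is trusted, but the host name is not checked")
    if not starttls:
        findings.append("enable_startTLS not set to 1: startTLS is disabled on the unencrypted port")
    if "password_as" in settings:
        findings.append("password_as is set: the hidden password is returned as a fixed string")
    return findings


def _dns_name_match(pattern, host):
    """Case-insensitive DNS name comparison; '*' is honoured only in the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if len(plabels) != len(hlabels) or "*" not in plabels[0]:
        return False
    if plabels[1:] != hlabels[1:]:
        return False
    regex = re.escape(plabels[0]).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, hlabels[0]) is not None


def cncert_matches(connect_target, dns_names, ip_names, common_name=None):
    """Simplified model of the CNCERT check (assumption, not LDAP-UX's code).

    The address used to connect must match a subjectAltName entry: an IP
    address is compared against iPAddress entries only, a host name against
    dNSName entries, and the CN is consulted only when no subjectAltName
    values are present.
    """
    try:
        addr = ipaddress.ip_address(connect_target)
    except ValueError:
        addr = None
    if addr is not None:
        return any(ipaddress.ip_address(ip) == addr for ip in ip_names)
    if dns_names or ip_names:
        return any(_dns_name_match(p, connect_target) for p in dns_names)
    return common_name is not None and _dns_name_match(common_name, connect_target)


if __name__ == "__main__":
    for finding in audit_tls_posture(parse_conf(SAMPLE_CONF)):
        print(finding)
    # Profile addresses the server by IP, certificate carries only a dNSName:
    # this is the mismatch the comments above warn about.
    print(cncert_matches("192.0.2.10", ["ldap1.example.com"], []))
    print(cncert_matches("ldap1.example.com", ["ldap1.example.com"], []))
```

The default policy of CERT is reported as a finding because it accepts any certificate from a trusted issuer regardless of the name it carries; switching to CNCERT is only useful once preferredserverlist names the server the same way the certificate does, which `cncert_matches` lets you check before changing the profile.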
# LDAP-UX returns group information requested by initgroups(3C), which
362 Samples of LDAP-UX configuration files created or modified by autosetup