LDAP-UX Client Services B.05.00 Administrator's Guide

good idea to have as few profiles as necessary. To see what is in a profile and help you decide
how many different profiles you need, look at the posixNamingProfile object class in
“LDAP-UX Client Services object classes” (page 349).
If you are familiar with NIS, one possibility is to create a separate profile for each NIS domain.
Where in your directory will you put your profile?
The profile contains directory access information. It specifies how and where clients can
find user and group data in the directory. You can put the profile anywhere you want, as
long as the client systems can read it. For example, you might put it near your user data, or
you could put it in a separate administrative area. To simplify access permission, put the
profile in the same directory as your user and group data. Clients must have access to both
the profile and the user and group data. Figure 2-3 shows a configuration profile DN of
cn=profile1,ou=profiles,ou=unix,o=hp.com.
Figure 2-3 Example directory structure
[Figure: a directory tree rooted at o=hp.com. Beneath it is ou=unix, which contains ou=profiles (holding profile 1), ou=hosts (host data), ou=groups (group data), and ou=people (user data).]
Write your configuration profile DN on the worksheet in “Configuration worksheet”
(page 347).
By what method will client systems bind to the directory?
Clients can bind to the directory anonymously. This is the default and is simplest to
administer. If you need to prevent access to your data from anonymous users, or your
directory does not support anonymous access, you can use a proxy user. If you configure a
proxy user, you can also configure anonymous access to be attempted in the event the proxy
user fails.
Write your client access method and proxy user DN, if needed, on the worksheet in
“Configuration worksheet” (page 347).
How will you increase the security level of the product to prevent an unwanted user from
logging in to the system through LDAP? What is the procedure to set up increased login
security?
The default is to allow all users stored in the LDAP directory to log in. To prevent specific
users from logging in to a local system, you can configure the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file, as described in Section 2.5.6.1 (page 106).
You can also use pam_authz or the deny_local option (in PAM_LDAP) to disable system
access for accounts defined in LDAP. For more information about the PAM_AUTHZ service
module, see Section 5.3 (page 140) or the pam_authz(5) manpage. For information about the
deny_local option, see Section 2.5.6.2 (page 107).
What PAM authentication will you use? How will you set up the PAM configuration file
/etc/pam.conf? What other authentication do you want to use and in what order? Do
2.4 Customized installation (setup) 61