LDAP-UX Client Services B.05.00 Administrator's Guide

IMPORTANT: If you attempt to use this new feature, in the ldapclientd.conf file, the
start configuration parameter of the printer services section must be set to yes. If the
start option is enabled, the printer configurator will start when ldapclientd is
initialized. By default, the start parameter is enabled.
Do you want to import the NIS publickey schema into your LDAP directory if you choose
to store and manage NIS publickeys in the LDAP directory?
LDAP-UX Client Services supports discovery and management of NIS publickeys in an
LDAP directory. Both the public and the private (secret) keys used by the SecureRPC API can be
stored in user and host entries in an LDAP directory server, using the nisKeyObject
objectclass.
Do you want to import the automount schema into your LDAP directory server if you choose
to store and manage automount maps in the LDAP directory?
LDAP-UX Client Services supports the automount service under the AutoFS subsystem.
This new feature allows you to store automount maps in, and retrieve them from, an LDAP directory.
LDAP-UX Client Services supports the new automount schema based on RFC 2307-bis. The
nisObject automount schema can also be used if configured through attribute mappings.
For detailed information about AutoFS with LDAP support, see Section 2.5.3 (page 95).
What name services will you use? How will you set up /etc/nsswitch.conf? In what
order do you want NSS to try services?
NSS is the Name Service Switch, providing naming services for user names, group names,
and other information. You can configure NSS to use files, LDAP, or NIS in any order and
with different parameters. For an example nsswitch.conf file using files and LDAP, see
/etc/nsswitch.ldap. For information on NSS, see the switch(4) manpage and the
"Configuring the Name Service Switch" chapter in NFS Services Administrator's Guide, available
at the following location:
http://www.hp.com/go/hpux-core-docs (Click HP-UX 11i v3).
HP recommends that you use files first, followed by LDAP for passwd, group, and other
supported name services. With this configuration, NSS will first check files, and if the name
service data is not in the respective files, then check the directory. The /etc/nsswitch.ldap
file is an example of this configuration.
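As an added illustration that is not part of the guide, the following Python parses nsswitch.conf content and reports any database that consults ldap before files, the ordering HP recommends against above. The file content is a constructed sample (not a copy of /etc/nsswitch.ldap), and the function names are mine.

```python
import re

# Constructed sample nsswitch.conf content, not a copy of /etc/nsswitch.ldap.
# 'hosts' shows the [STATUS=action] criteria syntax; 'automount' lists ldap
# first, which is the ordering the guide advises against.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf - constructed example
passwd:    files ldap
group:     files ldap
hosts:     files [NOTFOUND=continue] dns
automount: ldap files
netgroup:  ldap
"""

CRITERIA = re.compile(r"\[[^\]]*\]")  # matches [NOTFOUND=continue]-style tokens


def parse_nsswitch(text):
    """Return {database: [source, ...]} with comments and criteria stripped."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        name, sources = line.split(":", 1)
        # Remove [STATUS=action] criteria so only source names remain.
        tokens = CRITERIA.sub(" ", sources).split()
        databases[name.strip()] = [t.lower() for t in tokens]
    return databases


def check_files_before_ldap(databases, wanted=("passwd", "group")):
    """Report databases in `wanted` that use ldap without trying files first.

    Returns {database: finding}; an empty dict means every checked database
    either does not use ldap or lists files ahead of it.
    """
    findings = {}
    for db in wanted:
        sources = databases.get(db)
        if not sources or "ldap" not in sources:
            continue  # the directory is not consulted for this database
        if "files" not in sources:
            findings[db] = "ldap used without files"
        elif sources.index("ldap") < sources.index("files"):
            findings[db] = "ldap listed before files"
    return findings


if __name__ == "__main__":
    parsed = parse_nsswitch(SAMPLE_NSSWITCH)
    for db, why in check_files_before_ldap(parsed, wanted=tuple(parsed)).items():
        print(f"{db}: {why}")
```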
Do you need to configure login authorization for a subset of users from a large repository
such as an LDAP directory? How will you set up the /etc/opt/ldapux/
pam_authz.policy and /etc/pam.conf files to implement this feature?
The PAM_AUTHZ service module for PAM provides functionality that allows the
administrator to control who can log in to the system. The PAM_AUTHZ module has been
created to provide access control similar to the netgroup filtering feature that is
performed by NIS. The module is located at /usr/lib/security/libpam_authz.1 on a
PA-RISC machine and at /usr/lib/security/libpam_authz.so.1 on an HP Integrity (IA64)
server. Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to
allow system administrators to configure and customize their local access rules in a
local policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ module uses the
access control rules defined in this local policy file to control login authorization.
PAM_AUTHZ is intended to be used when NIS is not used, such as when the PAM_LDAP or
PAM_KERBEROS authentication modules are used. Because PAM_AUTHZ does not provide
authentication, it does not verify whether a user account exists.
If the /etc/opt/ldapux/pam_authz.policy file does not exist in the system,
PAM_AUTHZ provides access control based on the netgroup information found in the
2.4 Customized installation (setup) 63