LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

the user or group is not in the respective files. /etc/nsswitch.ldap is an example of this
configuration.
Do you need to set up login authorization for a subset of users from a large repository such
as a directory server? How will you set up the access policy file and /etc/pam.conf files
to implement this feature?
The PAM_AUTHZ service module for PAM lets the administrator control who can log in to the
system. The module is installed under /usr/lib/security/ as libpam_authz.1 on an HP 9000
(PA-RISC) machine and as libpam_authz.so.1 on an HP Integrity server.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to allow
system administrators to configure and customize their local access rules in a local policy file,
/etc/opt/ldapux/pam_authz.policy. PAM_AUTHZ uses these access control rules
defined in the local policy file to control login authorization. PAM_AUTHZ is an authorization
module, not an authentication module: it does not verify that a user account exists or check a
password, so it must be combined with an authentication module in the PAM stack.
If the /etc/opt/ldapux/pam_authz.policy file does not exist in the system, PAM_AUTHZ
performs access control based on the netgroup information found in the /etc/passwd and
/etc/netgroup files. If the /etc/opt/ldapux/pam_authz.policy file exists in the
system, PAM_AUTHZ uses the access rules defined in the policy file to determine who can log
in to the system.
For detailed information on this feature and how to configure the /etc/opt/ldapux/
pam_authz.policy file, see Section 6.4 (page 98) or the pam_authz(5) manpage.
Do you want to configure /etc/opt/ldapux/pam_authz.policy to enforce account and password
policies stored in a directory server?
LDAP-UX extends pam_authz to enforce account and password policies stored in a directory server.
This matters for SSH (Secure Shell) and for r-commands (rlogin, rcp, and so forth) with rhosts
trust enabled: in these cases authentication is not performed by the PAM subsystem but by the
command itself, so the checks that the PAM authentication stack would normally perform do not
run, and the account stack is the only place where the directory's policies can be enforced.
For details on this feature and how to configure the pam_authz.policy file, see Section 6.4.10
(page 108).
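A practical consequence of the two preceding points (the pam.conf question and the SSH/r-command case) is that pam_authz only helps if it is actually present in the "account" stack of every login service, including the services that do not authenticate through PAM. The following script is an added example, not part of this guide or of the LDAP-UX product: it parses an HP-UX style /etc/pam.conf (service, module type, control flag, module path) and lists the services that have an account stack but no pam_authz line. The sample pam.conf embedded in it is constructed for illustration; the module names follow the page (libpam_authz.so.1 on Integrity, libpam_authz.1 on PA-RISC), and the control flags and other module names are assumed.

```sh
#!/bin/sh
# Added example: find login services whose "account" stack lacks pam_authz.
# SAMPLE_PAM_CONF is a constructed /etc/pam.conf fragment, not a real system's file.
# Column layout assumed: service  module-type  control-flag  module-path [options]

SAMPLE_PAM_CONF='# service  module-type  control-flag  module-path
login   auth      required   libpam_hpsec.so.1
login   auth      required   libpam_unix.so.1
login   account   required   libpam_hpsec.so.1
login   account   required   libpam_unix.so.1
login   account   required   libpam_authz.so.1
sshd    auth      required   libpam_hpsec.so.1
sshd    auth      required   libpam_unix.so.1
sshd    account   required   libpam_hpsec.so.1
sshd    account   required   libpam_unix.so.1
rlogin  account   required   libpam_unix.so.1
'

# has_authz FILE SERVICE
# Exit 0 if SERVICE has an uncommented "account" line whose module path is
# libpam_authz.so.1 (Integrity) or libpam_authz.1 (PA-RISC), else exit 1.
has_authz() {
    awk -v svc="$2" '
        $1 !~ /^#/ && $1 == svc && $2 == "account" &&
        $4 ~ /libpam_authz(\.so)?\.1$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# list_missing FILE
# Print, one per line and sorted, every service that has an "account" stack
# but no pam_authz entry in it. Services with no account stack at all are
# not reported; they would need a separate check.
list_missing() {
    awk '$1 !~ /^#/ && $2 == "account" { print $1 }' "$1" | sort -u |
    while read -r svc; do
        has_authz "$1" "$svc" || echo "$svc"
    done
}

# Stand-alone use: "sh check_authz.sh /etc/pam.conf" checks a real file;
# with no argument the constructed sample is checked instead.
if [ "$#" -gt 0 ]; then
    list_missing "$1"
else
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_PAM_CONF" > "$tmp"
    list_missing "$tmp"
    rm -f "$tmp"
fi
```

Against the constructed sample the script reports sshd and rlogin, which is exactly the situation the text warns about: those services do their own authentication, so an account stack without pam_authz means neither the local policy file nor the directory's account and password policies are applied to their logins.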
How will you increase the security level of the product to prevent an unwanted user from
logging in to the system using LDAP? What is the procedure to set up increased login security?
The default is to allow all users stored in the directory server to log in. To prevent specific
users from logging in to a local system, configure the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file, as described in Section 2.5.4.1 (page 60).
How will you communicate with your user community about the change to Active Directory?
For the most part, your user community should be unaffected by the directory. Most HP-UX
commands will work as always.
Check the LDAP-UX Integration Release Notes for any other limitations and any solutions that
have been developed to work around them.
2.4.3 Installing LDAP-UX Client Services on a client
These are the major steps required to install LDAP-UX Client Services on a client:
1. Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient
subproducts, on a client system. See the LDAP-UX Integration Release Notes for any last-minute
changes to this procedure. You don't need to reboot your system after installing the product.
2.4 Customized installation (setup) 33