LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

dn: cn=auto_indirect,dc=nisserv1
objectClass: top
objectClass: automountMap
automountMapName: auto_indirect
cn: auto_indirect

dn: cn=lab1,cn=auto_indirect,dc=nisserv1
objectClass: top
objectClass: automount
automountInformation: hostA:/tmp
automountKey: lab1
cn: lab1

dn: cn=lab2,cn=auto_indirect,dc=nisserv1
objectClass: top
objectClass: automount
automountInformation: hostB:/tmp
automountKey: lab2
cn: lab2
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file
/tmp/auto_indirect.ldif that you just created into the directory server. For example,
the following command imports the /tmp/auto_indirect.ldif file to the LDAP base DN
"dc=nisserv1" in the directory server LDAPSERV1:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" \
-w <passwd> -f /tmp/auto_indirect.ldif
2.5.4 Preventing unwanted users from accessing the system through LDAP
By default, all users stored in the directory server are allowed to log in to the local HP-UX client
system. LDAP-UX provides several ways to increase the security level to prevent unwanted users
from logging in to the local system through LDAP, including the following:
• Using the PAM_AUTHZ service module to control login access, as described elsewhere,
  in Section 6.4 (page 98)
• Disabling logins to the local system from specified LDAP users by configuring the
  disable_uid_range flag in the local client's start-up file
  (/etc/opt/ldapux/ldapux_client.conf), as described in Section 2.5.4.1 (page 60)
2.5.4.1 Using the disable_uid_range flag to prevent access to the local system by unwanted users
To prevent specific users from logging in to a local system, you can set the disable_uid_range flag
in the local client's start-up file /etc/opt/ldapux/ldapux_client.conf. The flag is in the
[NSS] section of the file. (HP recommends that you do not edit the [profile] section of the file.) The
following example shows the portion of the file containing the flag:
#
# You can disable specific users so that they are unable to log in
# through the LDAP server by uncommenting the "disable_uid_range"
# flag and adding the UID numbers you want to disable. For example:
#
# disable_uid_range=0-100,120,300-400
#
# Note: The list of UID numbers must be on one line and the maximum
# number of ranges is 20. The system will ignore the typos and white spaces.
#
#disable_uid_range=0
To enable and configure the flag, first save a copy of the
/etc/opt/ldapux/ldapux_client.conf file and edit the original. Then uncomment the flag
(remove the #) and enter the UID range(s). For example, the flag might look like this:
disable_uid_range=0-100, 300-450, 89
Another common example would be to disable root access, in which case the flag would look like
this: disable_uid_range=0.
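
The file comment above says typos in the list are ignored and that at most 20 ranges are allowed, so a mistyped item can leave UIDs enabled without any error being reported. The following lint for a candidate value is an added example, not part of the HP guide or of LDAP-UX; the function names are hypothetical, and it assumes an item is either N or N-M with N <= M and that every comma-separated item counts toward the limit of 20.

```sh
# Added example (not HP code): lint a disable_uid_range value before editing the file.
# Assumptions: an item is "N" or "N-M" with N <= M; every item counts toward the limit of 20.

# split_items VALUE: drop white space, print one comma-separated item per line
split_items() {
    printf '%s\n' "$1" | tr -d ' \t' | tr ',' '\n'
}

# item_bounds ITEM: print "LOW HIGH"; return 1 if ITEM is not N or N-M
item_bounds() {
    case $1 in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
        *-*) lo=${1%-*} hi=${1#*-} ;;
        *)   lo=$1 hi=$1 ;;
    esac
    [ "$lo" -le "$hi" ] || return 1
    echo "$lo $hi"
}

# lint_uid_ranges VALUE: list problem items; return 1 if any were found
lint_uid_ranges() {
    count=0 bad=0
    while IFS= read -r item; do
        [ -n "$item" ] || continue
        count=$((count + 1))
        item_bounds "$item" >/dev/null || { echo "malformed item: $item"; bad=1; }
    done <<EOF
$(split_items "$1")
EOF
    [ "$count" -le 20 ] || { echo "too many items: $count (maximum 20)"; bad=1; }
    return "$bad"
}

# uid_is_disabled VALUE UID: return 0 if UID is inside a well-formed item
uid_is_disabled() {
    uid=$2
    while IFS= read -r item; do
        bounds=$(item_bounds "$item") || continue
        lo=${bounds% *} hi=${bounds#* }
        if [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]; then return 0; fi
    done <<EOF
$(split_items "$1")
EOF
    return 1
}
```

Run lint_uid_ranges on the value you intend to set, then use uid_is_disabled to confirm that the accounts you mean to block (for example UID 0) are actually covered.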