LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

6.2.2.2 Password and account policies
The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP
server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based
accounts, and LDAP server policies are not enforced on local accounts. The password and
account policies and limitations are described as follows:

Accounts stored in and authenticated through the LDAP server adhere to the security policies of
the directory server being used. These policies are specific to the brand and version of the
directory server product deployed. Examples of these policies include password expiration,
password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode
product apply to accounts stored in the LDAP server.

An LDAP-based user logging into a system with an expired password is not allowed to log in,
and no error or warning message is given. You can avoid the problem by changing the
password before it expires or by using an alternative method to change the LDAP password.

When you integrate LDAP-UX on the HP-UX 11i v2 system with the Windows 2003 R2 or
2008 Active Directory Server, if an LDAP-based user attempts to log in to the system but
provides the incorrect password multiple times in a row (the default is three times in a row),
Trusted Mode attempts to lock the account. However, LDAP-based accounts are not affected
by the Trusted Mode attributes, so if the user eventually provides the correct password, he
or she can log in.

6.2.2.3 PAM configuration file
If you integrate LDAP-UX with the Windows 2003 R2 or 2008 Active Directory Server, define
the pam_krb5 library before the pam_unix library in the /etc/pam.conf file for all services.
In addition, set the control flag for both the pam_krb5 and pam_unix libraries to required for
session management. For a sample of the proper configuration (for Trusted Mode), see
Section C.2 (page 152).
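
The ordering and control-flag rules above can be checked mechanically. The script below is an added example, not from the HP-UX guide or the LDAP-UX product, that reads a file in /etc/pam.conf layout (service, module type, control flag, module path, optional options) and reports every service/module-type pair in which pam_unix is listed before pam_krb5 or without it, and every session entry for either library whose control flag is not required. The module file names libpam_krb5.so.1 and libpam_unix.so.1 in the constructed sample are assumed; the check matches only on the pam_krb5 and pam_unix substrings. Run it with /bin/sh; passing a path as the first argument checks that file instead of the built-in sample.

```shell
#!/bin/sh
# Added example (not part of the LDAP-UX guide): verify pam_krb5 ordering and
# session control flags in a pam.conf-style file.
# Line layout assumed: service module_type control_flag module_path [options]

# Print one line per violation; return 1 if any were found, 0 otherwise.
check_pam_order() {
    _problems=$(awk '
        # skip comments and lines without the four mandatory fields
        /^[ \t]*#/ || NF < 4 { next }
        {
            key = $1 ":" $2          # service:module_type
            if ($4 ~ /pam_krb5/) {
                if (!(key in krb5_line)) krb5_line[key] = NR
                if ($2 == "session" && $3 != "required")
                    printf "%s: pam_krb5 session flag is %s, expected required\n", key, $3
            }
            if ($4 ~ /pam_unix/) {
                if (!(key in unix_line)) unix_line[key] = NR
                if ($2 == "session" && $3 != "required")
                    printf "%s: pam_unix session flag is %s, expected required\n", key, $3
            }
        }
        END {
            # every pam_unix entry needs a pam_krb5 entry on an earlier line
            for (key in unix_line) {
                if (!(key in krb5_line))
                    printf "%s: pam_unix listed without pam_krb5\n", key
                else if (krb5_line[key] > unix_line[key])
                    printf "%s: pam_krb5 listed after pam_unix\n", key
            }
        }' "$1" | sort)
    if [ -n "$_problems" ]; then
        printf '%s\n' "$_problems"
        return 1
    fi
    return 0
}

# Write a constructed sample pam.conf to the path given in $1.
# "login" follows the guide's rule; "su" and "ftp" each break it in one way.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real HP-UX pam.conf
login   auth     required  libpam_krb5.so.1
login   auth     required  libpam_unix.so.1  try_first_pass
login   account  required  libpam_krb5.so.1
login   account  required  libpam_unix.so.1
login   session  required  libpam_krb5.so.1
login   session  required  libpam_unix.so.1
su      auth     required  libpam_unix.so.1
su      auth     required  libpam_krb5.so.1
su      session  optional  libpam_krb5.so.1
su      session  required  libpam_unix.so.1
ftp     auth     required  libpam_unix.so.1
EOF
}

# Stand-alone run: check the file named in $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    check_pam_order "$1"
else
    _conf="${TMPDIR:-/tmp}/pam.sample.$$"
    write_sample_pam_conf "$_conf"
    check_pam_order "$_conf" || echo "sample has violations (expected)"
    rm -f "$_conf"
fi
```

The check deliberately imposes no particular flag on auth, account or password entries, because the guide asks for required only for session management; the login service in the sample shows a layout that passes, while su (pam_krb5 after pam_unix for auth, optional for session) and ftp (pam_unix without pam_krb5) are each reported.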
6.2.2.4 Others
The authck -d command removes the /tcb/files/auth/... files created for LDAP-based
accounts. When the LDAP-based account logs in to the system again, a new
/tcb/files/auth/... file with a new audit ID is created. Therefore, running the authck -d
command is not recommended when you configure LDAP-UX with Trusted Mode.

You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based
accounts.

The LDAP repository and the /etc/passwd repository must not contain accounts with the same
login name or account number.

Except for the audit flag, you cannot modify other Trusted Mode properties or policies for
LDAP-based accounts. For example, if you attempt to lock an LDAP-based account by modifying
the Trusted Mode field for that user, it does not prevent that account from logging in to the
host. Instead, you must disable the account on the LDAP server itself. No runtime warning is
given that the local lock on the account has no effect. It is important that all system
administrators are properly trained, so that administrative locks on accounts have the desired
effect.
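
As an added example (not part of the guide or the product), the following script checks the repository rule stated in this section: given the local /etc/passwd and a passwd-format listing of the LDAP-based accounts (how that listing is exported from the directory is outside the example; it is assumed to use the same name:password:uid:gid:... layout), it reports every login name and every account number (UID) that appears in both. The two inputs it generates are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the LDAP-UX guide): report login names and UIDs
# that exist both in the local passwd file and in a passwd-format listing of
# LDAP-based accounts. Both inputs are assumed to use the name:pw:uid:gid:... layout.

# Usage: find_account_collisions LOCAL_PASSWD LDAP_PASSWD_LISTING
# Prints one line per collision; returns 1 if any were found, 0 otherwise.
find_account_collisions() {
    _hits=$(awk -F: '
        # first file (local passwd, never empty): remember login names and UIDs
        FNR == NR { if (NF >= 3) { lname[$1] = $3; luid[$3] = $1 }; next }
        # second file (LDAP listing): flag entries that clash with a local account
        NF >= 3 {
            if ($1 in lname)
                printf "login name %s: local uid %s, LDAP uid %s\n", $1, lname[$1], $3
            if ($3 in luid)
                printf "uid %s: local account %s, LDAP account %s\n", $3, luid[$3], $1
        }' "$1" "$2" | sort)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# Write constructed sample inputs: local passwd to $1, LDAP listing to $2.
# jdoe exists in both repositories; LDAP user asmith reuses local UID 1002.
write_samples() {
    cat > "$1" <<'EOF'
root:x:0:3::/:/sbin/sh
bin:x:2:2::/usr/bin:/sbin/sh
jdoe:x:1001:20::/home/jdoe:/usr/bin/sh
ops:x:1002:20::/home/ops:/usr/bin/sh
EOF
    cat > "$2" <<'EOF'
jdoe:*:5001:20::/home/jdoe:/usr/bin/sh
asmith:*:1002:20::/home/asmith:/usr/bin/sh
bjones:*:5003:20::/home/bjones:/usr/bin/sh
EOF
}

# Stand-alone run: compare the two files named on the command line, or the samples.
if [ $# -eq 2 ]; then
    find_account_collisions "$1" "$2"
else
    _l="${TMPDIR:-/tmp}/local.sample.$$"
    _r="${TMPDIR:-/tmp}/ldap.sample.$$"
    write_samples "$_l" "$_r"
    find_account_collisions "$_l" "$_r" || echo "sample data has collisions (expected)"
    rm -f "$_l" "$_r"
fi
```

Run against a real system, a non-zero exit status means the two repositories overlap and the colliding entries should be renamed or renumbered on one side before enabling LDAP-UX with Trusted Mode; a name and a UID clash are reported separately, so an account duplicated on both counts produces two lines.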
6.2.3 Configuration parameter
LDAP-UX Client Services provides one configuration parameter, initial_ts_auditing, available
for you to configure the initial auditing setting for the LDAP-based account. This parameter is defined
in the /etc/opt/ldapux/ldapux_client.conf file.
6.2 Integrating with trusted mode 95