LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
+@webadmin::::::
...
While this feature was typically used to control which groups of users could log in to a particular
host, it also could be used to obscure or override fields of a user’s passwd entry. For example,
an administrator could force a particular group of users to use a specific login shell by inserting
the desired path to the desired login shell in the 7th field of the entry (the login shell is positionally
defined as the 7th field of each entry in the /etc/passwd file):
...
+@icsuteam::::::/usr/local/bin/supportapp
...
+:x
In the previous example, any user who is a member of the icsuteam netgroup is forced to run
supportapp upon login to the system, regardless of how their personal login shell is defined in
the NIS passwd map. The +:x as the last line of the /etc/passwd file indicates that all remaining
accounts managed in the NIS passwd map will be visible on the system, but their passwords will
be masked with an x, which traditionally would prevent login.
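To make the field-masking rules concrete, the following added example (not code from the guide or from LDAP-UX) resolves a compat-mode /etc/passwd against a constructed NIS/LDAP passwd map and netgroup table. The user and netgroup names, and the ENCRYPTEDPW placeholder standing in for a password hash, are invented for illustration.

```python
# Constructed sample data (not from the guide): a compat-mode /etc/passwd,
# the NIS/LDAP passwd map it references, and netgroup membership.
LOCAL_PASSWD = """\
root:x:0:0:root:/:/sbin/sh
+@icsuteam::::::/usr/local/bin/supportapp
+:x
"""
REMOTE_PASSWD = {  # "ENCRYPTEDPW" is a stand-in for a real password hash
    "alice": "alice:ENCRYPTEDPW:1001:100:Alice:/home/alice:/usr/bin/ksh",
    "bob": "bob:ENCRYPTEDPW:1002:100:Bob:/home/bob:/usr/bin/sh",
    "carol": "carol:ENCRYPTEDPW:1003:100:Carol:/home/carol:/usr/bin/sh",
}
NETGROUPS = {"icsuteam": {"alice", "bob"}}


def resolve_compat(local_text, remote, netgroups):
    """Return the effective passwd view as {name: [7 fields]}.

    '+@netgroup' pulls in each member of the netgroup, a bare '+' pulls in
    every remaining remote user, and a non-empty field on the '+' line
    overrides (masks) that field of the remote entry. Lines are scanned in
    order and the first match for a user wins.
    """
    result = {}
    for raw in local_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields += [""] * (7 - len(fields))       # pad short '+' lines
        if not fields[0].startswith("+"):
            result.setdefault(fields[0], fields)  # ordinary local account
            continue
        spec = fields[0][1:]
        if spec.startswith("@"):
            members = sorted(netgroups.get(spec[1:], ()))
        else:
            members = sorted(remote)              # bare '+': everyone left
        for name in members:
            if name in result or name not in remote:
                continue                          # first match wins
            entry = remote[name].split(":")
            merged = [ov or orig for ov, orig in zip(fields, entry)]
            merged[0] = name                      # never keep the '+' token
            result[name] = merged
    return result
```

Note that the +@icsuteam line leaves the password field empty, so members of that netgroup keep their NIS password and can still log in; only the users caught by the trailing +:x line have their password masked.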
2.5.5.2 Netgroups in LDAP
With LDAP, the ability to use netgroups to control which groups of users are visible on a host, or
which fields are masked, is still available. System administrators can enable NIS Compat Mode
by defining the following sequence in the /etc/nsswitch.conf file:
...
passwd: compat
passwd_compat: files ldap
...
The first line indicates that the passwd name service should operate in the traditional Compatibility
Mode, allowing netgroups to be specified in the /etc/passwd file. The second line indicates
that the files and LDAP repositories should be used as the name service repository for finding the
user accounts referenced by those netgroups.
However, use of Compat Mode with an LDAP repository can greatly impact performance of the
name service system. When Compat Mode is used to mask passwd entries, numerous requests to
the directory server must be generated to examine the netgroups to find their members and then
search for each individual member. While ldapclientd can cache netgroup and passwd
entries, the name service subsystem does the actual processing to generate the proper masked
results. In this case, while caching does improve performance, it places an extreme CPU load on the
ldapclientd caching daemon as it resolves the numerous requests from the name service
subsystem.
Most deployments use Compat Mode just to control which users are allowed to log in to the host.
In this case, the libpam_authz library can be used to control which users can log in to the host,
based on the netgroups listed in the /etc/passwd file. (For more information about using
PAM_AUTHZ login authorization and libpam_authz, see Section 7.4 (page 199).) Compat Mode
can therefore be disabled. However, for deployments that rely on the field-masking feature of
Compat Mode, no alternative was available. In these situations, if a large organization used
numerous netgroups with many users, CPU usage of ldapclientd could reach maximum limits.
As a means to greatly mitigate the performance impacts of Compat Mode field masking, LDAP-UX
has integrated Compat Mode support directly into ldapclientd, allowing caching of Compat
Mode user entries.
2.5.5.3 Configuring integrated Compat Mode
To enable integrated Compat Mode, you must perform four configuration steps:
1. Disable Compat Mode in the name service switch. In the /etc/nsswitch.conf file, replace
the following:
2.5 Postinstallation configuration tasks 103