LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

...
passwd: compat
passwd_compat: files ldap
...
with:
...
passwd: files ldap
...
2. Configure internal Compat Mode processing inside ldapclientd:
a. /etc/opt/ldapux/ldapclientd.conf
Search for "flush_compat_info_time". This setting controls how often ldapclientd
refreshes its cached copy of the netgroup structures defined in the /etc/passwd file. If
you make changes to the netgroup list in the /etc/passwd file, these changes will not
appear until this time period has passed or you have restarted or flushed the caches of
ldapclientd (-F). Adjust this value as needed, or leave it at the default (1 day).
b. /etc/opt/ldapux/ldapux_client.conf
Search for "enable_compat_mode". To enable internal Compat Mode processing in
ldapclientd, set this value to 1.
NOTE: If LDAP-UX has been configured previously on your host, you must examine the newly
delivered configuration files found under /opt/ldapux/newconfig/etc/opt/ldapux.
Compare and merge the existing configuration files with those delivered in the newconfig
subdirectory.
3. Restart ldapclientd. Use the following commands:
# /opt/ldapux/bin/ldapclientd -k
# /opt/ldapux/bin/ldapclientd
4. If you change the netgroup list in /etc/passwd or /etc/group and want ldapclientd
to reflect the updated configuration, force it to rebuild its cache
with the following command:
# /opt/ldapux/bin/ldapclientd -f
2.5.5.3.1 Limitations
When processing netgroup information for Compat Mode (that is, +@<netgroup>,
-@<netgroup> in /etc/passwd), internal Compat Mode processing in ldapclientd always
searches the LDAP directory first for the definition of the netgroup entries and then the
local /etc/netgroup file. As a result, if the same network group with different group
members is configured in both /etc/netgroup and the LDAP directory, the members defined
in the netgroup stored in the LDAP directory will be used instead of the entries from the
local /etc/netgroup file.
HP recommends that you do not configure netgroups with the same name in both the
/etc/netgroup file and the LDAP directory.
Also, long-term offline credential caching and integrated Compat Mode cannot be used together.
Long-term offline credential caching is discussed in Section 2.5.4 (page 101).
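The netgroup limitation above, as an added check that is not part of the HP guide: the script lists netgroups defined in both a local netgroup file and the LDAP directory, and picks out the ones that +@/-@ entries in /etc/passwd depend on. It assumes the LDAP netgroup names have already been exported to a file, one name per line; the function names, file layout and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find netgroups used for Compat Mode access control in
# /etc/passwd that are defined both locally and in the LDAP directory.

# Netgroup names referenced by +@name / -@name entries in a passwd file.
passwd_netgroups() {
    sed -n 's/^[+-]@\([^:]*\).*/\1/p' "$1" | sort -u
}

# Netgroup names defined in a netgroup file (skips comments, blank lines
# and the continuation lines that follow a trailing backslash).
local_netgroups() {
    awk '!cont && NF && $1 !~ /^#/ { print $1 } { cont = /\\$/ }' "$1" | sort -u
}

# Names defined in both the local file ($1) and the LDAP name list ($2,
# assumed format: one name per line). Exit status 0 if any were found.
duplicate_netgroups() {
    local_netgroups "$1" | grep -Fx -f "$2"
}

# Duplicates that the passwd file ($1) references: for these, the LDAP
# membership is used instead of the local netgroup file ($2).
shadowed_compat_netgroups() {
    duplicate_netgroups "$2" "$3" | while read -r ng; do
        if passwd_netgroups "$1" | grep -Fxq "$ng"; then echo "$ng"; fi
    done
}

# Constructed sample data (not from a real system).
make_samples() {
    printf '%s\n' 'root:x:0:3::/:/sbin/sh' '+@admins::::::' \
        '-@contractors::::::' '+@dbas::::::' > "$1/passwd"
    printf '%s\n' '# local netgroups' 'admins (,alice,) \' '  (,bob,)' \
        'contractors (,carol,)' 'printers (lp1,,)' > "$1/netgroup"
    printf '%s\n' 'contractors' 'dbas' 'printers' > "$1/ldap_netgroups"
}

demo_dir=${TMPDIR:-/tmp}/ngdemo.$$
mkdir -p "$demo_dir"
make_samples "$demo_dir"
echo "Defined in both places:"
duplicate_netgroups "$demo_dir/netgroup" "$demo_dir/ldap_netgroups"
echo "Referenced from passwd and overridden by LDAP:"
shadowed_compat_netgroups "$demo_dir/passwd" "$demo_dir/netgroup" \
    "$demo_dir/ldap_netgroups"
rm -rf "$demo_dir"
```

A name reported by shadowed_compat_netgroups is the case to resolve first, because a -@<netgroup> or +@<netgroup> entry is then evaluated against the LDAP members rather than the local ones.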
2.5.6 Controlling user access to the system through LDAP
By default, all users stored in the LDAP directory are allowed to log in to the local HP-UX client
system. LDAP-UX provides several ways to increase the security level to prevent unwanted users
from logging in to the local system through LDAP, including the following:
Using the PAM_AUTHZ service module to control login access, as described elsewhere, in
Section 7.4 (page 199)
104 Installing and configuring LDAP-UX Client Services for an HP server environment