LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
• Disabling logins to the local system from specified LDAP users by configuring the disable_uid_range flag in the local client's startup file (/etc/opt/ldapux/ldapux_client.conf), as described in Section 2.5.6.1 (page 105)
• Preventing unwarranted access to the local system by users defined in the LDAP directory server that have equivalent user names or user identification numbers (UIDs) in the local system /etc/passwd file, as described in Section 2.5.6.2 (page 105) (this feature is not supported for Windows ADS)
• Using the ignore option to enable specified users to be ignored by PAM_LDAP authentication, as described in Section 2.5.6.3 (page 108) (this feature is not supported for Windows ADS)
2.5.6.1 Using the disable login flag to prevent access to the local system by unwanted users
To disallow specific users to log in to a local system, you can set the disable login flag disable_uid_range in the local client's startup file /etc/opt/ldapux/ldapux_client.conf. The flag is in the [NSS] section of the file. (HP recommends that you do not edit the [profile] section of the file.) The following example shows the portion of the file containing the flag:
#
# You can disable specific users so that they are unable to log in
# through the LDAP server by uncommenting the "disable_uid_range"
# flag and adding the UID numbers you want to disable. For example:
#
# disable_uid_range=0-100,120,300-400
#
# Note: The list of UID numbers must be on one line and the maximum
# number of ranges is 20. The system will ignore the typos and white spaces.
#
#disable_uid_range=0
To enable and configure the flag, first save a copy of the /etc/opt/ldapux/ldapux_client.conf file and edit the original. Then uncomment the flag (remove the #) and enter the UID ranges. For example, the flag might look like this:
disable_uid_range=0-100, 300-450, 89
Another common example would be to disable root access, in which case the flag would look like this: disable_uid_range=0.
NOTE:
• White spaces between numbers are ignored.
• Only one line of the list is accepted; however, the line can be wrapped.
• The maximum number of ranges is 20.
When the disable_uid_range is turned on, the disabled UIDs are not displayed when you run commands such as pwget, listusers, and logins.
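As an added example (not code from the guide or from the LDAP-UX product), a small Python parser that reads the [NSS] section of a constructed ldapux_client.conf, applies the rules above (white space ignored, ranges and single UIDs on one comma-separated line, at most 20 ranges) and checks whether a given UID is disabled. Rejecting more than 20 ranges with an error is an assumption; the guide states the limit but not what the client does when it is exceeded.

```python
import re
from typing import List, Tuple

# Constructed sample of an ldapux_client.conf, modelled on the excerpt in the guide.
SAMPLE_CONF = """\
[profile]
# HP recommends leaving this section alone.
[NSS]
#disable_uid_range=0
disable_uid_range=0-100, 300-450, 89
"""
MAX_RANGES = 20  # documented maximum number of ranges on the single line

def parse_uid_ranges(value: str) -> List[Tuple[int, int]]:
    """Turn '0-100, 300-450, 89' into [(0, 100), (300, 450), (89, 89)].
    White space is stripped first, as the guide says it is ignored. Rejecting
    more than 20 ranges is an assumption: the guide gives the limit but not
    what the client does when it is exceeded."""
    ranges: List[Tuple[int, int]] = []
    for item in re.sub(r"\s+", "", value).split(","):
        if not item:
            continue  # tolerate a trailing or doubled comma
        lo, _, hi = item.partition("-")
        low, high = int(lo), int(hi or lo)
        if low > high:
            low, high = high, low
        ranges.append((low, high))
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"disable_uid_range holds more than {MAX_RANGES} ranges")
    return ranges

def read_disable_uid_range(conf_text: str) -> List[Tuple[int, int]]:
    """Return the active disable_uid_range from the [NSS] section, or [] when
    the flag is still commented out (the shipped default)."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "NSS" and line.startswith("disable_uid_range="):
            return parse_uid_ranges(line.split("=", 1)[1])
    return []

def is_uid_disabled(uid: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if uid falls in any disabled range, e.g. root (UID 0) under '0-100'."""
    return any(low <= uid <= high for low, high in ranges)
```

Running read_disable_uid_range over the real file before and after an edit is a quick way to confirm that the uncommented line, and only that line, is in effect.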
NOTE: The passwd command may still allow you to change a password for a disabled user when alternative authentication methods that are not controlled by LDAP (such as PAM Kerberos) are used.
2.5.6.2 Using the deny_local option to prevent access to the local system by unwanted users
Supported for HP directory server environments only.
LDAP-UX version 4.2 and later provides a simple and effective way to disable system access for local user accounts that are also defined in the LDAP directory server. Without this level of security protection, an LDAP-UX user with the same user name or account number (UID) as a user defined in the local system's /etc/passwd file could illegitimately gain access to the local system. For example, if the root user is defined in the local system's /etc/passwd file, an LDAP-UX directory
2.5 Postinstallation configuration tasks 105