LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
file using files and LDAP. For more information, see the nsswitch.conf(4) manpage and
"Configuring the Name Service Switch" in NFS Services Administrator's Guide at:
http://www.hp.com/go/hpux-core-docs (Click HP-UX 11i v3).
It is recommended that you use files first, followed by LDAP, for passwd, group, and the other supported
name services. With this configuration, NSS searches the local files first and consults the directory
only if the user or group is not found in the respective file. /etc/nsswitch.ldap is an example of this
configuration.
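As an added check (not part of the guide), this POSIX shell script parses constructed nsswitch.conf contents and flags any database whose lookup order consults ldap before, or instead of, files; the sample text, SAMPLE_NSSWITCH, and the function names are this example's own assumptions.

```shell
# Constructed sample nsswitch.conf contents (not a real system file): passwd
# uses the recommended order, group puts ldap first, hosts does not use ldap.
SAMPLE_NSSWITCH='# constructed sample
passwd:   files ldap
group:    ldap [NOTFOUND=return] files
hosts:    files dns
'

# nss_sources DB CONTENTS
# Print the source list configured for DB (e.g. "passwd"), with comments
# and bracketed status/action clauses such as [NOTFOUND=return] removed.
nss_sources() {
    printf '%s\n' "$2" |
        sed -e 's/#.*//' -e 's/\[[^]]*\]//g' -e 's/:/ : /' |
        awk -v db="$1" '$1 == db && $2 == ":" {
            for (i = 3; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
            exit
        }'
}

# ldap_order_ok DB CONTENTS
# Exit 0 when DB either does not use ldap or lists files before ldap;
# exit 1 when ldap is consulted before files or without files at all
# (the directory would then be authoritative even for local accounts).
ldap_order_ok() {
    files_pos=0; ldap_pos=0; pos=0
    for src in $(nss_sources "$1" "$2"); do
        pos=$((pos + 1))
        if [ "$src" = files ] && [ "$files_pos" -eq 0 ]; then files_pos=$pos; fi
        if [ "$src" = ldap ] && [ "$ldap_pos" -eq 0 ]; then ldap_pos=$pos; fi
    done
    if [ "$ldap_pos" -eq 0 ]; then return 0; fi
    if [ "$files_pos" -gt 0 ] && [ "$files_pos" -lt "$ldap_pos" ]; then return 0; fi
    return 1
}

# audit_nsswitch CONTENTS
# Report each database; exit 1 if any database has ldap ahead of files.
audit_nsswitch() {
    rc=0
    for db in passwd group hosts; do
        if ldap_order_ok "$db" "$1"; then
            echo "$db: ok ($(nss_sources "$db" "$1"))"
        else
            echo "$db: WARNING ldap before files ($(nss_sources "$db" "$1"))"; rc=1
        fi
    done
    return $rc
}

audit_nsswitch "$SAMPLE_NSSWITCH" || echo "nsswitch.conf needs attention"
```

To audit a live system, pass the file contents instead of the sample, for example `audit_nsswitch "$(cat /etc/nsswitch.conf)"`.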
• Do you need to set up login authorization for a subset of users from a large repository such
as a directory server? How will you set up the access policy file and /etc/pam.conf files
to implement this feature?
The PAM_AUTHZ service module for PAM provides functionality that enables the administrator
to control who can log in to the system. The module is located at
/usr/lib/security/libpam_authz.1 on an HP 9000 (PA-RISC) machine and at libpam_authz.so.1 on
an HP Integrity server. The pam_authz module has been created to provide access control.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to enable
system administrators to configure and customize their local access rules in a local policy file,
/etc/opt/ldapux/pam_authz.policy. PAM_AUTHZ uses these access control rules
defined in the local policy file to control the login authorization. Because PAM_AUTHZ doesn't
provide authentication, it doesn't verify if a user account exists.
For detailed information on this feature and how to configure the /etc/opt/ldapux/
pam_authz.policy file, see Section 7.4 (page 199) or the pam_authz(5) manpage.
• Do you want to configure the /etc/opt/ldapux/pam_authz.policy file to enforce account
and password policies stored in a directory server?
LDAP-UX provides a pam_authz enhancement to support enforcement of account and password
policies stored in a directory server. This feature works in conjunction with ssh (secure shell) and the
r-commands (rlogin, rcp, and so forth) with rhost enabled, where authentication is not
performed by the PAM subsystem but by the command itself.
For information about this feature and how to configure the pam_authz.policy file, see
Section 7.4.10 (page 210).
• How will you increase the security level of the product to prevent an unwanted user from
logging in to the system using LDAP? What is the procedure to set up increased login security?
The default is to allow all users stored in the directory server to log in. To prevent specific
users from logging in to a local system, you can configure the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file, as described in Section 3.5.4.1 (page 157).
• How will you communicate with your user community about the change to Active Directory?
For the most part, your user community should be unaffected by the directory. Most HP-UX
commands will work as always.
See the LDAP-UX Integration Release Notes for any other limitations and any solutions that
have been developed to work around them.
3.4.4 Installing LDAP-UX Client Services on a client
These are the major steps required to install LDAP-UX Client Services on a client:
1. Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient
subproducts, on a client system. See the LDAP-UX Integration Release Notes for any last-minute
changes to this procedure. You don't need to reboot your system after installing the product.
134 Installing and configuring LDAP-UX Client Services for a Windows ADS environment