LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=administrator, cn=users, dc=nishpind" \
-w <passwd> -f /tmp/auto_indirect.ldif
3.5.4 Controlling user access to the system through LDAP
By default, all users stored in the directory server are allowed to log in to the local HP-UX client
system. LDAP-UX provides several ways to increase the security level to prevent unwanted users
from logging in to the local system through LDAP, including the following:
Using the PAM_AUTHZ service module to control login access, as described in Section 7.4 (page 199)
Disabling logins to the local system from specified LDAP users by configuring the disable_uid_range flag in the local client's startup file (/etc/opt/ldapux/ldapux_client.conf), as described in Section 3.5.4.1 (page 157)
3.5.4.1 Using the disable_uid_range flag to prevent access to the local system by unwanted users
To prevent specific users from logging in to a local system, set the disable_uid_range flag in the local client's startup file, /etc/opt/ldapux/ldapux_client.conf. The flag is in the [NSS] section of the file. (HP recommends that you do not edit the [profile] section of the file.)
The following example shows the portion of the file containing the flag:
#
# You can disable specific users so that they are unable to log in
# through the LDAP server by uncommenting the "disable_uid_range"
# flag and adding the UID numbers you want to disable. For example:
#
# disable_uid_range=0-100,120,300-400
#
# Note: The list of UID numbers must be on one line and the maximum
# number of ranges is 20. The system will ignore the typos and white spaces.
#
#disable_uid_range=0
To enable and configure the flag, first save a copy of the /etc/opt/ldapux/ldapux_client.conf file and edit the original. Then uncomment the flag (remove the #) and enter the UID ranges. For example, the flag might look like this:
disable_uid_range=0-100, 300-450, 89
Another common example is disabling root access, in which case the flag looks like this:
disable_uid_range=0
NOTE:
White spaces between numbers are ignored.
Only one line of the list is accepted; however, the line can be wrapped.
The maximum number of ranges is 20.
When the disable_uid_range flag is turned on, the disabled UIDs are not displayed by commands such as pwget, listusers, and logins.
NOTE: The passwd command may still allow you to change a password for a disabled user
when alternative authentication methods that are not controlled by LDAP (such as PAM Kerberos)
are used.
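The following audit script is an added example, not part of the guide or of LDAP-UX itself. It reads the active disable_uid_range value from the [NSS] section of a constructed copy of ldapux_client.conf, expands the documented syntax (comma-separated UIDs or low-high ranges, white space ignored, at most 20 ranges), and reports whether given UIDs would be blocked; how the real client treats malformed entries or more than 20 ranges is not documented here, so the parser raises an error in those cases rather than guessing.

```python
import re
from typing import List, Optional, Tuple

MAX_RANGES = 20  # documented maximum number of ranges in disable_uid_range


def parse_disable_uid_range(value: str) -> List[Tuple[int, int]]:
    """Expand 'a-b,c,...' into (low, high) tuples following the documented syntax.

    White space is ignored. Malformed entries and more than 20 ranges raise
    ValueError (assumption: the guide does not say how the client handles them).
    """
    ranges: List[Tuple[int, int]] = []
    for item in re.sub(r"\s+", "", value).split(","):
        if not item:
            continue  # tolerate a stray trailing comma
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"malformed entry: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if high < low:
            raise ValueError(f"reversed range: {item!r}")
        ranges.append((low, high))
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"{len(ranges)} ranges exceeds the documented maximum of {MAX_RANGES}")
    return ranges


def uid_is_disabled(uid: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if uid falls inside any disabled range (so LDAP login is blocked)."""
    return any(low <= uid <= high for low, high in ranges)


def active_flag_from_nss_section(conf_text: str) -> Optional[str]:
    """Return the uncommented disable_uid_range value in [NSS], or None if unset."""
    section = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[(\w+)\]", stripped)
        if header:
            section = header.group(1)
        elif section == "NSS" and stripped.startswith("disable_uid_range="):
            return stripped.split("=", 1)[1]
    return None


# Constructed excerpt of ldapux_client.conf using the guide's example value.
SAMPLE_CONF = "[profile]\n# profile keys omitted\n[NSS]\n# disable_uid_range=0-100,120,300-400\ndisable_uid_range=0-100, 300-450, 89\n"

if __name__ == "__main__":
    ranges = parse_disable_uid_range(active_flag_from_nss_section(SAMPLE_CONF) or "")
    for uid in (0, 89, 200, 450, 451):
        print(uid, "disabled" if uid_is_disabled(uid, ranges) else "allowed")
```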
3.5.5 Configuring subsequent client systems
Once you have configured your directory and one client system, you may configure subsequent client systems by performing the steps described in Section 2.5.7 (page 110). If you used autosetup to create your LDAP-UX domain, you should continue to use autosetup to configure subsequent clients; to do this, you can run autosetup in silent mode, as described in Section 3.3.4.2 (page 127).