LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.
You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes
for LDAP-based accounts are not stored in the LDAP directory server. For example, enabling
auditing for an account on host A does not enable auditing on host B.
Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized
across hosts running in the Trusted Mode.
When an LDAP-based account name is changed, a new audit ID is generated on each host where the renamed account is first used. The initial_ts_auditing flag is reset to the default value defined in the /etc/opt/ldapux/ldapux_client.conf file.
When an account is deleted from LDAP, the audit information for that account is not removed
from the local system. If that account is reused, the audit information from the previous account
is reused. You can choose to manually remove entries from the Trusted Mode database by
removing the appropriate file under the /tcb/files/auth/... directory, where "..."
defines the directory name based on the first character of the account name.
You can use the audisp command to display information about LDAP-based accounts. However, if an LDAP-based account has never logged in to the system (through telnet, rlogin, and so forth), the audisp -u <username> command displays a message like "audisp: all specified users names are invalid."
7.2.2.2 Password and account policies
The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP
server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based
accounts, and LDAP server policies are not enforced on local-based accounts. The password and
account policies and limitations are described as follows:
Accounts stored and authenticated through the LDAP directory adhere to the security policies of the directory server being used. These policies are specific to the brand and version of the directory server product deployed. Examples of these policies include password expiration, password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode product apply to accounts stored in the LDAP server.
When you integrate LDAP-UX on an HP-UX system with a supported directory server, if an
LDAP-based user attempts to log in to the system, but provides the incorrect password multiple
times in a row (the default is three times in a row), Trusted Mode attempts to lock the account.
However, the Trusted Mode attributes do not impact LDAP-based accounts. So, if the user
eventually provides the correct password, he or she can log in.
7.2.2.3 PAM configuration file
If you integrate LDAP-UX Client Services with the HP-UX Directory Server or Red Hat Directory Server, you must define the PAM_LDAP library before the pam_unix library in the /etc/pam.conf file for all services. You must set the control flag for both the PAM_LDAP and pam_unix libraries to required under session management. For the proper configuration, see Section D.3 (page 426).
If you integrate LDAP-UX Client Services with the Windows Server 2003 R2 or 2008 Active Directory Server, you must define the pam_krb5 library before the pam_unix library in the /etc/pam.conf file for all services. In addition, the control flag for both the pam_krb5 and pam_unix libraries must be set to required for session management. For the proper configuration, see Section D.4 (page 428).
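As an added example (not part of this guide), the following sh/awk check applies the two rules from this section to a pam.conf: the directory module must precede pam_unix for every service, and the session entries for both modules must be required. It takes the directory module name as a parameter so it covers both the PAM_LDAP case and the pam_krb5 (Windows ADS) case; the module file names libpam_ldap.so.1, libpam_krb5.so.1 and libpam_unix.so.1 are assumed HP-UX names, and the sample pam.conf is constructed for illustration.

```shell
# Added example: audit a pam.conf against the two Section 7.2.2.3 rules.
# Module file names follow HP-UX naming (assumption); the sample file is constructed.

# write_sample_pamconf FILE: "login" follows both rules, "sshd" breaks both
# (pam_unix listed before pam_ldap, and a non-required session entry).
write_sample_pamconf() {
  cat > "$1" <<'EOF'
# service  type     flag        module            options
login      auth     sufficient  libpam_ldap.so.1
login      auth     required    libpam_unix.so.1  try_first_pass
login      session  required    libpam_ldap.so.1
login      session  required    libpam_unix.so.1
sshd       auth     required    libpam_unix.so.1
sshd       auth     sufficient  libpam_ldap.so.1
sshd       session  optional    libpam_ldap.so.1
sshd       session  required    libpam_unix.so.1
EOF
}

# check_pam_order FILE DIRMOD: DIRMOD is libpam_ldap (HP-UX/Red Hat Directory
# Server) or libpam_krb5 (Windows ADS). Prints one line per violation.
check_pam_order() {
  awk -v dirmod="$2" '
    NF == 0 || $1 ~ /^#/ { next }          # skip comments and blank lines
    {
      svc = $1; type = $2; flag = $3; mod = $4
      key = svc SUBSEP type                # order matters per service and module type
      if (index(mod, dirmod)) seen_dir[key] = 1
      # Rule 1: the directory module must be defined before pam_unix.
      if (index(mod, "libpam_unix") && !(key in seen_dir))
        printf "%s %s: %s listed before %s\n", svc, type, mod, dirmod
      # Rule 2: session entries for both modules must use the required flag.
      if (type == "session" && flag != "required" &&
          (index(mod, dirmod) || index(mod, "libpam_unix")))
        printf "%s session: %s has flag %s, expected required\n", svc, mod, flag
    }' "$1"
}

# pam_problem_count DIRMOD: number of violations found in the constructed sample.
pam_problem_count() {
  tmp=$(mktemp) || return 1
  write_sample_pamconf "$tmp"
  check_pam_order "$tmp" "$1" | wc -l | tr -d ' '
  rm -f "$tmp"
}

# Run the directory-server check over the sample and show the two sshd findings.
sample=$(mktemp) && write_sample_pamconf "$sample"
check_pam_order "$sample" libpam_ldap
rm -f "$sample"
```

Run it against the real /etc/pam.conf by calling check_pam_order with that path; an empty result means both rules hold for every service listed.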
7.2 Integrating LDAP-UX with Trusted Mode 195