LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
For detailed information about tool usage, syntax, options, environment variables and return
codes supported by these tools, see “Command and tool reference” (page 276) and the
ldaphostmgr(1M) and ldaphostlist(1M) manpages.
• PAM_LDAP ignore option
If PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a typical
configuration in the Trusted Mode Environment), then when you lose access to your directory
server, you will have trouble accessing the system unless a set of so-called “recovery users”
is configured in the /etc/pam_user.conf file. This release supports the ignore option
for PAM_LDAP, which enables PAM_LDAP to be completely disregarded for specific local
users.
To enable this feature, you must set the ignore option for PAM_LDAP in the pam_user.conf
file for per-user configuration. When you use this option for PAM_LDAP, PAM returns
PAM_IGNORE.
This feature is not supported when using LDAP-UX Client Services with Windows ADS.
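An added example (not from the HP guide) that audits which local users are exempted from PAM_LDAP: it reads pam_user.conf-style text and lists the login names that carry the ignore option on the LDAP module line, so an administrator can confirm the set of recovery users before a directory outage rather than during one. The HP-UX "login_name module_type module_path options" column layout, the module path containing libpam_ldap, and the sample entries are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HP guide): list local users whose pam_user.conf
# entries carry the "ignore" option for the PAM_LDAP module, i.e. users for
# whom PAM returns PAM_IGNORE and the LDAP module is disregarded entirely.
# Assumptions: the HP-UX "login_name module_type module_path options" layout,
# and an LDAP module path that contains "libpam_ldap" (path below is assumed).

# Constructed sample of /etc/pam_user.conf content (not a real system file).
SAMPLE_PAM_USER_CONF='# login_name  module_type  module_path                              options
root    auth      /usr/lib/security/$ISA/libpam_ldap.so.1   ignore
root    account   /usr/lib/security/$ISA/libpam_ldap.so.1   ignore
opsadm  auth      /usr/lib/security/$ISA/libpam_ldap.so.1   ignore
alice   auth      /usr/lib/security/$ISA/libpam_ldap.so.1   debug
bob     auth      /usr/lib/security/$ISA/libpam_unix.so.1   ignore
'

# Print the distinct login names that have "ignore" on a libpam_ldap line.
# Reads the configuration text from stdin; "ignore" on other modules does
# not count (bob above is exempt from libpam_unix, not from PAM_LDAP).
ldap_ignore_users() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and malformed lines
        $3 ~ /libpam_ldap/ {
            for (i = 4; i <= NF; i++)
                if ($i == "ignore") seen[$1] = 1
        }
        END { for (u in seen) print u }
    ' | sort
}

# Number of such users: a quick "is at least one recovery user configured" check.
ldap_ignore_count() {
    ldap_ignore_users | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_PAM_USER_CONF" | ldap_ignore_users
fi
```

Run it against the live file with `ldap_ignore_users < /etc/pam_user.conf`; an empty result on a host where PAM_LDAP is the first module in /etc/pam.conf means no local account can get in while the directory server is unreachable.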
• proxy_is_restricted and allowed_attribute flags added to configuration file
The proxy_is_restricted and allowed_attribute flags are added to the [general]
section of the configuration file, ldapclientd.conf:
◦ proxy_is_restricted=yes|no
If the proxy user is configured in the LDAP-UX profile and defined in
/etc/opt/ldapux/pcred, this flag attests that the proxy user does not hold privileged LDAP
credentials, meaning the proxy user is restricted in its rights to access "private" information
in the directory server.
◦ allowed_attribute=service:attribute
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to access information
in the directory server, such as the sshPublicKey for users and hosts. By setting
allowed_attribute, applications can access any defined attribute even if the
proxy_is_restricted value is set to no (the default).
These configuration parameters are required to help the ldaphostlist and ldapuglist
tools determine if it is OK for them to display arbitrary attributes. If you used autosetup to
configure LDAP-UX, these values are automatically set. If you have an existing installation or
use the custom install setup program, and are also using a proxy user, you should update
these values.
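An added example (not from the HP guide) showing how the two flags combine: it parses the [general] section of an ldapclientd.conf-style file, reports the effective proxy_is_restricted value (defaulting to no, as the guide states) and the allowed_attribute service:attribute pairs, and then applies the policy as this page describes it, namely that any attribute may be read when the proxy user is restricted, and otherwise only explicitly allowed pairs. The file path /etc/opt/ldapux/ldapclientd.conf, the sample content and the service names used are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HP guide): audit the [general] section of an
# ldapclientd.conf-style file for proxy_is_restricted and allowed_attribute.
# Assumed path: /etc/opt/ldapux/ldapclientd.conf. Sample content is constructed.

SAMPLE_LDAPCLIENTD_CONF='[general]
proxy_is_restricted=no
allowed_attribute=sshd:sshPublicKey
allowed_attribute=ssh:sshPublicKey

[enable]
enable_ldapclientd=yes
'

# Print every key=value line that sits inside the [general] section only;
# lines under other sections are ignored even if the key name matches.
general_section() {
    awk '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[general\]/); next }
        in_general && /^[ \t]*[^#;]/ && /=/ { sub(/^[ \t]+/, ""); print }
    '
}

# Effective proxy_is_restricted value ("yes" or "no"); the guide says the
# default is no, so an absent flag is reported as no.
proxy_is_restricted() {
    v=$(general_section | awk -F= '$1 == "proxy_is_restricted" { v = $2 } END { print v }')
    printf '%s\n' "${v:-no}"
}

# List the service:attribute pairs granted via allowed_attribute, one per line.
allowed_attributes() {
    general_section | awk -F= '$1 == "allowed_attribute" { print $2 }'
}

# Decide whether SERVICE may read ATTRIBUTE under the policy as this page
# describes it: anything goes when the proxy user is restricted (holds no
# privileged credentials); otherwise only explicitly allowed pairs.
# Prints "allowed" or "denied". Configuration text is read from stdin.
attribute_allowed() {
    svc=$1; attr=$2
    conf=$(cat)    # read once so both helpers below can see the same text
    if [ "$(printf '%s\n' "$conf" | proxy_is_restricted)" = "yes" ]; then
        echo allowed
    elif printf '%s\n' "$conf" | allowed_attributes | grep -qx "$svc:$attr"; then
        echo allowed
    else
        echo denied
    fi
}

if [ "${1:-}" = "--demo" ]; then
    printf 'proxy_is_restricted=%s\n' "$(printf '%s' "$SAMPLE_LDAPCLIENTD_CONF" | proxy_is_restricted)"
    printf '%s' "$SAMPLE_LDAPCLIENTD_CONF" | allowed_attributes
    printf 'ssh/sshPublicKey: %s\n' "$(printf '%s' "$SAMPLE_LDAPCLIENTD_CONF" | attribute_allowed ssh sshPublicKey)"
fi
```

The useful check for an upgraded or custom-installed system is the combination the guide warns about: a proxy user defined in /etc/opt/ldapux/pcred, proxy_is_restricted still at its default of no, and no allowed_attribute entries, which leaves ldaphostlist and ldapuglist unable to tell whether displaying an arbitrary attribute is acceptable.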
12.3 Related information
You can download the latest version of this document from:
http://www.hp.com/go/hpux-security-docs
Click HP-UX LDAP-UX Integration Software.
The following document is also available from the same site:
• LDAP-UX Integration Release Notes
For more information about LDAP-UX Integration and related products and solutions, visit the
following HP website:
http://h71028.www7.hp.com/enterprise/us/en/os/hpux11i-security-components.html
12.4 Typographic conventions
This document uses the following typographical conventions:
Book Title Title of a book or other document.