LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

the user and group data. Figure 9 shows a configuration profile DN of
cn=profile1,ou=profiles,ou=unix,o=hp.com.
Figure 9 Example directory structure (figure: o=hp.com, with ou=unix beneath it containing ou=profiles, ou=hosts, ou=groups and ou=people, which hold profile 1, host data, group data and user data)
Write your configuration profile DN on the worksheet in “Configuration worksheet” (page 403).
By what method will client systems bind to the directory?
Clients can bind to the directory anonymously. This is the default and is simplest to administer.
If you need to prevent anonymous users from accessing your data, or your directory does not
support anonymous access, you can use a proxy user. If you configure a proxy user, you
can also configure anonymous access to be attempted if the proxy user bind fails.
Write your client access method and proxy user DN, if needed, on the worksheet in
“Configuration worksheet” (page 403).
How will you increase the security level of the product to prevent an unwanted user from
logging in to the system through LDAP? What is the procedure to set up increased login
security?
The default is to allow all users stored in the LDAP directory to log in. To prevent specific
users from logging in to a local system, you can configure the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file, as described in Section 2.5.6.1 (page 105).
You may also use pam_authz or the deny_local option (in PAM_LDAP) to disable system
access for accounts defined in LDAP. For more information about the PAM_AUTHZ service
module, see Section 7.4 (page 199) or the pam_authz(5) manpage. For information about the
deny_local option, see Section 2.5.6.2 (page 105).
What PAM authentication will you use? How will you set up the PAM configuration file
/etc/pam.conf? What other authentication do you want to use, and in what order? Do you want
to use the PAM Authorization Service module (PAM_AUTHZ) for user access control?
PAM provides authentication services. You can configure PAM to use LDAP, Kerberos, or other
traditional UNIX locations (for example files or NIS) as controlled by NSS. For more information
about PAM, see the pam(3) and pam.conf(4) manpages, and the Managing Systems and
Workgroups: A Guide for HP-UX System Administrators document at the following location:
www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
Sample PAM configuration files and details about their structure are provided in “Sample
PAM configuration (pam.conf) files” (page 420).
HP recommends that you use HP-UX file-based authentication first, followed by LDAP or other
authentication. The /etc/pam.ldap file is an example of this type of configuration (see the
sample file in Section D.1 (page 421)). With this configuration, PAM uses traditional
authentication first, searching /etc/passwd when any user logs in, then attempts to
62 Installing and configuring LDAP-UX Client Services for an HP server environment
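As an added check that is not part of the guide, the following Python script parses an HP-UX-style pam.conf (service, module type, control flag, module path, optional options) and reports, for each service, whether its auth stack consults local files (libpam_unix) before LDAP (libpam_ldap) as recommended above. The sample pam.conf and the module paths are constructed for illustration; the guide's own sample in Section D.1 is the authoritative layout.

```python
from collections import defaultdict

# Constructed sample in HP-UX pam.conf format:
#   service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# login: local files first (sufficient), then LDAP (required) - recommended order
login   auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login   auth required   /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
# su: LDAP consulted before local files - flagged by the check below
su      auth sufficient /usr/lib/security/$ISA/libpam_ldap.so.1
su      auth required   /usr/lib/security/$ISA/libpam_unix.so.1
# sshd: LDAP only, no local-file fallback - flagged as well
sshd    auth required   /usr/lib/security/$ISA/libpam_ldap.so.1
"""

def parse_auth_stacks(text):
    """Return {service: [(control_flag, module_basename), ...]} for auth lines only."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "auth":
            continue
        service, _, control, path = fields[:4]
        stacks[service].append((control, path.rsplit("/", 1)[-1]))
    return dict(stacks)

def check_auth_order(text):
    """Classify each service's auth stack as 'ok', 'ldap_first' or 'no_files'."""
    verdicts = {}
    for service, stack in parse_auth_stacks(text).items():
        modules = [module for _, module in stack]
        if "libpam_unix.so.1" not in modules:
            verdicts[service] = "no_files"        # no traditional /etc/passwd step at all
        elif ("libpam_ldap.so.1" in modules
              and modules.index("libpam_ldap.so.1") < modules.index("libpam_unix.so.1")):
            verdicts[service] = "ldap_first"      # LDAP consulted before local files
        else:
            verdicts[service] = "ok"
    return verdicts

if __name__ == "__main__":
    for service, verdict in sorted(check_auth_order(SAMPLE_PAM_CONF).items()):
        print(f"{service:8s} {verdict}")
```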