LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
• What name services will you use? How will you set up /etc/nsswitch.conf? In what order do you want NSS to try services?

NSS is the Name Service Switch, providing naming services for user names, group names, and other information. You can configure NSS to use files, LDAP, or NIS in any order and with different parameters. For an example nsswitch.conf file using files and LDAP, see /etc/nsswitch.ldap. For information on NSS, see the switch(4) manpage and the "Configuring the Name Service Switch" chapter in NFS Services Administrator's Guide, available at the following location:

http://www.hp.com/go/hpux-core-docs (Click HP-UX 11i v3).

HP recommends that you use files first, followed by LDAP for passwd, group, and other supported name services. With this configuration, NSS first searches the files, and only if the name service data is not in the respective file does it search the directory. The /etc/nsswitch.ldap file is an example of this configuration.
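The following script is an added example, not part of the LDAP-UX guide: it parses an nsswitch.conf file and reports every database that consults ldap without searching files first, which is the ordering recommended above. It assumes only POSIX sh and awk; the sample files it writes are constructed for the example and are not copies of /etc/nsswitch.ldap.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): verify that an nsswitch.conf
# file searches "files" before "ldap" for every database that uses ldap.

# nss_order_report FILE
#   Prints "<database> ok|warn" for each database line that names ldap.
#   ok   = files is searched before ldap
#   warn = files is missing, or is listed after ldap
#   Returns 0 when every ldap-using database is ok, 1 otherwise.
nss_order_report() {
    awk '
    { sub(/#.*/, "") }                 # drop comments
    /^[ \t]*$/ { next }                # skip blank lines
    {
        db = $0; sub(/:.*/, "", db); gsub(/[ \t]/, "", db)
        rest = $0; sub(/^[^:]*:/, "", rest)
        n = split(rest, tok, /[ \t]+/)
        fpos = 0; lpos = 0; pos = 0; inact = 0
        for (i = 1; i <= n; i++) {
            if (tok[i] == "") continue
            # skip [STATUS=action ...] groups, which may span several tokens
            if (inact) { if (tok[i] ~ /\]$/) inact = 0; continue }
            if (tok[i] ~ /^\[/) { if (tok[i] !~ /\]$/) inact = 1; continue }
            pos++
            if (tok[i] == "files" && !fpos) fpos = pos
            if (tok[i] == "ldap"  && !lpos) lpos = pos
        }
        if (!lpos) next                # this database never consults ldap
        if (fpos && fpos < lpos) print db, "ok"
        else { print db, "warn"; bad = 1 }
    }
    END { exit bad }' "$1"
}

# write_sample_nsswitch FILE GOOD|BAD
#   Writes a constructed sample file (not a copy of /etc/nsswitch.ldap);
#   BAD puts ldap ahead of files for passwd and group.
write_sample_nsswitch() {
    if [ "$2" = GOOD ]; then order="files ldap"; else order="ldap files"; fi
    cat > "$1" <<EOF
# constructed sample nsswitch.conf
passwd:   $order
group:    $order
hosts:    files [NOTFOUND=continue] dns
netgroup: files ldap
EOF
}

# Stand-alone usage: "sh nss_check.sh --live" reports on the real file.
if [ "${1-}" = "--live" ]; then
    nss_order_report /etc/nsswitch.conf
fi
```

Databases such as hosts above, which never list ldap, are not reported; the exit status makes the check usable from a deployment script.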
• Do you need to configure login authorization for a subset of users from a large repository such as an LDAP directory? How will you set up the /etc/opt/ldapux/pam_authz.policy and /etc/pam.conf files to implement this feature?

The PAM_AUTHZ service module for PAM provides functionality that enables the administrator to control who can log in to the system. The module is located at /usr/lib/security/libpam_authz.1 on a PA-RISC machine and at libpam_authz.so.1 on an HP Integrity (IA64) server. The PAM_AUTHZ module has been created to provide access control similar to the netgroup filtering feature that is performed by NIS. Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to enable system administrators to configure and customize their local access rules in a local policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ module uses the access control rules defined in the local policy file to control login authorization. PAM_AUTHZ is intended to be used when NIS is not used, such as when the PAM_LDAP or PAM_KERBEROS authentication modules are used. Because PAM_AUTHZ does not perform authentication, it does not verify whether a user account exists.

If the /etc/opt/ldapux/pam_authz.policy file does not exist in the system, PAM_AUTHZ provides access control based on the netgroup information found in the /etc/passwd and /etc/netgroup files. If the /etc/opt/ldapux/pam_authz.policy file exists in the system, PAM_AUTHZ uses the access rules defined in the policy file to determine who can log in to the system.

For detailed information on this feature and how to configure the /etc/opt/ldapux/pam_authz.policy file, see Section 7.4 (page 199) or the pam_authz(5) manpage.
• Do you want to configure the /etc/opt/ldapux/pam_authz.policy file to enforce account and password policies stored in an LDAP directory server?

LDAP-UX provides a PAM_AUTHZ enhancement to support enforcement of account and password policies stored in an LDAP directory server. This feature works in conjunction with secure shell (ssh) and with the r-commands (rlogin, rcp, and so forth) with rhost enabled, cases in which authentication is performed by the command itself rather than by the PAM subsystem.

For detailed information on this feature and how to configure the pam_authz.policy file, see Section 7.4.10 (page 210).
• How will you communicate with your user community about the change to LDAP?

For the most part, your user community should be unaffected by the directory. Most HP-UX commands will work as always.

See the Release Notes for any other limitations and tell your users how they can work around them.
64 Installing and configuring LDAP-UX Client Services for an HP server environment