This section describes the features and limitations, the PAM configuration changes, and the configuration parameter for integrating LDAP-UX with Trusted Mode.

Features and Limitations
This subsection describes the features and limitations of integrating LDAP-UX with Trusted Mode. Integrating LDAP-UX with Trusted Mode enables accounts stored in the LDAP directory to log in to a local host and to be audited on the Trusted Mode host. The auditing features and limitations are described below. To use these security features, you must enable the audit subsystem on the Trusted Mode local host.

- Auditing of both LDAP-based and local-based (/etc/passwd) accounts is possible. By default, auditing is disabled for all LDAP-based accounts. However, you can use the audusr command (option -a or -d) to alter the auditing flag for an individual LDAP-based account.
- For LDAP-based accounts that are not yet known to the system, you can configure an initial setting for the auditing flag. You can configure this flag such that when an account becomes known to the system for the first time, auditing for that account is immediately enabled or disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.
- You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes for LDAP-based accounts are not stored in the LDAP directory server. For example, enabling auditing for an account on host A does not enable auditing on host B.
- Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized across hosts running in Trusted Mode. When an LDAP-based account name is changed, a new audit ID is generated on each host that the account is newly used on. The initial auditing flag defined in the /etc/opt/ldapux/ldapux_client.conf file is reset to the default value.
- When an account is deleted from LDAP, the audit information for that account is not removed from the local system. If that account name is re-used, the audit information from the previous account is re-used. You can manually remove entries from the Trusted Mode database by removing the appropriate file under the /tcb/files/auth/... directory, where "..." is a directory name based on the first character of the account name.
- You can use the audisp command to display information about LDAP-based accounts. However, if an LDAP-based account has never logged in to the system (via telnet, rlogin, and so on), the audisp -u <username> command displays a message like "audisp: all specified users names are invalid."
Password and Account Policies

The primary goal of integrating Trusted Mode policies with the policies enforced by an LDAP server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based accounts, and LDAP server policies are not enforced on local-based accounts. The password and account policies and limitations are as follows:

- Accounts stored in and authenticated through the LDAP server adhere to the security policies of the directory server being used. These policies are specific to the brand and version of the directory server product deployed. Examples of these policies include password expiration, password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode product apply to accounts stored in the LDAP server.
- Expired passwords for LDAP-based accounts cannot be changed at the HP-UX login prompt on the HP-UX 11.00 Trusted Mode host. An LDAP-based user logging in to a system with an expired password is not allowed to log in, and no error or warning message is given. You can avoid the problem by changing the password before it expires or by using an alternative method to change the LDAP password, for example, the Netscape Web/LDAP Gateway.
- Changing expired passwords during login is not a limitation on the HP-UX 11i v1 Trusted Mode host, unless the Trusted Mode subsystem has attempted to lock the account. When you integrate LDAP-UX on the HP-UX 11i v1 system with the Netscape Directory Server, if an LDAP-based user attempts to log in to the system but provides the incorrect password multiple times in a row (the default is three times in a row), Trusted Mode attempts to lock the account. However, LDAP-based accounts are not affected by the Trusted Mode attributes, so if the user eventually provides the correct password, he or she can log in.
- If your LDAP server is the Windows 2000 Active Directory Server, and an LDAP-based user provides the incorrect password multiple times in a row, the account is locked. You must use the /usr/lbin/modprpw -l -k <username> command to unlock the account before the user can log in again.
- If you integrate LDAP-UX with the Windows 2000 Active Directory Server, you must define the pam_krb5 library before the pam_unix library in the /etc/pam.conf file for all services. In addition, you must set the control flag for both the pam_krb5 and pam_unix libraries to required for Account management and Session management. See Appendix F, "Sample /etc/pam.conf File", for the proper configuration.
- On HP-UX 11.00, the authck command reports errors for each LDAP-based user account that has logged in to the system. The system displays the following error message: "xxx has a uid inconsistency (it's nn in the Protected Password and 0 in /etc/passwd)" where "nn" is the user's uid number.
- You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based accounts.
- The LDAP repository and the /etc/passwd repository must not contain accounts with the same login name or account number.
- Except for the audit flag, you cannot modify other Trusted Mode properties/policies for LDAP-based accounts. For example, if you attempt to lock an LDAP-based account by modifying the Trusted Mode field for that user, it does not prevent that account from logging in to the host. Instead, you must disable the account on the LDAP server itself. No runtime warning is given that the local locking of the account has no effect. It is important that all system administrators are properly trained, so that administrative locks on accounts have the desired effect.
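The pam.conf ordering and control-flag rule for Active Directory integration (pam_krb5 before pam_unix for every service, both required for account and session management) can be checked mechanically. The following shell script is an added example, not part of the LDAP-UX documentation; the module paths in its two constructed pam.conf samples are assumptions, not a particular HP-UX release's defaults.

```shell
#!/bin/sh
# Added check, not from the LDAP-UX documentation: verifies that a pam.conf
# lists pam_krb5 before pam_unix for every service and uses "required" for
# both libraries in account and session management. Module paths in the
# constructed samples are assumptions, not a specific HP-UX release's defaults.
# Print one line per violation; return 1 if any were found, else 0.
check_pam_order() {
    awk '
    $1 ~ /^#/ || NF < 4 { next }                 # skip comments and blank lines
    {
        svc = $1; typ = $2; flag = $3; mod = $4; key = svc " " typ
        mgmt = (typ == "account" || typ == "session")
        if (mod ~ /pam_krb5/) {
            if (!(key in kr)) kr[key] = NR       # first pam_krb5 line for service/type
            if (mgmt && flag != "required") { print key ": pam_krb5 flag is " flag ", expected required"; bad++ }
        }
        if (mod ~ /pam_unix/) {
            if (!(key in un)) un[key] = NR       # first pam_unix line for service/type
            if (mgmt && flag != "required") { print key ": pam_unix flag is " flag ", expected required"; bad++ }
        }
    }
    END {
        for (key in un) {
            if (!(key in kr)) { print key ": pam_unix listed without pam_krb5"; bad++ }
            else if (kr[key] > un[key]) { print key ": pam_unix listed before pam_krb5"; bad++ }
        }
        exit (bad > 0)
    }' "$1"
}
# Constructed sample that follows the rule.
good_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
login auth    required /usr/lib/security/libpam_krb5.1
login auth    required /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_krb5.1
login session required /usr/lib/security/libpam_unix.1
EOF
# Constructed sample with two mistakes: pam_unix first, and an "optional" flag.
bad_conf=$(mktemp)
cat > "$bad_conf" <<'EOF'
login auth    required /usr/lib/security/libpam_unix.1
login auth    required /usr/lib/security/libpam_krb5.1
login session optional /usr/lib/security/libpam_krb5.1
login session required /usr/lib/security/libpam_unix.1
EOF
check_pam_order "$good_conf" && echo "good_conf: OK"
check_pam_order "$bad_conf"  || echo "bad_conf: violations found"
```

Run it against a copy of /etc/pam.conf to list every service/type pair that violates the rule before the host is switched to the Active Directory configuration.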
Configuration Parameter

LDAP-UX Client Services provides one configuration parameter, ts_initial_auditing, which you can use to configure the initial auditing setting for LDAP-based accounts. This parameter is defined in the /etc/opt/ldapux/ldapux_client.conf file.