HP UX Internet Express Software manual Access Control

Page 78

Access Control

By default, users defined in the LDAP database are able to log into every system which uses that database in conjunction with the LDAP Module for System Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ ldapusers.allow.

A default /etc/ldapusers.deny file is provided at installation time. Included are all of the standard system users: root, bin, daemon, and so on. If you want to deny access to a user, add that user's name to the /etc/ldapusers.deny file.

If you want to disallow access to all but a few users, use the /etc/ldapusers.allow file. If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty — its very existence invokes the stricter access control rules.

Utilities for Maintaining User Information in the LDAP Directory Server

The Internet Express software kit includes several utilities that you can use to maintain the extended LDAP directory server shipped with Internet Express. The following utilities, summarized in Table 5, are installed in the /usr/internet/ldap_tools directory:

ldap_checkSection : Checking the LDAP Server Configuration

passwd_extractSection : Extracting Users from the /etc/passwd File

ldap_add_userSection : Adding a User Entry

ldap_del_userSection : Deleting a User Entry

ldap_get_userSection : Retrieving a User Entry

ldap_sync_userSection : Synchronizing with a Password File

ldap_add_groupSection : Adding a Group Entry

ldap_mod_groupSection : Maintaining Group Membership

ldap_del_groupSection : Deleting a Group Entry

ldap_get_groupSection : Retrieving a Group Entry

ldap_passwdSection : Setting a User's Password in the LDAP Directory Server

ldap_enableSection : Starting the ldapcd Daemon

ldap_disableSection : Stopping the ldapcd Daemon

78 User Authentication

Page 77 Page 79
Image 78
Page 77 Page 79
Contents Internet Express for Tru64 Unix Version AbstractPage Contents User Authentication Mail Delivery Administration Mail Access Administration 132 Web Services Administration 155 XML Component Administration 164Network Security Administration 167 Proxy Services Administration 190 Ldap Directory Server Administration 195OpenSLP Administration 207 FTP Server Administration 213Samba File and Print Server Administration 216 InterNetNews Server Administration 225 Internet Relay Chat Administration 248Jabber 265 PostgreSQL Database and MySQL Administration 249Bind Domain Name Server Administration 260 Twiki 266About This Document Intended AudienceDocument Organization Computer output CommandTypographic Conventions User inputRelated Information Reading Documentation Using the Administration UtilityReading Documentation Using the Public Web Server Reading the DocumentationOn a Tru64 Unix System Reading Documentation from the Internet Express CD-ROMReading Reference Pages for Internet Express Components On a PC# man -M /usr/news/man active.5 Readers CommentsReading the Open Source Software Component Documentation Internet electronic mail readerscomment@zk3.dec.comReaders Comments Using the Administration Utility Using the Administration UtilityUsing the Administration Utility Main Menu Administration Utility Menu Options and TasksUsing Administration Utility Forms Registering Your Internet Express InstallationNavigating the Administration Utility Register OnlineSample Administration Utility Form Port Number Description Accessing Administration ServersInternet Express Accounts and Ports 8081 Internet ExpressAccessing the Internet Express Login Account Accessing and Managing the Internet MonitorManaging Internet Express in a TruCluster Environment Installing and Removing Components Using Internet Express Services in a ClusterTruCluster Impact on Internet Express Administration Hostname of the local host Installing and Removing ComponentsKeywords for URL Line Port number from the current Web serverAccessing Web-Based System Management Tools Performing Web-Based System ManagementTuning Kernel Attribute Values Accessing Web-Based System Management ToolsUsing the Administration Utility Where to Find More Information Internet Express and AlphaServer Products Web SitesOpen Source Software Web Sites FreeRADIUS ExpectFirefox GnuPGLynx Web Browser IRC ServerJabber Majordomo Automated Internet Mailing Lists ManagerOpenSLP MySQLOpenLDAP PerlPure-FTP Server PostgreSQL Relational Database Management SystemProcmail Mail Filtering Language Samba File and Print ServerSystem Security Web Sites InterNIC Other Useful Web SitesApplications MicrosoftEncompass User Administration Manage Users MenuUser Administration Overview of User AccountsSpecifying User Names Assigning Passwords to User AccountsPurging Obsolete Passwords Overview of User AccountsSearching for User Accounts Searching for User AccountsAssigning Users to Groups Selecting User AccountsCreating Captive Accounts for Named Users Shows the Create Named User Account formCreating Captive Accounts for Generic Users Creating a Named User AccountCreating a Noncaptive Account for a Unix System User Creating Generic User AccountsTo create a group, see Section Creating Groups Creating a Noncaptive Account for a Unix System UserCreating Groups Creating a System User AccountDisplaying User Account Information Creating GroupsDeleting User Accounts Displaying User Account InformationChanging Groups for User Accounts Changing Groups for User AccountsUser Administration Changing the Password for an Account Changing the Password for an AccountChanging Mail Services for Users Assigning Regular Delivery Mail Service Assigning POP with Password Mail ServiceChanging Mail Services for Users Assigning the Cyrus Imap Mail Service Assigning Cyrus Imap with Password Mail ServiceChanging the iass Account Forwarding Address Assigning Apop with Password Mail ServiceManaging the iass Account Managing the .users.list FilePurging Passwords for User Accounts Managing the User Self-Administration FeatureListing User Accounts and Passwords Removing the .users.list FileEnabling and Disabling the User Self-Administration Feature Managing the User Self-Administration FeatureManage User Self-Administration Menu Modifying the Web Server Configuration Configure Web Server for Self-Administration FormEnabling and Disabling Login Delays Modify Web Server ConfigurationManaging User Self-Administration Groups Adding GroupsDeleting and Modifying Groups Adding GroupsCustomizing the User Self-Administration Feature Enabling and Disabling GroupsUser Administration User Authentication Managing the Ldap Module for System AuthenticationManaging the Ldap Module for System Authentication Example 1 Security Matrix Enabled for Ldap User AuthenticationLdap Caching Daemon Example 2 Ldap Caching Daemon Configuration File Creating Branches Value of searchbase Value of machinedn Value of machinepassExtended Ldap Schema for Unix Account Information Userbranch ou=accounts,searchbaseIndexing Attributes for the Directory Servers Configuring the Ldap Module for System Authentication Adding Indices for OpenLDAPLdap Database Index Types Modifying the Ldap Module Configuration Configuring the Ldap Module for System AuthenticationDefining Ldap System Parameters Configuring Ldap Password Attributes Configuring Ldap Group Attributes Testing the Ldap Module Configuration Importing and Exporting Users from /etc/passwdEnabling and Disabling the Ldap Module Exporting Users from the Directory Server Importing Users into the Directory ServerImporting Users from NIS Adding an Ldap User in a C2 EnvironmentAccess Control Ldap Database Utilities File in which to store search results the default is Remove login names from specified groupRemove login names from all groups Authentication mechanismChecking the Ldap Server Configuration Extracting Users from the /etc/passwd FileAdding a User Entry Deleting a User Entry Retrieving a User EntrySynchronizing with a Password File Adding a Group EntryLdapsyncuser -b branch filename Maintaining Group Membership Deleting a Group EntryStarting the ldapcd Daemon Setting a Users Password in the Ldap Directory ServerRetrieving a Group Entry Ldapgetgroup -b branch -f input-fileAdding Entries to an Ldap Database Maintaining the Ldap Directory Server Using Ldap CommandsStopping the ldapcd Daemon Modifying Entries in an Ldap DatabaseOverview of the Ldap Client Authentication Actions PerformedFiles Modified by theLDAP Module for System Authentication Actions Performed by the Ldap ClientDebugging ldapdc Operation of login/suBehavior of the the ldapdc Daemon Etc/ldapusers.allow# su user1 Mail Delivery Administration Mail Delivery AdministrationSendmail Server Administration Bogofilter to filter spam Section Bogofilter Spam FilterConfiguring the System as a Mail Server Configuring the System as a Standalone Mail SystemConfiguring the System as a Mail Client Ldap see Section Configuring LdapCreating and Deleting Host Aliases for a Mail Server Changing the Sendmail Server Configuration Sendmail Server AdministrationThrough Section Configuring the X.25 Protocol Configuring Mail ProtocolsPSInet see Section Configuring the X.25 Protocol Creating and Deleting Pseudo Domain AliasesConfiguring the MTS Protocol Configuring the DECnet Phase IV ProtocolConfiguring the DECnet/OSI Protocol Configuring the Uucp Protocol Configuring the X.25 ProtocolConfiguring Masquerading Accessing the Configure Masquerading FormRoot Postmaster News Uucp Configuring Your System for Masquerading Mailer-daemon Rdist Nobody Daemon Pop ImapConfiguring Virtual Domains Example 4 Sample Virtual Domain Table# makemap btree virtusertable virtusertable Enabling Procmail as a Local Mailer Enabling Anti-VirusConfiguring Anti-Spam Configuring RelayingConfiguring the Access Database Example 5 Sample Access Database for the Sendmail ServerConfiguring an Access Database Configuring Ldap Configuring Checking on Senders InformationConfiguring Mail Filters Milter Shows the Configure Ldap formSocket inet61066@myhost.com Socket local/var/run/f1.sockSocket inet1099@remotehost.com Socket inet1066@myhost.com,T=C5mS10sR10sE5mSample -p local/var/run/example1.sock Configuring Queues Adding a Queue# sendmail -bt -q queue-name Modifying a Queue GroupDeleting a Queue Group Configuring Queue Performance Queue TimersGeneral Queue Properties Configuring Trusted Layer Security Sendmail TimersSendmail Tunable Parameters TLS Certificate Values Certificate DefaultsCertificate Issuer One that issues certificates a CA Certicate Authority Abbreviation Certificate AuthorityEnabling Support Using the Access Database Failure marked as temporary VERIFYbits CIname Sendmail Server AdministrationMarked as permanent SideConfiguring Mailbox Access Controlling the Sendmail ServerRelay or Subject Viewing the Sendmail Server Log Majordomo Mailing List AdministrationMajordomo Mailing List Administration Creating a Majordomo Mailing ListChanging a Majordomo Mailing List Configuration Changing List Owner or CharterChanging Administration Parameters Changing Subscription ParametersChanging Message Content Parameters Changing Command Access Parameters Changing Digest ParametersChanging Moderated List Parameters Changing List Restriction ParametersChanging Address Processing Parameters MailmanDeleting a Majordomo List MailmanDeleting a Mailing List Creating the Initial Mailman List Using a ScriptCreate a Mailing List Managing MailmanMailman Mailing List Administration Menu Mailman Log Files Bogofilter Spam FilterMailman Scripts Training BogofilterFilter Integration with Other Tools Using Bogofilter with procmailFiltering with Bogofilter Bogofilter/wordlist.dbMutt Integration with Bogofilter Pine Integration with BogofilterMail Transport Agent MTA Integration with Bogofilter Bogofilter Spam Filter Controlling the POP3 Server Mail Access AdministrationPOP Mail Server Administration Controlling the POP2 ServerImap Mail Server Administration Imap Mail Server AdministrationViewing the POP Mail Server Log Setting Up a Unix User Account for UW Imap Setting Up a Unix User Account for Cyrus ImapConverting Imap Mail Folders Usr/dt/bin/mailcv -evdt -I -f foldername directoryname user Controlling the Cyrus Imap ServerControlling the UW Imap Server Usr/dt/bin/mailcv -I -t -f ./bar dukeConfiguring SSL for UW-IMAP Viewing the Imap Server LogIMP Webmail Administration IMP Webmail AdministrationAccessing the IMP Webmail Administration Menu Enabling and Disabling IMP WebmailManaging Mail Server Settings Enable/Disable IMP WebmailIMP Mail Server Settings Modifying the Mail Server ListAdding a Mail Server IMP Mail Server List Settings Managing Mailbox Settings Modifying a Mail ServerDeleting a Mail Server Managing Compose Settings IMP Mailbox SettingsManaging Message Settings IMP Compose SettingsPreference settings Managing Logging Settings IMP Message SettingsIMP Logging Settings Managing Preference Driver Settings Preference Driver SettingsMiscellaneous IMP Settings Managing Miscellaneous IMP SettingsManaging Horde Settings Setting Description Allow usage of foldersHorde Settings Managing Turba Settings Setting Description Enabled Using IMP Upgrade ToolsIMP Turba Settings Have access to their addressbookUpgrading IMP Configurations Upgrading IMP DatabasesIMP Database Upgrade Settings Accessing IMP Webmail Additional Webmail DocumentationNew Preference Table Web Services Administration Secure Web Server AdministrationSecure Web Server Administration Accessing the Secure Web Servers Internet Express Ports and URLsWeb Server Management Changing Configuration ParametersConfiguration Files for Secure Web Servers ServerChanging the Password for the Administration Web Server Httpd.conf Srm.conf Access.confHt//Dig Search Tool Administration Ht//Dig Search Tool AdministrationCreating the Search Index Ht//Dig Indexing and Search Administration Link to Ht//Dig Search Index Updated Ht//Dig Configuration File Message Searching the Index DocumentationHttp//hostname/htdig/search.html XML Component Administration Directories and Subsets for XML ComponentsDirectories and Subsets for XML Components Apache Axis Server Administration Apache Axis Server AdministrationApache Cocoon Servlet Administration Managing the Apache Axis ServerManaging the Apache Cocoon Servlet Enabling and Disabling the Cocoon ServletViewing the Cocoon Log Files Network Services Wrapped by Internet Express Network Security AdministrationTCP Wrapper Administration Network Services Wrapped by Internet ExpressControlling Access to Other Network Services Modifying Access to a Wrapped Network ServiceTesting TCP Security Modifications Network Service Access OptionsFireScreen Administration FireScreen Administration MenuInstalling FireScreen FireScreen AdministrationChecking FireScreen Installation Prerequisites Etc/rc.config fileFireScreen Administration Install FireScreen Page with Gateway Screening Enabled Configuring FireScreen Setting Command-Line Options Configure FireScreen MenuSet Options Confirmation Setting the Screening Mode Adding a Screening RuleAdd New Screening Rule Form Checking Syntax of Screening Rules Deleting a Screening RuleStarting and Stopping FireScreen Starting FireScreenStart/Stop FireScreen Form with Restart Option Enabled Stopping FireScreenViewing FireScreen Status Viewing FireScreen Screening RulesViewing the FireScreen Log Snort Intrusion Detection System Viewing FireScreen StatisticsUsr/internet/docs/snort Snort documentation Option Disable Decode Alert Configuring Snort DecoderConfiguring Snort Preprocessor Snort -vd -l ./logFreeRADIUS Server Administration Running SnortViewing Alert Messages Starting and Stopping the FreeRADIUS Server Considerations While Installing FreeRADIUSUnderstanding FreeRADIUS Configuration Files Users FileConfigure --disable-shared make make install Clients.conf fileRadiusd.conf file Viewing FreeRADIUS Log File Proxy Services Administration Proxy Services AdministrationDante Socks Server Administration Controlling the Dante Socks ServerAccessing Dante Socks Information Squid Proxy/Caching Server AdministrationConfiguring the Dante Socks Server Squid Proxy/Caching Server AdministrationConfiguring the Squid Proxy/Caching Server Reinitializing the Disk CacheManaging the Squid Proxy/Caching Server Displaying Access Statistics Rotating Log FilesControlling the Squid Proxy/Caching Server Ldap Directory Server Administration Understanding the Ldap Directory SchemaUnderstanding the Ldap Directory Schema Using the Ldap Browser Ldap Directory Server AdministrationExample 6 Ldap Standard Object Class Definition for Person Managing Frequently Used Connections Installing and Running the Ldap BrowserConnecting to an Ldap Server Creating or Editing Frequently Used ConnectionsConnecting to an Ldap Server using SSL Using the Main Browsing Window Disconnecting from an Ldap ServerReconnecting to an Ldap Server Closing a Main Window Controlling Client-Side Schema CheckingOpening a New Main Window Viewing a Directory Entry in a Separate WindowDeleting a Directory Entry Adding a New Directory EntryModifying a Directory Entry Copying a Directory EntryAdding Attributes Renaming a Directory EntryMoving a Directory Entry Modifying AttributesCreating Entry Templates Deleting AttributesManaging Directory Entry Templates Modifying Entry TemplatesViewing the Object Class Schema Viewing the Attribute SchemaSearching the Directory Configuring the OpenLDAP Directory Server Managing and Using the OpenLDAP Directory ServerUser Configuration File Managing the OpenLDAP Directory ServerLdap Directory Server Administration OpenSLP Administration Configuration Files and ExamplesOpenSLP Overview Configuring OpenSLP Using the OpenSLP Configuration and Registration FilesConfiguring Optional Security Running the Services Configuring OpenSLPRunning the Example Configuration Considerations for Using SLP APIsDocumentation DocumentationOpenSLP Administration Administering Pure-FTP Server FTP Server AdministrationAdministering Pure-FTP Server Creating or Modifying an Anonymous Pure-FTP User AccountEnabling or Disabling chroot Enabling or Disabling Anonymous Pure-FTP AccessFTP Server Administration Upload /data/ftp /pub yes ftp daemonDisplaying Active Pure-FTP Users Enabling or Disabling Pure-FTP serverUnderstanding the smb.conf Configuration File Samba File and Print Server AdministrationOptions for Modifying the smb.conf Configuration File Samba File and Print Server AdministrationUnderstanding the smb.conf Configuration File WorkgroupAdd the following value Administering the Samba Server Using the Swat Program Configuring the Samba Server Using the Swat ProgramAdministering the Samba Server Using the Swat Program Samba File and Print Server Administration Configure the Samba Server Menu Configuring Global Variables Configuring Share ParametersManage passwords see Section Administering Passwords Controlling Printers Viewing the Current ConfigurationAdministering Passwords Viewing the Status of the ServerSamba File and Print Server Administration InterNetNews Server Administration 225Specifying INN Configuration Data InterNetNews Server AdministrationINN Daemons Configuring an External Newsfeed Configuring an External NewsfeedArticle Retention Period Displaying an External NewsfeedRecommended Spool Space for News Articles Days 12 GBAdding an External Newsfeed Typically, a newsfeed has the following flags set Modifying Newsfeed Defaults Modifying an External NewsfeedRemoving an External Newsfeed Managing Client Access Updating the Local Active FileDisplaying Client Access Groups Adding a Client Access GroupAccess Groups Form Fields Modifying an Existing Client Access Group Removing a Client Access GroupAdding Client Authentication Groups Displaying Client Authentication GroupsManaging Client Authentication Groups Client Authentication Groups Menu FieldsModifying Client Authentication Groups Usr/bin/news/auth/passwdDeleting Client Authentication Groups Configuring Storage OptionsConfiguring Storage Method Entries Configuring Storage OptionsOptions on the Configure Storage Menu Adding a New Storage Method ClassModifying a Storage Method Class Displaying Cnfs Entries Configuring the Cnfs Storage MethodDeleting a Storage Method Class Adding New Cnfs EntriesModifying Cnfs Entries Deleting Cnfs Entries Managing Article ExpirationDisplaying Article Expiration Definitions Managing Article ExpirationAdding an Article Expiration Definition Specific newsgroup for example, rec.photoManaging Article Expiration Modifying an Article Expiration Definition Specifying an Article Expiration DefinitionModifying the Retention Period for Expired Articles Managing Local NewsgroupsDeleting an Article Expiration Definition Managing Local NewsgroupsViewing INN Log Files Creating Local NewsgroupsDeleting Local Newsgroups Controlling the INN Server Controlling the INN ServerInternet Relay Chat Administration Internet Relay Chat AdministrationConfiguring IRC Controlling the IRC ServerInstalling PostgreSQL PostgreSQL Database and MySQL AdministrationInstalling PostgreSQL Starting and Stopping PostgreSQL ServerPostgreSQL Database and MySQL Administration Viewing the PostgreSQL Log FileAdministering PostgreSQL Accounts Administering PostgreSQL AccountsImportant Files and Directories Running the Postmaster Startup Script Setting up a Crontab Entry for Vacuuming DatabasesUsing Existing PostgreSQL Accounts PostgreSQL Files and DirectoriesSetting up a Crontab Entry for Vacuuming Databases PostgreSQL Database and MySQL Administration Setup Vacuum Crontab Form Scaling PostgreSQL #/sbin/init.d/postgres stop#/sbin/init.d/postgres start #/sbin/sysconfig -q ipc #ps -ef grep postmasterScaling PostgreSQL Starting and Stopping MySQL Administering MySQLDirectories and Files Established by MySQL Installation MySQL DirectoriesViewing the MySQL Error Log Starting and Stopping the MySQL Server Using a Command LineMySQL Configuration Files MySQL Log FilesImportant Bind Files and Directories Bind Domain Name Server AdministrationBind Overview Bind Files and DirectoriesBind Binary File Directories Enabling Bind Enter /sbin/init.d/named start Enter /sbin/rcinet start Running the Bind Startup ScriptBind Documentation Running the Bind Startup ScriptHttp//ops.ietf.org/dns/dynupd/secure-ddns-howto.html Jabber Controlling the Jabber ServerControlling the Jabber Server Twiki Starting TWikiTwiki Sample client server configuration Sample client server configurationStunnel Background OpenSSL Certificate Creation Sendmail Supplemental InformationCreating a Certificate of Authority Sample mail filter Section Mail Filter ExampleMail Filter Example Mail Filter ExampleSendmail Supplemental Information Smfiversion Glossary GlossaryFTP 273See also Https See TCP/IP 275Symbols IndexIndex Decus see Encompass deinstall.sh script Web site, 30 external newsfeed adding277 Index Ldap client, 87 Ldap commands Log file FireScreen viewing, 183 login account279 Index OpenLDAP Project Web site Poppassd server controlling281 Screening mode, 178 screening rule FireScreen TIN 283
Related manuals
Manual 34 pages 37.15 Kb
Top Page Image Contents