Access Control

By default, users defined in the LDAP database are able to log into every system which uses that database in conjunction with the LDAP Module for System Authentication. If you want to limit user access to specific systems, use the access control files /etc/ldapusers.deny and /etc/ldapusers.allow.

A default /etc/ldapusers.deny file is provided at installation time. Included are all of the standard system users: root, bin, daemon, and so on. If you want to deny access to a user, add that user's name to the /etc/ldapusers.deny file.

If you want to disallow access to all but a few users, use the /etc/ldapusers.allow file. If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty — its very existence invokes the stricter access control rules.
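The deny/allow decision described above, written out as an added shell example; this is not part of the Internet Express software. It assumes one user name per line in each file, that a user listed in both files is refused (the text does not say which file wins), and uses an ETC variable so the check can be exercised against constructed files instead of the real /etc.

```shell
#!/bin/sh
# Added example: models the login decision the documentation describes for
# /etc/ldapusers.deny and /etc/ldapusers.allow. Not the product's own code.
# Assumptions not stated on the page: one user name per line in each file,
# and a user present in both files is refused.
# ETC is overridable so the logic can be run against constructed files.
ETC="${ETC:-/etc}"

# ldap_login_allowed USER -> returns 0 if LDAP login is permitted, 1 if refused
ldap_login_allowed() {
    user="$1"
    deny="$ETC/ldapusers.deny"
    allow="$ETC/ldapusers.allow"

    # An explicit entry in the deny file refuses the login.
    if [ -f "$deny" ] && grep -qx "$user" "$deny"; then
        return 1
    fi
    # If the allow file exists, only users listed in it may log in.
    # An empty allow file therefore refuses everyone, exactly as the text notes.
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow" && return 0
        return 1
    fi
    # Neither file applies: default behaviour, every LDAP user may log in.
    return 0
}

# Constructed demonstration files in a temporary directory (constructed data).
demo() {
    ETC=$(mktemp -d)
    printf 'root\nbin\ndaemon\n' > "$ETC/ldapusers.deny"   # like the shipped default
    ldap_login_allowed alice && echo "alice: allowed (no allow file present)"
    ldap_login_allowed root  || echo "root: denied (listed in ldapusers.deny)"
    : > "$ETC/ldapusers.allow"                              # empty allow file
    ldap_login_allowed alice || echo "alice: denied (allow file exists but is empty)"
    echo alice >> "$ETC/ldapusers.allow"
    ldap_login_allowed alice && echo "alice: allowed (listed in ldapusers.allow)"
    rm -rf "$ETC"
}

demo
```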

Utilities for Maintaining User Information in the LDAP Directory Server

The Internet Express software kit includes several utilities that you can use to maintain the extended LDAP directory server shipped with Internet Express. The following utilities, summarized in Table 5, are installed in the /usr/internet/ldap_tools directory:

Table 5: Utilities for Maintaining User Information in the LDAP Directory Server

Utility           Description
----------------  -----------------------------------------------------------
ldap_check        Checking the LDAP Server Configuration
passwd_extract    Extracting Users from the /etc/passwd File
ldap_add_user     Adding a User Entry
ldap_del_user     Deleting a User Entry
ldap_get_user     Retrieving a User Entry
ldap_sync_user    Synchronizing with a Password File
ldap_add_group    Adding a Group Entry
ldap_mod_group    Maintaining Group Membership
ldap_del_group    Deleting a Group Entry
ldap_get_group    Retrieving a Group Entry
ldap_passwd       Setting a User's Password in the LDAP Directory Server
ldap_enable       Starting the ldapcd Daemon
ldap_disable      Stopping the ldapcd Daemon
