/etc/ldapusers.allow

If you want to disallow access to all but a few users, you must create the /etc/ldapusers.allow file. The /etc/ldapusers.allow file is a text file in which you enter the names of the Tru64 UNIX users who are permitted to authenticate through LDAP.

If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is empty. The existence of this file invokes the stricter access control rules.

Additional considerations related to the /etc/ldapusers.deny and /etc/ldapusers.allow files include the following:

If the /etc/ldapusers.allow file is not present, all users except those listed in the /etc/ldapusers.deny file are allowed to log in.

If the /etc/ldapusers.allow file is present, only the users listed in that file are allowed to log in.

If a user is present in both /etc/ldapusers.allow and /etc/ldapusers.deny, the user is allowed to log in; /etc/ldapusers.allow takes precedence over /etc/ldapusers.deny.

If the user is in neither /etc/ldapusers.allow nor /etc/ldapusers.deny, the user is not allowed to log in.
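The four rules above, as an added shell example that is not part of the Tru64 documentation. The function takes the allow and deny file paths as optional arguments so the logic can be exercised against constructed files rather than the system's own; the file contents and user names in the demonstration are constructed.

```sh
#!/bin/sh
# Added example (not from the Tru64 documentation): models the decision
# rules for /etc/ldapusers.allow and /etc/ldapusers.deny described above.
# The file paths default to the real ones but may be overridden so the
# logic can be checked against constructed files instead of the system's.

# ldap_login_allowed USER [ALLOWFILE] [DENYFILE]
# Prints "allow" or "deny"; exit status 0 means allowed, 1 means denied.
ldap_login_allowed() {
    user=$1
    allow=${2:-/etc/ldapusers.allow}
    deny=${3:-/etc/ldapusers.deny}

    if [ -e "$allow" ]; then
        # Allow file present: only listed users may log in, and a listing
        # here takes precedence over the deny file. An empty allow file
        # therefore locks everyone out of LDAP logins.
        if grep -qxF -- "$user" "$allow"; then
            echo allow; return 0
        fi
        echo deny; return 1
    fi

    # No allow file: everyone may log in except users in the deny file.
    if [ -e "$deny" ] && grep -qxF -- "$user" "$deny"; then
        echo deny; return 1
    fi
    echo allow; return 0
}

# Demonstration on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
printf 'user1\nuser2\n' > "$demo_dir/allow"
printf 'user1\nuser3\n' > "$demo_dir/deny"
: > "$demo_dir/empty_allow"
for u in user1 user2 user3 user4; do
    printf '%s with allow file:    %s\n' "$u" \
        "$(ldap_login_allowed "$u" "$demo_dir/allow" "$demo_dir/deny")"
    printf '%s without allow file: %s\n' "$u" \
        "$(ldap_login_allowed "$u" "$demo_dir/missing" "$demo_dir/deny")"
done
printf 'user2 with empty allow file: %s\n' \
    "$(ldap_login_allowed user2 "$demo_dir/empty_allow" "$demo_dir/deny")"
rm -rf "$demo_dir"
```

Note that the "empty allow file" case prints deny: the mere existence of /etc/ldapusers.allow switches on the stricter rules.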

Behavior of the ldapcd Daemon

The ldapcd daemon runs at all times and is started by the following entry in the /etc/inittab file:

ldapcd:34:respawn:/usr/sbin/ldapcd -D /dev/console 2>&1

Thus, whenever ldapcd exits for some reason, the daemon is restarted using /etc/inittab.

Debugging ldapcd

To enable logging for ldapcd, add the line debug: 1 at the end of the /etc/ldapcd.conf file.

ldapcd writes its log to /usr/tmp/ldapcd.log.XXXX, where XXXX is a randomly selected value.

Enable debugging and examine the log file for any errors.

Operation of login/su

The login/su command inspects the /etc/sia/matrix.conf file and attempts to authenticate users based on the mechanisms specified there. Consider the following situation in which the same users are present in multiple databases, such as LDAP and NIS:

There are three users, user1, user2, and user3 in LDAP.

There are three users, user1, user4, and user5 in NIS. (Note that user1 exists in both LDAP and NIS.)

An entry for user1 exists in /etc/ldapusers.deny.

To work through this situation, the administrator should log in to the machine as root and run the following command:

# su user2

The su operation looks for the user first in /etc/passwd, then in NIS, and finally in LDAP (in the order given by the entries in /etc/sia/matrix.conf), and authenticates user2 against the LDAP database, where that user is present. The command succeeds.

Next, the administrator should run the following command as root:

88 User Authentication