Administering LDAP-UX Client Services

Integrating with Trusted Mode

system for the first time, auditing for that account is immediately enabled or disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.

You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes for LDAP-based accounts are not stored in the LDAP directory server. For example, enabling auditing for an account on host A does not enable auditing on host B.

Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized across hosts running in the Trusted Mode.

When an LDAP-based account name is changed, a new audit ID is generated on each host where the renamed account is subsequently used. The initial auditing flag is reset to the default value defined in the /etc/opt/ldapux/ldapux_client.conf file.

When an account is deleted from LDAP, the audit information for that account is not removed from the local system. If that account name is reused, the audit information from the previous account is reused as well. You can choose to manually remove entries from the Trusted Mode database by removing the appropriate file under the /tcb/files/auth/... directory, where "..." is the directory name derived from the first character of the account name.

You can use the audisp command to display information about LDAP-based accounts. However, if an LDAP-based account has never logged in to the system (via telnet, rlogin, and so on), the audisp -u <username> command displays a message such as "audisp: all specified users names are invalid."
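The two points above (stale Trusted Mode database files surviving account deletion, and the per-host, per-first-character layout under /tcb/files/auth) suggest a routine check an administrator can run before an account name is reused. The following POSIX shell script is an added example, not code from the LDAP-UX product or its documentation. It assumes that each account's protected-password file is stored as /tcb/files/auth/<first character>/<account name>; the TCB_ROOT variable, the function names and the account-list file are all assumptions introduced here so the script can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the HP-UX LDAP-UX documentation): locate Trusted Mode
# database files for account names and report entries that no longer match a
# current account, so they can be reviewed before the name is reused and the
# old audit ID and auditing flag are inherited.
#
# TCB_ROOT defaults to the real Trusted Mode location but can be overridden so
# the functions run against a constructed tree on any system.
TCB_ROOT="${TCB_ROOT:-/tcb/files/auth}"

# tcb_path NAME: print the protected-password database file for NAME.
# Assumption: the per-account file lives in a subdirectory named after the
# first character of the account name (e.g. /tcb/files/auth/j/jdoe).
tcb_path() {
    name="$1"
    first=$(printf '%s' "$name" | cut -c1)
    printf '%s/%s/%s\n' "$TCB_ROOT" "$first" "$name"
}

# has_tcb_entry NAME: succeed (exit 0) if a Trusted Mode entry exists for NAME.
has_tcb_entry() {
    [ -f "$(tcb_path "$1")" ]
}

# stale_tcb_entries ACCOUNT_LIST_FILE: print the names of entries found under
# TCB_ROOT that are not listed (one name per line) in ACCOUNT_LIST_FILE.
# On a real host the list would come from the name service, for example
# `getent passwd | cut -d: -f1`, which resolves both local and LDAP-UX
# accounts; taking it as a file argument keeps the function runnable offline.
stale_tcb_entries() {
    list="$1"
    for f in "$TCB_ROOT"/*/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        grep -qx "$n" "$list" || printf '%s\n' "$n"
    done
}

# Stand-alone usage on a Trusted Mode host (uncomment to run):
# getent passwd | cut -d: -f1 > /tmp/accounts.$$ \
#     && stale_tcb_entries /tmp/accounts.$$ \
#     && rm -f /tmp/accounts.$$
```

The script only reports; it deliberately does not delete anything, because the page's procedure is a manual removal decision per host, and each host's Trusted Mode database is independent, so the check has to be run on every host where the account was used.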

Password and Account Policies

The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based accounts, and LDAP server policies are not enforced on local accounts. The password and account policies and their limitations are described as follows:

Accounts stored and authenticated through the LDAP directory adhere to the security policies of the directory server being used. These policies are specific to the brand and version of the directory server product deployed. Examples of these policies include password

106

Chapter 4