Administering LDAP-UX Client Services

Integrating with Trusted Mode

expiration, password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode product apply to accounts stored in the LDAP server.

When you integrate LDAP-UX on an HP-UX 11i v1 or 11i v2 system with the Netscape Directory Server, if an LDAP-based user attempts to log in to the system but provides the incorrect password multiple times in a row (the default is three times in a row), Trusted Mode attempts to lock the account. However, the Trusted Mode attributes do not apply to LDAP-based accounts, so the lock has no effect: if the user eventually provides the correct password, he or she can log in.

PAM Configuration File

If you integrate LDAP-UX Client Services with the Netscape Directory Server, you must define the pam_ldap library before the pam_unix library in the /etc/pam.conf file for all services. You must set the control flag for both the pam_ldap and pam_unix libraries to required under session management. Refer to Appendix C, “Sample /etc/pam.ldap.trusted file,” on page 191 for the proper configuration.

If you integrate LDAP-UX Client Services with the Windows 2000/2003 Active Directory Server, you must define the pam_krb5 library before the pam_unix library in the /etc/pam.conf file for all services. In addition, the control flag for both the pam_krb5 and pam_unix libraries must be set to required for session management. Refer to Appendix F and Appendix G in the LDAP-UX Client Services B.04.00 With Microsoft Windows 2000/2003 Active Directory Administrator’s Guide for the proper configuration.
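The two ordering and control-flag rules above are easy to get wrong when editing /etc/pam.conf by hand, so the following added script (not part of the LDAP-UX product or this guide) checks a pam.conf text for them: for every service and module type where pam_unix is listed, the directory module (pam_ldap, or pam_krb5 for the Active Directory integration) must appear before it, and under session management both must carry the required flag. The sample configuration embedded in the script is constructed for illustration; its module paths are assumed placeholders, and the checker matches on the library basenames only, so real paths on a given system do not affect the result.

```python
"""Validate the LDAP-UX/Trusted Mode ordering rules for /etc/pam.conf.

HP-UX pam.conf line format (one stack entry per line):
    <service> <module-type> <control-flag> <module-path> [options]
"""
from collections import defaultdict

# Constructed sample pam.conf; module paths are placeholders, not taken from a real system.
SAMPLE_PAM_CONF = """\
# login: pam_ldap before pam_unix, both required for session (correct)
login   auth     required   /usr/lib/security/libpam_ldap.1
login   auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
login   session  required   /usr/lib/security/libpam_ldap.1
login   session  required   /usr/lib/security/libpam_unix.1
# sshd: pam_unix listed before pam_ldap (wrong order)
sshd    auth     required   /usr/lib/security/libpam_unix.1
sshd    auth     required   /usr/lib/security/libpam_ldap.1
# ftp: session entry for pam_ldap is 'optional' instead of 'required' (wrong flag)
ftp     session  optional   /usr/lib/security/libpam_ldap.1
ftp     session  required   /usr/lib/security/libpam_unix.1
"""

DIRECTORY_MODULE = "libpam_ldap"   # use "libpam_krb5" for the Active Directory integration
UNIX_MODULE = "libpam_unix"


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path), ...]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                      # malformed line; pam would ignore it too
            continue
        service, mtype, flag, path = fields[0], fields[1], fields[2].lower(), fields[3]
        stacks[(service, mtype)].append((flag, path))
    return stacks


def check_pam_conf(text, directory_module=DIRECTORY_MODULE):
    """Return a list of human-readable problems; an empty list means the rules hold."""
    problems = []
    for (service, mtype), entries in parse_pam_conf(text).items():
        dir_idx = next((i for i, (_, p) in enumerate(entries) if directory_module in p), None)
        unix_idx = next((i for i, (_, p) in enumerate(entries) if UNIX_MODULE in p), None)
        if unix_idx is None:                     # stack does not use pam_unix; nothing to order
            continue
        if dir_idx is None:
            problems.append(f"{service} {mtype}: {directory_module} is not configured")
            continue
        if dir_idx > unix_idx:
            problems.append(f"{service} {mtype}: {directory_module} must be listed before {UNIX_MODULE}")
        if mtype == "session":
            # Both libraries must be 'required' under session management.
            for flag, path in (entries[dir_idx], entries[unix_idx]):
                if flag != "required":
                    problems.append(f"{service} session: {path} control flag is '{flag}', expected 'required'")
    return problems


if __name__ == "__main__":
    for problem in check_pam_conf(SAMPLE_PAM_CONF):
        print(problem)
```

Run against a real file with `check_pam_conf(open("/etc/pam.conf").read())`; pass `directory_module="libpam_krb5"` when checking the Active Directory configuration.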

Others

The authck -d command removes the /tcb/files/auth/... files created for LDAP-based accounts. When the LDAP-based account logs in to the system again, a new /tcb/files/auth/... file with a new audit ID is created. Therefore, it is not recommended to run the authck -d command when you configure LDAP-UX with Trusted Mode.

You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based accounts.

The LDAP repository and /etc/passwd repository must not contain accounts with the same login name or account number.
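Because a login name or UID number present in both repositories is forbidden, an administrator will want a way to detect such collisions before enabling the integration. The following added script (not part of the LDAP-UX product or this guide) compares the names and UID numbers in /etc/passwd with those of posixAccount entries exported from the directory in LDIF form. Both data sets below are constructed samples; the LDIF reader is deliberately minimal (plain-text attributes only, no base64 continuation lines) and is an assumption of this example rather than a documented LDAP-UX tool.

```python
"""Report login names and UID numbers shared by /etc/passwd and LDAP posixAccount entries."""

# Constructed /etc/passwd sample (not from a real system).
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
jsmith:*:1001:20::/home/jsmith:/usr/bin/sh
build:*:1002:20::/home/build:/usr/bin/sh
"""

# Constructed LDIF sample, e.g. the output of an ldapsearch for posixAccount entries.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jsmith
uidNumber: 5001

dn: uid=alee,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alee
uidNumber: 1002

dn: uid=mkay,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: mkay
uidNumber: 5003
"""


def parse_passwd(text):
    """Return {login_name: uid_number} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts


def parse_ldif_posix_accounts(text):
    """Minimal LDIF reader: {uid: uidNumber} for entries carrying both attributes."""
    accounts = {}
    entry = {}
    for line in text.splitlines() + [""]:       # trailing blank line flushes the last entry
        if not line.strip():
            if "uid" in entry and "uidNumber" in entry:
                accounts[entry["uid"]] = int(entry["uidNumber"])
            entry = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        entry[attr.strip()] = value.strip()
    return accounts


def find_collisions(passwd, ldap):
    """Return (shared_login_names, shared_uid_numbers), each sorted."""
    shared_names = sorted(set(passwd) & set(ldap))
    shared_uids = sorted(set(passwd.values()) & set(ldap.values()))
    return shared_names, shared_uids


if __name__ == "__main__":
    names, uids = find_collisions(parse_passwd(SAMPLE_PASSWD),
                                  parse_ldif_posix_accounts(SAMPLE_LDIF))
    for name in names:
        print(f"login name present in both repositories: {name}")
    for uid in uids:
        print(f"UID number present in both repositories: {uid}")
```

On a live system, feed `open("/etc/passwd").read()` and the LDIF produced by an ldapsearch for `objectClass=posixAccount` into the two parsers; any name or number reported must be renamed or renumbered in one repository before the integration is enabled.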

Chapter 4

107