Installing And Configuring
Plan Your Installation
•How will you increase the security level of the product to prevent an unwanted user from logging in to the system via LDAP? What is the procedure to set up increased login security?
The default is to allow all users stored in the LDAP directory to log in. To prevent specific users from logging in to a local system, you must configure the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file. There are two sections in this file, the [profile] section and the [NSS] section. HP recommends that you do not edit the [profile] section. The [NSS] section contains the disable_uid_range flag along with two logging flags. For example, the flag might look like this:
Another common example is to disable root access. This flag would look like this: disable_uid_range=0.
When disable_uid_range is set, the disabled UIDs are not displayed when you run commands such as pwget, listusers, logins, and so on.
NOTE: The passwd command may still allow you to change a password for a disabled user when alternative authentication methods, such as PAM Kerberos, are used, since LDAP does not control these subsystems.
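The following is an added example, not part of the HP LDAP-UX documentation or its own tooling: a small audit script that reads the [NSS] section of an ldapux_client.conf-style file, expands the disable_uid_range value, and reports which LDAP accounts would be refused local login (and hidden from pwget-style lookups). The range syntax it parses, a comma-separated list of single UIDs or low-high ranges such as "0,100-199", is an assumption, since this page only shows the single-value form disable_uid_range=0; the configuration text and account list are constructed for the example.

```python
"""Audit which LDAP accounts a disable_uid_range setting would block.

Added example, not HP's code. ASSUMPTION: disable_uid_range is a
comma-separated list of single UIDs or "low-high" ranges; the page shows
only the single-value form (disable_uid_range=0).
"""
import configparser
import io

# Constructed sample configuration, following the [profile]/[NSS] layout
# the documentation describes. Values are illustrative only.
SAMPLE_CONF = """\
[profile]
# (profile settings omitted; HP recommends not editing this section)

[NSS]
disable_uid_range=0,100-199
"""

# Constructed LDAP account list: (login name, numeric uidNumber)
SAMPLE_ACCOUNTS = [
    ("root", 0),
    ("svcacct", 150),
    ("alice", 1001),
    ("bob", 199),
    ("carol", 200),
]


def parse_uid_ranges(value):
    """Turn '0,100-199' into a list of inclusive (low, high) tuples."""
    ranges = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low_s, high_s = part.split("-", 1)
            low, high = int(low_s), int(high_s)
            if low > high:
                raise ValueError(f"inverted range: {part}")
        else:
            low = high = int(part)
        ranges.append((low, high))
    return ranges


def load_disabled_ranges(conf_text):
    """Read disable_uid_range from the [NSS] section; [] if not set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_file(io.StringIO(conf_text))
    if not cp.has_option("NSS", "disable_uid_range"):
        return []
    return parse_uid_ranges(cp.get("NSS", "disable_uid_range"))


def is_disabled(uid, ranges):
    """True if the UID falls inside any disabled range."""
    return any(low <= uid <= high for low, high in ranges)


def audit(conf_text, accounts):
    """Split accounts into (allowed, blocked) as the NSS lookup would."""
    ranges = load_disabled_ranges(conf_text)
    allowed = [name for name, uid in accounts if not is_disabled(uid, ranges)]
    blocked = [name for name, uid in accounts if is_disabled(uid, ranges)]
    return allowed, blocked


if __name__ == "__main__":
    ok, blocked = audit(SAMPLE_CONF, SAMPLE_ACCOUNTS)
    print("LDAP accounts allowed to log in:", ok)
    print("LDAP accounts blocked by disable_uid_range:", blocked)
```

Running it against a copy of the real file (read the text with `open("/etc/opt/ldapux/ldapux_client.conf").read()`) and an export of your directory's uidNumber values gives a quick check that UID 0 and any local system-account range are actually covered before relying on the setting.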
•What PAM authentication will you use? How will you set up /etc/pam.conf? What other authentication do you want to use, and in what order?
PAM is the Pluggable Authentication Module, which provides authentication services. You can configure PAM to use LDAP, Kerberos, or other traditional UNIX locations (for example, files, NIS, or NIS+) as controlled by NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information on PAM.
It is recommended you use
Chapter 2, page 16