Installing And Configuring LDAP-UX Client Services

Plan Your Installation

See /etc/nsswitch.ldap for an example nsswitch.conf file using files and ldap. See switch(4) and “Configuring the Name Service Switch” in Installing and Administering NFS Services at http://docs.hp.com for more information.

It is recommended you use files first, followed by LDAP for passwd, group and other supported name services. With this configuration, NSS will first check files, then check the directory if the name service data is not in the respective files. /etc/nsswitch.ldap is an example of this configuration.
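One way to verify this ordering, as an added example that is not part of the HP documentation: check_nss_order (a hypothetical helper name) reads a switch file and reports whether files precedes ldap for a database. It also flags a [NOTFOUND=return] criterion placed between them, which in the switch(4) criteria syntax stops the lookup before the directory is consulted. The sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX documentation): check that a name
# service switch file consults "files" before "ldap" for a given database.

# check_nss_order FILE DATABASE
# Prints one of: ok | missing | no-files | no-ldap | ldap-first | blocked
check_nss_order() {
    awk -v db="$2" '
    {
        sub(/#.*/, "")        # drop comments
        sub(/:/, ": ")        # tolerate "passwd:files ldap"
    }
    $1 == (db ":") && !seen {
        seen = 1
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            if (tok == "files" && !f) f = i
            else if (tok == "ldap" && !l) l = i
            # [NOTFOUND=return] between files and ldap ends the lookup
            # before the directory is ever consulted.
            else if (f && !l && tok ~ /notfound=return/) blocked = 1
        }
    }
    END {
        if (!seen)        print "missing"
        else if (!l)      print "no-ldap"
        else if (!f)      print "no-files"
        else if (l < f)   print "ldap-first"
        else if (blocked) print "blocked"
        else              print "ok"
    }' "$1"
}

# Constructed sample input, not a real system file.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample switch file
passwd:    files ldap
group:     files [NOTFOUND=return] ldap
hosts:     ldap files
services:  files
EOF

for db in passwd group hosts services netgroup; do
    printf '%-9s %s\n' "$db" "$(check_nss_order "$sample" "$db")"
done
```

On a configured client, point the function at /etc/nsswitch.conf instead of the sample file.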

Do you need to configure login authorization for a subset of users from a large repository such as an LDAP directory? How will you set up the /etc/opt/ldapux/pam_authz.policy and /etc/pam.conf files to implement this feature?

The pam_authz service module for PAM provides functionality that allows the administrator to control who can log in to the system. These modules are located at /usr/lib/security/libpam_authz.1 on the HP 9000 machine and at libpam_authz.so.1 on the Integrity (ia64) machine. pam_authz has been created to provide access control similar to the netgroup filtering feature that is performed by NIS. Starting with LDAP-UX Client Services B.04.00, pam_authz has been enhanced to allow system administrators to configure and customize their local access rules in a local policy file, /etc/opt/ldapux/pam_authz.policy. pam_authz uses the access control rules defined in the /etc/opt/ldapux/pam_authz.policy file to control login authorization. pam_authz is intended to be used when NIS is not used, such as when the pam_ldap or pam_kerberos authentication modules are used. Because pam_authz doesn’t provide authentication, it doesn’t verify whether a user account exists.

Starting with LDAP-UX Client Services B.04.00, if the /etc/opt/ldapux/pam_authz.policy file does not exist in the system, pam_authz provides access control based on the netgroup information found in the /etc/passwd and /etc/netgroup files. If the /etc/opt/ldapux/pam_authz.policy file exists in the system, pam_authz uses the access rules defined in the policy file to determine who can log in to the system.
