Internet Express for Tru64 UNIX Version 6.10 Administration Guide (5900-1418, March 2011)

/etc/ldapusers.allow
If you want to disallow access to all but a few users, you must create the /etc/ldapusers.allow
file. The /etc/ldapusers.allow file is a text file in which you enter the name of each Tru64 UNIX
user who is permitted to authenticate through LDAP.
If the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed
to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is
empty; the existence of the file alone invokes the stricter access control rules.
Additional considerations related to the /etc/ldapusers.deny and /etc/ldapusers.allow
files include the following:
• If the /etc/ldapusers.allow file is not present, all users except those listed in the
/etc/ldapusers.deny file are allowed to log in.
• If the /etc/ldapusers.allow file is present, only the users listed in that file are
allowed to log in.
• If a user is present in both /etc/ldapusers.allow and /etc/ldapusers.deny, the user is
allowed to log in. The /etc/ldapusers.allow file takes precedence over /etc/ldapusers.deny.
• If the user is in neither /etc/ldapusers.allow nor /etc/ldapusers.deny, the user is not
allowed to log in.
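The following shell function is an added example, not part of the HP guide, that reproduces the precedence rules above so an administrator can check what verdict an account would receive before editing the live files. It takes a directory argument standing in for /etc so it can be run against constructed copies of the two files.

```shell
#!/bin/sh
# Added example: evaluates the documented /etc/ldapusers.allow and
# /etc/ldapusers.deny rules for one account. ETCDIR is an assumed
# stand-in for /etc so the check can run on sample files.

# ldap_login_allowed USER [ETCDIR]
# Prints "allow" or "deny"; returns 0 for allow, 1 for deny.
ldap_login_allowed() {
    user=$1
    etc=${2:-/etc}
    allow="$etc/ldapusers.allow"
    deny="$etc/ldapusers.deny"

    # If the allow file exists, even when empty, only names listed in it
    # may log in through LDAP, and a listing there overrides the deny file.
    if [ -f "$allow" ]; then
        if grep -qxF "$user" "$allow"; then
            echo allow; return 0
        fi
        echo deny; return 1
    fi

    # No allow file: everyone may log in except names in the deny file.
    if [ -f "$deny" ] && grep -qxF "$user" "$deny"; then
        echo deny; return 1
    fi
    echo allow; return 0
}

# Walk through the four documented cases with constructed sample files.
demo() {
    tmp=$(mktemp -d)
    printf 'user1\nuser2\n' > "$tmp/ldapusers.deny"
    echo "no allow file, user3 not denied: $(ldap_login_allowed user3 "$tmp")"
    echo "no allow file, user1 denied:     $(ldap_login_allowed user1 "$tmp")"
    printf 'user2\n' > "$tmp/ldapusers.allow"
    echo "allow wins over deny for user2:  $(ldap_login_allowed user2 "$tmp")"
    echo "user3 absent from allow file:    $(ldap_login_allowed user3 "$tmp")"
    : > "$tmp/ldapusers.allow"
    echo "empty allow file blocks user2:   $(ldap_login_allowed user2 "$tmp")"
    rm -rf "$tmp"
}

demo
```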
Behavior of the ldapcd Daemon
The ldapcd daemon runs at all times and is started by the following entry in the /etc/inittab
file:
ldapcd:34:respawn:/usr/sbin/ldapcd -D /dev/console 2>&1
Thus, whenever ldapcd exits for any reason, init restarts the daemon according to /etc/inittab.
Debugging ldapcd
To enable logging for ldapcd, add debug: 1 at the end of the /etc/ldapcd.conf file.
ldapcd then writes its log to /usr/tmp/ldapcd.log.XXXX, where XXXX is a randomly selected
value.
You can enable debugging and inspect the log file for any errors.
Operation of login/su
The login/su command inspects the /etc/sia/matrix.conf file and attempts to authenticate
users based on the mechanisms specified there. Consider the following situation, in which the same
users are present in multiple databases, such as LDAP and NIS:
• There are three users, user1, user2, and user3, in LDAP.
• There are three users, user1, user4, and user5, in NIS. (Note that user1 exists in both LDAP
and NIS.)
• An entry for user1 exists in /etc/ldapusers.deny.
To address this issue, the administrator should log in to the machine as root and run the following
command:
# su user2
The su operation first examines /etc/passwd, then NIS, and finally LDAP (based on the
entries in /etc/sia/matrix.conf), and authenticates user2 against the LDAP database as the user
that is present in LDAP. The command is successful.
Next, the administrator should run the following command as root:
88 User Authentication