HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

7.5.2 Configuring autobind
Configuring autobind alone allows anonymous access to the Directory Server. It is also possible to
map Unix users to Directory Server entries and to map root to Directory Manager.
1. Run ldapmodify to update the Directory Server configuration.
ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: cn=config
changetype: modify
2. Enable autobind.
replace: nsslapd-ldapiautobind
nsslapd-ldapiautobind: on
-
3. To map user entries, add four attributes:
   • nsslapd-ldapimaptoentries to enable entry mapping
   • nsslapd-ldapiuidnumbertype to set the Directory Server attribute to map to the Unix UID number
   • nsslapd-ldapigidnumbertype to set the Directory Server attribute to map to the Unix group ID number
   • nsslapd-ldapientrysearchbase to set the search base to use to find Directory Server user entries
add: nsslapd-ldapimaptoentries
nsslapd-ldapimaptoentries: on
-
add: nsslapd-ldapiuidnumbertype
nsslapd-ldapiuidnumbertype: uidNumber
-
add: nsslapd-ldapigidnumbertype
nsslapd-ldapigidnumbertype: gidNumber
-
add: nsslapd-ldapientrysearchbase
nsslapd-ldapientrysearchbase: ou=people, dc=example, dc=com
-
4. To map the root entry to Directory Manager, add the nsslapd-ldapimaprootdn attribute:
add: nsslapd-ldapimaprootdn
nsslapd-ldapimaprootdn: cn=Directory Manager
5. Restart the server to apply the new configuration.
/opt/dirsrv/slapd-instance_name/restart-slapd example
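A check for the attributes this procedure sets, as an added example that is not part of the HP guide: the script reads cn=config LDIF on stdin and reports whether autobind is on, whether entry mapping has all of its companion attributes, and which DN local root maps to. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize the autobind posture described by cn=config LDIF.

# Constructed sample: the cn=config attributes after steps 2-4 of this section.
sample_config() {
    cat <<'EOF'
dn: cn=config
nsslapd-ldapiautobind: on
nsslapd-ldapimaptoentries: on
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase: ou=people, dc=example, dc=com
nsslapd-ldapimaprootdn: cn=Directory Manager
EOF
}

# get_attr NAME: print the first value of NAME (case-insensitive) found in $LDIF.
get_attr() {
    printf '%s\n' "$LDIF" | awk -v want="$1" -F': *' '
        tolower($1) == tolower(want) { sub(/^[^:]*: */, ""); print; exit }'
}

# audit_autobind: read LDIF on stdin, print one finding per line.
audit_autobind() {
    LDIF=$(cat)
    if [ "$(get_attr nsslapd-ldapiautobind)" != "on" ]; then
        echo "autobind=off"
        return 0
    fi
    echo "autobind=on"
    if [ "$(get_attr nsslapd-ldapimaptoentries)" = "on" ]; then
        echo "entry-mapping=on"
        # Entry mapping needs all three companion attributes from step 3.
        for a in nsslapd-ldapiuidnumbertype nsslapd-ldapigidnumbertype \
                 nsslapd-ldapientrysearchbase; do
            [ -n "$(get_attr "$a")" ] || echo "missing=$a"
        done
    else
        # Autobind without entry mapping: the page states access is anonymous.
        echo "entry-mapping=off: local connections are anonymous"
    fi
    rootdn=$(get_attr nsslapd-ldapimaprootdn)
    [ -z "$rootdn" ] || echo "root-mapped-to=$rootdn"
    return 0
}

sample_config | audit_autobind
```

A `root-mapped-to` line naming Directory Manager means the local root account holds full directory administration rights, so it is the finding to review first.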
7.6 Using the account policy plug-in for inactivity limits
Some security regulations require that inactive or unused accounts be disabled or removed. This
policy ensures that these accounts are not unnecessarily exposed to attack. The account inactivity
policy helps to automate the disabling of such idle accounts.
The account policy plug-in provides the following functionality:
   • Fine-grained, per-user or per-subtree account inactivity policies that mimic fine-grained password policies
   • Tracking the last login time, recorded in an attribute in each account after successful authentication
   • An enforcement mechanism that compares the inactivity time elapsed since the last login to the maximum allowed inactivity period specified by the policy