Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)
4.3.5 Access Control
By default, users defined in the LDAP database are able to log into every system that uses that
database in conjunction with the LDAP Module for System Authentication. If you want to limit
user access to specific systems, use the access control files /etc/ldapusers.deny and
/etc/ldapusers.allow.
A default /etc/ldapusers.deny file is provided at installation time. Included are all of the
standard system users: root, bin, daemon, and so on. If you want to deny access to a user, add
that user's name to the /etc/ldapusers.deny file.
If you want to disallow access to all but a few users, use the /etc/ldapusers.allow file. If
the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed
to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is
empty — its very existence invokes the stricter access control rules.
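The following script is an added example, not part of the Internet Express kit: it models the login decision described above for /etc/ldapusers.deny and /etc/ldapusers.allow so that an administrator can audit a proposed policy against copies of the files before deploying them. Two points are assumptions, since the page does not state them: each file holds one user name per line, and a user who appears in the deny file is refused even if also listed in the allow file.

```shell
#!/bin/sh
# Added example, not from the Internet Express kit: models the login decision
# that Section 4.3.5 describes for /etc/ldapusers.deny and /etc/ldapusers.allow.
# File paths are parameters so the model runs against copies, not the live files.
# Assumptions (not stated on the page): one user name per line, and a user that
# appears in the deny file is refused even if also listed in the allow file.

# ldap_login_permitted USER ALLOW_FILE DENY_FILE -> exit status 0 if permitted
ldap_login_permitted() {
    user=$1; allow=$2; deny=$3
    # Explicitly denied users are refused first (assumption, see header).
    if [ -f "$deny" ] && grep -qx "$user" "$deny"; then
        return 1
    fi
    # Once the allow file exists, only the users it lists may log in,
    # even when the file is empty.
    if [ -f "$allow" ]; then
        if grep -qx "$user" "$allow"; then return 0; else return 1; fi
    fi
    # No allow file: every LDAP user not in the deny file may log in.
    return 0
}

# ldap_access_report ALLOW_FILE DENY_FILE USER... -> one "user: verdict" line each
ldap_access_report() {
    allow=$1; deny=$2; shift 2
    for u in "$@"; do
        if ldap_login_permitted "$u" "$allow" "$deny"; then
            echo "$u: permitted"
        else
            echo "$u: denied"
        fi
    done
}

# Constructed sample policy in a scratch directory, mirroring the default
# deny file that lists the standard system users.
demo_dir=${TMPDIR:-/tmp}/ldapusers_demo.$$
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT
printf 'root\nbin\ndaemon\n' > "$demo_dir/ldapusers.deny"

echo "-- deny file only --"
ldap_access_report "$demo_dir/ldapusers.allow" "$demo_dir/ldapusers.deny" root alice
echo "-- empty allow file present --"
: > "$demo_dir/ldapusers.allow"
ldap_access_report "$demo_dir/ldapusers.allow" "$demo_dir/ldapusers.deny" root alice
echo "-- alice listed in allow file --"
echo alice >> "$demo_dir/ldapusers.allow"
ldap_access_report "$demo_dir/ldapusers.allow" "$demo_dir/ldapusers.deny" root alice
```

Point the two path arguments at the real /etc files to see the policy a host currently enforces under this model.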
4.4 Utilities for Maintaining User Information in the LDAP Directory Server
The Internet Express software kit includes several utilities that you can use to maintain the
extended LDAP directory server shipped with Internet Express. The following utilities,
summarized in Table 4-2, are installed in the /usr/internet/ldap_tools directory:
• ldap_check—Section 4.4.1: Checking the LDAP Server Configuration
• passwd_extract—Section 4.4.2: Extracting Users from the /etc/passwd File
• ldap_add_user—Section 4.4.3: Adding a User Entry
• ldap_del_user—Section 4.4.4: Deleting a User Entry
• ldap_get_user—Section 4.4.5: Retrieving a User Entry
• ldap_sync_user—Section 4.4.6: Synchronizing with a Password File
• ldap_add_group—Section 4.4.7: Adding a Group Entry
• ldap_mod_group—Section 4.4.8: Maintaining Group Membership
• ldap_del_group—Section 4.4.9: Deleting a Group Entry
• ldap_get_group—Section 4.4.10: Retrieving a Group Entry
• ldap_passwd—Section 4.4.11: Setting a User's Password in the LDAP Directory Server
• ldap_enable—Section 4.4.12: Starting the ldapcd Daemon
• ldap_disable—Section 4.4.13: Stopping the ldapcd Daemon
Table 4-2 LDAP Database Utilities

Program Name: ldap_check
Options: None
Description: Checks either ./ldapcd.conf or /etc/ldapcd.conf against the listing of directory servers in the conf file. Validates all entries related to the directory server. Diagnostics are printed to stdout; when the exit code is greater than 0, a problem was encountered.

Program Name: ldap_add_user
Options:
  -b branch – Branch to add users to; should be a full distinguished name, including the search base.
  -f input-file – Specifies the name of the file containing user records to add to the directory server.
  -m – Modify existing record.
  -n – Do not submit.
  -v – Verbose output.
Description: Adds a user to the LDAP directory server. Users can be specified on the command line, in a file, or from stdin (with -f -).
82 User Authentication