Internet Express for Tru64 UNIX Version 6.8 Administration Guide (14233)

ManualsBrandsHP ManualsSoftwareTru64 UNIX 5.1B

4.3.5 Access Control

By default, users defined in the LDAP database are able to log into every system which uses that

database in conjunction with the LDAP Module for System Authentication. If you want to limit

user access to specific systems, use the access control files /etc/ldapusers.deny and

/etc/ldapusers.allow.

A default /etc/ldapusers.deny file is provided at installation time. Included are all of the

standard system users: root, bin, daemon, and so on. If you want to deny access to a user, add

that user's name to the /etc/ldapusers.deny file.

If you want to disallow access to all but a few users, use the /etc/ldapusers.allow file. If

the /etc/ldapusers.allow file exists on a system, only users listed in that file are allowed

to log in using LDAP authentication. Note that this is true even if /etc/ldapusers.allow is

empty — its very existence invokes the stricter access control rules.

4.4 Utilities for Maintaining User Information in the LDAP Directory Server

The Internet Express software kit includes several utilities that you can use to maintain the

extended LDAP directory server shipped with Internet Express. The following utilities,

summarized in Table 4-2, are installed in the /usr/internet/ldap_tools directory:

• ldap_check—Section 4.4.1: Checking the LDAP Server Configuration

• passwd_extract—Section 4.4.2: Extracting Users from the /etc/passwd File

• ldap_add_user—Section 4.4.3: Adding a User Entry

• ldap_del_user—Section 4.4.4: Deleting a User Entry

• ldap_get_user—Section 4.4.5: Retrieving a User Entry

• ldap_sync_user—Section 4.4.6: Synchronizing with a Password File

• ldap_add_group—Section 4.4.7: Adding a Group Entry

• ldap_mod_group—Section 4.4.8: Maintaining Group Membership

• ldap_del_group—Section 4.4.9: Deleting a Group Entry

• ldap_get_group—Section 4.4.10: Retrieving a Group Entry

• ldap_passwd—Section 4.4.11: Setting a User's Password in the LDAP Directory Server

• ldap_enable—Section 4.4.12: Starting the ldapcd Daemon

• ldap_disable—Section 4.4.13: Stopping the ldapcd Daemon

Table 4-2 LDAP Database Utilities

DescriptionOptionsProgram Name

Checks either ./ldapcd.conf

or /etc/ldapcd.conf against

the listing of directory servers in

the conf file. Validates all entries

related to the directory server.

Diagnostics are printed to

stdout; when the exit code is

greater than 0, a problem was

encountered.

None

ldap_check

Adds a user to the LDAP

directory server. Users can be

specified on the command line, in

a file, or from stdin (with -f -).

-b branch—Branch to add users to; should be a

full distinguished name, including the search base.

-f input-file – Specifies the name of the file

containing user records to add to the directory server.

-m – Modify existing record.

-n – Do not submit.

-v – Verbose output.

ldap_add_user

82 User Authentication