PatRoy
Regular Advisor

LDAPUX-Client - Howto only allow members of LDAP Group...

G'Day.

We want to set up our LdapUxClient running on HPUX 11.23 to connect to our LDAP server in a way that:

1) it allows all local users (/etc/passwd) to login without problems

2) *only* allows LDAP users who are members of the LDAP Group XYZ to login through LDAP... other LDAP users will NOT be able to login if they aren't members of the appropriate ldap group...

3) Deny the rest!

Feels like something fair to do. Must not be the first to do this kind of thing...

I know there's the /etc/opt/ldapux/pam_authz.policy config file for the ldapux-client... just not sure how I'd configure this...

Has anyone done this?

Thanks so much.

Patrick
2 REPLIES
sl19797
Occasional Visitor
Solution

Re: LDAPUX-Client - Howto only allow members of LDAP Group...

Hi Patrick,

Here are the steps:

(a) Import all the entries to the LDAP server.
(b) Copy /etc/nsswitch.ldap to /etc/nsswitch.conf.
(c) Copy /etc/pam.ldap to /etc/pam.conf, then edit /etc/pam.conf to include pam_authz. Please see the bottom of the man page of pam_authz for reference.
(d) Run setup of the LDAP-UX client.
(e) Edit /etc/opt/ldapux/pam_authz.policy. All you need is the following two lines, depending on XYZ:

(if XYZ is posix group)
allow:unix_local_user
allow:unix_group:XYZ

or (if XYZ is not posix group)
allow:unix_local_user
allow:ldap_group: CN=XYZ,dc=......

You can use the following file as your base:
/etc/opt/ldapux/pam_authz.policy.template
You can also check the man page of pam_authz on how to configure pam_authz.policy.


NOTE: Your task is pretty straightforward. However, you may want to save the original copy of /etc/pam.conf and also keep an additional window open so that you can still go back to the previous stage in case you make a mistake configuring /etc/pam.conf.

Please let me know if you need more info.
Thanks,
Stephen
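To make the effect of those two policy lines concrete, here is an added example (not HPE's pam_authz code and not from this thread) that models the three requirements Patrick listed: local /etc/passwd users get in, LDAP users in group XYZ get in, everyone else is denied. It assumes first-match-wins evaluation of allow/deny rules with a default of deny when nothing matches, which is the behaviour the thread relies on; consult the pam_authz man page for the real module's rule types and ordering. The user, group and DN data below are constructed sample data, not taken from the page.

```python
"""Toy evaluator for an LDAP-UX style pam_authz.policy file.

Added example, not HPE's implementation. Models the thread's policy:
  allow:unix_local_user            -> /etc/passwd users pass
  allow:unix_group:XYZ             -> members of POSIX group XYZ pass
  allow:ldap_group:<DN of XYZ>     -> members of a non-POSIX LDAP group pass
and denies anyone no rule matches (assumed default-deny, first match wins).
"""

# --- constructed sample data standing in for /etc/passwd, /etc/group and LDAP ---
LOCAL_USERS = {"root", "patrick"}                 # local accounts from /etc/passwd
POSIX_GROUPS = {"xyz": {"alice", "bob"}}          # posixGroup memberships (by login name)
LDAP_GROUP_MEMBERS = {                            # groupOfNames memberships (by member DN)
    "cn=xyz,dc=example,dc=com": {"uid=carol,ou=people,dc=example,dc=com"},
}
LDAP_USER_DN = {                                  # login name -> LDAP entry DN
    "alice": "uid=alice,ou=people,dc=example,dc=com",
    "bob": "uid=bob,ou=people,dc=example,dc=com",
    "carol": "uid=carol,ou=people,dc=example,dc=com",
    "mallory": "uid=mallory,ou=people,dc=example,dc=com",   # LDAP user, not in XYZ
}

# The policy from the thread, with both group forms present (hypothetical DN).
POLICY = """\
# comments and blank lines are ignored
allow:unix_local_user
allow:unix_group:xyz
allow:ldap_group: CN=xyz,dc=example,dc=com
"""


def parse_policy(text):
    """Parse 'action:type[:argument]' lines into (action, type, arg) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, rtype = parts[0], parts[1]
        arg = parts[2].strip() if len(parts) == 3 else None
        if rtype in ("unix_user", "unix_group", "ldap_group") and not arg:
            raise ValueError(f"line {lineno}: {rtype} needs an argument")
        if rtype == "ldap_group":
            arg = arg.lower()   # crude DN normalisation for this toy; real DN matching is richer
        rules.append((action, rtype, arg))
    return rules


def rule_matches(rule, user):
    """Return True if the rule's selector applies to this login name."""
    _, rtype, arg = rule
    if rtype == "unix_local_user":
        return user in LOCAL_USERS
    if rtype == "unix_user":
        return user == arg
    if rtype == "unix_group":
        return user in POSIX_GROUPS.get(arg, set())
    if rtype == "ldap_group":
        dn = LDAP_USER_DN.get(user)
        return dn is not None and dn in LDAP_GROUP_MEMBERS.get(arg, set())
    raise ValueError(f"unsupported rule type {rtype!r}")


def authorize(user, rules):
    """First matching rule decides; no match means access is denied."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule[0] == "allow"
    return False


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for name in ("root", "patrick", "alice", "carol", "mallory", "nobody"):
        print(f"{name:8s} -> {'allow' if authorize(name, rules) else 'deny'}")
```

Running it shows root and patrick admitted as local users, alice via the POSIX group, carol via the LDAP group DN, and mallory (a valid LDAP account outside XYZ) and an unknown login both denied. Because order matters, an explicit deny line placed before the group allow would override membership for that user, which is the behaviour to test for after editing the real pam_authz.policy and before trusting the change on a production host.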
PatRoy
Regular Advisor

Re: LDAPUX-Client - Howto only allow members of LDAP Group...

Thank you Stephen. That's exactly what I needed. Will give it a try and let you know.

Patrick