A.2 Disable Auto LUM Command

Purpose

Only the root user has full management rights in OES Remote Manager. The root user is a local superuser, and is not an eDirectory user. This allows the server to be managed even if the eDirectory authentication service is down.

Auto LUM lets eDirectory users that are enabled with Linux User Management (LUM) log in to OES Remote Manager by using their eDirectory user names and passwords. For example, you can log in as user Admin or as a user with rights equivalent to Admin rather than logging in as user root. When LUM-enabled eDirectory users access OES Remote Manager, they are allowed to view only the file systems that they have the eDirectory rights and file system rights to see.

NOTE: You can use the supervisoronly option to restrict access for LUM-enabled eDirectory users to only the Admin user and users with rights equivalent to the Admin user.

By default, the eDirectory users that are not LUM-enabled cannot access the server with OES Remote Manager. They can view their files via NCP or CIFS.

We recommend against creating local users other than the root user. However, if non-root local users access OES Remote Manager, they must log in using the user name and password created on the local system. Only limited functionality is available. They can view only those file systems that they have the local access rights to see. The nolum option does not prevent the local-only users from logging in to OES Remote Manager.

Use the nolum command to deny access to all LUM-enabled eDirectory users. By default, non-LUM-enabled eDirectory users continue to be denied access. Only the root user has full management access to OES Remote Manager.

Syntax

nolum

Option: no setting

Use:

This is the default setting.

To perform all management functions, users must be logged in as user root.

To view file system information, LUM-enabled eDirectory users can log in with their eDirectory user name and password. Non-LUM-enabled eDirectory users are denied access.

To view local file system information only, non-root local users can log in with their locally created user names and passwords. We recommend against creating non-root local users.

When the nolum command is not specified, HTTPSTKD checks its PAM configuration file at load time and adds the LUM configuration to it if LUM is installed but not already in its configuration.

Option: nolum

Use:

To perform all management functions, users must be logged in as user root.

LUM-enabled eDirectory users are denied access. Non-LUM-enabled eDirectory users are denied access.

To view local file system information only, non-root local users can log in with their locally created user names and passwords. We recommend against creating non-root local users.

IMPORTANT: Setting this option does not disable LUM if it is already part of the HTTPSTKD configuration.

You can remove the auto LUM functionality manually by editing /etc/pam.d/httpstkd and removing these lines:

auth sufficient /lib/security/pam_nam.so
account sufficient /lib/security/pam_nam.so
password sufficient /lib/security/pam_nam.so
session optional /lib/security/pam_nam.so

Restart the HTTPSTKD daemon to make the changes effective.
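
One way to script the manual edit above, as an added example that is not part of the OES documentation: it counts the active pam_nam.so entries in a PAM file, removes them after saving a copy, and reports the count again. The function names, the .pre-nolum backup suffix and the non-LUM lines in the sample are assumptions; pass /etc/pam.d/httpstkd as the argument when running it as root, then restart HTTPSTKD as described above.

```shell
#!/bin/sh
# Added example: find and remove pam_nam.so (LUM) entries in a PAM service file.

# Active (uncommented) PAM entry that references pam_nam.so.
LUM_RE='^[[:space:]]*(auth|account|password|session)[[:space:]][^#]*pam_nam\.so'

# Count active pam_nam.so entries in file $1 (prints 0 when there are none).
lum_count() { grep -Ec "$LUM_RE" "$1" || true; }

# Remove the entries from file $1, keeping the original as $1.pre-nolum.
remove_lum() {
    [ -f "$1" ] || return 2
    [ "$(lum_count "$1")" -gt 0 ] || return 0   # already clean, leave untouched
    cp -p "$1" "$1.pre-nolum" || return 1
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when it prints nothing, which is not an error here.
    grep -Ev "$LUM_RE" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"                           # in place: owner and mode kept
    rm -f "$tmp"
}

# Constructed sample: the pam_nam.so lines are the page's, the rest is made up.
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/pam_nam.so
account sufficient /lib/security/pam_nam.so
password sufficient /lib/security/pam_nam.so
session optional /lib/security/pam_nam.so
# session optional /lib/security/pam_nam.so (commented out, not active)
auth include common-auth
account include common-account
EOF
}

# With a path argument, clean that file; with none, demonstrate on the sample.
if [ $# -ge 1 ]; then
    target=$1
else
    target=$(mktemp) && make_sample "$target"
fi
echo "before: $(lum_count "$target") active pam_nam.so entries"
remove_lum "$target"
echo "after:  $(lum_count "$target") active pam_nam.so entries"
[ $# -ge 1 ] || rm -f "$target" "$target.pre-nolum"   # tidy up the demo files
```

A count of 0 after the run, followed by the daemon restart, confirms that the nolum setting is no longer undone by entries already present in the PAM file.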

Example

nolum