How to Prevent Logins with Local Passwords While UNAB is in Partial Integration

Document ID : KB000094172
Last Modified Date : 03/05/2018
While UNAB is running in partial integration, users can log in with both their local and Active Directory passwords. However, you may want to prevent one or more users from logging in with their local password.
To limit a particular user from logging in with their local password while in partial integration, follow the steps below.
1- Stop UNAB
2- Edit /opt/CA/uxauth/uxauth.ini and set pam_ad_password_only to yes.
3- Start UNAB
4- Map the user using the command below
     # uxconsole -map -add -scope l <local_user> <ad_user>
Additional Information:
For pam_ad_password_only to take effect, the users must be explicitly mapped within UNAB. This mapping tells UNAB that the local account is associated with an AD account, and it allows the Unix user name to differ from the associated name in AD. For more information regarding the uxconsole -map command, please refer to the Implementation Guide.
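
To confirm that the setting from step 2 is actually active in the file on a given host (not commented out or overridden by a later line), the check below can be run after the edit. It is an added example, not CA's tooling and not part of the original article; the function names are hypothetical, and it assumes `key = value` lines with `;` or `#` starting a comment line.

```shell
# Added example: audit helper for the setting changed in step 2.
# Assumptions: "key = value" lines, ';' or '#' begin a comment line,
# and the last uncommented occurrence of the key is the effective one.

# Print the effective value of pam_ad_password_only (lowercased),
# or "unset" if no uncommented line sets it.
ad_password_only_value() {
    awk '
        /^[ \t]*[;#]/ { next }              # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next               # section headers, blank lines
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "pam_ad_password_only") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Return 0 only when the file sets pam_ad_password_only to yes.
check_ad_password_only() {
    ini=${1:-/opt/CA/uxauth/uxauth.ini}
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 2; }
    value=$(ad_password_only_value "$ini")
    if [ "$value" = "yes" ]; then
        echo "OK: pam_ad_password_only = yes in $ini"
    else
        echo "FAIL: pam_ad_password_only is '$value' in $ini" >&2
        return 1
    fi
}

# Constructed sample file (not a real uxauth.ini) to exercise the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; pam_ad_password_only = no
pam_ad_password_only = Yes
EOF
check_ad_password_only "$sample"
rm -f "$sample"
```

Called with no argument, `check_ad_password_only` reads /opt/CA/uxauth/uxauth.ini. It only inspects the file; the user mapping from step 4 is still required for the setting to apply.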