While UNAB is running in partial integration, users can log in with either their local or their Active Directory password. However, you may want to prevent one or more users from logging in with their local password.
To limit a particular user from logging in with their local password while in partial integration, follow the steps below.
1- Stop UNAB
2- Edit /opt/CA/uxauth/uxauth.ini and set pam_ad_password_only to yes.
3- Start UNAB
4- Map the user using the command below:
# uxconsole -map -add -scope l <local_user> <ad_user>
For pam_ad_password_only to take effect, the users must be explicitly mapped within UNAB. This mapping tells UNAB that the local account is associated with an AD account, and it allows the UNIX user name to differ from the associated name in AD. For more information about the uxconsole -map command, refer to the Implementation Guide.
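A check that can be run after step 2, added here as an example and not part of CA's documentation or tooling: it reports the effective pam_ad_password_only value in a uxauth.ini-style file, so a commented-out or mistyped setting is caught before UNAB is restarted. It assumes "token = value" lines, treats lines starting with ; or # as comments, and searches every section; the function names and the sample file contents (including the [pam] section name) are constructed.

```shell
#!/bin/sh
# Added example (not CA tooling): report the effective pam_ad_password_only
# value in a uxauth.ini-style file. Assumptions: "token = value" lines, lines
# starting with ';' or '#' are comments, last assignment in any section wins.

# Prints the effective value in lower case, or nothing if it is unset.
ad_password_only_value() {
    awk '
        /^[ \t]*[;#]/ { next }                  # skip commented-out lines
        {
            line = $0
            sub(/\r$/, "", line)                # tolerate CRLF line endings
            eq = index(line, "=")
            if (eq == 0) next                   # section headers, blank lines
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)    # trim surrounding whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "pam_ad_password_only") found = tolower(val)
        }
        END { if (found != "") print found }
    ' "$1"
}

# Return status: 0 = set to yes, 1 = set to another value, 2 = unset or unreadable.
check_ad_password_only() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    v=$(ad_password_only_value "$1")
    case "$v" in
        yes) echo "pam_ad_password_only = yes"; return 0 ;;
        "")  echo "pam_ad_password_only is not set (or is commented out)"; return 2 ;;
        *)   echo "pam_ad_password_only = $v (expected yes)"; return 1 ;;
    esac
}

# Constructed sample input: a commented-out "no" followed by the live setting.
make_sample() {
    cat > "$1" <<'EOF'
[pam]
; pam_ad_password_only = no
pam_ad_password_only = Yes
EOF
}

sample=$(mktemp)
make_sample "$sample"
check_ad_password_only "$sample" || true
rm -f "$sample"
```

On a real host, call check_ad_password_only /opt/CA/uxauth/uxauth.ini instead of the sample file.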