LDAP-UX Client Services B.04.00 Administrator’s Guide HP-UX 11i v1, v2 and v3 Edition 5 Manufacturing Part Number : J4269-90071 E0207 © Copyright 2007 Hewlett-Packard Company, L.P.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents
1. Introduction
Overview of LDAP-UX Client Services  1
How LDAP-UX Client Services Works  3
2. Installing And Configuring LDAP-UX Client Services
Before You Begin  9
Summary of Installing and Configuring
How the LDAP Printer Configurator works
Printer Configuration Parameters
Printer Schema
An Example
ldapclientd Caching
ldapclientd Persistent Connections
Troubleshooting
Enabling and Disabling LDAP-UX Logging
Enabling and Disabling PAM Logging
6. User Tasks
To Change Passwords  169
To Change Personal Information  173
7. Mozilla LDAP C SDK
Overview  176
The Mozilla LDAP C SDK File Components
Tables
Table 1. Publishing History Details  xii
Table 1-1. Examples of Commands and Subsystems that use PAM and NSS  4
Table 2-1. Configuration Parameter Default Values  32
Table 2-2. Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2  47
Table 2-3. Patch Requirement
Figures
Figure 1-1. A Simplified NIS Environment  2
Figure 1-2. A Simplified LDAP-UX Client Services Environment  3
Figure 1-3. A Simplified LDAP-UX Client Services Environment  5
Figure 1-4. The Local Start-up File and the Configuration Profile  7
Figure 2-1. Example Directory Structure
Preface: About This Document
The latest version of this document can be found online at http://www.docs.hp.com
This document describes how to install and configure the LDAP-UX Client Services product on HP-UX platforms. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
• Support NIS+ migration scripts that can be used to migrate from an NIS+ domain into an LDAP directory server.
• Support Mozilla LDAP C SDK 5.14.1, which contains a set of LDAP Application Programming Interfaces (APIs) to allow you to build LDAP-enabled clients.
Publishing History
Table 1 Publishing History Details
Document Manufacturing Part Number | Operating Systems Supported | Supported Product Versions | Publication Date
J4269-90016 | 11.0, 11i | B.03.00 | September 2002
J4269-90030 | 11.
Chapter 2 Installing And Configuring LDAP-UX Client Services
Use this chapter to learn how to install, configure, and use the LDAP-UX Client Services software.
Chapter 3 LDAP Printer Configurator Support
Use this chapter to learn how to set up, configure, and use the printer configurator.
Chapter 4 Administering LDAP-UX Client Services
Use this chapter to understand how to administer your LDAP-UX clients to keep them running smoothly and expand them as your computing environment expands.
Typographical Conventions
This document uses the following conventions.
Book Title: The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
Emphasis: Text that is emphasized.
Bold: Text that is strongly emphasized.
Bold: The defined use of an important word or phrase.
ComputerOut: Text displayed by the computer.
UserInput: Commands and other text that you type.
Command: A command name or qualified command phrase.
1 Introduction
LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. This LDAP directory could be a directory server running on an HP-UX system, such as Netscape Directory Server 6.x, or the account information could be integrated into Windows 2000/2003 Active Directory.
Overview of LDAP-UX Client Services
on the network. With NIS, account and configuration information resides on NIS servers. NIS client systems retrieve this shared configuration information across the network from NIS servers, as shown below:
Figure 1-1 A Simplified NIS Environment (NIS master server; map transfers to NIS slave servers; NIS requests from NIS clients)
LDAP-UX Client Services improves on this configuration information sharing.
directory, as shown below. LDAP adds greater scalability, interoperability with other applications and platforms, and less network traffic from replica updates.
passwords may not only be stored in any syntax, but also means that passwords may remain hidden from view (preventing an offline attack on the password hashes). Because passwords may be stored in any syntax, HP-UX will be able to share passwords with other LDAP-enabled applications. With LDAP-UX Client Services B.03.20 or later versions, the client daemon, ldapclientd, becomes the center of the product.
Table 1-1 Examples of Commands and Subsystems that use PAM and NSS (Continued)
Commands that use NSS / Commands that use PAM and NSS
logins (b)
nslookup
a. nsquery(1) is a contributed tool included with the ONC/NFS product.
b. These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.
After you install and configure an LDAP directory and migrate your name service data into it, HP-UX client systems locate the directory from a “start-up file.” The start-up file tells the client system how to download a “configuration profile” from the LDAP directory. The configuration profile is a directory entry containing configuration information common to many clients.
Figure 1-4 The Local Start-up File and the Configuration Profile (the start-up file on the LDAP-UX client points to the configuration profile in the LDAP directory; the shared configuration profile is stored in the directory and downloaded to all LDAP-UX clients)
The following chapter describes in detail how to install, configure, and verify LDAP-UX Client Services.
2 Installing And Configuring LDAP-UX Client Services
This chapter describes the decisions you need to make and the steps to install Netscape and configure LDAP-UX Client Services. This chapter contains the following sections:
• “Before You Begin” on page 9.
• “Summary of Installing and Configuring” on page 10.
• “Plan Your Installation” on page 12.
• “Install LDAP-UX Client Services on a Client” on page 20.
• “Configure Your Directory” on page 21.
Summary of Installing and Configuring
• See the white paper Preparing Your Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for advice on how to set up and configure your directory to work with HP-UX.
• Most examples here use the Netscape Directory Server for HP-UX version 6.x and assume you have some knowledge of this directory and its tools, such as the Directory Console and ldapsearch.
• Run the setup program to configure LDAP-UX Client Services on a client system. Setup does the following for you:
— Extends your Netscape directory schema with the configuration profile schema, if not already done.
— Imports the LP printer schema into your LDAP directory server if you choose to start the LDAP printer configurator.
Plan Your Installation
Before beginning your installation, you should plan how you will set up and verify your LDAP directory and your LDAP-UX Client Services environment before putting them into production. Consider the following questions. Record your decisions and other information you’ll need later in Appendix A, “Configuration Worksheet,” on page 183.
NOTE You should keep a small subset of users in /etc/passwd, particularly the root login. This allows administrative users to log in during installation and testing. Also, if the directory is unavailable you can still log in to the system.
• Where in your directory will you put your name service data? Your directory architect needs to decide where in your directory to place your name service information.
If you merge your data into an existing directory, for example to share user names and passwords with other applications, the migration scripts can create LDIF files of your user data, but you will have to write your own scripts or use other tools to merge the data into your directory. You can add the posixAccount object class to your users already in the directory to leverage your existing directory data.
If you are familiar with NIS, one example is to create a separate profile for each NIS domain.
• Where in your directory will you put your profile? The profile contains directory access information. It specifies how and where clients can find user and group data in the directory. You can put the profile anywhere you want as long as the client systems can read it.
• How will you increase the security level of the product to prevent an unwanted user from logging in to the system via LDAP? What is the procedure to set up increased login security? The default is to allow all users stored in the LDAP directory to log in. To prevent specific users from logging in to a local system, configure the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file.
not in /etc/passwd. If you have a few users in /etc/passwd, in particular the root user, and if the directory is unavailable, you can still log in to the client as a user in /etc/passwd.
• Do you want to use SSL for secure communication between LDAP clients and Netscape Directory servers? LDAP-UX Client Services B.03.
IMPORTANT If you attempt to use this new feature, the start configuration parameter of the printer services section in the ldapclientd.conf file must be set to “yes”. If the start option is enabled, the printer configurator will start when ldapclientd is initialized. By default, the start parameter is enabled.
See /etc/nsswitch.ldap for an example nsswitch.conf file using files and ldap. See switch(4) and “Configuring the Name Service Switch” in Installing and Administering NFS Services at http://docs.hp.com for more information. It is recommended that you list files first, followed by ldap, for passwd, group and the other supported name services.
For detailed information on this feature and how to configure the /etc/opt/ldapux/pam_authz.policy file, see “PAM_AUTHZ Login Authorization Enhancement” on page 109 or the pam_authz(5) man page.
• How will you communicate with your user community about the change to LDAP? For the most part, your user community should be unaffected by the directory. Most HP-UX commands will work as always.
Configure Your Directory
This section describes how to configure your directory to work with LDAP-UX Client Services. Examples are given for Netscape Directory Server for HP-UX version 6.x. See the LDAP-UX Integration B.04.00 Release Notes for information on supported directories. If you have a different directory, see the documentation for your directory for details on how to configure it.
With Netscape Directory Server for HP-UX, you can use the Netscape Console or ldapmodify to set up access control instructions (ACIs) so that ordinary users cannot change these attributes in their passwd entry in the directory. The following access control instruction is present by default at the top of the directory tree for a 6.x Netscape directory.
Step 4. Grant read access to all attributes of the posix schema. Ensure all users have read access to the posix attributes. When using PAM_LDAP as your authentication method, users do not need read access to the userPassword attribute, since authentication is handled by the directory itself. Therefore, for better security, you can remove read access to userPassword from ordinary users.
Step 5.
||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")
(version 3.0; acl "Enable self write for common attributes"; allow (write) (userdn = "ldap:///self"))
You can modify the default ACI and give appropriate access rights to change your own common attributes.
Step 9. Index important attributes for better performance of Netscape Directory Server.
The Look-through limit specifies the maximum number of directory entries to examine before aborting the search operation. The Size limit determines the maximum number of entries to return to any query before aborting. The All-IDs-Threshold specifies the number of entries that can be maintained for an index key.
Import Name Service Data into Your Directory
• If you are using NIS, the migration scripts take your NIS maps and generate LDIF files. These scripts can then import the LDIF files into your directory, creating new entries in the directory. This only works if you are starting with an empty directory or creating an entirely new subtree in your directory for your data.
Configure the LDAP-UX Client Services
Below is a summary of how to configure LDAP-UX Client Services with Netscape Directory Server 6.x. For a default configuration, see “Quick Configuration” on page 29. For a custom configuration, see “Custom Configuration” on page 34 for more information.
NOTE The setup program has only been certified with Netscape Directory Server 6.x and Windows 2000/2003 Active Directory.
— Updates the local client’s start-up file (/etc/opt/ldapux/ldapux_client.conf) with your directory and configuration profile location
— Downloads the configuration profile from the directory to your local client system
— Configures a proxy user for the client, if needed
— Starts the client daemon if you choose to start it
IMPORTANT Starting with LDAP-UX Client Services B.03.
After you configure your directory and the first client system, configuring additional client systems is simpler. Refer to “Configure Subsequent Client Systems” on page 72 for more information.
Quick Configuration
You can quickly configure a Netscape directory and the first client by letting most of the configuration parameters take default values, as follows.
printer configurations on your client system. A new printer schema, which is based on the IETF printer schema, is required to start the services.
Step 7. If the publickey schema has already been extended, setup skips this step. Otherwise, enter “yes” to extend the publickey schema if you choose to store the public keys of users and hosts in the LDAP directory.
schema. For detailed information on how to remove the obsolete automount schema, see “Removing The Obsolete Automount Schema” on page 59. If you reply no, setup skips to step 9 and the new automount schema will not be imported. Otherwise, you will be asked to enter the DN (Distinguished Name) and password of the directory user who can import the schema into the LDAP directory.
Step 10.
Press the return key to accept the SIMPLE authentication method, or type 2 to choose the SASL DIGEST-MD5 authentication method at the following prompt:
Authentication method: [1]:
Step 14. Next enter the host name and port number of the directory where your name service data is, from Appendix A, “Configuration Worksheet,” on page 183.
To change any of these default values, refer to “Custom Configuration” on page 34.
Step 17. After entering all the configuration information, setup extends the schema, creates a new profile, and configures the client to use the directory.
Step 18. Configure the Pluggable Authentication Module (PAM). Save a copy of the file /etc/pam.
For example:
disable_uid_range=0-100,300-450,89
Note:
• White spaces between numbers are ignored.
• Only one line of the list is accepted; however, the line can be wrapped.
• The maximum number of ranges is 20.
Step 22. “Verify the LDAP-UX Client Services” on page 68.
Step 23. Configure subsequent clients by running setup on those clients and specifying an existing configuration profile.
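As an added example (it is not part of this guide or of the LDAP-UX product), the following Python script applies the disable_uid_range rules stated above: it parses the value into UID ranges, ignores white space between numbers, enforces the limit of 20 ranges, and answers whether a given UID is blocked from logging in through LDAP. The function names, the MAX_RANGES constant and the sample configuration text are this example's own; it reads a plain key=value line and does not reproduce the full ldapux_client.conf format.

```python
"""Parse and apply a disable_uid_range value as described in the guide.

Added example, not HP's code. It models the stated rules: a comma-separated
list of ranges (low-high) or single UIDs, white space between numbers
ignored, one line only, at most 20 ranges. Names here are this example's own.
"""
import re

MAX_RANGES = 20  # limit stated in the guide

# Constructed sample of the relevant line from ldapux_client.conf
SAMPLE_CONF = """\
# constructed sample, not a real ldapux_client.conf
disable_uid_range = 0-100, 300 - 450 ,89
"""


def parse_disable_uid_range(value):
    """Return a list of (low, high) tuples; raise ValueError on bad input."""
    compact = re.sub(r"\s+", "", value)  # white space between numbers is ignored
    if not compact:
        return []
    ranges = []
    for item in compact.split(","):
        match = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if match is None:
            raise ValueError("bad range element %r in %r" % (item, value))
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) is not None else low
        if low > high:
            raise ValueError("range %r has low > high" % item)
        ranges.append((low, high))
    if len(ranges) > MAX_RANGES:
        raise ValueError("%d ranges given, maximum is %d" % (len(ranges), MAX_RANGES))
    return ranges


def is_uid_disabled(uid, ranges):
    """True if uid falls inside any parsed range (login via LDAP is refused)."""
    return any(low <= uid <= high for low, high in ranges)


def read_disable_uid_range(conf_text):
    """Find the disable_uid_range line in key=value text and parse it.

    Assumption: a single 'disable_uid_range=' line; comments start with '#'.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "disable_uid_range":
            return parse_disable_uid_range(val)
    return []


if __name__ == "__main__":
    parsed = read_disable_uid_range(SAMPLE_CONF)
    for uid in (0, 89, 200, 450):
        print(uid, "disabled" if is_uid_disabled(uid, parsed) else "allowed")
```

Run it as-is to see the four sample UIDs classified; a malformed value (reversed range, more than 20 ranges, non-numeric text) raises ValueError so that a bad edit to the configuration is noticed before it silently disables nothing.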
Step 3. Specify the host name and optional port number where your directory is running. If you choose not to use SSL, the default directory port number is 389. If you choose to use SSL, the default directory port number is 636. For high availability, each LDAP-UX client can look for user and group information in up to three different directory servers.
1.Password                                  6.Protocols
2.Shadow passwd                             7.Networks
3.Group                                     8.Hosts
4.PAM (Pluggable Authentication Module)     9.Services
5.RPC                                      10.Netgroup
11.
1.automountMapName -> [automountMapname]
2.automountKey -> [automountKey]
3.automountInformation -> [automountInformation]
Specify the attribute you want to map. [0]:
Type 1 for the following question and press the return key:
Specify the attribute you want to map. [0]: 1
4.
If you want to specify the attribute to map to the automountInformation attribute, type 3 for the following question and press the return key:
Specify the attribute you want to map. [0]: 3
8. Next, type the attribute nisMapEntry that you want to map to the automountInformation attribute and press the return key:
automountInformation -> nisMapEntry
9.
3. For the question:
Do you want to remap any of the standard RFC 2307 attributes? [No]: Y
Answer “Y” instead of the default “N”.
4. For the question:
Specify the service you want to map? [0]: 3
Answer “3”.
5. For the question:
Specify the attribute you want to map? [0]: 3
Answer “3”.
6. Type the attributes you want to map to the member attribute:
[memberuid]: member
NOTE LDAP-UX supports DN-based (X.
Enter whether or not you want to create custom search descriptors for any of the supported services: passwd, shadow passwd, group, PAM, netgroup, rpc, protocols, network, hosts and services. Select the service you want to create a custom search descriptor for. A custom search descriptor consists of three parts: a search base DN, scope, and filter.
If you want to create the nisObject search filter for the automount service, type (objectclass=nisObject) at the following prompt and press the Return key; otherwise press the Return key to accept the default search filter, (objectclass=automount):
Search filter [(objectclass=automount)]: (objectclass=nisObject)
Step 12. You will be asked whether or not you want to start the client daemon.
Configure the LDAP-UX Client Services with SSL Support
Configuring the LDAP-UX Client to Use SSL
You can choose to enable SSL with LDAP-UX when you run the setup program. If you intend to use SSL, you must install the Certificate Authority (CA) certificate on your LDAP-UX client and configure your LDAP directory server to support SSL before you run the setup program.
NOTE If you already have the certificate database files, cert7.db or cert8.db and key3.
Step 6. Check the “Trust the CA to identify web sites”, “Trust the CA to identify e-mail users”, and “Trust the CA to identify software developers” checkboxes in the Downloading Certificate window. Then click the OK button.
Step 7. The Netscape Directory CA certificate will be downloaded to the following two files on your LDAP-UX client:
/.mozilla/default/*.slt/cert8.db
/.mozilla/default/*.slt/key3.
Steps to create database files using the certutil utility
The following steps show an example of how to create the security database files, cert8.db and key3.db, on your client system using the certutil utility:
Step 1. Retrieve the Base64-encoded certificate from the certificate server and save it.
NOTE The -t "C,," represents the minimum trust attributes that may be assigned to the CA certificate for LDAP-UX to successfully use SSL to connect to the LDAP directory server. If you have other applications that use the CA certificate for other functions, then you may wish to assign additional trust flags. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.
Configure LDAP-UX Client Services with Publickey Support
LDAP-UX Client Services B.04.00 or later versions support discovery and management of public keys in an LDAP directory. Both the public and secret keys used by the Secure RPC API can be stored in user and host entries in an LDAP directory server, using the nisKeyObject object class.
Navigate to NFS Services.
Table 2-2 Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2
Operating System | Supported Software Bundle | Version | Planned Release Date
HP-UX 11i v1 | Enhkey | B.11.11.01 | June, 2006
HP-UX 11i v2 | Enhkey | B.11.23.01 | October, 2006
You can download the Enhanced Publickey-LDAP software bundle from the following Software Depot web site:
• Go to http://www.hp.
— swinstall -x autoreboot=true -s /tmp/ENHKEY_B.11.11.01_HP-UX_B.11.11_64_32.depot  (for HP-UX 11i v1)
— swinstall -x autoreboot=true -x reinstall=false -s /tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.depot  (for HP-UX 11i v2)
Extending the Publickey Schema into Your Directory
The publickey schema is not loaded in the Netscape Directory Server. If you are installing LDAP-UX B.04.
Password for an Admin Proxy User
In order to protect users’ secret keys in the LDAP directory, each secret key is encrypted using the user’s password. This process is used in NIS as well as NIS+ environments. The host’s secret key must also be encrypted. Since the host itself does not have its own password, root’s password is used to encrypt the host’s secret key.
aci: (targetattr = "objectclass||nispublickey||nissecretkey") (version 3.0; acl "Allow keyadmin to change key pairs"; allow (read,write,compare) userdn = "ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com";)
Setting ACI for a User
The default ACI of Netscape Directory Server 6.11 allows a user to change his own nispublickey and nissecretkey attributes. For Netscape Directory Server 6.
Configuring serviceAuthenticationMethod is optional. If you do not configure serviceAuthenticationMethod, LDAP-UX binds the Admin Proxy user to the LDAP directory using the authentication method specified for the proxy user.
After you answer the "Directory login:" and "password:" prompts, ldapentry brings up an editor window with the profile entry. You can add the serviceAuthenticationMethod attribute. The value of the serviceAuthenticationMethod entry depends on the authentication method you configure.
./get_profile_entry -s nss
Step 5. Run the /opt/ldapux/config/display_profile_cache tool to check the configuration of the serviceAuthenticationMethod attribute:
.
passwd:      files ldap
group:       files ldap
hosts:       dns files ldap
networks:    files ldap
protocols:   files ldap
rpc:         files ldap
publickey:   ldap [NOTFOUND=return] files
netgroup:    files ldap
automount:   files ldap
aliases:     files
services:    files ldap
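The nsswitch.conf listing above, and the earlier recommendation under Plan Your Installation to list files before ldap for passwd, group and the other supported services, are the subject of this added example (not HP's code). The Python script parses nsswitch.conf-style lines into an ordered source list per service, skipping [STATUS=action] criteria such as [NOTFOUND=return], and reports two things a practitioner checks after setup: a service that consults ldap before files, and a service with no files source at all, which is what removes the local root-login fallback the guide relies on when the directory is unreachable. The sample text and the function names are this example's own.

```python
"""Check nsswitch.conf source ordering against the guide's recommendation.

Added example, not HP's code. The guide recommends listing 'files' before
'ldap' and keeping a few accounts (root in particular) in /etc/passwd so
that login still works when the directory is unreachable. The sample text
and function names are this example's own.
"""

# Constructed sample: 'group' deliberately puts ldap first and 'services'
# has no local fallback, so both show up in the report.
SAMPLE_NSSWITCH = """\
# constructed sample nsswitch.conf
passwd:     files ldap
group:      ldap files
hosts:      dns files ldap
netgroup:   ldap [NOTFOUND=return] files
services:   ldap
"""


def parse_nsswitch(text):
    """Return {service: [source, ...]} in the order written, without criteria."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        service, _, rest = line.partition(":")
        # [NOTFOUND=return] and similar criteria are not sources; drop them.
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        table[service.strip()] = sources
    return table


def check_nsswitch(text, services=("passwd", "group", "hosts", "services")):
    """Return [(service, problem), ...] for the named services.

    Problems reported: 'ldap' listed before 'files', and no 'files' source
    at all (no local fallback if the directory is unavailable).
    """
    table = parse_nsswitch(text)
    problems = []
    for service in services:
        sources = table.get(service)
        if sources is None:
            continue  # service not present in this text; nothing to report
        if "files" not in sources:
            problems.append((service, "no files source; no local fallback"))
            continue
        if "ldap" in sources and sources.index("ldap") < sources.index("files"):
            problems.append((service, "ldap listed before files"))
    return problems


if __name__ == "__main__":
    for service, problem in check_nsswitch(SAMPLE_NSSWITCH):
        print("%s: %s" % (service, problem))
```

netgroup is left out of the default service list on purpose: the listing above shows it with ldap first and [NOTFOUND=return], which is a deliberate ordering, so it should be checked against the site's intent rather than the generic rule. To check a live system, pass the contents of /etc/nsswitch.conf to check_nsswitch.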
AutoFS Support
AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them. If an automounted file system has been idle for a period of time, AutoFS unmounts it. AutoFS uses name services such as files, NIS or NIS+ to store and manage AutoFS maps. LDAP-UX Client Services B.04.00 supports the automount service under the AutoFS subsystem.
The nisObject automount schema defines nisMap and nisObject structures to represent the AutoFS maps and their entries in the LDAP directory. There are some limitations that you need to be aware of when using the nisObject automount schema.
• obsolete automount schema
This is the schema that is shipped with Netscape Directory Server version 6.x. LDAP-UX Client Services supports the new automount schema.
MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.
dn: automountKey=/mnt_direct/test1,automountMapname=auto_direct,dc=nishpind
objectClass: top
objectClass: automount
automountInformation: hostA:/tmp
automountKey: /mnt_direct/test1

dn: automountKey=/mnt_direct/test2,automountMapname=auto_direct,dc=nishpind
objectClass: top
objectClass: automount
automountInformation: hostB:/tmp
automountKey: /mnt_direct/test2
The nisObject Automount Schema
The nisObject automount schema defines nisMap and n
Limitations
The nisObject automount schema contains three attributes: cn, nisMapEntry and nisMapName. cn is an attribute whose matching rule ignores case. Consider the following example:
# an indirect map named auto_test
test1    server1:/source
TEST1    server2:/source
In the above example, because the cn attribute is case-insensitive, the directory considers “cn=TEST1, nisMapName=auto_test” to be a redefinition of “cn=test1, nisMapName=auto_test”.
Step 3. Delete the following two entries in the /var/opt/netscape/servers/slapd-/config/schema/10rfc2307.ldif file. These two entries contain the 'automountInformation' attribute type and the 'automount' object class. The data in these two entries define the obsolete automount schema. The complete two entries are:
• attributeTypes: ( 1.3.6.1.1.1.1.25 NAME 'automountInformation' DESC 'Standard LDAP attribute type' SYNTAX 1.3.
Table 2-4 shows the attribute mappings:
Table 2-4 Attribute Mappings
New Automount Attribute | nisObject Automount Attribute
automountMapname | nisMapname
automountKey | cn
automountInformation | nisMapEntry
• Change the automount search filter for the automount service to the nisObject search filter. LDAP-UX Client Services uses the automount search filter for the automount service as a default.
passwd:    files ldap
group:     files ldap
hosts:     dns files ldap
networks:  files ldap
protocols: files ldap
rpc:       files ldap
publickey: files ldap
netgroup:  ldap [NOTFOUND=return] files
automount: files ldap
aliases:   files
services:  files ldap

AutoFS Migration Scripts

This section describes the migration scripts which can be used to migrate your AutoFS maps from files, NIS servers or NIS+ servers to LDIF files.
DOM_ENV
    Applies only to the migrate_nisp_autofs.pl script. This variable defines the fully qualified name of the NIS+ domain from which you want to migrate your data.

NIS_DOMAINNAME
    Applies only to the migrate_nis_automount.pl script. This variable specifies the fully qualified name of the NIS domain from which you want to migrate your data. This variable is optional.
The migrate_automount.pl Script

This script, found in /opt/ldapux/migrate, migrates AutoFS maps from files to LDIF.

Syntax
scriptname inputfile outputfile

Examples
The following commands migrate the AutoFS map /etc/auto_direct to LDIF and place the results in the /tmp/auto_direct.ldif file:

export LDAP_BASEDN="dc=nishpind"
migrate_automount.pl /etc/auto_direct /tmp/auto_direct.
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_direct.ldif that you just created into the LDAP directory. For example, the following command imports /tmp/auto_direct.ldif under the base DN "dc=nishpind" on the directory server LDAPSERV1:

/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" -w -f /tmp/auto_direct.

Note that this command binds as the directory administrator, and a password given to -w on the command line is visible to other users of the host in ps(1) output while the command runs; run it from a host you control.
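The following added example is not part of this manual and is not the migrate_automount.pl script; it performs the same file-to-LDIF conversion in Python and, before it will write nisObject entries, checks the map for keys that differ only by case, the collision described under Limitations above. The map contents, map name and base DN are constructed for illustration; the attribute and object class names are those of the automount and nisObject schemas described in this chapter.

```python
"""Convert an AutoFS map file to LDIF for the automount or nisObject schema.

Added example, not the migrate_automount.pl script shipped with LDAP-UX. The
sample map, map name and base DN are constructed for illustration.
"""
import base64
import re

# Constructed sample: an indirect map, auto_test, containing the case clash
# from the Limitations section plus a continued line with mount options.
SAMPLE_AUTO_TEST = """\
# indirect map auto_test (constructed sample)
test1   server1:/source
TEST1   server2:/source
lab2    -rw,intr \\
        hostB:/tmp
"""


def parse_automount_map(text):
    """Return [(key, information), ...] from AutoFS map text.

    Blank lines and '#' comments are skipped and a trailing backslash joins
    the next line, as in automount map files. 'information' is everything
    after the key (mount options and location), which is what the
    automountInformation / nisMapEntry attribute carries.
    """
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical, pending = (pending + line).strip(), ""
        if not logical or logical.startswith("#"):
            continue
        parts = logical.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {logical!r}")
        entries.append((parts[0], " ".join(parts[1].split())))
    if pending:
        raise ValueError("map ends with a continuation line")
    return entries


def find_case_collisions(entries):
    """Return {lower-cased key: [distinct spellings]} for keys differing only by case.

    The nisObject schema's cn attribute is matched case-insensitively, so such
    keys collide in the directory even though AutoFS treats them as distinct.
    """
    spellings = {}
    for key, _ in entries:
        bucket = spellings.setdefault(key.lower(), [])
        if key not in bucket:
            bucket.append(key)
    return {k: v for k, v in spellings.items() if len(v) > 1}


_DN_SPECIAL = re.compile(r'([,+"\\<>;])')


def dn_escape(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr, value):
    """Format 'attr: value', base64-encoding values LDIF cannot carry literally."""
    literal = (value.isascii() and value.isprintable()
               and not value.startswith((" ", ":", "<"))
               and not value.endswith(" "))
    if literal:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def automount_map_to_ldif(map_name, entries, base_dn, schema="automount"):
    """Render one map as LDIF in the automount or the nisObject schema.

    Raises ValueError for a nisObject export whose keys would collide under
    case-insensitive cn matching, so the problem is caught before ldapmodify.
    """
    if schema == "automount":
        map_attr, key_attr, info_attr = "automountMapName", "automountKey", "automountInformation"
        map_oc, entry_oc = "automountMap", "automount"
    elif schema == "nisObject":
        map_attr, key_attr, info_attr = "nisMapName", "cn", "nisMapEntry"
        map_oc, entry_oc = "nisMap", "nisObject"
        clashes = find_case_collisions(entries)
        if clashes:
            raise ValueError(f"keys differ only by case: {clashes}")
    else:
        raise ValueError(f"unknown schema {schema!r}")

    map_dn = f"{map_attr}={dn_escape(map_name)},{base_dn}"
    blocks = [[f"dn: {map_dn}", "objectClass: top",
               f"objectClass: {map_oc}", ldif_line(map_attr, map_name)]]
    for key, info in entries:
        block = [f"dn: {key_attr}={dn_escape(key)},{map_dn}",
                 "objectClass: top", f"objectClass: {entry_oc}"]
        if schema == "nisObject":          # nisMapName is mandatory on nisObject
            block.append(ldif_line(map_attr, map_name))
        block += [ldif_line(info_attr, info), ldif_line(key_attr, key)]
        blocks.append(block)
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


if __name__ == "__main__":
    entries = parse_automount_map(SAMPLE_AUTO_TEST)
    print(automount_map_to_ldif("auto_test", entries, "dc=nishpind"))
    try:
        automount_map_to_ldif("auto_test", entries, "dc=nishpind", schema="nisObject")
    except ValueError as err:
        print("refusing nisObject export:", err)
```

The automount export succeeds because automountKey is matched case-exactly, while the nisObject export is refused before anything reaches ldapmodify; the resulting LDIF is the same shape as the entries shown earlier in this section and can be fed to ldapmodify -a -f.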
The migrate_nis_automount.pl Script

This script, found in /opt/ldapux/migrate, migrates AutoFS maps from the NIS server to LDIF.

Syntax
scriptname inputfile outputfile

Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the /tmp/auto_indirect.ldif file:

export LDAP_BASEDN="dc=nisserv1"
export NIS_DOMAINNAME="cup.hp.com"
migrate_nis_automount.pl /etc/auto_indirect /tmp/auto_indirect.
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_indirect.ldif that you just created into the LDAP directory. For example, the following command imports /tmp/auto_indirect.ldif under the base DN "dc=nisserv1" on the directory server LDAPSERV1:

/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" -w -f /tmp/auto_indirect.ldif

The migrate_nisp_autofs.
dn: automountKey=lab2,automountMapName=auto_indirect,dc=nishpbnd
objectClass: top
objectClass: automount
automountInformation: hostB:/tmp
automountKey: lab2

You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file nisp_automap.ldif that you just created into the LDAP directory. For example, the following command imports the nisp_automap.
Using "ldap" for the passwd policy.
Searching ldap for jbloggs
User name: jbloggs
user Id: 10000
Group Id: 2000
Gecos:
Home Directory: /home/jbloggs
Shell: /bin/sh
Switch configuration: Terminates Search

This tests the Name Service Switch configuration in /etc/nsswitch.conf. If you do not see output like that above, check /etc/nsswitch.conf for proper configuration.

Step 2.
pw_comment........()
pw_gecos..........(gecos data in files)
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)

Refer to "beq Search Tool" in Chapter 4 for command syntax and examples.

Step 4. Log in to the client system from another system using rlogin or telnet. Log in as a user in the directory and as a user in /etc/passwd to make sure both work. (Both protocols send the password in clear text; perform this test only on a trusted network.)

Step 5.
Step 7. Use the ls(1) or ll(1) command to examine files belonging to a user whose account information is in the directory. Make sure the owner and group of each file are accurate:

ll /tmp
ls -l

If any owner or group shows up as a number instead of a user or group name, the name service switch is not functioning properly. Check the file /etc/nsswitch.conf, your directory, and your profile.
:
group: files ldap
:
:

3. Verify:

# grget -n xgroup1
xgroup1:*:999:xuser2

If xuser2 shows up as a member of xgroup1, your setup is correct.

Configure Subsequent Client Systems

Once you have configured your directory and one client system, you can configure subsequent client systems using the following steps. Modify any of these files as needed.

Step 1.
Alternatively, you could interactively run the setup program to download the profile from the directory and respond "no" when asked if you want to change the current configuration:

cd /opt/ldapux/config
./setup

Step 4. If you are using a proxy user, configure the proxy user by calling ldap_proxy_config as follows:

cd /opt/ldapux/config
./ldap_proxy_config

Step 5. "Verify the LDAP-UX Client Services" on page 68.
Download the Profile Periodically

Setup allows you to define a time interval after which the current profile is automatically refreshed. The start time for this periodic refresh is defined by the time the setup program was run and the value defined for ProfileTTL. It therefore does not allow you to define a specific time of day at which the profile should be downloaded (refreshed).
Use r-command for PAM_LDAP

An enhancement was added in LDAP-UX Client Services B.03.20 so that r-commands work with LDAP account users whose password is hidden, that is, not stored in clear text or crypt syntax. If you want to use this feature, use the following steps:

1. Uncomment the following line in the /etc/opt/ldapux/ldapux_client.conf file:

#password_as = "x"

2. On the HP-UX 11.
dtlogin   account   required
dtlogin   account   sufficient
dtlogin   account   required
dtaction  account   required
dtaction  account   sufficient
dtaction  account   required
ftp       account   required
ftp       account   sufficient
ftp       account   required
rcomds    account   required
rcomds    account   sufficient
rcomds    account   required
sshd      account   required
sshd      account   sufficient
sshd      account   required
OTHER     account   sufficient
OTHER     account   required

CAUTION
3 LDAP Printer Configurator Support

This chapter describes how LDAP-UX supports the printer configurator, how to set up the printer schema, and how to configure the printer configurator to control its behavior. This chapter contains the following sections:

• "Overview" on page 80.
• "How the LDAP Printer Configurator works" on page 82.
• "Printer Configuration Parameters" on page 85.
• "Printer Schema" on page 86.
• "Managing the LP printer configuration" on page 88.
Overview

Management of network printing is complex, and printers themselves have become more complicated. Instead of having printer configuration and information scattered across client systems and print servers, it can be stored and managed in a single repository. LDAP is well suited to serve as the backend printer configuration database.
• A local printer, which is a printer directly connected to your system.

NOTE: The LDAP printer configurator only supports the HP LP spooler system, remote printers, network printers and print servers that support the Line Printer Daemon (LPD) protocol. It does not support local printers.
How the LDAP Printer Configurator works

The Printer Configurator is a service daemon which provides the following functions:
• Periodically searches the existing printer entries stored in the LDAP Directory Server
• Compares the search result with the master printer record file on each scheduled ldapsearch
• Adds the print configuration to the client system for each new printer
• Deletes the printer from the client system for each rem
NOTE: The system administrator can still add or remove printers on the HP-UX system manually. The LDAP Printer Configurator only adds or removes printers that it has discovered in the LDAP directory according to the search filter defined for printers.
Figure 3-1 Printer Configurator Architecture
Printer Configuration Parameters

LDAP-UX Client Services provides four printer configuration parameters, start, search_interval, max_printers and lpadmin_option, which you can use to customize and control the behavior of the printer configurator. These parameters are defined in the ldapclientd.conf file. For detailed information on these parameters, refer to Chapter 4, "Administering LDAP-UX Client Services," on page 93.
Printer Schema

The new printer schema, based on the IETF draft printer schema, is used to create the printer objects used by the printer configurator service. The draft printer schema can be obtained from the IETF web site at http://www.ietf.org. For the detailed structure of the new printer schema, see Appendix C. You must import the new printer schema into the LDAP Directory Server before you can create printer objects.
The printer-name attribute provides the local printer name; the printer-uri attribute identifies the remote hostname and the remote printer name. URI stands for Uniform Resource Identifier; its syntax is defined by RFC 2396. The following shows an example of the printer-uri attribute:

printer-uri: lpd://hostA.hp.
Managing the LP printer configuration

LDAP-UX Client Services provides the printer configurator integration: the product daemon automatically updates the remote LP printer configuration of a client system based on the printer objects available in the Directory Server. Because every client applies whatever printer objects it finds under the configured search base, restrict write access to that part of the directory to the administrators who manage printers.
Since the local printer name, remote hostname, remote printer name and printing protocol are all unchanged, the LDAP Printer Configurator does not change the current remote LP printer configuration for laser2.

Example 3: The system hostA.hp.com is retired. The Laserjet 2004 printer is now connected to system hostC and set up as a local LP printer lj2004.
The administrator created a new printer object in the directory server as follows:

dn: printer-name=laser8,ou=printers,dc=hp,dc=com
printer-name: laser8
printer-uri: lpd://hostD.hp.com/lj81003

In this example, the printer configurator adds a new remote LP printer configuration, laser8, to the client system.
Limitations of Printer Configurator

• The new LDAP printer schema based on the IETF draft must be imported into the LDAP Directory Server before printer objects can be created.
• LDAP-UX Client Services only supports the HP-UX LP spooler system, network printers, and print servers that support the Line Printer Daemon (LPD) protocol. The printer configurator does not support local printers.
4 Administering LDAP-UX Client Services This chapter describes how to keep your clients running smoothly and expand your computing environment.
Using The LDAP-UX Client Daemon

This section describes the following:
• the steps required to activate the client daemon
• an explanation of the administration tool ldapclientd, along with the configuration file ldapclientd.conf

Overview

The LDAP-UX client daemon enables LDAP-UX clients to work with LDAP directory servers.
IMPORTANT: Starting with LDAP-UX Client Services B.03.20, the client daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running the client daemon is optional.

ldapclientd

Starting the client

Use the following syntax to start the client daemon.
For more information on client daemon performance, see "Client Daemon Performance" on page 126.

Command options
Refer to the ldapclientd man page for option information.

Diagnostics
By default, errors are logged to syslog if system logging is enabled in the LDAP-UX client startup configuration file /etc/opt/ldapux/ldapux_client.conf.
Downloading profiles takes time, depending on the server's response time and the number of profiles listed in the LDAP-UX startup file /etc/opt/ldapux/ldapux_client.conf.

ldapclientd.conf

The file ldapclientd.conf is the configuration file for /opt/ldapux/bin/ldapclientd, the LDAP client daemon. Refer to the previous section for more information about the client daemon.
- automount
- automountMap
- printers

setting
    This will be different for each section.

value
    Depending on the setting, this can be .

Section details

Within a section, the following syntax applies:

[StartOnBoot]
Determines if ldapclientd starts automatically when the system boots.
cache_cleanup_time=<1-300>
    The interval, in seconds, between the times when ldapclientd identifies and cleans up stale cache entries. The default value is 10.

update_ldapux_conf_time=<10-2147483647>
    How often, in seconds, ldapclientd re-reads the /etc/opt/ldapux/ldapux_client.conf client configuration file to download new domain profiles. The default value is 600 (10 minutes).
negcache_ttl=<1-2147483647>
    The time, in seconds, before a cache entry expires from the negative cache. There is no [general] default value for this setting; each cache section has its own default.

[passwd]
Cache settings for the passwd cache (which caches name, uid and shadow information).

setting=value
enable=
    ldapclientd only caches entries for this section when it is enabled.
negcache_ttl=<1-2147483647>
    The time, in seconds, before a cache entry expires from the negative cache. The default value is 240 (4 minutes).

[netgroup]
Cache settings for the netgroup cache.

setting=value
enable=
    ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
    The time, in seconds, before a cache entry expires from the positive cache.
setting=value
enable=
    ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
    The time, in seconds, before a cache entry expires from the positive cache. Since new domains are rarely added to or removed from the forest, the cache is typically valid for a long time.
A negative cache stores the fact that an automount entry does not exist. For example, if a user requests an automount entry that does not exist, the LDAP directory server returns no entry, and that negative result is stored in the negative cache.

setting=value
enable=
    ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
printer configurator will start when ldapclientd is initialized. By default, the start parameter is enabled.

search_interval=<1800-1209600>
    Defines the interval, in seconds, between printer searches in the directory server. The default value is 86400 (one day). The minimum value is 1800 (30 minutes) and the maximum value is 1209600 (2 weeks).
Integrating with Trusted Mode

This section describes the features and limitations, PAM configuration changes and configuration parameters for integrating LDAP-UX with Trusted Mode.

Overview

LDAP-UX Client Services B.03.30 or later supports coexistence with Trusted Mode.
system for the first time, auditing for that account is immediately enabled or disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.
• You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes for LDAP-based accounts are not stored in the LDAP directory server.
expiration, password syntax checking, and account expiration. No policies of the HP-UX Trusted Mode product apply to accounts stored in the LDAP server.
• Except for the audit flag, you cannot modify other Trusted Mode properties or policies for LDAP-based accounts. For example, attempting to lock an LDAP-based account by modifying the Trusted Mode field for that user does not prevent that account from logging in to the host. Instead, you must disable the account on the LDAP server itself. No runtime warning is given that the local locking of the account has no effect.
PAM_AUTHZ Login Authorization Enhancement

The PAM_AUTHZ service module allows the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd and /etc/netgroup files. PAM_AUTHZ was created to provide access control similar to the netgroup filtering performed by NIS. Starting with LDAP-UX Client Services B.04.
How Login Authorization Works

The system administrator defines the access rules and stores them in the policy file /etc/opt/ldapux/pam_authz.policy. PAM_AUTHZ uses the access rules in this policy file to control login authorization.
2. The PAM_AUTHZ service module receives an authentication request from the PAM framework. It processes all the access rules stored in the /etc/opt/ldapux/pam_authz.policy file.
3. If a rule indicates that the required information is stored in an LDAP server, PAM_AUTHZ constructs a request message and sends it to the LDAP client daemon, ldapclientd. The LDAP client daemon performs the actual LDAP query and returns the result to PAM_AUTHZ.
Constructing an Access Rule in pam_authz.policy

In the policy file /etc/opt/ldapux/pam_authz.policy, an access rule consists of three fields as follows:

::

All fields are mandatory. If any field is missing or contains incorrect syntax, the access rule is considered invalid and is ignored by PAM_AUTHZ.
Table 4-1 Field Syntax in an Access Rule (continued)

deny, allow    unix_group
deny, allow    other
unix_user
    This option indicates that the administrator wants to control login access by comparing the user's login name against a list of predefined users. If the login name matches one of the user names in the list, the authorization statement is evaluated to be true. The final access right is determined by evaluating the field.
evaluated to be true. PAM_AUTHZ obtains the netgroup information by querying the name services specified in nsswitch.conf. For example:

allow:netgroup:netgroup1,netgroup2,netgroup3

A user who belongs to netgroup1 tries to log in. The above access rule is evaluated to be true and the user is granted login access.

ldap_group
    This option specifies that an access rule is based on membership in a group object that is not a posixGroup.
In the above example, if a user reports to paulw and the user's job is related to marketing, the user is granted login access. The rule structure is flexible about how to define access for certain groups of users.

other
    PAM_AUTHZ ignores any access rules defined in the
PAM_AUTHZ skips an access rule and does not process it in the following situations:
• The access rule contains incorrect syntax.
• PAM_AUTHZ processes the ldap_filter and ldap_group types of access rules by querying the LDAP directory server through the ldapclientd daemon. If LDAP-UX Client Services is not running, PAM_AUTHZ skips all ldap_filter and ldap_group rules. A skipped rule decides nothing, so the outcome for such a user is determined by the remaining rules in the file; keep that in mind when you rely on LDAP-based rules to grant or deny access.

An Example of /etc/opt/ldapux/pam_authz.
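The following added example is not HP's PAM_AUTHZ module; it models the rule evaluation described in this section in Python. It parses pam_authz.policy-style rules, drops malformed ones, and evaluates them for a login name, skipping ldap_group and ldap_filter rules when no ldapclientd query is available. The policy text, the users and the stand-in for ldapclientd are constructed; first-match ordering, the catch-all meaning of other, and the attr=value form of the ldap_filter list are assumptions not stated on this page.

```python
"""Evaluate pam_authz.policy-style access rules for a login request.

Added example modelling the rule evaluation described in the manual; it is
not HP's PAM_AUTHZ module. Assumptions not stated on the page: rules are
tried top to bottom and the first match decides; an 'other' rule matches
every user; the ldap_filter list is modelled as comma-separated attr=value
pairs that must all hold. Users, groups and policy text are constructed.
"""
from dataclasses import dataclass

VALID_ACCESS = {"allow", "deny"}
VALID_TYPES = {"unix_user", "unix_group", "netgroup",
               "ldap_group", "ldap_filter", "other"}

# Constructed policy: the two lines after the comment are invalid on purpose.
SAMPLE_POLICY = """\
# constructed sample, not the manual's policy file
deny:unix_user:guest,nobody
allow:netgroup:netgroup1,netgroup2,netgroup3
allow:ldap_filter:manager=paulw,department=marketing
allow:unix_group:wheel
# next two lines are invalid: bad access field, missing list field
bogus:unix_user:root
allow:unix_user
deny:other:
"""


@dataclass
class User:
    """What PAM_AUTHZ can learn about the login name from nsswitch and LDAP."""
    name: str
    groups: frozenset
    netgroups: frozenset
    ldap_groups: frozenset
    attrs: dict


def parse_policy(text):
    """Return [(access, type, items)] keeping only well-formed rules.

    All three colon-separated fields must be present and the first two must
    be known values; anything else is ignored, as the manual describes.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in VALID_ACCESS or parts[1] not in VALID_TYPES:
            continue
        items = tuple(v.strip() for v in parts[2].split(",") if v.strip())
        if parts[1] != "other" and not items:
            continue
        rules.append((parts[0], parts[1], items))
    return rules


def ldapclientd_stub(rtype, items, user):
    """Stand-in for the query PAM_AUTHZ sends to ldapclientd (constructed)."""
    if rtype == "ldap_group":
        return bool(user.ldap_groups & set(items))
    for item in items:                      # ldap_filter: every attr=value must hold
        attr, _, value = item.partition("=")
        if user.attrs.get(attr) != value:
            return False
    return True


def evaluate(rules, user, ldap_query=None):
    """Return (access, rule) for the first rule that matches, else (None, None).

    ldap_group and ldap_filter rules are skipped when ldap_query is None,
    which models ldapclientd not running.
    """
    for rule in rules:
        access, rtype, items = rule
        if rtype == "unix_user":
            hit = user.name in items
        elif rtype == "unix_group":
            hit = bool(user.groups & set(items))
        elif rtype == "netgroup":
            hit = bool(user.netgroups & set(items))
        elif rtype == "other":
            hit = True
        elif ldap_query is None:
            continue
        else:
            hit = ldap_query(rtype, items, user)
        if hit:
            return access, rule
    return None, None


# Constructed users.
ALICE = User("alice", frozenset({"users"}), frozenset({"netgroup1"}), frozenset(), {})
BOB = User("bob", frozenset({"users"}), frozenset(), frozenset(),
           {"manager": "paulw", "department": "marketing"})
GUEST = User("guest", frozenset(), frozenset({"netgroup1"}), frozenset(), {})

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for who in (ALICE, BOB, GUEST):
        print(who.name, "daemon up:", evaluate(rules, who, ldapclientd_stub)[0],
              "daemon down:", evaluate(rules, who)[0])
```

With ldapclientd available, bob is allowed by the ldap_filter rule; with it unavailable that rule is skipped and the trailing deny:other: rule denies him, which is the failure mode to plan for when access depends on LDAP-based rules.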
environment. LDAP-UX can take advantage of replica directory servers and fail over to an alternate if one of them fails. Follow these steps to inform LDAP-UX about multiple directory servers:

Step 1. Create and configure your LDAP directory replica. For Netscape Directory Server for HP-UX, see the Netscape Directory Server Deployment Guide.

Step 2.
Verifying the Proxy User

The proxy user credentials are stored encrypted in the file /etc/opt/ldapux/pcred. You can check whether the proxy user can authenticate to the directory by running /opt/ldapux/config/ldap_proxy_config -v as follows:

cd /opt/ldapux/config
.
cd /opt/ldapux/config
./ldap_proxy_config -i uid=proxy,ou=people,o=hp.com abcd1234

Note that a password supplied as a command-line argument, as in the example above, is visible to other users of the host in ps(1) output while the command runs and may be recorded in your shell history.

The following command displays the current proxy user:

./ldap_proxy_config -p
PROXY DN: uid=proxy,ou=people,o=hp.com

The following command checks whether the proxy user can bind to the directory:

.
Alternatively, you could use your directory administration tools to make a copy of an existing profile and modify it. You can also use the interactive tool create_profile_entry to create a new profile as follows:

cd /opt/ldapux/config
./create_profile_entry

Once you create a new profile, configure client systems to use it as described in "Changing Which Profile a Client Is Using" on page 122.
Changing from Anonymous Access to Proxy Access

If you have anonymous access and you want to change to using a proxy user, do the following:

Step 1. Create the proxy user in the directory. With Netscape Directory Server, you can use the Netscape Console.

Step 2. Change the credentialLevel attribute in your profile to "proxy" using your directory administration tools, for example the Netscape Console.
Step 1. Change the credentialLevel attribute in your profile to "anonymous" using your directory administration tools, for example the Netscape Console.

Step 2. Download the profile to the client. If you have an automated process to download the profile, you can wait until it executes. Or you can download the profile manually as described in "Download the Profile Periodically" on page 74.

Step 3.
Performance Considerations

This section lists some performance considerations for LDAP-UX Client Services. See the white paper LDAP-UX Integration Performance and Tuning Guidelines at http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration for additional performance information.

Minimizing Enumeration Requests

Enumeration requests are directory queries that request all of a database, for example all users or all groups.
Client Daemon Performance

Compared to previous networked name service systems, LDAP directory servers support a number of new features, and the general-purpose nature of LDAP allows it to support a variety of applications beyond those used by a networked OS.
does not exist, every time a user displays information about this file using the ls command, a request to the directory server is generated. The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount map information. ldapclientd also maintains a cache which maps user accounts to LDAP DNs. This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for defining membership of an HP-UX group.
Table 4-2 (Continued)

Map Name: group
Benefits: Frequent file system access may request information about the groups that own particular files. Caching greatly reduces this impact.
Example Side-Effect: Removing a member of a group may not be visible to the file system until after the cache expires. During this window, a user may still be able to access files or other resources based on a group membership that has been revoked.
Table 4-2 (Continued)

Map Name: automount
Benefits: Frequent file system access to a directory may request automount information about a network file system. A positive AutoFS cache greatly reduces LDAP-UX client response time while retrieving the automount data.
NOTE: The ldapclientd -f command flushes all caches. Refer to the ldapclientd(1M) man page for more information.

It is possible to alter the caching lifetime values for each service listed above in the /etc/opt/ldapux/ldapclientd.conf file. See below for additional information. It is also possible to enable or disable a cache using the -E or -D (respectively) options.
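The following added example is not ldapclientd's code; it models one cache section with a positive and a negative cache in Python and replays the side effect noted in Table 4-2: a group membership revoked in the directory stays visible to the client until poscache_ttl elapses, and an entry added to the directory stays invisible until negcache_ttl elapses or the cache is flushed. The directory contents, TTL values and clock are constructed.

```python
"""Model of ldapclientd's positive/negative name-service cache and the
revocation window it creates.

Added example, not HP's ldapclientd code. The directory contents, the TTLs
and the clock are constructed so that the timeline is deterministic.
"""
import time


class ServiceCache:
    """One cache section (for example [group]) with poscache_ttl/negcache_ttl."""

    def __init__(self, backend, poscache_ttl, negcache_ttl, clock=time.monotonic):
        self.backend = backend          # callable: key -> value, or None when absent
        self.poscache_ttl = poscache_ttl
        self.negcache_ttl = negcache_ttl
        self.clock = clock
        self.positive = {}              # key -> (expires_at, value)
        self.negative = {}              # key -> expires_at
        self.backend_queries = 0        # how often the directory was really asked

    def lookup(self, key):
        now = self.clock()
        hit = self.positive.get(key)
        if hit and hit[0] > now:
            return hit[1]
        if self.negative.get(key, 0) > now:
            return None
        self.backend_queries += 1
        value = self.backend(key)
        if value is None:
            self.negative[key] = now + self.negcache_ttl
            self.positive.pop(key, None)
        else:
            self.positive[key] = (now + self.poscache_ttl, value)
            self.negative.pop(key, None)
        return value

    def flush(self):
        """What 'ldapclientd -f' does: drop every cached entry."""
        self.positive.clear()
        self.negative.clear()


def revocation_timeline(poscache_ttl=600, negcache_ttl=240):
    """Replay a group-membership revocation against the cache.

    Returns the membership the client sees at each step, so the stale window
    and the effect of a flush can be checked.
    """
    directory = {"xgroup1": frozenset({"xuser1", "xuser2"})}  # constructed directory
    now = [0]
    cache = ServiceCache(directory.get, poscache_ttl, negcache_ttl, clock=lambda: now[0])

    seen = {}
    seen["warm"] = cache.lookup("xgroup1")                   # first query hits the directory
    directory["xgroup1"] = frozenset({"xuser1"})             # admin revokes xuser2 in LDAP
    seen["after_revoke"] = cache.lookup("xgroup1")           # still served from cache
    now[0] = poscache_ttl - 1
    seen["just_before_expiry"] = cache.lookup("xgroup1")     # still stale
    now[0] = poscache_ttl + 1
    seen["after_expiry"] = cache.lookup("xgroup1")           # refetched, revocation visible

    seen["missing_group"] = cache.lookup("xgroup2")          # miss goes to the negative cache
    directory["xgroup2"] = frozenset({"xuser3"})             # group created in LDAP
    seen["new_group_cached_miss"] = cache.lookup("xgroup2")  # None until negcache_ttl passes
    cache.flush()                                            # ldapclientd -f
    seen["new_group_after_flush"] = cache.lookup("xgroup2")
    seen["backend_queries"] = cache.backend_queries
    return seen


if __name__ == "__main__":
    for step, value in revocation_timeline().items():
        print(f"{step:24} {value}")
```

The stale window after a revocation is bounded by poscache_ttl of the relevant section, so when you shorten a TTL to narrow that window, expect the directory query count to rise accordingly; flushing with ldapclientd -f closes the window immediately on one client.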
Troubleshooting

This section describes troubleshooting techniques as well as problems you may encounter.

Enabling and Disabling LDAP-UX Logging

When something is behaving incorrectly, enabling logging is one way to examine the events that occur and determine where the problem is. Enable LDAP-UX Client Services logging on a particular client as follows:

Step 1. Edit the local startup file /etc/opt/ldapux/ldapux_client.
TIP: Enable LDAP logging only long enough to collect the data you need, because logging can significantly reduce performance and generate large log files. You may want to move the existing log file and start with an empty file:

mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.
Step 8. Examine the log file /var/adm/syslog/debug.log to see what actions were performed and whether any are unexpected. Look for lines containing "PAM_LDAP."

TIP: Enable PAM logging only long enough to collect the data you need, because logging can significantly reduce performance and generate large log files. You may want to move the existing log file and start with an empty file:

mv /var/adm/syslog/debug.log /var/adm/syslog/debug.log.save.
If the output shows ldap is not being searched, check /etc/nsswitch.conf to make sure ldap is specified. If the user name is not found, make sure that user is in the directory and, if using a proxy user, make sure the proxy user is properly configured. If nsquery(1) displays the user's information, make sure /etc/pam.conf is configured correctly for ldap. If /etc/pam.conf is configured correctly, check the directory's policy management status.
If you are using a proxy user (determined by the credentialLevel attribute in the configuration profile), try searching for one of your users in the directory as the proxy user with a command like the following:

cd /opt/ldapux/bin
.
using the name of your directory server (from display_profile_cache), the search base DN (from display_profile_cache), and a user name from the directory. You should get output similar to the previous example. If you do not, anonymous access may not be configured properly. Make sure you have access permissions set correctly for anonymous access.
5 Command and Tool Reference

This chapter describes the commands and tools associated with LDAP-UX Client Services:

• "The LDAP-UX Client Services Components" on page 138 describes many of the files that comprise this product.
• "Client Management Tools" on page 143 describes commands to manage your client systems.
• "LDAP Directory Tools" on page 154 briefly describes the tools ldapsearch, ldapmodify, ldapdelete and certutil.
The LDAP-UX Client Services Components

The LDAP-UX Client Services product, comprising the following components, can be found under /opt/ldapux and /etc/opt/ldapux, except where noted. LDAP-UX Client Services libraries are listed in Tables 5-2 and 5-3.

Table 5-1 LDAP-UX Client Services Components

Component                                   Description
/etc/opt/ldapux/ldapux_client.
Table 5-1 LDAP-UX Client Services Components (Continued)

Component                                   Description
/opt/ldapux/config/create_profile_entry     Program to create a new configuration profile.
/opt/ldapux/config/create_profile_schema
/opt/ldapux/config/create_profile_cache     Programs called by the setup program.
/opt/ldapux/config/ldap_proxy_config        Program to configure and verify the proxy user.
Table 5-1 LDAP-UX Client Services Components (Continued)

Component                                   Description
/opt/ldapux/ypldapd                         Files for the NIS/LDAP Gateway product. See Installing and Administering NIS/LDAP Gateway.
/opt/ldapux/contrib/bin/beq                 Search tool that bypasses the name service switch and queries the backend directly based on the specified library.
Table 5-3 shows the LDAP-UX Client Services libraries on 32- or 64-bit HP-UX 11i v2 PA machines:

Table 5-3 LDAP-UX Client Services Libraries on the HP-UX 11i v2 PA machine
/usr/lib/libldap_send.1 (32-bit), /usr/lib/libldap_util.1 (32-bit), /usr/lib/libnss_ldap.1 (32-bit), /usr/lib/libldapci.1 (32-bit), /usr/lib/libldap.1 (32-bit): LDAP-UX Client Services libraries.
/usr/lib/security/libpam_ldap.
Table 5-4 shows the LDAP-UX Client Services libraries on 32- or 64-bit HP-UX 11i v2 IA machines:

Table 5-4 LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA machine
/usr/lib/hpux32/libldap_send.so.1 (32-bit), /usr/lib/hpux32/libldap_util.so.1 (32-bit), /usr/lib/hpux32/libnss_ldap.so.1 (32-bit), /usr/lib/hpux32/libldapci.so.1 (32-bit), /usr/lib/hpux32/libldap.so.1 (32-bit): LDAP-UX Client Services libraries.
Client Management Tools

This section describes the following programs for managing client systems. Most of these are called by the setup program when you configure a system.

display_profile_cache: Displays the currently active profile.
create_profile_entry: Creates a new profile in the directory.
get_profile_entry: Downloads a profile from the directory to LDIF, and creates the profile cache.
ldap_proxy_config: Configures a proxy user.
Syntax

create_profile_cache [-i infile] [-o outfile]

where infile is the LDIF file containing a profile, by default /etc/opt/ldapux/ldapux_profile.ldif, and outfile is the name of the binary output file, by default /etc/opt/ldapux/ldapux_profile.bin. The LDIF file must contain an entry for the object class DUAConfigProfile.

Examples

The following command creates the binary profile file /etc/opt/ldapux/ldapux_profile.
where infile is a binary profile file, /etc/opt/ldapux/ldapux_profile.bin by default, and outfile is the output file, stdout by default.

NOTE: The binary profile contains mappings for all backend commands (even unused ones), all of which are displayed by display_profile_cache. The actual client configuration can be reviewed in the configuration profile LDIF file, /etc/opt/ldapux/ldapux_profile.ldif.
get_profile_entry -s NSS

The following command downloads the profile for the Name Service Switch (NSS) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file profile1.ldif:

get_profile_entry -s NSS -o profile1.ldif

The ldap_proxy_config Tool

This tool, found in /opt/ldapux/config, configures a proxy user or an Admin Proxy user for the client accessing the directory.
then press Return. Next, type the proxy user’s credential or password and press Return. Finally, press Return. If you configure the proxy user using SASL DIGEST-MD5 with UID authentication (that is, using the UID attribute to generate the DIGEST-MD5 hash), type the command with -i, then press Return. Next, type the proxy user DN and press Return. Next, type the proxy user’s credential or password and press Return.
-v verifies the current proxy user and credential by connecting to the server.
-h displays help on this command.

With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred.
ldap_proxy_config -i uid=proxyusr3,ou=special users,o=hp.com prox3pw proxyusr3

The following example configures the Admin Proxy user as uid=adminproxy,ou=special users,o=hp.com with the password adminproxpw and creates or updates the file /etc/opt/ldapux/acred with this information; the Admin Proxy user uses simple authentication:

ldap_proxy_config -A -i uid=adminproxy,ou=special users,o=hp.
ldap_proxy_config -v
File Credentials verified - valid

The following example configures the proxy user as uid=proxyuser,ou=special users,o=hp.com with the password prox12pw and creates or updates the file /etc/opt/ldapux/pcred with this information:

ldap_proxy_config -d "uid=proxyuser,ou=special users,o=hp.
beq Search Tool

-s Required. Indicates what backends are to be searched for information.
-l Query the backend directly. Bypass the APIs and skip the name service switch.
-h Provides help on this command.
-H <#> Specifies the help level (0-5). Larger numbers provide more information.

If you specify -h or -H, no other parameters are needed.
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)

2. An example beq command using the user name adm as the search key, pwd (password) as the service, and files as the library is shown below:

./beq -k n -s pwd -l /usr/lib/libnss_files.1 adm
nss_status .............. NSS_SUCCESS
pw_name...........(adm)
pw_passwd.........(*)
pw_uid............(4)
pw_gid............(4)
pw_age............()
pw_comment........
nss_status .............. NSS_SUCCESS
gr_name...........(igrp1)
gr_passwd.........(*)
gr_gid............(21)
pw_age............()
gr_mem (iuser1) (iuser2) (iuser3)

5. An example beq command using a gid number as the search key, grp (group) as the service, and ldap as the library is shown below:

./beq -k d -s grp -l /usr/lib/libnss_ldap.1 22
nss_status .............. NSS_SUCCESS
gr_name...........(igrp2)
gr_passwd.........(*)
gr_gid............(22)
pw_age............
LDAP Directory Tools

The get_attr_map.pl Tool

This tool, found in /opt/ldapux/contrib/bin, gets the attribute map information for a given name service from the profile file /etc/opt/ldapux/ldapux_profile.ldif.

Syntax

get_attr_map.pl services attribute

where services is the name of the supported service and attribute is the name of an attribute.

Examples

The following command gets the homedirectory attribute information for the passwd service:

./get_attr_map.
ldapentry

ldapentry is a script tool that simplifies the task of adding, modifying and deleting entries in a Netscape directory. It supports the following name services: passwd, group, hosts, rpc, services, networks, and protocols. ldapentry accepts run-time options either on the command line or via environment variables, which can be defined locally, defined in the configuration profile, or read in from the configuration profile.
INSERT_BASE: This DN tells ldapentry where to insert new entries. This value defaults to LDAP_BASEDN or to a default discovered from the configuration profile. INSERT_BASE is only used when adding entries.
EDITOR: The editor to use when an entry is added or modified.

Syntax

ldapentry - [options]

where
-a Adds a new entry to the directory.
-m Modifies an existing entry in the directory.
-d Deletes an existing entry in the directory.
Examples

The following configuration variables are defined in the user's configuration file, ~/.ux_ldap_admin_rc:

LDAP_BINDDN="cn=Directory Manager"
LDAP_HOST="myhost"

The command

ldapentry -a passwd UserA

will try to bind to the directory on server myhost as Directory Manager, prompt for the credentials, and retrieve the service search descriptor from the profile LDIF file based on the service name passwd.
entries based on the specified search filter. Search results are returned in LDIF format. For details, see the Netscape Directory Server 6.11 for HP-UX Administrator’s Guide, available at http://docs.hp.com/hpux/internet.

ldapmodify

You use the ldapmodify command-line utility to add or modify entries in an existing LDAP directory.
Adding One or More Users

You can add one or more users to your system as follows:

Step 1. Add the user’s posixAccount entry to your LDAP directory. You can use your directory’s administration tools, the ldapadd command, or the ldapentry tool to add a new user entry to your directory. If you are adding a large number of users, you could create a passwd file with those users and use the migration tools to add them to your directory.
Name Service Migration Scripts

This section describes the shell and perl scripts that can migrate your name service data either from source files or from NIS maps to your LDAP directory. These scripts are found in /opt/ldapux/migrate. The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your source files or NIS maps, while the perl scripts migrate_passwd.pl, migrate_group.pl, migrate_hosts.
If you change the default naming context, modify the file migrate_common.ph to reflect your naming context.

Migrating All Your Files

The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your name service data either to LDIF or into your directory. The migrate_all_online.sh shell script gets information from the appropriate source files, such as /etc/passwd, /etc/group, /etc/hosts, and so forth.
LDAP_BASEDN: The base distinguished name where you want your data. For example, the following command sets the base DN to "o=hp.com":

export LDAP_BASEDN="o=hp.com"

General Syntax for Perl Migration Scripts

All the perl migration scripts use the following general syntax:

scriptname inputfile [outputfile]

where scriptname is the name of the particular script you are using. The scripts are listed below.
Table 5-6 Migration Scripts (Continued)
migrate_rpc.pl: migrates RPCs in /etc/rpc.
migrate_services.pl: migrates services in /etc/services.
migrate_common.ph: a set of routines and configuration information all the perl scripts use.

a. systems have been configured with the same hostname, then the migration script migrate_host.
c. When migrating services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports.

Examples

The following are some examples using the migration scripts. The following command converts all name service files in /etc to LDIF:

$ migrate_all_online.
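As an added example (not one of the migration scripts shipped in /opt/ldapux/migrate), the following Python code shows the constraint in note c in practice: it converts /etc/services lines to RFC 2307 ipService LDIF, merges the protocols of one service name into a single entry, and reports a name that appears with more than one port instead of emitting it. The sample lines, the DN form cn=<name>,ou=Services,<base>, and the o=hp.com fallback base DN are assumptions of this example, not behaviour of migrate_services.pl.

```python
"""Added example, not one of the LDAP-UX migration scripts: turn /etc/services lines
into RFC 2307 ipService LDIF, merging protocols under one service name and reporting
the case the guide says the migration cannot represent: one name with several ports."""
import os

# Constructed sample /etc/services lines (not from a real system).
SAMPLE_SERVICES = """\
ftp      21/tcp
domain   53/tcp   nameserver
domain   53/udp   nameserver
sunrpc   111/tcp  rpcbind
sunrpc   111/udp  rpcbind
myapp    8080/tcp
myapp    8443/tcp  # same name, second port: cannot share one ipService entry
"""


def parse_services(text):
    """Yield (name, port, protocol, aliases) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, _, protocol = fields[1].partition("/")
        yield fields[0], int(port), protocol, fields[2:]


def group_services(text):
    """Group lines by service name. Returns (services, conflicts): services maps
    name -> {"port", "protocols", "aliases"}; conflicts lists names that appeared
    with more than one port and are therefore left out of services."""
    services, conflicts = {}, []
    for name, port, protocol, aliases in parse_services(text):
        entry = services.setdefault(name, {"port": port, "protocols": [], "aliases": set()})
        if entry["port"] != port:
            if name not in conflicts:
                conflicts.append(name)
            continue
        if protocol not in entry["protocols"]:
            entry["protocols"].append(protocol)
        entry["aliases"].update(aliases)
    for name in conflicts:
        services.pop(name, None)
    return services, conflicts


def to_ldif(services, base_dn):
    """Render one ipService entry per name. The DN form cn=<name>,ou=Services,<base>
    is an assumption of this example, not necessarily what migrate_services.pl emits."""
    lines = []
    for name in sorted(services):
        entry = services[name]
        lines += [f"dn: cn={name},ou=Services,{base_dn}", "objectClass: top",
                  "objectClass: ipService", f"cn: {name}"]
        lines += [f"cn: {alias}" for alias in sorted(entry["aliases"])]
        lines.append(f"ipServicePort: {entry['port']}")
        lines += [f"ipServiceProtocol: {p}" for p in entry["protocols"]]
        lines.append("")
    return "\n".join(lines)


def migrate_services(text, base_dn=None):
    """Like the perl scripts, take the base DN from LDAP_BASEDN when none is given;
    the o=hp.com fallback is an assumption of this example."""
    base_dn = base_dn or os.environ.get("LDAP_BASEDN", "o=hp.com")
    services, conflicts = group_services(text)
    return to_ldif(services, base_dn), conflicts
```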
The ldappasswd Command

This section describes the ldappasswd command and its parameters. The ldappasswd command, installed in /opt/ldapux/bin, is needed on clients that use an LDAP directory replica, because the replica cannot be modified by the passwd(1) command or any other command.

Syntax

ldappasswd [options]

where options can be any of the following:
-b basedn specifies basedn as the base distinguished name from which to start searching.
Examples

The following is a command the directory administrator can use to change the password in the directory for the user steves:

ldappasswd -h sys001.hp.com -p 389 -b "ou=people,o=hp.
6 User Tasks

This chapter describes the following tasks your users will need to do:

• “To Change Passwords” on page 169
• “To Change Personal Information” on page 173

To Change Passwords

With LDAP-UX Client Services, users change their password with the passwd(1) command.
directory on sys001. However, the passwd(1) command on clients 51-100 will fail because the replica server on sys002 cannot be modified. See the diagram below.
PAM and NSS. See Figure 6-2, Changing Passwords on Master Server with ldappasswd, below. See also Figure 6-3 on page 171 for a sample passwd wrapper command.
LDAP_BASEDN="$(grep -i "^defaultsearchbase:" \
    /etc/opt/ldapux/ldapux_profile.ldif | cut -d" " -f 2-99)"
/opt/ldapux/bin/ldappasswd -b "$LDAP_BASEDN" -h $LDAP_MASTER

Alternatively, your users can use a simple LDAP gateway through a web browser connected to the directory to change their password. The advantage of this method is that your users can also change their other personal information, as described below.
To Change Personal Information

On HP-UX, users change their personal information (sometimes called “gecos” information) such as full name, phone number, and location with the chfn(1) command, which changes /etc/passwd. HP-UX users change their login shell with the chsh(1) command, which also changes /etc/passwd. See the LDAP-UX Integration B.03.20 Release Notes for whether or not these commands change entries in the directory with this release.
7 Mozilla LDAP C SDK

This chapter describes the Mozilla LDAP SDK for C and the SDK file components. This chapter contains the following sections:

• “Overview” on page 176.
• “The Mozilla LDAP C SDK File Components” on page 177 briefly describes many of the files that comprise the LDAP C SDK.
Overview

LDAP-UX Client Services provides support for the Mozilla LDAP C SDK 5.14.1. The LDAP C SDK is a Software Development Kit that contains a set of LDAP Application Programming Interfaces (APIs) that allow you to build LDAP-enabled clients. The functionality implemented in the SDK closely follows the interface outlined in RFC 2251. Using the functionality provided with the SDK, you can enable your clients to connect to LDAP v3-compliant servers and perform LDAP functions.
The Mozilla LDAP C SDK File Components

Table 7-1 shows the Mozilla LDAP C SDK 5.14.1 file components on the HP-UX 32- or 64-bit PA machine:

Table 7-1 Mozilla LDAP C SDK File Components on the PA machine (Files: Description)
/usr/lib/libldap.sl (32-bit), /usr/lib/pa20_64/libldap.sl (64-bit): Main LDAP C SDK API libraries that link to the /opt/ldapux/lib libraries.
/opt/ldapux/lib/libnspr4.sl (32-bit), /opt/ldapux/lib/libnss3.
Table 7-1 Mozilla LDAP C SDK File Components on the PA machine (Continued)
/opt/ldapux/contrib/ldapsdk/source.tar.gz: Mozilla LDAP C SDK source (for license compliance).
/opt/ldapux/bin/ldapdelete, /opt/ldapux/bin/ldapmodify, /opt/ldapux/bin/ldapsearch, /opt/ldapux/bin/ldapcmp, /opt/ldapux/bin/ldapcompare: Tools to delete, modify, and search for entries in a directory. See the Netscape Directory Server Administrator’s Guide for details.
Table 7-2 Mozilla LDAP C SDK File Components on the IA machine (Files: Description)
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit), /opt/ldapux/lib/hpux32/libnss3.so (32-bit), /opt/ldapux/lib/hpux32/libplc4.so (32-bit), /opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit), /opt/ldapux/lib/hpux32/libssl3.so (32-bit), /opt/ldapux/lib/hpux32/libfreebl_pure32_3.so, /opt/ldapux/lib/hpux32/libplds4.so (32-bit): LDAP C SDK dependency libraries.
Table 7-2 Mozilla LDAP C SDK File Components on the IA machine (Continued)
/opt/ldapux/contrib/ldapsdk/source.tar.gz: Mozilla LDAP C SDK source (for license compliance).
/opt/ldapux/bin/ldapdelete, /opt/ldapux/bin/ldapmodify, /opt/ldapux/bin/ldapsearch, /opt/ldapux/bin/ldapcmp, /opt/ldapux/bin/ldapcompare: Tools to delete, modify, and search for entries in a directory. See the Netscape Directory Server Administrator’s Guide for details.
Table 7-3 Mozilla LDAP C SDK API Header Files (Continued)
/usr/include/disptmpl.h: Support for LDAP display templates. Allows applications to convert LDAP entries into displayable text strings and HTML.
/usr/include/lber.h: Support for creating messages that follow the Basic Encoding Rules syntax. These APIs are used when building extended LDAP operations or controls. This file is a support file for ldap.
A Configuration Worksheet

Use this worksheet to help you configure LDAP-UX Client Services. See Chapter 2, “Installing And Configuring LDAP-UX Client Services,” on page 9 for details.
Table A-2 LDAP-UX Client Services Configuration Worksheet Explanation
Directory administrator DN: The distinguished name of a directory administrator allowed to modify the directory. Example: cn=directory manager
Directory server host: The host name or IP address where your directory server is running. Example: sys001.hp.com (12.34.56.78)
Directory server port: The TCP port number your directory server is using.
Table A-2 LDAP-UX Client Services Configuration Worksheet Explanation (Continued)
Migration method: How you will migrate your user and group data into the directory, for example, using the migration scripts. Example: migrate_all_online.sh edited to remove all but migrate_passwd.pl, migrate_group.pl, and migrate_base.
B LDAP-UX Client Services Object Classes

This Appendix describes the object classes LDAP-UX Client Services uses for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:
1. posixDUAProfile
2. posixNamingProfile

With release B.03.00, the posixDUAProfile and posixNamingProfile object classes have been replaced by a single STRUCTURAL object class, DUAConfigProfile. In addition, four new attributes are added.
searchTimeLimit, serviceAuthenticationMethod, serviceCredentialLevel, serviceSearchDescriptor

Profile Attributes

The attributes of DUAConfigProfile are defined as follows:

cn is the common name of the profile entry.
attributeMap is a mapping from RFC 2307 attributes to alternate attributes. Use this if your entries do not conform to RFC 2307.
authenticationMethod is how the client binds to the directory. The value can be “simple”, indicating a bind using a user name and password. If this attribute has no value, “simple” is the default.
bindTimeLimit is how long, in seconds, the client should wait for a bind before aborting. 0 (zero) means no time limit. If this attribute has no value, the default is no time limit.
credentialLevel is the identity clients use when binding to the directory.
profileTTL is the recommended time interval before refreshing the cached configuration profile.
searchTimeLimit is how long, in seconds, a client should wait for directory searches before aborting. 0 (zero) means no time limit. If this attribute has no value, the default is no time limit.
serviceSearchDescriptor is one to three custom search descriptors for each service.
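To make these defaults concrete, the following Python script is an added example (not code from LDAP-UX): it parses a profile LDIF, checks that an entry with objectClass DUAConfigProfile is present as create_profile_cache requires, applies the documented defaults for authenticationMethod, bindTimeLimit and searchTimeLimit, and flags a time limit of 0 or more than three serviceSearchDescriptor values for one service. The sample LDIF values are constructed, not taken from a real system.

```python
"""Added example, not part of LDAP-UX: read ldapux_profile.ldif, confirm it holds the
DUAConfigProfile entry create_profile_cache requires, and apply the guide's defaults."""
# Constructed sample profile (assumed values); the folded line exercises LDIF continuation.
SAMPLE_PROFILE_LDIF = """\
dn: cn=profile1,ou=profiles,o=hp.com
objectClass: top
objectClass: DUAConfigProfile
defaultSearchBase: o=hp.com
authenticationMethod: simple
credentialLevel: proxy
searchTimeLimit: 30
serviceSearchDescriptor: passwd:ou=people,o=hp.com?one
serviceSearchDescriptor: group:ou=groups,
 o=hp.com?one
"""

# Defaults stated in the guide; a time limit of "0" means no limit.
DEFAULTS = {"authenticationmethod": "simple", "bindtimelimit": "0", "searchtimelimit": "0"}


def parse_ldif_entries(text):
    """Split LDIF into entries: dict of lowercased attribute -> list of values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if not value.startswith(":"):        # skip base64 (::) values
                current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def find_dua_profile(entries):
    """Return the first entry whose objectClass includes DUAConfigProfile, else None."""
    for entry in entries:
        if any(v.lower() == "duaconfigprofile" for v in entry.get("objectclass", [])):
            return entry
    return None


def effective_settings(entry):
    """Single-valued settings; a default applies when the attribute is absent or empty."""
    settings = {a: next((v for v in entry.get(a, []) if v), None)
                for a in ("defaultsearchbase", "credentiallevel", "profilettl")}
    for attr, default in DEFAULTS.items():
        settings[attr] = next((v for v in entry.get(attr, []) if v), default)
    return settings


def review_profile(text):
    """Return (settings, findings) for a profile LDIF; raise if no DUAConfigProfile entry."""
    entry = find_dua_profile(parse_ldif_entries(text))
    if entry is None:
        raise ValueError("LDIF has no entry with objectClass DUAConfigProfile")
    settings = effective_settings(entry)
    findings = []
    if settings["bindtimelimit"] == "0":
        findings.append("bindTimeLimit is 0: no time limit on binds")
    if settings["searchtimelimit"] == "0":
        findings.append("searchTimeLimit is 0: no time limit on searches")
    # The guide allows one to three serviceSearchDescriptor values per service.
    per_service = {}
    for descriptor in entry.get("servicesearchdescriptor", []):
        service = descriptor.split(":", 1)[0]
        per_service[service] = per_service.get(service, 0) + 1
    for service, count in per_service.items():
        if count > 3:
            findings.append(f"{service}: {count} serviceSearchDescriptor values, more than three")
    return settings, findings
```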
C Sample /etc/pam.ldap.trusted file

This Appendix provides the sample PAM configuration file, /etc/pam.ldap.trusted, used as the /etc/pam.conf file to support the coexistence of LDAP-UX and Trusted Mode. This /etc/pam.ldap.trusted file must be used as the /etc/pam.conf file if your directory server is the Netscape Directory Server and your LDAP client is in Trusted Mode. If your system is in standard mode, you still need to use the /etc/pam.ldap file as the /etc/pam.conf file.
# For PA applications, a library name ending with "so.1" is a
# symbolic link that points to the corresponding PA (32 or 64
# bit) backend library.
Glossary

See also the Glossary in the Netscape Directory Server for HP-UX Administrator’s Guide, available at http://docs.hp.com/hpux/internet.

Access Control Instruction: A specification controlling access to entries in a directory.
Access Control List: One or more ACIs.
ACI: See Access Control Instruction.
IETF: Internet Engineering Task Force; the organization that defines the LDAP specification. See http://www.ietf.org.
SLAPD: The University of Michigan’s stand-alone implementation of LDAP, without the need for an X.500 directory.
Start-up file: A text file containing information the client needs to access an LDAP directory and download a configuration profile. See also Configuration profile.
ypldapd: The NIS/LDAP Gateway daemon, part of the NIS/LDAP Gateway subproduct.