LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Active Directory Administrator's Guide

Administering LDAP-UX Client Services
SASL GSSAPI Support
Keytab File
LDAP-UX allows you to specify the keytab file used for SASL GSSAPI
authentication. Run the setup program to specify the keytab file, or set
the kerberos_keytab_file option in
/etc/opt/ldapux/ldapux_client.conf. If you do not specify a keytab
file, LDAP-UX uses the default keytab file specified in /etc/krb5.conf.
If no default keytab file is configured in /etc/krb5.conf, the keytab
file /etc/krb5.keytab is used.
Each service principal must have a service key known by every domain
controller, each of which also acts as a KDC.
Use the ktpass tool to create the keytab file and set up an identity
mapping to the host account.
The following example shows how to run ktpass to create the keytab file
for the HP-UX host myhost in the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost@CUP.HP.COM -mapuser myhost
-pass mypasswd -out unix.keytab
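The following POSIX shell script is an added example, not part of the LDAP-UX documentation. It applies the keytab precedence described above (kerberos_keytab_file in ldapux_client.conf, then the krb5.conf default, then /etc/krb5.keytab) to report which file LDAP-UX would use, and checks that the resulting keytab is readable only by its owner, since the service key inside it is equivalent to the host's Kerberos password. The configuration syntax is assumed: a key=value line for kerberos_keytab_file in ldapux_client.conf, and default_keytab_name under [libdefaults] in krb5.conf. The sample configuration files and keytabs are constructed in a temporary directory; none are real system files.

```shell
#!/bin/sh
# Added example (not LDAP-UX code): resolve the keytab LDAP-UX would use and
# check its permissions. Assumed formats: "kerberos_keytab_file=/path" in
# ldapux_client.conf and "default_keytab_name = FILE:/path" under
# [libdefaults] in krb5.conf.

# resolve_keytab LDAPUX_CONF KRB5_CONF
# Prints the keytab path, following the precedence described in the guide:
#   1. kerberos_keytab_file in ldapux_client.conf
#   2. default_keytab_name in the [libdefaults] section of krb5.conf
#   3. /etc/krb5.keytab
resolve_keytab() {
    kt=""
    if [ -r "$1" ]; then
        kt=$(sed -n 's/^[[:space:]]*kerberos_keytab_file[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    fi
    if [ -z "$kt" ] && [ -r "$2" ]; then
        kt=$(awk '
            /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/) }
            in_lib && /^[ \t]*default_keytab_name[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); print
            }' "$2" | tail -n 1)
    fi
    [ -z "$kt" ] && kt=/etc/krb5.keytab
    # krb5.conf may prefix the path with the "FILE:" keytab type; strip it.
    kt=${kt#FILE:}
    # Drop any trailing whitespace left on the configuration line.
    printf '%s\n' "$kt" | sed 's/[[:space:]]*$//'
}

# check_keytab_perms PATH
# Returns 0 if PATH exists and is readable only by its owner, 1 if it is
# missing, 2 if group or other have any permission bit set.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 2
    return 0
}

# Constructed sample inputs in a temporary directory (not real system files).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/ldapux_client.conf" <<'EOF'
# constructed ldapux_client.conf fragment
kerberos_keytab_file=/etc/opt/ldapux/unix.keytab
EOF
cat > "$DEMO_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CUP.HP.COM
    default_keytab_name = FILE:/var/krb5/site.keytab
[realms]
    CUP.HP.COM = {
        kdc = myhost.cup.hp.com
    }
EOF
: > "$DEMO_DIR/empty.conf"
: > "$DEMO_DIR/strict.keytab"; chmod 600 "$DEMO_DIR/strict.keytab"
: > "$DEMO_DIR/loose.keytab";  chmod 644 "$DEMO_DIR/loose.keytab"

echo "explicit option:   $(resolve_keytab "$DEMO_DIR/ldapux_client.conf" "$DEMO_DIR/krb5.conf")"
echo "krb5.conf default: $(resolve_keytab "$DEMO_DIR/empty.conf" "$DEMO_DIR/krb5.conf")"
echo "built-in default:  $(resolve_keytab "$DEMO_DIR/empty.conf" "$DEMO_DIR/missing.conf")"
for f in "$DEMO_DIR/strict.keytab" "$DEMO_DIR/loose.keytab"; do
    rc=0; check_keytab_perms "$f" || rc=$?
    case $rc in
        0) echo "OK:   $f is readable only by its owner" ;;
        1) echo "MISS: $f does not exist" ;;
        *) echo "WARN: $f is readable by group or other" ;;
    esac
done
```

On a real host, run resolve_keytab against /etc/opt/ldapux/ldapux_client.conf and /etc/krb5.conf and pass its output to check_keytab_perms; a keytab that group or other can read lets any local user impersonate the host principal to the domain controllers.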
SASL/GSSAPI Profile Download Support
LDAP-UX Client Services B.04.00 does not support automatic download of
the LDAP-UX profile when SASL/GSSAPI authentication is used with a host
or service principal whose key is stored in a Kerberos keytab file. This
limitation affects the LDAP-UX "profile time to live" feature, which
automatically re-downloads a profile after its profileTTL time period
has expired.
You can download profiles manually with the get_profile_entry command,
as long as you provide a principal and password on the command line.
The following command shows how to download the profile manually. If
your profile changes frequently, you may wish to place this command in
a script that cron runs periodically.
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"