LDAP-UX Client Services B.04.
© Copyright 2007 Hewlett-Packard Company, L.P.

Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Preface: About This Document
The latest version of this document can be found online at: http://www.docs.hp.com
This document describes how to install and configure the LDAP-UX Client Services product on HP-UX platforms. The document printing date and part number indicate the document's current edition. The printing date changes when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number changes when extensive changes are made.
Table 1 Publishing History Details (continued)

Document Manufacturing Part Number | Operating Systems Supported | Supported Product Versions | Publication Date
J4269-90063 | 11i v1 and v2 | B.04.10 | December 2006
J4269-90073 | 11i v1, v2 and v3 | B.04.10 | April 2007

What's in This Document
This manual describes how to install, configure and administer the LDAP-UX Client Services software product.
HP Encourages Your Comments
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to: netinfo_feedback@cup.hp.com
Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
1 Introduction
LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. This LDAP directory can be a directory server running on HP-UX, such as Netscape Directory Server 6.x or Red Hat Directory Server 7.x, or the account information can be integrated into Windows 2000/2003 Active Directory.
Figure 1-2 A Simplified LDAP-UX Client Services Environment (figure: an LDAP directory server, updates flowing to an LDAP directory server replica, and LDAP requests from LDAP-UX clients)
LDAP-UX Client Services supports the following name service data: passwd, groups, hosts, rpc, services, networks, protocols, publickeys, automount, netgroup. See the LDAP-UX Integration B.04.10 Release Notes for any additional supported services.
Table 1-1 Examples of Commands and Subsystems that use PAM and NSS (continued)

Commands that use NSS: groups (2), newgrp (2), pwget (2), grget (2), listusers (2), logins (2), nslookup
Commands that use PAM and NSS: remsh

(1) nsquery(1) is a contributed tool included with the ONC/NFS product.
(2) These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.
The profile is an entry in the directory containing details on how clients are to access the directory, such as:
• where and how clients should search the directory for user, group and other name service information.
• how clients should bind to the directory: anonymously or as a proxy user. Anonymous access is simplest. Configuring a proxy user adds some security, but at the same time it adds the overhead of managing the proxy user.
• other configuration parameters such as search time limits.
2 Installing And Configuring LDAP-UX Client Services
This chapter describes the decisions you need to make and the steps to install Netscape/Red Hat Directory Server and configure LDAP-UX Client Services. This chapter contains the following sections:
• Before You Begin (page 21).
• Summary of Installing and Configuring (page 22).
• Plan Your Installation (page 23).
• Install LDAP-UX Client Services on a Client (page 28).
• Configure Your Directory (page 29).
Summary of Installing and Configuring
The following summarizes the steps you take when installing and configuring an LDAP-UX Client Services environment.
• See Plan Your Installation (page 23).
• Install LDAP-UX Client Services on each client system. See Install LDAP-UX Client Services on a Client (page 28).
• Install and configure an LDAP directory, if not already done. See Configure Your Directory (page 29).
Plan Your Installation
Before beginning your installation, plan how you will set up and verify your LDAP directory and your LDAP-UX Client Services environment before putting them into production. Consider the following questions. Record your decisions and other information you'll need later in Configuration Worksheet (page 183).
• How many LDAP directory servers and replicas will you need? Each client system binds to an LDAP directory server containing your user, group, and other data.
reduces LDAP-UX's response time to applications. In addition, the daemon re-uses connections for LDAP queries and maintains multiple connections to an LDAP server to improve performance. The migration scripts provided with LDAP-UX Client Services can build and populate a new directory subtree for your user and group data.
Figure 2-1 Example Directory Structure
o=hp.com
  ou=unix
    ou=people (user data)
    ou=groups (group data)
    ou=profiles (profile1)
    ou=hosts (host data)
Write your configuration profile DN on the worksheet in Configuration Worksheet (page 183).
• By what method will client systems bind to the directory? Clients can bind to the directory anonymously. This is the default and is simplest to administer.
• Do you want to use TLS (Transport Layer Security) or SSL for secure communication between clients and Netscape/Red Hat Directory servers? LDAP-UX supports SSL or TLS with a password as the credential, using either simple bind or DIGEST-MD5 authentication (DIGEST-MD5 is available for Netscape/Red Hat Directory Server only) to ensure confidentiality and data integrity between clients and servers. startTLS is an LDAP extended operation that negotiates TLS on an existing connection.
For detailed information about AutoFS with LDAP support, see AutoFS Support (page 56).
• What name services will you use? How will you set up /etc/nsswitch.conf? In what order do you want NSS to try services? NSS is the Name Service Switch, providing naming services for user names, group names, and other information. You can configure NSS to use files, ldap, or NIS in any order and with different parameters. See /etc/nsswitch.ldap for an example nsswitch.conf file using files and ldap.
will not work on clients configured to use such a directory replica. See To Change Passwords (page 177) for how you can use ldappasswd(8) in this situation. Check the Release Notes for any other limitations and tell your users how they can work around them.

Install LDAP-UX Client Services on a Client
Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on a client system. See the LDAP-UX Integration B.04.
Configure Your Directory
This section describes how to configure your directory to work with LDAP-UX Client Services. Examples are given for Netscape Directory Server for HP-UX version 6.x. See the LDAP-UX Integration B.04.10 Release Notes for information on supported directories. If you have a different directory, see the documentation for your directory for details on how to configure it. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.
in the directory at ou=groups,ou=unix,o=hp.com, allows only the directory administrator to modify entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
4. Grant read access to all attributes of the posix schema. Ensure all users have read access to the posix attributes.
The following attributes are recommended for indexing:
• cn
• objectclass
• memberuid
• uidnumber
• gidnumber
• uid
• ipserviceport
• iphostnumber
To index these attributes with Netscape/Red Hat Directory Server, use the Console: Configuration tab, Indexes tab, Add Attributes button.
10. Determine if you need to support enumeration requests. If you do, increase the Look-Through limit, the Size limit, and the All-IDs-Threshold in the Directory Server.
Import Name Service Data into Your Directory
The next step is to import your name service data into your LDAP directory. Here are some considerations when planning this:
• If you have already imported data into your directory with the NIS/LDAP Gateway product, LDAP-UX Client Services can use that data and you can skip to Configure the LDAP-UX Client Services (page 33).
• If you are using NIS, the migration scripts take your NIS maps and generate LDIF files.
Configure the LDAP-UX Client Services
Below is a summary of how to configure LDAP-UX Client Services with Netscape Directory Server 6.x. For a default configuration, see Quick Configuration (page 34). For a custom configuration, see Custom Configuration (page 38) for more information.
NOTE: The setup program has only been certified with Netscape Directory Server 6.x, Red Hat Directory Server 7.x and Windows 2000/2003/2003 R2 Active Directory Server. See the LDAP-UX Integration B.04.
• Optionally modify the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file to disable logins to the local system from specific users.
• Optionally configure the authorization of one or more subgroups from a large repository such as an LDAP directory server. For detailed information on how to set up the policy file, /etc/opt/ldapux/pam_authz.policy, see Policy File (page 101).
2. Stop the directory server.
3. Remove the obsolete automount schema:
   a. objectclass - automount
   b. attribute - automountInformation
   Note: for Netscape Directory Server, they are in 10rfc2307.ldif.
4. Start the directory server and re-run the setup program to install the new automount schema.
Do you still want to use the new automount schema? Press Yes will exit this program. [YES]:
Reply "yes" when asked whether you still want to use the new automount schema. If you reply yes, the setup program exits.
16. You can quickly configure a Directory Server and the first client by accepting the remaining default configuration parameters when prompted. If you want to use the SASL DIGEST-MD5 authentication method, you need to configure a proxy user with its credential level. With SASL DIGEST-MD5 authentication, the password must be stored in clear text in the LDAP directory.
and fill in the UID range. The format is:
disable_uid_range=uid#,[uid#-uid#],....
where uid# stands for a uid number. For example:
disable_uid_range=0-100,300-450,89
Note:
• White space between numbers is ignored.
• Only one line of the list is accepted; however, the line can be wrapped.
• The maximum number of ranges is 20.
22. Verify the LDAP-UX Client Services (page 65).
23. Configure subsequent clients by running setup on those clients and specifying an existing configuration profile.
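As an added illustration (not part of the HP manual or its setup program), the following Python parses a disable_uid_range value under the three rules in the note above and reports which accounts a given setting would lock out, which is a useful pre-flight check before activating it. The configuration excerpt and the account list are constructed; treating a trailing backslash as the line-wrap convention is an assumption.

```python
import re
from typing import List, Tuple

MAX_RANGES = 20          # the manual allows at most 20 ranges
UidRange = Tuple[int, int]


def parse_disable_uid_range(value: str) -> List[UidRange]:
    """Parse 'uid#,[uid#-uid#],...' into (low, high) pairs.

    White space between numbers is ignored, a lone uid becomes (uid, uid),
    and malformed elements or more than MAX_RANGES ranges raise ValueError.
    """
    text = re.sub(r"\s+", "", value)
    if not text:
        return []
    ranges: List[UidRange] = []
    for item in text.split(","):
        low, sep, high = item.partition("-")
        if not low.isdigit() or (sep and not high.isdigit()):
            raise ValueError(f"malformed disable_uid_range element: {item!r}")
        lo = int(low)
        hi = int(high) if sep else lo
        if lo > hi:
            raise ValueError(f"range is reversed: {item!r}")
        ranges.append((lo, hi))
    if len(ranges) > MAX_RANGES:
        raise ValueError(f"{len(ranges)} ranges given, maximum is {MAX_RANGES}")
    return ranges


def ranges_from_client_conf(conf_text: str) -> List[UidRange]:
    """Extract the first disable_uid_range setting from ldapux_client.conf text.

    Assumption: a wrapped value continues on the next line after a trailing
    backslash. Comment lines (#) are skipped and only the first setting counts.
    """
    lines = iter(conf_text.splitlines())
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("#") or not stripped.startswith("disable_uid_range"):
            continue
        key, sep, value = stripped.partition("=")
        if key.strip() != "disable_uid_range" or not sep:
            continue
        while value.rstrip().endswith("\\"):
            value = value.rstrip()[:-1] + next(lines, "")
        return parse_disable_uid_range(value)
    return []


def uid_is_disabled(uid: int, ranges: List[UidRange]) -> bool:
    """True when uid falls inside any configured range."""
    return any(lo <= uid <= hi for lo, hi in ranges)


def disabled_accounts(ranges: List[UidRange], accounts) -> List[str]:
    """Return the names among (name, uidNumber) pairs that the setting locks out."""
    return [name for name, uid in accounts if uid_is_disabled(uid, ranges)]


# Constructed excerpt of /etc/opt/ldapux/ldapux_client.conf (not from the manual)
SAMPLE_CONF = """# constructed example
disable_uid_range=0-100, 300-450, \\
    89
"""

# Constructed directory accounts: (uid, uidNumber)
SAMPLE_ACCOUNTS = [("root", 0), ("iuser1", 1001), ("svcbackup", 320), ("xuser2", 9998)]

if __name__ == "__main__":
    cfg = ranges_from_client_conf(SAMPLE_CONF)
    print("ranges:", cfg)
    print("locked out:", disabled_accounts(cfg, SAMPLE_ACCOUNTS))
```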
Custom Configuration
Running the Setup program for a quick configuration, as described above, configures your client using default values where possible. If you would like to customize these parameters, proceed as follows. If you want to use SSL or TLS, you must perform the following tasks before you run the custom configuration. See “Configure the LDAP-UX Client Services with SSL or TLS Support” (page 45) for details.
• Ensure that you have installed the certificate database files, cert8.db or cert7.
4. Specify the host name and optional port number where your directory is running. If you choose to use TLS, the default directory port number is 389. If you choose to use SSL, the default directory port number is 636. For high availability, each LDAP-UX client can look for user and group information in up to three different directory servers. You can specify up to three directory hosts, to be searched in order.
Each service uses a standard object class (defined by RFC 2307). You can remap any of these attributes to alternate attributes.
Do you want to remap any of the standard RFC 2307 attributes?
Enter “yes” if you want to remap attributes for any of the supported services. Then go to the “Remapping Attributes for Services” (page 41) section for details of the procedures.
If you want to create the nisObject search filter for the automount service, type (objectclass=nisObject) at the following prompt and press the Return key; otherwise press the Return key to accept the default search filter, objectclass=automount:
Search filter [(objectclass=automount)]: (objectclass=nisObject)
13. You will be asked whether or not you want to start the client daemon. For LDAP-UX Client B.03.20 or later versions, the client daemon must be started for LDAP-UX functions to work.
Specify the attribute you want to map. [0]:2
6. Next, type the attribute cn that you want to map to the automountKey attribute and press the Return key:
automountKey -> cn
7. Next, it takes you to the screen which shows you the following information:
Current Automount attribute names:
1.automountMapName -> [nisMapname]
2.automountKey -> [cn]
3.automountInformation -> [automountInformation]
Specify the attribute you want to map.
4.userpassword -> [userPassword]
Specify the attribute you want to map. [0]:
If you want to specify the attribute to map to memberuid, type 3 at the following question and press the Return key:
Specify the attribute you want to map? [0]: 3
4. Type the attribute, memberURL or nxsearchFilter, that you want to map to the memberuid attribute and press the Return key:
memberuid -> memberURL
5. Next, it takes you to the screen which shows you the following information: Current Group.
1.cn -> [cn]
2.gidnumber -> [gidnumber]
3.memberuid -> [member]
4.userpassword -> [userPassword]
Specify the attribute you want to map. [0]:
Type 0 to exit this menu at the following question:
Specify the attribute you want to map. [0]:0
NOTE: LDAP-UX supports DN-based (X.500 style) membership syntax. This means that you do not need to use the memberUid attribute to define the members of a POSIX group. Instead, you can use either the member or uniqueMember attribute.
Configure the LDAP-UX Client Services with SSL or TLS Support
LDAP-UX Client Services provides SSL (Secure Sockets Layer) support to secure communication between LDAP clients and the LDAP directory server. An encrypted session is established on an encrypted port, 636.
NOTE: If you already have the certificate database files, cert7.db or cert8.db and key3.db, on your client for your HP-UX applications, you can simply create a symbolic link /etc/opt/ldapux/cert7.db that points to cert7.db or /etc/opt/ldapux/cert8.db that points to cert8.db, and /etc/opt/ldapux/key3.db that points to key3.db. You can download the certificate database from the Netscape Communicator or Mozilla browser to set up the certificate database on your LDAP-UX client.
Steps to create database files using the certutil utility
The following steps show an example of how to create the security database files, cert8.db and key3.db, on your client system using the certutil utility:
1. Retrieve the Base64-encoded certificate from the certificate server and save it. For example, get the Base64-encoded certificate from the certificate server and save it as the /tmp/mynew.cert file.
NOTE: The -t "p,," represents the minimum trust attributes that may be assigned to the LDAP server's certificate for LDAP-UX to successfully use SSL or TLS to connect to the LDAP directory server. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
1. Run the following steps to find the name of the LDAP server used on the server certificate. This assumes the certificate has been installed in your local certificate database file, /etc/opt/ldapux/cert8.db:
• Run the following commands to list all server certificates used by LDAP-UX:
cd /etc/opt/ldapux
certutil -d . -L
• Run the following command to select the nickname of the certificate from the above list:
certutil -d . -L -n
• Select the first name component of the “Subject:” name.
Configure LDAP-UX Client Services with Publickey Support
LDAP-UX Client Services B.04.00 or later supports discovery and management of public keys in an LDAP directory. Both public and secret keys used by the Secure RPC API can be stored in user and host entries in an LDAP directory server, using the nisKeyObject objectclass. Support for discovery of keys in an LDAP directory server is provided through the getpublickey() and getsecretkey() APIs.
• Select and download one of the following software bundles and place it on your client system (/tmp is assumed):
— Enhkey B.11.11.01 HP-UX B.11.11 64+32 depot for HP-UX 11i v1
— Enhkey B.11.23.01 HP-UX B.11.23 IA+PA depot for HP-UX 11i v2
• Use swinstall to install the software bundle:
— swinstall -x autoreboot=true -s /tmp/ENHKEY_B.11.11.01_HP-UX_B.11.11_64_32.depot for HP-UX 11i v1
— swinstall -x autoreboot=true -x reinstall=false -s /tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.
Setting ACI for Key Management
Before storing public keys in an LDAP server, LDAP administrators may wish to update their LDAP access controls so that users can manage their own keys and the Admin Proxy user can manage host keys. This section describes how you set up access control instructions (ACI) for an Admin Proxy user or a user.
Setting ACI for an Admin Proxy User
With Netscape Directory Server 6.11 and 6.
Setting ACI for a User
The default ACI of Netscape Directory Server 6.11 allows a user to change his own nispublickey and nissecretkey attributes. For Netscape Directory Server 6.21, you need to set up an ACI that gives a user permission to change his own nissecretkey and nispublickey attributes. Use the Netscape Console or ldapmodify to set up the ACI for a user.
1. Log in as root.
2. Use the ldapentry tool to modify the profile entry in the LDAP directory server to include serviceAuthenticationMethod. To do this, ldapentry requires the profile DN. You can find the profile DN from PROFILE_ENTRY_DN in /etc/opt/ldapux/ldapux_client.conf after you finish running the setup program. The following example edits the profile entry "cn=ldapuxprofile,dc=org,dc=hp,dc=com". For example:
cd /opt/ldapux/bin .
If the serviceAuthenticationMethod:keyserv:sasl/digest-md5 entry is added to the profile entry in the LDAP directory, you see the following information when you run the display_profile_cache tool:
serv-auth: keyserv:sasl/digest-md5
auth opts: username: uid realm:
For subsequent LDAP-UX client systems that share the same profile configuration, use the following steps to download and activate the profile:
1. Log in as root.
2. Go to /opt/ldapux/config:
cd /opt/ldapux/config
AutoFS Support
AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them. If an automounted file system has been idle for a period of time, AutoFS unmounts it. AutoFS uses name services such as files, NIS or NIS+ to store and manage AutoFS maps. LDAP-UX Client Services B.04.00 supports the automount service under the AutoFS subsystem. This new feature allows users to store AutoFS maps in an LDAP directory server.
Schema
The following shows the RFC 2307-bis automount schema in LDIF format:
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'Automount Map information' SUP top STRUCTURAL MUST automountMapName MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.
objectClass: automount
automountInformation: hostB:/tmp
automountKey: /mnt_direct/test2

The nisObject Automount Schema
The nisObject automount schema defines nisMap and nisObject structures to represent the AutoFS maps and their entries. The AutoFS maps are stored in the LDAP directory server using the nisMap and nisObject structures.
Obsolete Automount Schema
The obsolete automount schema is shipped with Netscape Directory Server version 6.x. You must manually delete it before the setup program can successfully import the new automount schema into the LDAP directory server.
Removing The Obsolete Automount Schema
Perform the following steps to delete the obsolete automount schema:
1. Log in to your Netscape Directory Server as root.
2. Stop your Netscape Directory Server daemon, slapd.
Table 2-4 Attribute Mappings

New Automount Attribute | nisObject Automount Attribute
automountMapname | nisMapname
automountKey | cn
automountInformation | nisMapEntry

• Change the automount search filter for the automount service to the nisObject search filter. LDAP-UX Client Services uses the automount search filter for the automount service as a default. The search filter change can be done in step 12 of the Custom Configuration.
Table 2-5 Migration Scripts

Migration Script | Description
migrate_automount.pl | Migrates AutoFS maps from files to LDIF.
migrate_nis_automount.pl | Migrates AutoFS maps from the NIS server to LDIF.
migrate_nisp_autofs.pl | Migrates AutoFS maps from the NIS+ server to the nisp_automap.ldif file.
Syntax
scriptname inputfile outputfile
Examples
The following commands migrate the AutoFS map /etc/auto_direct to LDIF and place the results in the /tmp/auto_direct.ldif file:
export LDAP_BASEDN="dc=nishpind"
migrate_automount.pl /etc/auto_direct /tmp/auto_direct.ldif
The following shows the /etc/auto_direct file:
#local mount point    remote server:directory
/mnt/direct/lab1      hostA:/tmp
/mnt/direct/lab2      hostB:/tmp
The following shows the /tmp/auto_direct.
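The following Python is an added example and not the manual's migrate_automount.pl: it converts an AutoFS map file such as /etc/auto_direct into LDIF for either the RFC 2307-bis automount schema shown in the Schema section or the nisObject schema of Table 2-4, applying the DN escaping and LDIF base64 rules that a hand-written converter usually forgets. The DN layout (automountKey under automountMapName under LDAP_BASEDN, and cn under nisMapName for nisObject) is an assumption; the sample map is the /etc/auto_direct content shown above, embedded inline.

```python
import base64
from typing import Iterator, List, Tuple

# Attribute names for the two schemas; the nisObject column follows Table 2-4
SCHEMAS = {
    "automount": {"map_oc": "automountMap", "map_attr": "automountMapName",
                  "entry_oc": "automount", "key_attr": "automountKey",
                  "info_attr": "automountInformation"},
    "nisObject": {"map_oc": "nisMap", "map_attr": "nisMapName",
                  "entry_oc": "nisObject", "key_attr": "cn",
                  "info_attr": "nisMapEntry"},
}

# The /etc/auto_direct file shown above, embedded inline for a stand-alone run
AUTO_DIRECT = """#local mount point    remote server:directory
/mnt/direct/lab1      hostA:/tmp
/mnt/direct/lab2      hostB:/tmp
"""


def _logical_lines(text: str) -> Iterator[str]:
    """Yield map lines with backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        yield (pending + stripped).strip()
        pending = ""
    if pending:
        yield pending.strip()


def parse_autofs_map(text: str) -> List[Tuple[str, str]]:
    """Return (key, information) pairs; comments and blank lines are skipped.

    The key is the first field; everything after it (mount options and the
    server:directory location) is kept as the map information.
    """
    entries = []
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"map line has no location: {line!r}")
        entries.append((fields[0], " ".join(fields[1:])))
    return entries


def rdn_escape(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """Format one LDIF attribute line, base64-encoding values LDIF cannot carry verbatim."""
    plain = (value.isascii() and bool(value) and value[0] not in " :<"
             and "\n" not in value and not value.endswith(" "))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def autofs_to_ldif(map_name: str, map_text: str, base_dn: str,
                   schema: str = "automount") -> str:
    """Build the LDIF for one AutoFS map: the map container plus one entry per line."""
    s = SCHEMAS[schema]
    map_dn = f"{s['map_attr']}={rdn_escape(map_name)},{base_dn}"
    out = [f"dn: {map_dn}", "objectClass: top", f"objectClass: {s['map_oc']}",
           ldif_attr(s["map_attr"], map_name), ""]
    for key, info in parse_autofs_map(map_text):
        out += [f"dn: {s['key_attr']}={rdn_escape(key)},{map_dn}",
                "objectClass: top", f"objectClass: {s['entry_oc']}",
                ldif_attr(s["key_attr"], key), ldif_attr(s["info_attr"], info)]
        if schema == "nisObject":
            # RFC 2307 requires nisMapName on each nisObject entry as well
            out.append(ldif_attr("nisMapName", map_name))
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(autofs_to_ldif("auto_direct", AUTO_DIRECT, "dc=nishpind"))
    print(autofs_to_ldif("auto_direct", AUTO_DIRECT, "dc=nishpind", "nisObject"))
```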
The migrate_nis_automount.pl Script
This script, found in /opt/ldapux/migrate, migrates the AutoFS maps from the NIS server to LDIF.
Syntax
scriptname inputfile outputfile
Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the /tmp/auto_indirect.ldif file:
export LDAP_BASEDN="dc=nisserv1"
export NIS_DOMAINNAME="cup.hp.com"
migrate_nis_automount.pl /etc/auto_indirect /tmp/auto_indirect.
The migrate_nisp_autofs.pl Script
This script, found in /opt/ldapux/migrate/nisplusmigration, migrates the AutoFS maps from the NIS+ server to the nisp_automap.ldif file.
Syntax
scriptname inputfile
Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the nisp_automap.ldif file:
export LDAP_BASEDN="dc=nishpbnd"
export DOM_ENV="cup.hp.com"
migrate_nisp_autofs.
Verify the LDAP-UX Client Services
This section describes some simple ways you can verify the installation and configuration of your LDAP-UX Client Services. You may need to do more elaborate and detailed testing, especially if you have a large environment. If any of the following tests fail, see Troubleshooting (page 123).
pw_age............()
pw_comment........()
pw_gecos..........(gecos data in files)
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)
Refer to "beq Search Tool" in Chapter 4 for command syntax and examples.
4. Log in to the client system from another system using rlogin or telnet.
5. Log in as a user in the directory and as a user in /etc/passwd to make sure both work.
uid: xuser2
cn: xuser2
objectClass: top
objectClass: account
objectClass: posixAccount
userPassword: {crypt}xxxxxxxxxxxxx
loginShell: /bin/ksh
uidNumber: 9998
gidNumber: 999
homeDirectory: /home/xuser2
2. Make sure that the file /etc/nsswitch.conf specifies ldap for the group service:
cat /etc/nsswitch.conf
:
:
group: files ldap
:
:
3. Verify:
# grget -n xgroup1
xgroup1:*:999: xuser2
If xuser2 shows up as a member of xgroup1, then your setup is correct.
Configure Subsequent Client Systems
Once you have configured your directory and one client system, you can configure subsequent client systems using the following steps. Modify any of these files as needed.
1. Use swinstall to install LDAP-UX Client Services on the client system. This does not require rebooting the client system.
2. Copy the following files from a configured client to the client being configured:
• /etc/opt/ldapux/ldapux_client.
Download the Profile Periodically
Setup allows you to define a time interval after which the current profile is automatically refreshed. The start time for this periodic refresh is defined by the time the setup program was run and the value defined for ProfileTTL. Therefore, it does not allow you to define a specific time of day when the profile should be downloaded (refreshed). For more detailed information, refer to the ldapclientd(1) man page.
login     account  sufficient  /usr/lib/security/libpam_unix.1
login     account  required    /usr/lib/security/libpam_ldap.1
rcommand
su        account  sufficient  /usr/lib/security/libpam_unix.1
su        account  required    /usr/lib/security/libpam_ldap.1
dtlogin   account  sufficient  /usr/lib/security/libpam_unix.1
dtlogin   account  required    /usr/lib/security/libpam_ldap.
dtaction  account  sufficient
dtaction  account  required
ftp       account  sufficient
ftp       account  required
OTHER     account  sufficient
OTHER     account  required
3 LDAP Printer Configurator Support
This chapter contains information describing how LDAP-UX supports the printer configurator, how to set up the printer schema, and how to configure the printer configurator to control its behaviors. This chapter contains the following sections:
• Overview (page 71).
• How the LDAP Printer Configurator works (page 72).
• Printer Configuration Parameters (page 73).
• Printer Schema (page 74).
• Managing the LP printer configuration (page 74).
NOTE: The LDAP printer configurator only supports the HP LP spooler system, remote printers, network printers and print servers that support the Line Printer Daemon (LPD) protocol. It does not support local printers.
NOTE: The system administrator manually adds printers to or removes printers from the HP-UX system. The LDAP Printer Configurator only adds or removes printers that it has discovered in the LDAP directory according to the search filter defined for the printer.
Printer Schema
The new IETF printer schema is used to create the printer objects that are relevant to the printer configurator services. The draft printer schema can be obtained from the IETF web site at http://www.ietf.org. For detailed structure information on the new printer schema, see Appendix C. You must import the new printer schema into the LDAP Directory Server to create new printer objects.
Example 2: The IT department would like to store additional service information in the printer object. The administrator modifies the printer object by adding more printer attributes. The modified content of the printer object is shown below:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: lpd://hostA.cup.hp.
However, if the user removes the laser8 printer configuration manually, the printer configuration is no longer managed by the printer configurator. The user has to recreate the printer configuration manually if the laser8 printer is needed again. The printer configurator does not try to recreate the printer configuration even though the printer object of laser8 still exists in the directory server.
4 Dynamic Group Support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups, how to set up dynamic groups, and how to enable or disable dynamic group caches.
1. Use the Directory Server Console to create a dynamic group. See the “Step 1: Creating a Dynamic Group” section for details.
2. Add the posixgroup objectclass and gidNumber attribute information to the dynamic group entry created in step 1. See “Step 2: Adding POSIX Attributes to a Dynamic Group” for details.
Step 1: Creating a Dynamic Group
You can use the Directory Server Console to create a dynamic group.
add: gidNumber
gidNumber: 500
2. Use the ldapmodify tool to modify the existing entry with the LDIF file created in step 1. For example, the following command modifies the dynamic group entry in the LDAP directory server, ldaphost1, using the LDIF update file, new.ldif:
ldapmodify -D "cn=Directory Manager" -w -h ldaphost1 -p 389 -f new.
Changing an HP-UX POSIX Static Group to a Dynamic Group
To change an HP-UX POSIX static group to an HP-UX POSIX dynamic group, use the Directory Server Console to add the following objectclass and attribute information to the HP-UX POSIX static group:
• groupofurls objectclass
• memberURL attribute
For detailed information on how to use the Directory Server Console to modify a group, refer to the Red Hat Directory Server Administrator's Guide available at the following web site: http://docs.hp.
Specifying a Search Filter for a Dynamic Group
Instead of using memberURL and groupofurls to specify dynamic groups, HP OpenView Select Access and HP-UX Select Access for IdMI define the following new attributes and objectclass to support dynamic groups:
• nxRole attribute
• nxSearchBaseDn attribute
• nxSearchFilter attribute
• nxSearchScope attribute
• nxRoleEntry objectclass
Creating an HP-UX POSIX Dynamic Group
Each dynamic group is configured with a search DN, search scope and search filter.
objectClass: nxRoleEntry
objectClass: posixgroup
objectClass: top
nxSearchScope: sub
nxSearchBaseDn: ou=Managing,dc=Example,dc=hp,dc=com
nxRole: Austine Managers
nxSearchFilter: (l=Austine)
cn: AustMgrs
gidNumber: 2000
NOTE: Unlike Netscape/Red Hat Directory dynamic groups, Select Access dynamic groups require non-standard objectclass and attributes. You cannot change existing POSIX static groups to Select Access POSIX dynamic groups without importing those objectclass and attributes.
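The following script is an added example, not LDAP-UX code: it resolves the membership of both dynamic-group styles described above (a groupofurls entry with memberURL, and a Select Access nxRoleEntry with nxSearchBaseDn/nxSearchScope/nxSearchFilter) against a constructed in-memory directory, so you can see which entries a search base, scope and filter actually pull in. The directory contents are constructed, only equality filters such as (l=Austine) are supported, and DN handling ignores escaped commas.

```python
"""Resolve HP-UX POSIX dynamic group membership from a group entry (added example)."""
from urllib.parse import unquote

# Constructed sample directory: DN -> attributes (attribute names in lower case).
DIRECTORY = {
    "uid=mary,ou=Managing,dc=Example,dc=hp,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["mary"], "l": ["Austine"]},
    "uid=bob,ou=Managing,dc=Example,dc=hp,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["bob"], "l": ["Cupertino"]},
    "uid=ann,ou=Staff,ou=Managing,dc=Example,dc=hp,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["ann"], "l": ["Austine"]},
    "uid=joe,ou=Sales,dc=Example,dc=hp,dc=com":
        {"objectclass": ["posixAccount"], "uid": ["joe"], "l": ["Austine"]},
}

def rdn_count(dn):
    return len([p for p in dn.split(",") if p.strip()])

def in_scope(dn, base, scope):
    """RFC 2255 scopes: base = the base entry only, one = its direct children, sub = whole subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    depth = rdn_count(dn) - rdn_count(base)
    return scope == "sub" or (scope == "one" and depth == 1)

def matches_filter(attrs, ldap_filter):
    """Equality filter only, e.g. (l=Austine); an empty filter matches every entry."""
    body = ldap_filter.strip()
    if not body:
        return True
    if not (body.startswith("(") and body.endswith(")")) or "=" not in body:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = body[1:-1].split("=", 1)
    return value.lower() in (v.lower() for v in attrs.get(attr.lower(), []))

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter); the host part is ignored."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    _host, _, path = url[len("ldap://"):].partition("/")
    parts = path.split("?")
    base = unquote(parts[0])
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    ldap_filter = unquote(parts[3]) if len(parts) > 3 else ""
    return base, scope.lower(), ldap_filter

def search_specs(group):
    """Yield (base, scope, filter) for whichever dynamic-group style the entry carries."""
    classes = [c.lower() for c in group.get("objectclass", [])]
    if "groupofurls" in classes:
        for url in group.get("memberurl", []):
            yield parse_member_url(url)
    if "nxroleentry" in classes:
        yield (group["nxsearchbasedn"][0],
               group.get("nxsearchscope", ["sub"])[0].lower(),
               group.get("nxsearchfilter", [""])[0])

def resolve_members(group, directory=DIRECTORY):
    """Return the sorted list of uids the dynamic group expands to."""
    members = set()
    for base, scope, ldap_filter in search_specs(group):
        for dn, attrs in directory.items():
            if in_scope(dn, base, scope) and matches_filter(attrs, ldap_filter):
                members.update(attrs.get("uid", []))
    return sorted(members)

# The AustMgrs entry shown above, as this script's attribute dictionary.
AUST_MGRS = {
    "objectclass": ["nxRoleEntry", "posixgroup", "top"],
    "nxsearchscope": ["sub"],
    "nxsearchbasedn": ["ou=Managing,dc=Example,dc=hp,dc=com"],
    "nxrole": ["Austine Managers"],
    "nxsearchfilter": ["(l=Austine)"],
    "cn": ["AustMgrs"], "gidnumber": ["2000"],
}

if __name__ == "__main__":
    print(resolve_members(AUST_MGRS))   # ['ann', 'mary']
```

Note that ann, two levels below the search base, is a member only because nxSearchScope is sub; with a memberURL using scope one she would be excluded.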
Number of Group Members Returned
With dynamic membership support, as with regular (static) group membership support, the number of group members for a specific group returned by getgrnam()/getgrgid()/getgrent() on an HP-UX system is limited by internal buffer sizes. On HP-UX 11i v1 and v2 systems, the buffer size is 7296 bytes for 32-bit applications and 10496 bytes for 64-bit applications. How many members fit in that buffer depends mainly on the length of each member name.
Performance Impact for Dynamic Groups
A dynamic group is specified by either an LDAP URL or a search filter. Depending on how you configure dynamic groups, many LDAP searches can be involved. In that case, the performance of applications that call getgrnam(), getgrgid() or getgrent() (see getgrent(3C)), for example the id and groups commands, will be affected.
5 Administering LDAP-UX Client Services This chapter describes how to keep your clients running smoothly and expand your computing environment.
IMPORTANT: Starting with LDAP-UX Client Services B.03.20 or later, the client daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running the client daemon, ldapclientd, is optional.
ldapclientd
Starting the client
Use the following syntax to start the client daemon.
Diagnostics
By default, errors are logged to syslog if the system log is enabled in the LDAP-UX client startup configuration file /etc/opt/ldapux/ldapux_client.conf. Errors occurring before ldapclientd forks into a daemon process leave an error message directly on the screen. The following diagnostic messages may be issued:
Message: Already running.
Meaning: An attempt was made to start an LDAP Client Daemon when one was already running.
Message: Cache daemon is not running (or running but not ready).
section
Each section is configured by setting=value information underneath. The section name must be enclosed by brackets ("[ ]") as delimiters. Valid section names are:
- [StartOnBoot]
- [general]
- [passwd]
- [group]
- [dynamic_group]
- [netgroup]
- [uiddn]
- [domain_pwd]
- [domain_grp]
- [automount]
- [automountMap]
- [printers]
setting value
This will be different for each section. Depending on the setting, this can be .
The interval, in seconds, between the times when ldapclientd identifies and cleans up stale cache entries. The default value is 10.
update_ldapux_conf_time=<10-2147483647>
This determines how often, in seconds, ldapclientd re-reads the /etc/opt/ldapux/ldapux_client.conf client configuration file to download new domain profiles. The default value is 600 (10 minutes).
cache_size=<102400-1073741823>
The maximum number of bytes that should be cached by ldapclientd for all services except dynamic_group.
The time, in seconds, before a cache entry expires from the positive cache. Since personal data can change frequently, this value is typically smaller than some others. The default value is 120 (2 minutes).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache. The default value is 240 (4 minutes).
[group]
Cache settings for the group cache (which caches name, gid and membership information).
new entries are not cached until enough expired entries are freed to allow it. The default value is 100000000 (10M).
NOTE: The cache_size option defined in the [general] section is used to configure all other caches (passwd, netgroup, group, automount, domain_pwd, domain_grp, uiddn).
[netgroup]
Cache settings for the netgroup cache.
enable=
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
[domain_grp]
This cache maps group names and GIDs to the domain holding their entries.
enable=
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Since new domains are rarely added to or removed from the forest, the cache is typically valid for a long time. The default value is 86400 (24 hours).
[printers]
Any printer setting defined here will be used by the LDAP printer configurator.
start=
Determines whether the printer configurator service starts when ldapclientd is initialized. If it is enabled, the printer configurator will start when ldapclientd is initialized. By default, the start parameter is enabled.
search_interval=<1800-1209600>
Defines the interval, in seconds, before the printer configurator performs a printer search in the directory server.
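As an added example (not a tool shipped with LDAP-UX), the following script parses a configuration file laid out as described above, in [section] blocks of setting=value lines, and flags unknown section names and numeric settings outside the documented ranges. The sample file, its # comments, and the decision to apply the poscache_ttl/negcache_ttl ranges shown for one section to every cache section are assumptions of this example.

```python
"""Range check for an ldapclientd.conf-style configuration (added example)."""

VALID_SECTIONS = {
    "StartOnBoot", "general", "passwd", "group", "dynamic_group", "netgroup",
    "uiddn", "domain_pwd", "domain_grp", "automount", "automountMap", "printers",
}

CACHE_SECTIONS = {"passwd", "group", "dynamic_group", "netgroup", "uiddn",
                  "domain_pwd", "domain_grp", "automount", "automountMap"}

# Inclusive (low, high) bounds taken from the setting descriptions above.
# Assumption: the TTL ranges documented for one cache section apply to all of them.
RANGES = {
    "general": {"update_ldapux_conf_time": (10, 2147483647),
                "cache_size": (102400, 1073741823)},
    "printers": {"search_interval": (1800, 1209600)},
}
for _section in CACHE_SECTIONS:
    RANGES[_section] = {"poscache_ttl": (0, 2147483647),
                        "negcache_ttl": (1, 2147483647)}

def parse_conf(text):
    """Return {section: {setting: value}}; '#' starts a comment (this parser's assumption)."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key] = value
        else:
            raise ValueError("line %d: expected [section] or setting=value" % lineno)
    return conf

def check_conf(conf):
    """List problems: unknown sections and numeric settings outside their documented range."""
    problems = []
    for section, settings in conf.items():
        if section not in VALID_SECTIONS:
            problems.append("unknown section [%s]" % section)
            continue
        for key, value in settings.items():
            bounds = RANGES.get(section, {}).get(key)
            if bounds is None:
                continue  # enable=, start= and undocumented settings are not range-checked
            low, high = bounds
            if not value.lstrip("-").isdigit() or not low <= int(value) <= high:
                problems.append("[%s] %s=%s outside %d-%d" % (section, key, value, low, high))
    return problems

# Constructed configuration fragment, not a file shipped with LDAP-UX.
SAMPLE_CONF = """\
[general]
update_ldapux_conf_time=600
cache_size=50000          # below the 102400 byte minimum
[passwd]
enable=yes
poscache_ttl=120
negcache_ttl=0            # negative cache TTL must be at least 1
[printers]
start=yes
search_interval=900       # below the 1800 second minimum
[printer]                 # typo: not a valid section name
start=no
"""

if __name__ == "__main__":
    for problem in check_conf(parse_conf(SAMPLE_CONF)):
        print(problem)
```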
The coexistence of LDAP-UX and Trusted Mode supports certain security features, but also has limitations and usage requirements that you need to be aware of. For detailed information, see Features and Limitations (page 96).
Features and Limitations
This subsection describes features and limitations of integrating LDAP-UX with Trusted Mode.
Auditing
Integrating LDAP-UX with Trusted Mode enables accounts stored in the LDAP directory to log in to a local host and to be audited in Trusted Mode.
LDAP-based accounts. So, if the user eventually provides the correct password, he or she can log in.
PAM Configuration File
• If you integrate LDAP-UX Client Services with the Netscape/Red Hat Directory Server, you must define the pam_ldap library before the pam_unix library in the /etc/pam.conf file for all services.
• You must set the control flag for both the pam_ldap and pam_unix libraries to required under session management. Refer to Sample /etc/pam.ldap.
PAM_AUTHZ Login Authorization The Pluggable Authentication Module (PAM) is an industry standard authentication framework that is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The PAM framework also allows new authentication service modules to be plugged in and made available without modifying the PAM enabled applications.
Figure 5-1 PAM_AUTHZ Environment
[Figure: the policy configuration file, a PAM-enabled application, pam_authz, the LDAP-UX client daemon ldapclientd, authentication modules (for example pam_kerberos and pam_ldap), /etc/group, /etc/netgroup and the LDAP directory server, connected by numbered steps 1 to 7.]
The following describes the policy validation processed by PAM_AUTHZ for the user login authorization shown in Figure 5-1:
PAM_AUTHZ Environment
1.
PAM_AUTHZ Supports Security Policy Enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP directory server. This feature works with SSH (Secure Shell) and with r-commands with rhost enabled, where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem but by the command itself.
Policy File The system administrator can define a local access policy and store all defined access rules in the policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ service module uses this local policy file to process the access rules and to control the login authorization. LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to configure the policy file to work with PAM_AUTHZ.
Policy Validator
PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the access rules defined in pam_authz.policy. It validates and determines the user's login authorization based on the user's login name and the information it retrieves from various name services. The result is then returned to the PAM framework. PAM_AUTHZ processes access rules in the order they are defined in pam_authz.policy.
Constructing an Access Rule in pam_authz.policy In the policy file, /etc/opt/ldapux/pam_authz.policy, an access rule consists of three fields as follows: ::
Table 5-1 Field Syntax in an Access Rule (continued)
deny, allow, other: No value is required.
status: The valid value for the second field can be rhds or ads. The third field specifies the function name that is called to evaluate certain policy settings of the login user. Example: status:rhds:check_rhds_policy. See the “Account and Password Security Policy Enforcement” section for details.
Rules that have one of these specified as the field are defining a static list access rule. For this rule, the field is specified as a predefined list of identifiers. The identifiers are matched directly with data in the login request. This field specifies where PAM_AUTHZ will look to determine if the login field is present in the appropriate data store, such as /etc/passwd, /etc/group, etc. If the login field is found, the rule is evaluated to be true.
Static List Access Rule When the value in the field is one of unix_user, unix_group, netgroup, ldap_group, the rule is evaluated using a list of predefined values in the field. Based on the value in the field, pam_authz will call the appropriate service to determine if the item requested is present. If the requested information is found then the rule is evaluated to be true.
or groupOfUniqueNames objectclass. A list of ldap_group names is specified in the field. The group membership information is stored in the LDAP directory server. An example of an ldap_group type of access rule is as follows:
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves the group membership of each listed group from the directory server through LDAP-UX client services.
Dynamic Variable Access Rule
PAM_AUTHZ supports dynamic variables in the ldap_filter type of access rule. A dynamic variable is defined in the (LDAP search filter) field; it can consist of one or more (attribute=$[variable_name]) pairs.
and the value is 1.2.3.200. If Mary attempts to log in to the host with the IP address, 1.2.3.200, then the access rule is evaluated to be true and this user is granted login access.
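The following model is an added example, not the pam_authz module: it evaluates action:type:object rules in the order they are written, as the static list rules and the dynamic variable rule above describe, and returns the first matching rule's action. The name-service data, the LDAP entries, the hostip attribute, the $[login_name]/$[client_ip] variable names and the treatment of a rule of type other as a catch-all are all constructed assumptions; status rules are not modelled.

```python
"""Model of PAM_AUTHZ access-rule evaluation from pam_authz.policy (added example)."""
import re

STATIC_TYPES = ("unix_user", "unix_group", "netgroup", "ldap_group")

# Constructed stand-ins for /etc/passwd, /etc/group, /etc/netgroup and the
# ldap_group membership PAM_AUTHZ retrieves through LDAP-UX client services.
NAME_SERVICES = {
    "unix_user": {"root", "mary", "bob"},
    "unix_group": {"wheel": {"root"}, "staff": {"mary", "bob"}},
    "netgroup": {"admins": {"root"}},
    "ldap_group": {"engineering_ldapgroup": {"bob"}, "support_ldapgroup": set(),
                   "epartner_ldapgroup": set()},
}

# Constructed LDAP user entries used by ldap_filter rules, keyed by uid;
# the hostip attribute is invented for this example.
LDAP_ENTRIES = {
    "mary": {"uid": "mary", "hostip": "1.2.3.200"},
    "bob": {"uid": "bob", "hostip": "1.2.3.201"},
}

VAR_RE = re.compile(r"\$\[(\w+)\]")               # $[variable_name]
TERM_RE = re.compile(r"\(([^()&|!=]+)=([^()]*)\)")  # one (attribute=value) term

def parse_rule(line):
    """Split action:type:object; the object may be absent (e.g. deny:other)."""
    parts = line.strip().split(":", 2)
    if len(parts) < 2:
        raise ValueError("malformed rule: " + line)
    action, rtype = parts[0].lower(), parts[1].lower()
    if action not in ("allow", "deny"):
        raise ValueError("unsupported action (status rules not modelled): " + line)
    return action, rtype, parts[2] if len(parts) == 3 else ""

def expand_variables(ldap_filter, variables):
    """Replace each $[name] with the value taken from the login request."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("no value for dynamic variable $[%s]" % name)
        return variables[name]
    return VAR_RE.sub(substitute, ldap_filter)

def filter_matches(entry, ldap_filter):
    """Equality terms only; (&(a=b)(c=d)) is treated as the AND of its terms."""
    terms = TERM_RE.findall(ldap_filter)
    if not terms:
        raise ValueError("unsupported filter: " + ldap_filter)
    return all(entry.get(attr.lower()) == value for attr, value in terms)

def rule_is_true(rtype, obj, user, variables):
    """Evaluate one rule for a login name and the request's dynamic variables."""
    if rtype in STATIC_TYPES:
        ids = [item.strip() for item in obj.split(",") if item.strip()]
        if rtype == "unix_user":
            return user in NAME_SERVICES["unix_user"] and user in ids
        store = NAME_SERVICES[rtype]  # group-like types: member of any listed group?
        return any(user in store.get(name, set()) for name in ids)
    if rtype == "ldap_filter":
        entry = LDAP_ENTRIES.get(user)
        return entry is not None and filter_matches(entry, expand_variables(obj, variables))
    if rtype == "other":              # assumption: catch-all that matches every login
        return True
    raise ValueError("unknown rule type: " + rtype)

def authorize(policy_text, user, variables):
    """Return 'allow', 'deny', or None when no rule matched; first match wins."""
    for line in policy_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, rtype, obj = parse_rule(line)
        if rule_is_true(rtype, obj, user, variables):
            return action
    return None

# Constructed policy, not a shipped pam_authz.policy.
SAMPLE_POLICY = """\
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
allow:unix_group:wheel
allow:ldap_filter:(&(uid=$[login_name])(hostip=$[client_ip]))
deny:other
"""

if __name__ == "__main__":
    print(authorize(SAMPLE_POLICY, "mary", {"login_name": "mary", "client_ip": "1.2.3.200"}))  # allow
    print(authorize(SAMPLE_POLICY, "mary", {"login_name": "mary", "client_ip": "9.9.9.9"}))    # deny
```

Because rules are processed in order, bob is denied by the first rule even though a later rule would otherwise admit him, and the final catch-all decides every login no earlier rule covered.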
Security Policy Enforcement with Secure Shell (SSH) or r-commands PAM_AUTHZ has a limited ability to perform account and password security policy enforcement without requiring LDAP-based authentication.
function_name
This field defines the function name in the specified that PAM_AUTHZ uses to evaluate certain security policy settings with the login user. The following describes the valid entries for this field:
• check_rhds_policy: If this option is specified, PAM_AUTHZ evaluates all the necessary account and password policy settings, stored in the Netscape/Red Hat Directory Server, for the login user.
Configuring the PAM Configuration File
If you want to use PAM_AUTHZ to support enforcement of account and password policies stored in the Netscape/Red Hat Directory Server, you must define the pam_authz library and the rcommand option in the /etc/pam.conf file for the sshd and rcomds services under the account management section. In addition, the control flag for the pam_authz library must be set to required. See Appendix D, “Sample /etc/pam.
Directory Server Security Policies Global Security Attributes In the Netscape/Red Hat Directory Server, there are a number of attributes used to define the security policies. In order to support account and password security policy enforcement, PAM_AUTHZ is enhanced to support the global administrative security attributes listed in the table below. These attributes are used to define the policy rules and are all defined under cn=config. Only authorized users can access them.
Table 5-3 Security Policy Status Attributes (continued)
passwordExpirationTime
This string attribute defines the date and time when a password is considered expired. The date and time are specified using the “Generalized Time” syntax as referenced in RFC 2252 and specified by the ISO X.208 standard. It uses the format YYYYMMDDHHMMSSTZ, where YYYY = 4-digit year, MM = 2-digit month, DD = 2-digit day, HH = 2-digit hour, MM = 2-digit minute, SS = 2-digit second and TZ = time zone.
Adding One or More Users You can add one or more users to your system as follows: 1. Add the user's posixAccount entry to your LDAP directory. You can use your directory's administration tools, the ldapadd command, or the ldapentry tool to add a new user entry to your directory. If you are adding a large number of users, you could create a passwd file with those users and use the migration tools to add them to your directory.
Adding a Directory Replica
Your LDAP directory contains configuration profiles downloaded by each client system and name service data accessed by each client system. As your environment grows, you may need to add a directory replica to your environment. LDAP-UX can take advantage of replica directory servers and fail over to an alternate if one of them fails. Follow these steps to inform LDAP-UX about multiple directory servers:
1. Create and configure your LDAP directory replica.
3. Run /opt/ldapux/config/ldap_proxy_config -p to display the proxy user you just configured and confirm that it is correct.
4. Run /opt/ldapux/config/ldap_proxy_config -v to verify the proxy user is working.
Example
For example, the following command configures the local client to use a proxy user DN of uid=proxy,ou=people,o=hp.com with a password of abcd1234:
cd /opt/ldapux/config
./ldap_proxy_config -i uid=proxy,ou=people,o=hp.com abcd1234
The following command displays the current proxy user:
Modifying a Profile You can modify an existing profile directly using your directory administration tools, for example with Netscape/Red Hat Console. See LDAP-UX Client Services Object Classes (page 185) for a complete description of the DUAConfigProfile object class, its attributes, and what values each attribute can have. The ldapentry tool can also be used to modify the existing profile.
3. Remove the proxy information:
cd /opt/ldapux/config
./ldap_proxy_config -e
4. Optionally, remove the proxy user from the directory if you no longer need it. With Netscape/Red Hat Directory Server, you can use the Directory Server Console.
Performance Considerations This section lists some performance considerations for LDAP-UX Client Services. See the white paper LDAP-UX Integration Performance and Tuning Guidelines at: http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration for additional performance information. Minimizing Enumeration Requests Enumeration requests are directory queries that request all of a database, for example all users or all groups. Enumeration requests of large databases could reduce network and server performance.
that does not exist, every time a user displays information about this file using the ls command, a request to the directory server is generated. The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount map information. ldapclientd also maintains a cache that maps user accounts to LDAP DNs. This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for defining membership of an HP-UX group.
NOTE: The ldapclientd -f command will flush all caches. Refer to the man page ldapclientd (1M) for more information. It is possible to alter the caching lifetime values for each service listed above, in the /etc/opt/ldapux/ldapclientd.conf file. See below for additional information. It is also possible to enable or disable a cache using the -E or -D (respectively) options. These options may be useful in determining the effectiveness of caching or helpful in debugging.
Troubleshooting This section describes troubleshooting techniques as well as problems you may encounter. Enabling and Disabling LDAP-UX Logging When something is behaving incorrectly, enabling logging is one way to examine the events that occur to determine where the problem is. Enable LDAP-UX Client Services logging on a particular client as follows: 1. 2. Edit the local startup file /etc/opt/ldapux/ldapux_client.
kill -HUP `cat /var/run/syslog.pid`
4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.
5. Restore the file /etc/syslog.conf to its previous state; otherwise, you may unintentionally enable logging in other applications.
6. Restart the syslog daemon with the following command. (See syslogd(1M) for details.)
kill -HUP `cat /var/run/syslog.pid`
7. Remove the "debug" options from /etc/pam.conf.
8. Examine the log file at /var/adm/syslog/debug.
See below for an example of determining the user's bind DN. • Display the current configuration profile and check all the values to make sure they are as you expect: cd /opt/ldapux/config ./display_profile_cache In particular, check the values for the directory server host and port, the default search base DN, and the credential level.
./ldapsearch -h servername -b "o=hp.com" uid=username using the name of your directory server (from display_profile_cache), search base DN (from display_profile_cache), and a user name from the directory. You should get output similar to the previous example. If you don't, anonymous access may not be configured properly. Make sure you have access permissions set correctly for anonymous access.
6 Command and Tool Reference This chapter describes the commands and tools associated with the LDAP-UX Client Services.
Table 6-1 LDAP-UX Client Services Components (continued)
Component: Description
/opt/ldapux/bin/ldifdiff: Tool to generate LDIF change records from two input files.
/etc/opt/ldapux/ldapclientd.conf: The ldapclientd daemon configuration file.
/opt/ldapux/bin/ldapclientd: The ldapclientd daemon binary.
/opt/ldapux/bin/ldappasswd: Tool to modify a user password in a directory.
/opt/ldapux/bin/ldapschema: Tool to query and extend the directory server schema.
Table 6-3 LDAP-UX Client Services Libraries on the HP-UX 11i v2 PA machine
Files (Description: LDAP-UX Client Services libraries)
/usr/lib/libldap_send.1 (32-bit)
/usr/lib/libldap_util.1 (32-bit)
/usr/lib/libnss_ldap.1 (32-bit)
/usr/lib/libldapci.1 (32-bit)
/usr/lib/libldap.1 (32-bit)
/usr/lib/security/libpam_ldap.1 (32-bit)
/usr/lib/security/libpam_authz.1 (32-bit)
/usr/lib/pa20_64/libldap.1 (64-bit)
/usr/lib/pa20_64/libldap_send.1 (64-bit)
/usr/lib/pa20_64/libnss_ldap.
Client Management Tools
This section describes the following programs for managing client systems. Most of these are called by the setup program when you configure a system.
display_profile_cache: Displays the currently active profile.
create_profile_entry: Creates a new profile in the directory.
get_profile_entry: Downloads a profile from the directory to LDIF, and creates the profile cache.
ldap_proxy_config: Configures a proxy user.
Syntax
create_profile_schema
The display_profile_cache Tool
This tool, found in /opt/ldapux/config, displays information from a binary profile (cache) file. By default, it displays the currently active profile in /etc/opt/ldapux/ldapux_profile.bin.
Syntax
display_profile_cache [-i infile] [-o outfile]
where infile is a binary profile file, /etc/opt/ldapux/ldapux_profile.bin by default, and outfile is the output file, stdout by default.
The ldap_proxy_config Tool
This tool, found in /opt/ldapux/config, configures a proxy user or an Admin Proxy user for the client accessing the directory. It stores the encrypted proxy user information in the file /etc/opt/ldapux/pcred. The encrypted Admin Proxy user information is stored in the file /etc/opt/ldapux/acred. If you are using only anonymous access, you do not need to use this tool. You must run this tool logged in as root.
-h displays help on this command.
With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred. For the proxy user, if you switch the authentication method between simple and DIGEST-MD5, you need to use the ldap_proxy_config -e command to delete /etc/opt/ldapux/pcred, then use the ldap_proxy_config -i command to reconfigure the proxy user.
The following example configures the Admin Proxy as uid=adminproxy3,ou=special users,o=hp.com, with UID adminproxy3 and password admin3pw, and creates or updates the file /etc/opt/ldapux/acred with this information; the Admin Proxy user uses SASL DIGEST-MD5 authentication and the UID is used to generate the DIGEST-MD5 hash:
ldap_proxy_config -A -i uid=adminproxy3,ou=special users,o=hp.
LDAP Directory Tools
This section briefly describes the ldapentry, ldappasswd, ldapsearch, ldapmodify and ldapdelete tools. For detailed information about ldapsearch, ldapmodify, and ldapdelete, refer to the Red Hat Directory Server for HP-UX Administrator's Guide available at http://docs.hp.com/en/internet.html
ldapentry
ldapentry is a script tool that simplifies the task of adding, modifying and deleting entries in a Directory Server.
where
-a Adds a new entry to the directory.
-m Modifies an existing entry in the directory.
-d Deletes an existing entry in the directory.
options
-f Forces command execution with warning override.
-v Displays verbose information.
-b Specifies the DN of the search/insert base, which defines where ldapentry starts the search/insert for the entry. This option is optional if the LDAP_BASEDN variable is set. If specified, this option overrides the LDAP_BASEDN variable setting.
NOTE: Although the ldapentry tool allows users to modify any information in the EDITOR window, the directory server has the final decision on accepting the modification. If the user enters invalid LDIF syntax, violates the directory's schema or does not have the privilege to perform the modification, the ldapentry tool reports the error after the EDITOR window is closed, when it tries to update the directory server with the information.
ldapsearch You use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format. For detailed information, refer to the Red Hat Directory Server for HP-UX Configuration, Command, and File Reference available at the following web site: http://docs.hp.com/en/internet.
ldapmodify You use the ldapmodify command-line utility to add or modify entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and adds or modifies the entries based on the LDIF update statements contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do.
ldapdelete
You use the ldapdelete command-line utility to delete entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, and deletes the entry or entries. For details, see the Red Hat Directory Server for HP-UX Administrator's Guide available at the following web site: http://docs.hp.com/en/internet.html
Syntax
ldapdelete [optional_options]
where optional_options specifies a series of command-line options.
Schema Extension Utility Overview A directory schema is a collection of attribute type definitions, object class definitions and other information supported by a directory server. Schema controls the type of data that can be stored in a directory server. Although there are some recommended schemas that came originally from the X.500 standards, mostly for representing individuals and organizations, there is no universal schema standard in place for every possible application.
Server schema with printer, public key and automount schemas. For Windows Active Directory Server, you will continue to run the setup tool to extend the directory server with the automount schema. Operations Performed by the Schema Extension Utility The schema extension utility, ldapschema, supports the following two modes of operation: 1.
server definition file, /etc/opt/ldapux/schema/schema-ads.xml, which contains a list of schema syntaxes that Windows Active Directory Server supports. If you choose to use the ldapschema tool with the directory server other than Netscape/Red Hat Directory Server or Windows Active Directory Server, and the LDAP directory server doesn't provide a list of supported matching rules and syntaxes as part of the directory server schema search.
ldapschema — The Schema Extension Tool
The ldapschema utility allows schema developers to define LDAP schemas using a universal XML syntax, which greatly simplifies support for different directory server variations. It can be used to query the current status of the LDAP schema on the LDAP directory server, as well as to extend the LDAP directory server schema with new attribute types and object classes.
Table 6-6 Reserved LDAPv3 Directory Servers (continued)
Novell e-Directory Server: eDirectory
IBM Tivoli Directory Server: ibm
MAC OS X Directory Server: mac
Sun One Directory Server: sun
Computer Associates Directory Server: ca
iPlanet Directory Server: iPlanet
-V ds_version
The version of the LDAP directory server. The strcasecmp() function compares the version specified by this -V option and the version defined in the XML files the ldapschema utility processes.
-h hostname
Specifies the LDAP directory server host name or IP address. (Default: localhost)
-p
Specifies the LDAP directory server TCP port number. (Default: 389 for regular connections, 636 for SSL connections.)
-D
Specifies the Distinguished Name (DN) of an administrator who has permissions to read and modify the LDAP directory server schema.
-j
Specifies an administrator's password in the file (for simple authentication).
-w, -Z, -ZZ, -ZZZ, -P path, -3, -s, -m, -f, -F
Environment Variables
The ldapschema utility supports the following environment variables:
LDAP_BINDDN: The Distinguished Name (DN) of an administrator who has permissions to read and modify the LDAP directory server schema.
LDAP_BINCRED: The password for the privileged LDAP directory user.
LDAP_HOST: The host name of the LDAP directory server. The LDAP_HOST variable uses the “hostname:port” format. If the port is not specified, the default port number is 389 for regular connections, or 636 for SSL connections.
Schema Definition File The ldapschema utility queries and extends LDAP directory server based on the XML schema definition file. When using the ldapschema tool, the schema argument used with the -q or -e option must correspond to the XML file containing the appropriate schema definition. Several predefined files (such as rfc3712.xml, rfc2256.xml, etc...) are stored in the /etc/opt/ldapux/schema directory. But the schema definition file can be stored in any directory with any file name.
A Sample RFC3712.xml File
A sample rfc3712.xml file defines two attribute types, printer-name and printer-aliases, followed by one object class, printerLPR, as specified in RFC3712.
Defining Attribute Types Each attribute type definition, enclosed by tags, can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification. Required. At least one attribute type name must be specified. Do not use quotes around the name values.
Optional, use if an attribute type requires indexing. At most one indexed flag can be specified. Optional, use to specify any directory-specific information about the attribute type. See “Defining Directory Specific Information” (page 154) section for details.
Defining Object Classes
Each object class definition, enclosed by the tags, can contain the following case-sensitive tags, in the order specified:
Required. Exactly one numeric id must be specified. The value must adhere to the RFC 2252 format specification.
Required. At least one object class name must be specified.
Object Class Definition Requirements
To add the new schema to the LDAP directory server, each object class definition must meet the following requirements:
• The object class definition contains a tag with one numeric id value which adheres to the RFC 2252 format specification.
• The object class definition has at least one tag with the object class name. Each name must adhere to the RFC 2252 format specification.
Defining Directory Specific Information Attribute type and object class definitions can be extended with directory-specific information using the tag. This is useful to maintain a single schema definition file for different types and versions of LDAP directory servers.
attributeSyntax = 2.5.5.12, oMSyntax=64. See “Mapping Unsupported Matching Rules and LDAP Syntaxes” (page 159) section for details.
An Example of Defining Directory Specific Information in the Object Class Definition
Directory specific information can be specified in the object class definitions as well as in optional and mandatory attributes. The following is an example of an object class definition with directory specific information using the tag and the XML attributes not and only:
LDAP Directory Server Definition File In order to properly install new attribute types in an LDAP directory server schema, the ldapschema utility needs to determine whether the LDAP server supports the matching rules and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs an LDAP search for supported matching rules and syntaxes on the LDAP server. However, some types of directory servers do not provide this information as part of the search.
Lines 1-2 are required in every LDAP directory server definition file. LDAP syntax and matching rule definitions closely follow the format specified in RFC 2252. Values specified for all XML tags must not be quoted. Only the description field (enclosed by ... tags) can contain spaces.
NOTE: Only LDAP syntaxes and matching rules fully supported by the LDAP directory server can be specified in this file.
Mapping Unsupported Matching Rules and LDAP Syntaxes
If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them to alternate matching rules and syntaxes that the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.xml file, which defines a list of default substitution matching rules and syntaxes and their alternates.
Substituted syntax                              Alternate syntax
2.5.5.5 (Active Directory IA5 String)           1.3.6.1.4.1.1466.115.121.1.15 (Directory String)
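The two steps above, searching the server for the matching rules and syntaxes it advertises and then substituting a more inclusive one from a map-rules style table when a syntax is missing, as an added worked example. This is illustration code, not the ldapschema utility or any file shipped with LDAP-UX: the subschema text, the substitution tables and the attribute type definition are constructed, and the "UNMAPPED" label used when no substitute exists is an assumed name (only SYNTAX_UNRESOLVED appears in the manual).

```python
"""Added example (not LDAP-UX code): resolve the syntax and matching rule of a
new attribute type against what a server advertises, falling back to a
map-rules style substitution when the server does not support them."""
import re

# Constructed subschema excerpt in the RFC 2252 style that ldapschema reads
# from the server. Modelled on a server that lacks the IA5 String syntax.
SUBSCHEMA = """\
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'INTEGER' )
matchingRules: ( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
matchingRules: ( 2.5.13.14 NAME 'integerMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
"""

# Constructed substitution tables in the spirit of map-rules.xml: an
# unsupported OID maps to a more inclusive one. The AD IA5 String entry
# mirrors the row on the page; the others are assumptions for the example.
SYNTAX_MAP = {
    "2.5.5.5": "1.3.6.1.4.1.1466.115.121.1.15",                      # AD IA5 String -> Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": "1.3.6.1.4.1.1466.115.121.1.15",  # IA5 String -> Directory String
}
RULE_MAP = {
    "1.3.6.1.4.1.1466.109.114.2": "2.5.13.2",  # caseIgnoreIA5Match -> caseIgnoreMatch
}


def parse_subschema(text):
    """Return (set of supported syntax OIDs, dict of rule OID -> rule name)."""
    syntaxes, rules = set(), {}
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        m = re.match(r"\(\s*([\d.]+)", value)
        if not m:
            continue
        oid = m.group(1)
        if attr == "ldapSyntaxes":
            syntaxes.add(oid)
        elif attr == "matchingRules":
            name = re.search(r"NAME\s+'([^']+)'", value)
            rules[oid] = name.group(1) if name else oid
    return syntaxes, rules


def resolve(attr_def, syntaxes, rules):
    """Pick the syntax and equality rule ldapschema would actually install.

    attr_def is a dict with 'name', 'syntax' and optional 'equality' (OIDs).
    Returns a dict with the resolved OIDs (None when unresolvable) and the
    status messages produced along the way.
    """
    name, messages = attr_def["name"], []
    syntax = attr_def["syntax"]
    if syntax not in syntaxes:
        alt = SYNTAX_MAP.get(syntax)
        if alt is None or alt not in syntaxes:
            # Assumed label: neither the syntax nor its substitute is supported.
            messages.append(f"UNMAPPED LDAP syntax {syntax} used in {name} has no supported substitute")
            return {"name": name, "syntax": None, "equality": None, "messages": messages}
        messages.append(
            f"SYNTAX_UNRESOLVED LDAP syntax {syntax} used in the {name} attribute type "
            f"definition is not supported on the LDAP server. LDAP syntax {alt} will be used instead")
        syntax = alt
    rule = attr_def.get("equality")
    if rule is not None and rule not in rules:
        alt = RULE_MAP.get(rule)
        if alt is None or alt not in rules:
            messages.append(f"UNMAPPED matching rule {rule} used in {name} has no supported substitute")
            return {"name": name, "syntax": None, "equality": None, "messages": messages}
        messages.append(f"RULE_UNRESOLVED matching rule {rule} used in {name} mapped to {alt} ({rules[alt]})")
        rule = alt
    return {"name": name, "syntax": syntax, "equality": rule, "messages": messages}


if __name__ == "__main__":
    syn, rul = parse_subschema(SUBSCHEMA)
    # Constructed attribute type: IA5 String with caseIgnoreIA5Match equality.
    result = resolve({"name": "exampleLoginName",
                      "syntax": "1.3.6.1.4.1.1466.115.121.1.26",
                      "equality": "1.3.6.1.4.1.1466.109.114.2"}, syn, rul)
    for msg in result["messages"]:
        print(msg)
    print("installing with syntax", result["syntax"], "equality", result["equality"])
```

The check worth keeping from this: a substitute is only usable if it is itself in the server's subschema, which is why the mapping step looks the alternate up again instead of trusting the table.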
Return Values From ldapschema
The ldapschema tool returns the following values:
0    The operation is successful.
-1   The operation fails.
In addition, ldapschema prints to STDOUT the overall status of the schema being queried or extended. Based on the schema status, any combination of the following messages is displayed. Detailed explanations of each message are given in the square brackets following the message text.
If the SCHEMA_INVALID message is not displayed, the schema definition in the file is valid. It partially exists on the LDAP server schema, and can be extended with any remaining new valid attribute type and object class definitions.] SCHEMA_EXISTS No changes to the LDAP server schema are needed. All attribute types and object classes defined in the file are already part of the LDAP directory server schema.
elements defined in the file cannot be added to the LDAP server schema unless the force flag ("-F" option) is specified. [The SCHEMA_MISMATCH message indicates one or more attribute types or object classes defined in the file are already installed on the LDAP directory server, however, their definitions do not match.
ATTRIB_INVALID Attribute type definition is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the file.] ATTRIB_INVALID Attribute type “ ” has an invalid numericoid. Edit the schema definition file to specify an RFC 2252 compliant value for this attribute type.
attribute types, or if it is used as a mandatory or optional attribute in any object classes. Edit the file to correct this discrepancy. ATTRIB_UNRESOLVED Super-type used in "” attribute type definition is not defined in any LDAP schema. [This message indicates the super-type specified with the tag in the given attribute type definition is undefined. Edit the file to correct the name of the super-type in the attribute type definition.
extend mode, the given attribute type will not be added to the LDAP directory server schema. This message is displayed in verbose mode only.] ATTRIB_MISMATCH ATTRIB_REJECTED Definition of attribute type “” is incompatible with the definition already installed in the LDAP server schema. attribute type “” will not be added to the LDAP server schema because it is already part of the LDAP schema.
definition must be defined either in the LDAP directory server schema or in the file before this object class can be installed.] OBJECT_UNRESOLVED Mandatory attribute used in the object class definition is not defined in any LDAP server schema. [This message indicates the mandatory attribute type specified with the tag in the given object class definition is undefined. Edit the file to correct the name of the mandatory attribute in the object class definition.
RULE_INVALID Matching rule is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the /etc/opt/ldapux/schema/schema-ds_type.xml file, where ds_type corresponds to the same value specified with the -T option on the command line when executing the ldapschema utility.
SYNTAX_UNRESOLVED LDAP syntax "” used in the “” attribute type definition is not supported on the LDAP server. LDAP syntax “” will be used instead. [This message indicates the specified syntax is not supported on the LDAP directory server. However, it was successfully mapped to a higher level (more inclusive) syntax supported by that server, as specified in the /etc/opt/ldapux/schema/map-rules.xml file.
Name Service Migration Scripts This section describes the shell and perl scripts that can migrate your name service data either from source files or NIS maps to your LDAP directory. These scripts are found in /opt/ldapux/migrate. The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your source files or NIS maps, while the perl scripts migrate_passwd.pl, migrate_group.pl, migrate_hosts.pl, and so forth, migrate individual maps. The shell scripts call the perl scripts.
NOTE: The scripts use ldapmodify to add entries to your directory. If you are starting with an empty directory, it may be faster to use ldif2db or ns-slapd ldif2db with the LDIF file. See the Netscape Directory Server Administrator's Guide for details on ldif2db and ns-slapd.
Migrating Individual Files
The migration scripts shown below can be used to migrate the service data (groups, hosts, netgroup, services, protocols, rpc, passwd) individually from each of your source files in /etc to LDIF.
Environment Variables When using the perl scripts to migrate individual files, you need to set the following environment variable: LDAP_BASEDN The base distinguished name where you want to put data in the LDAP directory. For example, the following command sets the base DN to "o=hp.com": export LDAP_BASEDN="o=hp.
export LDAP_BASEDN="o=hp.com"
migrate_hosts.pl /etc/hosts /tmp/host.ldif

dn: cn=hostA.hp.com,ou=Hosts,o=hp.com
objectclass: ipHost
objectclass: device
objectclass: top
ipHostNumber: 10.1.2.5
cn: HostA
cn: HostA.hp.
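The conversion migrate_hosts.pl performs, as an added worked example that is not one of the LDAP-UX migration scripts: it reads /etc/hosts lines, takes the base DN from LDAP_BASEDN as the perl scripts do, and emits ipHost/device/top entries under ou=Hosts in the shape shown above. The /etc/hosts content is constructed. Two things the page's sample output does not show are handled here: RDN values are escaped per RFC 4514 so an odd host name cannot alter the DN structure, and attribute values that are not LDIF SAFE-STRINGs are base64-encoded as RFC 2849 requires, which matters because ldapmodify rejects or silently mangles such lines.

```python
"""Added example (not LDAP-UX code): /etc/hosts to LDIF in the layout
migrate_hosts.pl produces."""
import base64
import os

# Constructed /etc/hosts content for the example.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
10.1.2.5     HostA.hp.com HostA   # workstation
10.1.2.6     hostB.hp.com hostB hostb-alias
"""

DN_SPECIALS = set(',+"\\<>;=')


def dn_escape(value):
    """Escape an RDN attribute value per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def ldif_line(attr, value):
    """One LDIF attribute line; base64 (':: ') when the value is not a SAFE-STRING."""
    safe = (value != "" and value.isascii()
            and value[0] not in ' :<'
            and not any(c in value for c in '\r\n\x00'))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def parse_hosts(text):
    """Yield (address, [names...]) for each non-comment /etc/hosts line."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield fields[0], fields[1:]


def hosts_to_entries(text, basedn):
    """Build ipHost entries; the first name becomes the RDN, every name a cn."""
    entries = []
    for ip, names in parse_hosts(text):
        entries.append({
            "dn": f"cn={dn_escape(names[0])},ou=Hosts,{basedn}",
            "objectclass": ["ipHost", "device", "top"],
            "ipHostNumber": [ip],
            "cn": list(dict.fromkeys(names)),   # de-duplicate, keep order
        })
    return entries


def to_ldif(entries):
    blocks = []
    for e in entries:
        lines = [f"dn: {e['dn']}"]
        for attr in ("objectclass", "ipHostNumber", "cn"):
            lines += [ldif_line(attr, v) for v in e[attr]]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Same environment variable the perl scripts read; default is an assumption.
    basedn = os.environ.get("LDAP_BASEDN", "o=hp.com")
    print(to_ldif(hosts_to_entries(SAMPLE_HOSTS, basedn)))
```

Feed the output to ldapmodify -a (or ldif2db for an empty directory) exactly as the NOTE above describes.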
Unsupported Contributed Tools and Scripts
This section describes contributed tools and scripts which are not officially supported by HP at the present time.
beq Search Tool
The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library.
pw_audid..........(0)
pw_audflg.........(0)
2. An example beq command using user name adm as the search key, pwd (password) as the service, and files as the library is shown below:
./beq -k n -s pwd -l /usr/lib/libnss_files.1 adm
nss_status .............. NSS_SUCCESS
pw_name...........(adm)
pw_passwd.........(*)
pw_uid............(4)
pw_gid............(4)
pw_age............()
pw_comment........()
pw_gecos..........()
pw_dir............(/var/adm)
pw_shell..........(sbin/sh)
pw_audid..........(0)
pw_audflg.
gr_mem (iuser1)
certutil — Certificate Database Tool
You can use the certutil command-line utility to create and modify the Netscape Communicator cert7.db and key3.db database files. This tool can list, generate, modify, or delete certificates within the cert7.db file. For the key3.db file, it can create the key database, change its password, generate new public and private key pairs, display the contents of the key database, or delete key pairs.
7 User Tasks This chapter describes the following tasks your users will need to do: • To Change Passwords (page 177) • To Change Personal Information (page 178) To Change Passwords With LDAP-UX Client Services, users change their password with the passwd(1) command. Depending on how you have PAM configured and depending on where the user's information is, in the directory or in /etc/passwd, users may get prompted for their password twice as PAM looks in the configured locations for the user's information.
Figure 7-2 Changing Passwords on Master Server with ldappasswd
[Figure: passwd(1) and ldappasswd(1) issued from LDAP-UX Clients 1-50 and 51-100 modify the master LDAP directory server, which updates the replica LDAP directory server.]
See ldappasswd (page 137) for details of this command.
Figure 7-3 Sample passwd Command Wrapper
#!/usr/bin/ksh
#
# You can put a default master LDAP server host name
# here. Otherwise the local host is the default.
8 Mozilla LDAP C SDK
This chapter describes the Mozilla LDAP SDK for C and the SDK file components. This chapter contains the following sections:
• Overview (page 179).
• The Mozilla LDAP C SDK File Components (page 179), which briefly describes many of the files that comprise the LDAP C SDK.
Overview
LDAP-UX Client Services provides support for the Mozilla LDAP C SDK 5.17.1.
Table 8-1 Mozilla LDAP C SDK File Components on the PA machine (continued)
Files                                        Description
/usr/include/*                               Include files from LDAP C SDK
/opt/ldapux/contrib/bin/certutil             Unsupported command tool that creates and modifies the certificate database files, cert8.db and key3.db.
/opt/ldapux/contrib/ldapsdk/examples         Unsupported Netscape LDAP C SDK examples.
/opt/ldapux/contrib/ldapsdk/source.tar.gz    Mozilla LDAP C SDK source (for license compliance).
Table 8-2 Mozilla LDAP C SDK File Components on the IA machine
Files                                                Description
/usr/lib/hpux32/libldap.so (32-bit)                  Main LDAP C SDK API libraries that link to the /opt/ldapux/lib libraries.
/usr/lib/hpux64/libldap.so (64-bit)
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit)          LDAP C SDK dependency libraries.
/opt/ldapux/lib/hpux32/libnss3.so (32-bit)
/opt/ldapux/lib/hpux32/libplc4.so (32-bit)
/opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit)
/opt/ldapux/lib/hpux32/libssl3.
Table 8-3 Mozilla LDAP C SDK API Header Files
Header Files                      Description
/usr/include/ldap.h               Main LDAP functions, structures and defines.
/usr/include/ldap-extension.h     Support for LDAP v3 extended operations, controls and other server specific features. This file must be included in source code that uses LDAP v3 extended operations or controls.
/usr/include/ldap_ssl.h           Support for creation of SSL connections. This file must be included in source code that requires SSL connections.
A Configuration Worksheet Use this worksheet to help you configure LDAP-UX Client Services. See Installing And Configuring LDAP-UX Client Services (page 21) for details.
B LDAP-UX Client Services Object Classes
This Appendix describes the object classes LDAP-UX Client Services uses for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:
1. posixDUAProfile
2. posixNamingProfile
With release B.03.00, the posixDUAProfile and posixNamingProfile object classes have been replaced by a single STRUCTURAL object class, DUAConfigProfile. In addition, four new attributes are added.
NOTE: The userPassword attribute is mapped to *NULL* so that password hashes are never returned to the client, which both limits exposure of the hashes and prevents PAM_UNIX from authenticating directory users locally against them (authentication should go through PAM_LDAP and the directory instead). Mapping an attribute to *NULL* or to any other nonexistent attribute means that nothing is returned for it.
typically the object class. Each service can have up to three custom search descriptors. For example, the following defines a search descriptor for the passwd service specifying a baseDN of ou=people,ou=unix,o=hp.com, a search scope of sub, and a search filter of the posixAccount object class. passwd:ou=people,ou=unix,o=hp.
C Sample /etc/pam.ldap.trusted file
This Appendix provides the sample PAM configuration file, /etc/pam.ldap.trusted, used as the /etc/pam.conf file to support the coexistence of LDAP-UX and Trusted Mode. The /etc/pam.ldap.trusted file must be used as the /etc/pam.conf file if your directory server is the Netscape/Red Hat Directory Server and your LDAP client is in Trusted Mode. If your system is in standard mode, you still need to use the /etc/pam.ldap file as the /etc/pam.conf file.
[Sample file body. The columns of the original listing are scrambled in this copy; what survives is the structure: for each service (login, su, passwd, dtlogin, dtaction, ftp, rcomds, sshd and the OTHER catch-all) there is an authentication, account management, session management and password management stack, each built from libpam_hpsec.so.1 (required), libpam_ldap.so.1 (sufficient) and libpam_unix.so.1 (required), with try_first_pass following libpam_unix.so.1 in the password stacks.]
D Sample /etc/pam.conf File for Security Policy Enforcement This Appendix provides the sample PAM configuration file, /etc/pam.conf file to support account and password policy enforcement for Secure Shell (SSH) key-pair or r-commands. In the /etc/pam.conf file, the pam_authz library must be configured for the sshd and rcommds services under account management role. The following is a sample PAM configuration file, /etc/pam.conf, used on the HP-UX 11i v1 system: # # PAM configuration # # This pam.
[Sample file body. The columns of the original listing are scrambled in this copy; what survives is the structure: authentication, account management, session management and password management stacks for login, su, passwd, dtlogin, dtaction, ftp, rcomds, sshd and the OTHER catch-all, built from libpam_ldap.so.1 (sufficient, with try_first_pass) and libpam_unix.so.1 (required); the sshd and rcomds account stacks carry an additional required entry for the pam_authz library.]
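A checker for the two sample files in Appendices C and D, as an added example that is not part of the manual or of LDAP-UX. It parses the HP-UX pam.conf format (service, module type, control flag, module path, optional arguments) and verifies three things the text above calls for: that the sshd and rcomds account stacks include the pam_authz library (Appendix D), that OTHER provides a catch-all for every module type, and that a required libpam_unix entry following a sufficient libpam_ldap entry carries try_first_pass, since without it users are prompted twice (Chapter 7). The pam.conf content is constructed from the patterns visible on the page, and the module file name libpam_authz.so.1 is an assumption; the check only looks for the substring pam_authz.

```python
"""Added example (not LDAP-UX code): lint an HP-UX style /etc/pam.conf."""
from collections import defaultdict

# Constructed sample built from the stack patterns shown in Appendices C and D.
# Deliberately leaves out pam_authz for rcomds and try_first_pass for passwd.
SAMPLE_PAM_CONF = """\
# constructed sample
login   auth     required   libpam_hpsec.so.1
login   auth     sufficient libpam_ldap.so.1
login   auth     required   libpam_unix.so.1 try_first_pass
sshd    auth     required   libpam_hpsec.so.1
sshd    auth     sufficient libpam_ldap.so.1
sshd    auth     required   libpam_unix.so.1 try_first_pass
OTHER   auth     sufficient libpam_ldap.so.1
OTHER   auth     required   libpam_unix.so.1 try_first_pass
sshd    account  required   libpam_hpsec.so.1
sshd    account  required   libpam_authz.so.1
sshd    account  sufficient libpam_ldap.so.1
sshd    account  required   libpam_unix.so.1
rcomds  account  required   libpam_hpsec.so.1
rcomds  account  sufficient libpam_ldap.so.1
rcomds  account  required   libpam_unix.so.1
OTHER   account  sufficient libpam_ldap.so.1
OTHER   account  required   libpam_unix.so.1
OTHER   session  required   libpam_unix.so.1
passwd  password required   libpam_hpsec.so.1
passwd  password sufficient libpam_ldap.so.1
passwd  password required   libpam_unix.so.1
OTHER   password sufficient libpam_ldap.so.1
OTHER   password required   libpam_unix.so.1 try_first_pass
"""

MODULE_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, args), ...]} in file order."""
    stacks = defaultdict(list)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {n}: expected 'service type control module [args]'")
        service, mtype, control, module, *args = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {n}: unknown module type {mtype}")
        stacks[(service, mtype)].append((control.lower(), module, args))
    return stacks


def check_pam_conf(stacks):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    # 1. Appendix D: policy enforcement for key-pair SSH and r-commands
    #    needs pam_authz in the sshd and rcomds account stacks.
    for svc in ("sshd", "rcomds"):
        modules = [m for _, m, _ in stacks.get((svc, "account"), [])]
        if not any("pam_authz" in m for m in modules):
            findings.append(f"{svc} account: pam_authz not configured")
    # 2. Every module type needs an OTHER catch-all, or unlisted services
    #    get no stack at all.
    for mtype in MODULE_TYPES:
        if ("OTHER", mtype) not in stacks:
            findings.append(f"OTHER {mtype}: no catch-all stack")
    # 3. Chapter 7: when libpam_ldap (sufficient) fails, a following
    #    libpam_unix entry prompts again unless it has try_first_pass.
    for (svc, mtype), entries in stacks.items():
        if mtype not in ("auth", "password"):
            continue
        seen_ldap = False
        for control, module, args in entries:
            if "pam_ldap" in module and control == "sufficient":
                seen_ldap = True
            elif seen_ldap and "pam_unix" in module and "try_first_pass" not in args:
                findings.append(f"{svc} {mtype}: libpam_unix after libpam_ldap without try_first_pass")
    return findings


if __name__ == "__main__":
    for finding in check_pam_conf(parse_pam_conf(SAMPLE_PAM_CONF)):
        print("FINDING:", finding)
```

Run it against the real /etc/pam.conf by reading the file into parse_pam_conf; the two findings it reports for the constructed sample are exactly the omissions the sample was built with.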
Glossary
See also the Glossary in the Netscape Directory Server for HP-UX Administrator's Guide available at http://docs.hp.com/hpux/internet.
Access Control Instruction A specification controlling access to entries in a directory.
Access Control List One or more ACIs.
ACI See Access Control Instruction.
Configuration profile An entry in an LDAP directory containing information common to many clients, that allows clients to access user, group and other information in the directory.
ypldapd The NIS/LDAP Gateway daemon, part of the NIS/LDAP Gateway subproduct. ypldapd replaces the NIS ypserv daemon by accepting NIS client requests and getting the requested information from an LDAP directory rather than from NIS maps. See Installing and Administering NIS/LDAP Gateway at http://docs.hp.
Index
Symbols
/etc/group, 23, 29
/etc/nsswitch.conf, 27, 33
/etc/nsswitch.ldap, 27, 127
/etc/pam.conf, 33
/etc/pam.
H
homedirectory, 29, 126
O
o=hp.
S
schema, posix, RFC 2307, 23, 29, 34, 197
search time limit, 39
searchTimeLimit, 186
serviceSearchDescriptor, 186
setup program, 22, 34, 117, 127, 180, 181, 182
slapd-v3.nis.conf, 29
SSH, 100, 110
start-up file ldapux_client.
W
worksheet, configuration, 21, 183