LDAP-UX Client Services B.04.
© Copyright 2007 Hewlett-Packard Development Company, LP Legal Notice Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. © 2003 Hewlett-Packard Development Company, L.P.
Preface

About This Document

This document describes the installation and administration tasks of LDAP-UX Client Services with Microsoft Windows 2000, 2003 or 2003 R2 Active Directory.

Intended Audience

This document is intended for system and network administrators responsible for installing, configuring, and managing LDAP-UX Client Services with Microsoft Windows 2000, 2003 or 2003 R2 Active Directory Server.
Table 1 Publishing History Details (continued)

Document Manufacturing Part Number | Operating Systems Supported | Supported Product Versions | Publication Date
J4269-90049 | 11i v1 and v2 | B.04.00 | July 2005
J4269-90064 | 11i v1 and v2 | B.04.10 | December 2006
J4269-90074 | 11i v1, v2 and v3 | B.04.10 | April 2007

What's in This Document

LDAP-UX Client Services B.04.
Variable   The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
[ ]        The contents are optional in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
{ }        The contents are required in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
...        The preceding element may be repeated an arbitrary number of times.
|          Separates the items of a list inside [ ] or { }, of which you must choose one.
1 Introduction

LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. This LDAP directory can reside on an HP-UX system, such as Netscape Directory Server 6.x and Red Hat Directory Server 7.0/7.1, or the account information can be integrated into Microsoft Windows 2000, 2003 or 2003 R2 Active Directory.
[Figure 1-2 A Simplified LDAP-UX Client Services Environment: two Active Directory domain controllers that replicate to each other, each answering LDAP requests from LDAP-UX clients]

LDAP-UX Client Services for Microsoft Windows 2000, 2003 or 2003 R2 Active Directory supports the passwd and group name service data. Refer to the LDAP-UX Integration B.04.10 Release Notes for any additional supported services.
[Figure 1-3 HP-UX Client Login Sequence with Windows 2000 (SFU 2.0): on the HP-UX client, Login goes through the PAM Library and PAM Kerberos, and the NSS Engine through NSS_LDAP; on the Windows 2000 Server, Kerberos Services and Active Directory answer. The example directory entry shows msSFUName: bobj, cn: Bob Jolly, msSFUHomeDirectory: /home/bobj, uidnumber: 208, gidnumber: 20, loginshell: /usr/bin/ksh]

With LDAP-UX Client Services, HP-UX commands and subsystems can transparently access name service information from the Active Directory through PAM and NSS.
1 nsquery(1) is a contributed tool included with the ONC/NFS product.
2 These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.

After you install and configure the Active Directory and migrate your name service data into it, HP-UX client systems locate the directory from a start-up file. The start-up file tells the client system how to download a configuration profile from the Active Directory.
2 Installing LDAP-UX Client Services

This section describes the decisions you need to make and the steps to install and configure LDAP-UX Client Services.
7. Run the setup program to configure LDAP-UX Client Services on a client system. Setup does the following for you:
   • Extends your Active Directory schema with the configuration profile schema, if not already done.
   • Creates a start-up file on the client. This enables each client to download the configuration profile.
   • Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients.
The specific number of domain controllers necessary in your network depends on the network size and configuration. A minimum of two Active Directory domain controllers is recommended for each domain. For more information, refer to the Active Directory documentation, or to http://www.microsoft.com/Windows2000 and http://windowsupdate.microsoft.com.
For information about importing information into the directory, refer to “Importing Name Service Data into Your Directory” (page 35). For information on migration scripts, refer to “Command, Tool, Schema Extension Utility, and Migration Script Reference” (page 145). CAUTION: If a root login is placed in the Active Directory, that user and password will be able to log in as root to any client using LDAP-UX Client Services.
[Figure 2-2 Example Directory Structure for Multiple Domains: the root domain DC=cup,DC=hp,DC=com holds CN=Configuration (profile data) and CN=Users (user data, group data); each child domain under DC=cup,DC=hp,DC=com holds its own CN=Users with user data and group data]

NOTE: By default, the CN=configuration, DC=cup, DC=hp, DC=com configuration container only exists in the root domain.
• What authentication method will you use when you choose to enable TLS? You have a choice between SIMPLE (the default), or SASL GSSAPI with TLS. LDAP-UX Client Services includes support for the SASL Generic Security Services Application Programming Interface (GSSAPI) authentication method using Kerberos v5. Currently, Kerberos v5 is the only security mechanism that is implemented to work with GSSAPI.
with LDAP-UX Client Services B.04.00, pam_authz has been enhanced to allow system administrators to configure and customize their local access rules in a local policy file, /etc/opt/ldapux/pam_authz.policy. pam_authz uses these access control rules defined in the local policy file to control the login authorization. Because pam_authz doesn't provide authentication, it doesn't verify if a user account exists. If the /etc/opt/ldapux/pam_authz.
Installing LDAP-UX Client Services on a Client

These are the major steps required to install LDAP-UX Client Services on a client:
1. Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproducts, on a client system. See the LDAP-UX Integration Release Notes for any last-minute changes to this procedure. You don't need to reboot your system after installing the product.

NOTE: For LDAP-UX Client Services B.03.
The Active Directory must be installed separately after the Windows 2003 Server installation has been completed on your computer. Use the following steps to install the Active Directory Server on Windows 2003:
1. When the Preliminary Steps screen is displayed, select Configure Your Server Wizard.
2. When the Server Role screen is displayed, select Domain Controller (Active Directory), then click the Next button.
3. Install any additional Administrative tools required for you to manage Active Directory.
CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com

CAUTION: Make sure the proxy user is a member of the Domain Users group, which allows read access only, and not the Administrator group, to protect Active Directory entries from malicious modifications. A proxy user's access rights to objects in an Active Directory depend on the default permissions Active Directory was configured with during installation.
You are prompted to select permissions. Select Property-specific and the following permissions:
   ◦ Read msSFU30GidNumber
   ◦ Read msSFU30MemberUid
   ◦ Read msSFU30Name
then click Next.
For R2's RFC2307: You are prompted to select permissions. Select Property-specific and the following permissions:
   ◦ Read gidNumber
   ◦ Read memberUid
then click Next.
10. You are given the screen which confirms your configuration; click Finish if everything is correct, otherwise click Back to change it.
11.
The proxy user needs to have access rights to read passwd and group information in multiple domains.

Step 4: Add an HP-UX Client Machine Account to Active Directory

Use the Active Directory Users and Computers tool to create a user account for your HP-UX host.
• If you are using ADS multiple domains: add a host account for the HP-UX client machine to every domain you want to access.
Importing Name Service Data into Your Directory

The next step is to import your user, group, and other services data into your Active Directory. When planning to import your data, consider the following:
• If you have already imported data into your Active Directory with the SFU 2.0 Server for NIS migration tool, LDAP-UX Client Services can use that data and you can skip to “Configuring LDAP-UX Client Services” (page 36).
Configuring LDAP-UX Client Services To configure the LDAP-UX Client Services, complete the steps in this section. If you attempt to enable SSL or TLS support with LDAP-UX, you must configure the LDAP directory server to support SSL or TLS and install the security database (cert7.db or cert8.db and key3.db) on your client before you run the setup program. For SSL or TLS setup details, refer to “Configuring the LDAP-UX Client Services with SSL or TLS Support” (page 49).
The setup program asks you a series of questions and usually provides default answers. Press the Enter key to accept the default, or change the value and press the Enter key. At any point during setup, press the Control-b keys to return to the previous screen or press the Control-c keys to exit setup.
2. Choose Windows 2000, 2003 or 2003 R2 as your LDAP directory server (option 2).
12. Next, it will prompt you to select the authentication method for users to bind/authenticate to the server. You need to choose the authentication method from one of the following prompts, based on your selection in step 11:
   • If you chose not to enable TLS, you have a choice between SIMPLE (the default) or SASL GSSAPI. If you chose to enable TLS, you have a choice between SIMPLE with TLS (the default) or SASL GSSAPI with TLS. Skip to step 13.
22. Enter the Profile Time To Live (TTL) value. This value defines the time interval between automatic downloads (refreshes) of new configuration profiles from the directory. Automatic refreshing ensures that the client is always configured using the newest configuration profile. If you want to disable automatic refresh or manually control when the refresh occurs, enter a value of 0. Refer to “Downloading the Profile Periodically” (page 55).
23.
NOTE: The default search base DN for all requests will be set to the previously specified default search base DN (specified in step 12), usually the domain root. For very large databases, search performance can be greatly increased by specifying custom search descriptors. For example, to search user and group information, set the search base DN for the user and group services to CN=Users, DC=cup, DC=hp, DC=com.
Search filter [(objectclass=printerlpr)]: (objectclass=printQueue)
25. Enter Yes to the question "Are you ready to create the Profile Entry?", then press any key to continue.
26. At this point, you will choose whether or not to configure for Multiple Domains.
Remapping Attributes for Services This section describes detailed procedures on how to perform attribute mappings for dynamic group, LDAP printer configurator and X.500 group membership services. Attribute Mappings for LDAP Printer Configurator Support The default printer attributes, printer-name and printer-uri, are not defined in the Windows Active Directory Server. You need to define the alternate printer attributes and map them to printer-name and printer-uri respectively.
You type 0 to exit this menu for the following question:
Specify the attribute you want to map. [0]: 0

Attribute Mappings for Dynamic Group Support

To enable dynamic group support, you must remap the default group member attribute, memberuid, to msDS-AzLDAPQuery (for Windows Active Directory Server). For detailed information about dynamic group support, see “Dynamic Group Support” (page 81).
1. Type yes for the following question:
   Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes
2. Select the group service by entering 3 for the following question and press the return key:
   Specify the service you want to map? [0]: 3
3. Enter 3 for the following question and press the return key:
   Specify the attribute you want to map? [0]: 3
4. Enter the attributes you want to map to the member attribute:
   [memberuid]: member

NOTE: LDAP-UX supports DN-based (X.
Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos

1. Create /etc/krb5.conf, the Kerberos configuration file, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the log file names. The Kerberos client depends on this configuration to locate the realm's KDC. The following is an example of /etc/krb5.conf for the realm CUP.HP.COM, with the machine myhost.cup.hp.com as the KDC:
   default_realm = CUP.HP.
NOTE: The keytab file should only be readable by the root user.
5. Synchronize the HP-UX clock to the Windows 2000 or 2003 clock. These must be synchronized within two minutes. You can run Network Time Synchronizer to synchronize both clocks. If the tool is not available, you can manually synchronize them by setting "Date/Time Properties" on Windows 2000 or 2003 and running /etc/set_parms date_time on HP-UX.
6. Configure /etc/pam.
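The two requirements above (a root-only keytab and a clock within two minutes of the domain controller) are easy to verify before the first login attempt. The following pre-flight check is an added example and not part of LDAP-UX; it assumes the keytab lives at /etc/krb5.keytab (the text says only "the keytab file") and takes the domain controller's time as an input value rather than querying it.

```python
"""Pre-flight checks for the PAM Kerberos setup: keytab permissions and
clock skew. Added example, not LDAP-UX code. /etc/krb5.keytab is an
assumed path; the DC time is passed in rather than fetched."""
import os
import stat
import tempfile
import time

MAX_SKEW_SECONDS = 120          # "synchronized within two minutes"
DEFAULT_KEYTAB = "/etc/krb5.keytab"   # assumption, see lead-in


def file_owner_uid(path):
    """Numeric owner of a file (helper so callers need not import os)."""
    return os.stat(path).st_uid


def keytab_is_private(path, required_uid=0):
    """True when the keytab is a regular file owned by required_uid (root by
    default) with no group or other permission bits, e.g. mode 0400/0600."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != required_uid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def clock_skew_ok(client_epoch, dc_epoch, max_skew=MAX_SKEW_SECONDS):
    """Kerberos rejects tickets when the clocks differ by more than max_skew."""
    return abs(client_epoch - dc_epoch) <= max_skew


def check_kerberos_prereqs(keytab_path=DEFAULT_KEYTAB, dc_epoch=None,
                           client_epoch=None, required_uid=0):
    """Return check name -> bool so a caller can report each failure."""
    client_epoch = time.time() if client_epoch is None else client_epoch
    dc_epoch = client_epoch if dc_epoch is None else dc_epoch
    results = {"keytab_exists": os.path.isfile(keytab_path)}
    results["keytab_private"] = (results["keytab_exists"]
                                 and keytab_is_private(keytab_path, required_uid))
    results["clock_skew_ok"] = clock_skew_ok(client_epoch, dc_epoch)
    return results


def make_test_keytab(mode):
    """Create an empty keytab stand-in with the given mode in a fresh temp
    directory, so the checks can be exercised without root (constructed)."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "krb5.keytab")
    open(path, "wb").close()
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Demo on a constructed keytab; on a real client call
    # check_kerberos_prereqs("/etc/krb5.keytab", dc_epoch=<DC time>).
    demo = make_test_keytab(0o640)   # too permissive: group can read it
    print(check_kerberos_prereqs(demo, dc_epoch=time.time() + 300,
                                 required_uid=file_owner_uid(demo)))
```

A failed keytab_private check usually means the file was copied with a loose umask; a failed clock_skew_ok check shows up at login as a generic Kerberos preauthentication error, which is why it is worth testing separately.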
1. Use the nsquery(1) command to test the name service:
   nsquery lookup_type lookup_query [lookup_policy]
   For example, to test the name service switch to resolve a username lookup, enter:
   nsquery passwd username ldap
   where username is the login name of a valid user whose POSIX account information is in the directory. You should see output something like the following, depending on how you have configured /etc/nsswitch.conf:
   Using "ldap" for the passwd policy.
Refer to "beq Search Tool" in “Command, Tool, Schema Extension Utility, and Migration Script Reference” (page 145) for command syntax and examples.
5. Log in to the client system from another system using rlogin or telnet. Log in as a user in the directory and as a user in /etc/passwd to make sure both work.
6. Optionally, test your pam_authz authorization configuration. If pam_authz is configured without the pam_authz.policy file, verify the following:
   a.
   b.
1. Use swinstall to install LDAP-UX Client Services on the client system. This requires rebooting the client system.
2. Copy the following files from a configured client to the client being configured:
   • /etc/opt/ldapux/ldapux_client.conf
   • /etc/opt/ldapux/pcred (only if you have configured a proxy user, not if you are using only anonymous access)
   • /etc/pam.conf
   • /etc/nsswitch.conf
   • cert7.db or cert8.db and key3.
3.
The LDAP-UX Client Services supports Microsoft Windows 2003 or 2003 R2 Active Directory Server (ADS), Netscape Directory Server (NDS) 6.x and Red Hat Directory Server 7.0/7.1 over TLS.

Configuration Parameters

LDAP-UX Client Services provides the following parameter in the /etc/opt/ldapux/ldapux_client.conf file to support TLS.
enable_starttls   This integer variable controls whether the TLS feature is enabled or disabled. The valid values of this parameter are 1 and 0.
7. Click the Next button in the window box which prompts that a CA certifies the identity of . By accepting the CA, you will allow Netscape Communicator to connect to and receive information from any site that it certifies without prompting you or warning you.
8. Click the Next button in the window box which prompts that here is the certificate for this CA. Examine it carefully. The Certificate Fingerprint can be used to verify that this authority is who they say they are.
-r--------   1 root   sys   65536 Jun 14 16:27 /etc/opt/ldapux/cert8.db
-r--------   1 root   sys   32768 Jun 14 16:27 /etc/opt/ldapux/key3.db

NOTE: For the multiple domain environment, you just need to download the certificate database files, cert7.db or cert8.db and key3.db, from one domain; no additional action is required.

NOTE: You may use the unsupported /opt/ldapux/contrib/bin/certutil command line tool to create the certificate database files, cert8.db and key3.db.
NOTE: The -t "C,," represents the minimum trust attributes that may be assigned to the CA certificate for LDAP-UX to successfully use SSL or TLS to connect to the LDAP directory server. If you have other applications that use the CA certificate for other functions, then you may wish to assign additional trust flags. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
If you want to configure the CNCERT validation level with the peer_cert_policy parameter, you must manually execute the following configuration steps:
1. Update the preferredserverlist setting in the profile to contain the host name of the LDAP server such that it matches the host name specified in the LDAP server’s certificate. See the “Modifying preferredServerList in the LDAP-UX Profile” section for details.
2.
Downloading the Profile Periodically The product setup program, /opt/ldapux/setup, allows you to define a time interval after which the current profiles are being automatically refreshed. The start time for this periodic refresh is defined by the time the setup program was run and the value defined for ProfileTTL. Therefore, it does not allow you to define a specific time of day when the profiles should be downloaded (refreshed). NOTE: Starting with the B.03.
3 Active Directory Multiple Domains

This chapter contains information specific to multiple domains. If you do not store user and group information in multiple domains, you can skip this chapter. The following topics are included in this chapter:
• “Domain Term Definitions” (page 57)
• “Retrieving Data from a Remote Domain” (page 57)
• “Downloading an Automatic Profile” (page 58)
• “Understanding the ldapux_client.
a remote domain sequence. When LDAP-UX does not find data in the local domain, all remote domains are searched in the specified order until the data is found.
• GCS: This method allows you to configure LDAP-UX to search the GCS first. If you are not sure in which domains the data resides, you can configure LDAP-UX to search the GCS first to determine in which domain the requested data resides, then connect to that specific domain controller to retrieve complete POSIX information.
the server. In the B.03.
PROFILE_ENTRY_DN="cn=globalprofile,CN=Configuration,DC=la,DC=ca,DC=com"
PROGRAM="/opt/ldapux/config/create_profile_cache -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.gc -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.gc"

The contents of this file are created as you run the setup tool.
Assume the user account jimmy resides in domainA, domainB, and domainC simultaneously:
• If domainA is the local domain, jimmy in domainA will log into the HP-UX client.
• If all three domains are remote domains, and are configured in the sequence domainB, domainC, domainA, then jimmy in domainB, the first domain in the configuration, will log into the HP-UX client.
Removing the GCS from the Search Scope To remove the GCS from the search scope, either run setup to re-configure, or manually edit /etc/opt/ldapux/ldapux_client.conf to remove the gc section, its corresponding profiles (/etc/opt/ldapux/domain_profiles/ldapux_profile.bin.gc and ldapux_profile.ldif.gc), and all entries to the end of the file. Restart the client daemon for the change to take effect.
• The following name service databases are supported in a single domain:
   — hosts
   — protocols
   — networks
   — rpc
   — services
• Data enumeration is not supported with ADS multiple domains. The getXXent() APIs only enumerate data located in the local domain.

Limitations of Multiple Domains in Version B.03.
4 LDAP-UX Client Services with AutoFS Support

This chapter contains information describing how LDAP-UX supports the automount service, how to set up the automount schema, and how to configure the automount service to use this functionality. This chapter contains the following sections:
• Overview
• Automount Schemas
• Configuring Automount Caches
• AutoFS Migration Scripts

Overview

AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them.
  DESC 'Automount' SUP top STRUCTURAL
  MUST ( automountKey $ automountInformation $ cn )
  MAY description
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automountMapName'
  EQUALITY caseExactIA5Match SYNTAX 2.5.5.5 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'AutomountKey'
  EQUALITY caseExactIA5Match SYNTAX 2.5.5.5 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.
Configuring Name Service Switch Configure the Name Service Switch (NSS) to enable the LDAP support for AutoFS. You can save a copy of /etc/nsswitch.conf file and modify the original to add LDAP support to the automount service. See /etc/nsswitch.ldap for a sample. The following shows the sample file, /etc/nsswitch.
AutoFS Migration Scripts This section describes the migration scripts which can be used to migrate your AutoFS maps from files to LDIF files. After LDIF files are created, you can use the ldapmodify tool to import LDIF files to your LDAP directory server. These migration scripts use the new automount schema defined in RFC 2307-bis to migrate the AutoFS maps to LDIF. You need to import the new automount schema into your LDAP directory server before you use these migration scripts to migrate AutoFS maps.
General Syntax For Migration Scripts

The migration scripts use the following general syntax:
   scriptname inputfile outputfile
where
   scriptname    Is the name of the particular script you are using.
   inputfile     Is the fully qualified file name of the appropriate AutoFS map that you want to migrate. For example, /etc/auto_master.
   outputfile    This is optional and is the name of the file where the LDIF is written. stdout is the default output.

The migrate_automount_ads.
the following command imports the /tmp/auto_direct.ldif file to the LDAP base DN "dc=nishpind" in the LDAP directory server LDAPSERV1:
   /opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" \
      -w -f /tmp/auto_direct.
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_indirect.ldif that you just created above into the LDAP directory. For example, the following command imports the /tmp/auto_indirect.ldif file to the LDAP base DN "dc=nisserv1" in the LDAP directory server LDAPSERV1:
   /opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" \
      -w -f /tmp/auto_indirect.
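To make the map-to-LDIF step concrete, here is an added example that converts an AutoFS map into LDIF suitable for the ldapmodify -a commands above. It is not one of the LDAP-UX migrate_automount_* scripts; it follows the attribute layout of the schema listing in this chapter (automountMapName on the map entry; automountKey, automountInformation and cn on each mount entry), and the base DN and the sample map contents are constructed.

```python
"""AutoFS map -> LDIF for the chapter's automount schema.
Added example, not LDAP-UX code; base DN and sample map are constructed."""
import base64

SAMPLE_AUTO_MASTER = """\
# constructed sample of /etc/auto_master (not from the manual)
/net    -hosts   -nosuid,soft
/home   auto_home
+auto_master
"""

DN_SPECIALS = ',+"\\<>;='


def escape_dn_value(value):
    """Escape an RDN value per RFC 4514: special characters, a leading '#'
    and leading or trailing spaces get a backslash."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in DN_SPECIALS or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, last)))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def ldif_attr(name, value):
    """'name: value', or base64 'name:: ...' when the value is not an LDIF
    SAFE-STRING (non-ASCII, leading space/colon/'<', control characters)."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\r\n\0"))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"


def parse_automount_map(text):
    """(key, information) pairs from an AutoFS map. Comments, blank lines and
    '+map' include lines are skipped; whitespace after the key is normalised
    so the map name plus mount options form one automountInformation value."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed automount entry: {raw!r}")
        entries.append((parts[0], " ".join(parts[1].split())))
    return entries


def automount_map_to_ldif(map_name, text, base_dn):
    """One automountMap entry followed by one automount entry per map line."""
    map_dn = f"automountMapName={escape_dn_value(map_name)},{base_dn}"
    lines = [f"dn: {map_dn}", "objectClass: top", "objectClass: automountMap",
             ldif_attr("automountMapName", map_name), ""]
    for key, info in parse_automount_map(text):
        lines += [f"dn: automountKey={escape_dn_value(key)},{map_dn}",
                  "objectClass: top", "objectClass: automount",
                  ldif_attr("cn", key),   # cn is MUST in the schema shown above
                  ldif_attr("automountKey", key),
                  ldif_attr("automountInformation", info), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # dc=example,dc=com is a hypothetical base DN; feed the output to
    # /opt/ldapux/bin/ldapmodify -a as in the commands above.
    print(automount_map_to_ldif("auto_master", SAMPLE_AUTO_MASTER, "dc=example,dc=com"))
```

The DN escaping and base64 fallback matter more than they look: a map key or mount option containing a comma, a leading space or a non-ASCII character would otherwise produce LDIF that ldapmodify rejects or, worse, imports under a different DN than intended.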
5 LDAP Printer Configurator Support

This chapter contains information describing how LDAP-UX supports the printer configurator, and how to configure the printer configurator to control its behavior. This chapter contains the following sections:
• Overview (page 73)
• How the LDAP Printer Configurator works (page 74)
• Printer Configuration Parameters (page 76)
• Printer Schema and Attributes (page 76)
• Managing the LP printer configuration (page 78)
• Limitations of Printer Configurator (page 79)
How the LDAP Printer Configurator works

The Printer Configurator is a service daemon which provides the following functions:
• Periodically searches the existing printer entries stored in the LDAP Directory Server
• Compares the search result with the master printer record file on each scheduled ldapsearch
• Adds the print configuration to the client system for each new printer
• Deletes the printer from the client system for each removed printer
• Updates the master printer record file

When ldapclientd is initialize
Printer Configurator Architecture Figure 5–1 shows printer configurator architecture. As an example, this figure uses the alternate printer attributes, printerbyname and printer-resource. The printerbyname attribute specifies the local printer name. The printer-resource attribute provides the remote host name and remote printer name.
Printer Configuration Parameters

The LDAP-UX Client Services provides four printer configuration parameters, start, search_interval, max_printers and lpadmin_option, available for you to customize and control the behavior of the printer configurator. These parameters are defined in the ldapclientd.conf file. See the “ldapclientd.conf Configuration File” section in Chapter 7 (page 91) for details.
Using the Existing Printer Attributes You can use the existing printer attributes provided by Windows ADS schema to define alternate printer attributes which can be remapped to printer-name and printer-uri respectively. For example, the existing printer attributes, printerbinname and printer-color, are defined and mapped to printer-name and printer-uri respectively as shown in Table 5–2.
Managing the LP printer configuration The LDAP-UX Client Services provide the printer configurator integration; the product daemon automatically updates the remote LP printer configuration of a client system based on the available printer objects in the ADS Directory Server. The printer configurator provides the printer configuration management; it verifies if the printer configuration has any conflict with the LP printer configurations in the client system before it actually adds or deletes a printer.
Example 4: The remote LP printer, laser2, no longer supports the LPD printing protocol; the IPP printing protocol is implemented instead. The administrator updated the printer object by changing the printing protocol to IPP. The following shows the updated printer object in the directory server:
   dn: printer-name=laser2,ou=printers,dc=hp,dc=com
   printerbyname: laser2
   printer-resource: ipp://hostC.hp.
6 Dynamic Group Support This chapter contains information about how LDAP-UX Client Services supports dynamic groups, how to set up dynamic groups, and how to enable or disable dynamic group caches.
1. Use Authorization Manager to create dynamic groups. See the “Step 1: Creating a Dynamic Group (LDAP Query Group)” section for details.
2. Use ADSI Edit to add the POSIX group ID to the dynamic group entry created in step 1. See the “Step 2: Add POSIX Attributes to a Dynamic Group” section for details.
3. Configure the proxy user with read permissions to search dynamic groups in Windows ADS. See the “Step 3: Setting Read Permissions for the Proxy User” section for details.
description: my dynamic group
distinguishedName: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,DC=hp,DC=com
instanceType: 4
whenCreated: 20060313181428.0Z
whenChanged: 20060313182629.
Step 3: Setting Read Permissions for the Proxy User The LDAP query groups (dynamic groups) created by Authorization Manager are not placed under the CN=Users container. Authorization Manager creates its own authorization store objects (for example, CN=dyngroup). By default, a regular user is not allowed to read LDAP entries under those authorization store objects.
LDAP-UX retrieves group members and processes groups that a specific user belongs to by looking into all configured attributes. An LDAP query group specifies dynamic members using a search filter. LDAP-UX uses the search base and search scope of the passwd service from the profile, and combines the search filter of the passwd service from the profile with the search filter specified by msDS-AzLDAPQuery to retrieve group members.
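The filter combination described above, as an added example that is not LDAP-UX code: the passwd service's search filter from the profile is ANDed with the group's msDS-AzLDAPQuery filter, and the result is evaluated over user entries. The small evaluator handles the RFC 4515 subset needed here (&, |, !, equality, presence and '*' substrings); the sample entries, the filters and the use of uid as the naming attribute are constructed assumptions.

```python
"""Dynamic group members = entries matching (&(profile passwd filter)(msDS-AzLDAPQuery)).
Added example, not LDAP-UX code; entries and filters are constructed."""
import re


def combine_filters(profile_filter, group_query):
    """AND the profile's passwd filter with the group's msDS-AzLDAPQuery."""
    return f"(&{profile_filter}{group_query})"


class FilterParser:
    """Recursive-descent parser: '(&(a=1)(b=x*))' -> nested tuples."""

    def __init__(self, text):
        self.s = text
        self.i = 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing data after filter")
        return node

    def _expect(self, ch):
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self):
        self._expect("(")
        op = self.s[self.i] if self.i < len(self.s) else ""
        if op in ("&", "|"):
            self.i += 1
            kids = []
            while self.i < len(self.s) and self.s[self.i] == "(":
                kids.append(self._filter())
            node = (op, kids)
        elif op == "!":
            self.i += 1
            node = ("!", [self._filter()])
        else:
            end = self.s.find(")", self.i)
            if end < 0:
                raise ValueError("unterminated filter item")
            attr, eq, value = self.s[self.i:end].partition("=")
            if not eq or not attr:
                raise ValueError("only attr=value items are supported")
            node = ("=", attr.lower(), value)
            self.i = end
        self._expect(")")
        return node


def matches(node, entry):
    """entry: dict of lower-cased attribute name -> list of string values."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                 # presence filter
        return bool(values)
    # '*' wildcards become '.*'; matching is case-insensitive, which assumes
    # caseIgnore matching rules as used by most directory string attributes
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def dynamic_members(profile_filter, group_query, entries, name_attr="uid"):
    """Names of the users satisfying both filters, in entry order."""
    tree = FilterParser(combine_filters(profile_filter, group_query)).parse()
    members = []
    for raw in entries:
        entry = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in raw.items()}
        if matches(tree, entry):
            members.extend(entry.get(name_attr.lower(), []))
    return members


# Constructed sample data, not taken from any directory.
SAMPLE_USERS = [
    {"uid": "bobj", "objectClass": ["user", "posixAccount"], "department": "Engineering"},
    {"uid": "alice", "objectClass": ["user", "posixAccount"], "department": "Eng-Tools"},
    {"uid": "svc-backup", "objectClass": ["user"], "department": "Engineering"},
    {"uid": "carol", "objectClass": ["user", "posixAccount"], "department": "Finance"},
]
PROFILE_PASSWD_FILTER = "(&(objectClass=posixAccount)(uid=*))"
GROUP_QUERY = "(department=Eng*)"     # what msDS-AzLDAPQuery might hold

if __name__ == "__main__":
    # svc-backup is excluded although it is in Engineering: the profile's
    # passwd filter is always applied on top of the group's own query.
    print(dynamic_members(PROFILE_PASSWD_FILTER, GROUP_QUERY, SAMPLE_USERS))
```

The point the sample makes is the one the text states: the group query never widens membership beyond what the profile's passwd filter already admits, so an account that is not a valid POSIX user cannot be pulled into a group by a loose msDS-AzLDAPQuery.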
The attribute mappings are done in step 23 of “Step 1: Run the Setup Program” in the “Configuring LDAP-UX Client Services” section. For detailed information on how to remap group attributes, see “Step 1: Run the Setup Program” (page 36) in the “Configuring LDAP-UX Client Services” section.
Number of Group Members Returned
With dynamic membership support, as with regular (static) group membership support, the number of group members for a specific group returned by getgrnam()/getgrgid()/getgrent() on an HP-UX system is limited by internal buffer sizes. On HP-UX 11i v1 and v2 systems, the buffer size is 7296 bytes for 32-bit applications and 10496 bytes for 64-bit applications. How many members fit within that buffer depends mainly on the length of each member name.
Performance Impact for Dynamic Groups
A dynamic group is specified by a search filter. Depending on how you configure dynamic groups, many LDAP searches can be involved. In that case, the performance of applications that call getgrnam(), getgrgid() or getgrent()(3C) (for example, the id and groups commands) is affected.
Dynamic Group with Active Directory Server Multiple Domains
LDAP-UX Client Services supports dynamic groups with the following limitations on ADS multiple domains:
• For dynamic groups configured in the local domain (i.e. the domain whose profile is /etc/opt/ldapux/ldapux_profile.ldif), LDAP-UX will return dynamic members for getgrnam()/getgrgid()/getgrent(), and return dynamic groups that a user belongs to.
• For dynamic groups configured in remote domains (i.e.
7 Administering LDAP-UX Client Services
This chapter describes administrative procedures for keeping clients operating efficiently and for expanding the computing environment.
lpsched commands to add, modify, and remove printers accordingly for the local system. By default, the LDAP printer configurator is enabled. By default, ldapclientd starts at system boot time. The client daemon can be launched manually or controlled while it is running by executing the ldapclientd command. For detailed information on the available parameters and syntax for the ldapclientd command, see the “ldapclientd.conf Configuration File” section.
/opt/ldapux/bin/ldapclientd <-f| -k| -L| -h| -r>
Command Options
Refer to the ldapclientd man page(s) for option information.
Diagnostics
By default, errors are logged to syslog if the system log is enabled in the LDAP-UX client startup configuration file /etc/opt/ldapux/ldapux_client.conf. Errors occurring before ldapclientd forks into a daemon process leave an error message directly on the screen. The following diagnostic messages may be issued:
Message: Already running.
...
Where:
comment section: ldapclientd ignores any line beginning with a # delimiter.
Each section is configured by setting=value information underneath. The section name must be enclosed by brackets ([ ]) as delimiters. Valid section names are:
• StartOnBoot
• general
• passwd
• group
• netgroup
• uiddn
• domain_pwd
• domain_grp
• automount
setting=value: This will be different for each section. Depending on the setting, this can be yes, no, or a number.
update_ldapux_conf_time=<10-2147483647>
This determines how often, in seconds, ldapclientd re-reads the /etc/opt/ldapux/ldapux_client.conf client configuration file to download new domain profiles. The default value is 600 (10 minutes).
cache_size=<102400-1073741823>
The maximum number of bytes that should be cached by ldapclientd for all services except dynamic_group. This value is the upper limit of memory that ldapclientd can use to cache all services except dynamic_group.
The time, in seconds, before a cache entry expires from the negative cache. If dynamic_group caching is enabled, this value must be less than negcache_ttl of [dynamic_group]. The default value is 240 (4 minutes).
[dynamic_group]
This section describes the settings for the Dynamic Group cache. This cache manages dynamic group information including name, group ID and membership information. This cache is maintained in an independent memory space not shared with the cache for other maps.
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Typically, once added into a directory, the user's DN rarely changes. The default value is 86400 (24 hours).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache. The default value is 86400 (24 hours).
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. The default value is 1800 (30 minutes).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache. The default value is 1800 (30 minutes).
[automountMap]
Cache settings for the automount map cache.
enable=
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
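As an added example (not part of LDAP-UX or this manual), the following Python checks a ldapclientd.conf-style file against the value ranges and the "negcache_ttl must be less than negcache_ttl of [dynamic_group]" rule described above. The sample file is constructed, and applying that rule to the passwd and group sections is an assumption.

```python
"""Checker for ldapclientd.conf-style files (added example, not HP's code)."""
import re

# Value ranges as given in the settings descriptions above.
INT_RANGES = {
    "update_ldapux_conf_time": (10, 2147483647),
    "cache_size": (102400, 1073741823),
    "poscache_ttl": (0, 2147483647),
    "negcache_ttl": (1, 2147483647),
}
# Assumption: the "must be less than negcache_ttl of [dynamic_group]" rule is
# applied to these map sections.
SERVICE_SECTIONS = ("passwd", "group")

# Constructed sample file; the [group] negative TTL deliberately violates the rule.
SAMPLE_CONF = """\
# ldap client daemon configuration (constructed sample)
[StartOnBoot]
[general]
update_ldapux_conf_time=600
cache_size=102400
[passwd]
enable=yes
poscache_ttl=1800
negcache_ttl=240
[group]
enable =yes
negcache_ttl=9000
[dynamic_group]
enable=yes
negcache_ttl=3600
"""


def parse_ldapclientd_conf(text):
    """Parse [section] headers and setting=value lines; '#' lines are comments."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            section = header.group(1)
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"line {lineno}: setting outside any [section]")
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected setting=value")
        conf[section][key.strip()] = value.strip()
    return conf


def _enabled(settings):
    # Caching is enabled by default, so a missing enable= counts as yes.
    return settings.get("enable", "yes").lower() == "yes"


def validate_conf(conf):
    """Return a list of problem strings; an empty list means the file is consistent."""
    problems = []
    for name, settings in conf.items():
        for key, value in settings.items():
            if key == "enable" and value.lower() not in ("yes", "no"):
                problems.append(f"[{name}] enable must be yes or no, got {value!r}")
            elif key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not value.isdigit() or not lo <= int(value) <= hi:
                    problems.append(f"[{name}] {key}={value} is outside {lo}-{hi}")
    dyn = conf.get("dynamic_group", {})
    if _enabled(dyn) and dyn.get("negcache_ttl", "").isdigit():
        dyn_ttl = int(dyn["negcache_ttl"])
        for svc in SERVICE_SECTIONS:
            ttl = conf.get(svc, {}).get("negcache_ttl", "")
            if ttl.isdigit() and int(ttl) >= dyn_ttl:
                problems.append(
                    f"[{svc}] negcache_ttl={ttl} must be less than "
                    f"[dynamic_group] negcache_ttl={dyn_ttl}"
                )
    return problems


if __name__ == "__main__":
    for problem in validate_conf(parse_ldapclientd_conf(SAMPLE_CONF)):
        print(problem)
```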
Example Configuration File
The following is a sample ldapclientd.conf configuration file.
#!/sbin/sh
# @(#) $Revision: 1.1 $
# ldap client daemon configuration.
# LDAP-UX does not support netgroup with Windows 2000 Active
# Directory Server.
#
[netgroup]
enable=yes
[uiddn]
enable=yes
[domain_pwd]
enable=yes
[domain_grp]
enable=yes
[automount]
enable=yes
[automountMap]
enable=yes
Integrating with Trusted Mode
This section describes features and limitations, PAM configuration changes and configuration parameters for integrating LDAP-UX with Trusted Mode.
Overview
Starting with LDAP-UX Client Services B.03.30, the product supports coexistence with Trusted Mode.
• Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized across hosts running in the Trusted Mode.
• When an LDAP-based account name is changed, a new audit ID is generated on each host that the account is newly used on.
• The initial_ts_auditing flag defined in the /etc/opt/ldapux/ldapux_client.conf file will be reset to the default value.
• When an account is deleted from LDAP, the audit information for that account is not removed from the local system.
recommended to run the authck -d command when you configure LDAP-UX with Trusted Mode.
• You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based accounts.
• The LDAP repository and /etc/passwd repository must not contain accounts with the same login name or account number.
• Except for the audit flag, you cannot modify other Trusted Mode properties/policies for LDAP-based accounts.
How SASL GSSAPI Works
Figure 7-1 SASL GSSAPI Environment (diagram: KDC Server with AS and TGS, LDAP-UX Client Services, Windows 2000/2003 Active Directory; numbered exchanges 1 through 6)
The following describes how LDAP-UX binds a client using SASL GSSAPI to the LDAP directory server shown in Figure 4-1:
1. The LDAP-UX Client Service sends the principal name and password to the Authentication Server (AS).
2.
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
-------------------------------------------
1 ldapux/hpntc10.cup.hp.com@HP.COM
1 host/hpntc10.cup.hp.com@HP.COM
Configuring a Principal as the Proxy User
The following describes three different ways to configure a principal as the proxy user:
• Configure a user principal: Use ldap_proxy_config -i or "-d and -c" to enter a Kerberos user principal and its credential (i.e. password).
default keytab file configured in /etc/krb5.conf, then the keytab file /etc/krb5.keytab will be used. Each service principal must have a service key known by every domain controller, which also acts as a KDC. Use the ktpass tool to create the keytab file and set up an identity mapping to the host account. The following is an example showing how to run ktpass to create the keytab file for the HP-UX host myhost with the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost@CUP.HP.
PAM_AUTHZ Login Authorization
The Pluggable Authentication Module (PAM) is an industry standard authentication framework that is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The PAM framework also allows new authentication service modules to be plugged in and made available without modifying the PAM enabled applications.
Figure 7-2 PAM_AUTHZ Environment (diagram: policy configuration file, PAM-enabled application, pam_authz, the LDAP-UX client daemon ldapclientd, authentication modules such as pam_kerberos and pam_ldap, /etc/group, /etc/netgroup and the LDAP directory server; numbered exchanges 1 through 7)
The following describes the policy validation processed by PAM_AUTHZ for the user login authorization shown in Figure 7-2:
1.
PAM_AUTHZ Supports Security Policy Enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP directory server. This feature works with SSH (Secure Shell) and with r-commands with rhost enabled, where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem but by the command itself.
Policy File
The system administrator can define a local access policy and store all defined access rules in the policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ service module uses this local policy file to process the access rules and to control the login authorization. LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to configure the policy file to work with PAM_AUTHZ.
Policy Validator
PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the access rules defined in pam_authz.policy. It validates and determines the user's login authorization based on the user's login name and the information it retrieves from various name services. The result is then returned to the PAM framework. PAM_AUTHZ processes access rules in the order they are defined in pam_authz.policy.
Constructing an Access Rule in pam_authz.policy
In the policy file, /etc/opt/ldapux/pam_authz.policy, an access rule consists of three fields as follows:
::
Table 7-1 Field Syntax in an Access Rule (continued)
deny, allow, other | No value is required.
status | The valid value for this field can be rhds or ads. | Specifies the function name in that is called to evaluate certain policy settings of the login user. Example: status:ads:check_ads_policy
See the “Account and Password Security Policy Enforcement” section for details.
Rules that have one of these specified as the field are defining a static list access rule. For this rule, the field is specified as a predefined list of identifiers. The identifiers are matched directly with data in the login request. This field specifies where PAM_AUTHZ will look to determine if the login field is present in the appropriate data store, such as /etc/passwd, /etc/group, etc. If the login field is found, the rule is evaluated to be true.
Static List Access Rule
When the value in the field is one of unix_user, unix_group, netgroup, ldap_group, the rule is evaluated using a list of predefined values in the field. Based on the value in the field, pam_authz will call the appropriate service to determine if the item requested is present. If the requested information is found then the rule is evaluated to be true.
or groupOfUniqueNames object class. A list of ldap_group names is specified in the field. The group membership information is stored in the LDAP directory server. An example of an ldap_group type of access rule is as follows:
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves group membership of each listed group from the directory server through LDAP-UX client services.
Dynamic Variable Access Rule
PAM_AUTHZ supports dynamic variables in the ldap_filter type of the access rule. A dynamic variable is defined in the (LDAP search filter) field; it can consist of one or more (attribute=$[variable_name]) pairs.
and the value is 1.2.3.200. If Mary attempts to log in to the host with the IP address 1.2.3.200, then the access rule is evaluated to be true and this user is granted login access.
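The following Python is an added example (not part of PAM_AUTHZ or this manual) that walks a constructed pam_authz.policy-style rule list in order, the way the policy validator is described above: static list rules are checked against in-memory stand-ins for the name services, and ldap_filter rules have their $[variable] pairs substituted from the login request and are evaluated against an in-memory directory. The action:type:value layout, the hostip attribute, the lookup tables and the policy text are all assumptions; the filter evaluator handles only equality filters combined with &, | and !.

```python
"""Toy pam_authz.policy rule evaluator (added example, not LDAP-UX code)."""
import re

# Constructed stand-ins for /etc/passwd, /etc/group, /etc/netgroup and LDAP
# group membership that the real module would query through NSS and LDAP-UX.
LOCAL_USERS = {"root", "mary", "bob"}
LOCAL_GROUPS = {"wheel": {"root"}, "dev": {"mary"}}
NETGROUPS = {"lab_hosts": {"mary", "bob"}}
LDAP_GROUPS = {"engineering_ldapgroup": {"bob"}, "support_ldapgroup": set()}
# Constructed directory entries for ldap_filter rules; "hostip" is a
# hypothetical attribute holding the address a user may log in from.
DIRECTORY = [
    {"uid": "mary", "hostip": "1.2.3.200"},
    {"uid": "bob", "hostip": "1.2.3.201"},
]
STATIC_TYPES = ("unix_user", "unix_group", "netgroup", "ldap_group")

# Constructed policy (not the pam_authz.policy.template shipped with LDAP-UX).
POLICY = """\
# rules are processed top to bottom; the first rule that is true decides
deny:ldap_group:engineering_ldapgroup,support_ldapgroup
allow:unix_group:wheel
allow:ldap_filter:(&(uid=$[login])(hostip=$[ip]))
deny:netgroup:lab_hosts
"""


def parse_rules(text):
    """Each non-comment line is action:type:value (assumed layout)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("allow", "deny", "other"):
            raise ValueError(f"malformed rule: {line}")
        if parts[1] not in STATIC_TYPES + ("ldap_filter",):
            raise ValueError(f"unknown rule type in: {line}")
        rules.append(tuple(parts))
    return rules


def static_list_matches(rtype, names, login):
    """True when the login user is found via one of the listed identifiers."""
    wanted = [n for n in names.split(",") if n]
    if rtype == "unix_user":
        return login in LOCAL_USERS and login in wanted
    store = {"unix_group": LOCAL_GROUPS, "netgroup": NETGROUPS,
             "ldap_group": LDAP_GROUPS}[rtype]
    return any(login in store.get(g, ()) for g in wanted)


def substitute(filter_text, variables):
    """Replace every $[name] with the value taken from the login request."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined dynamic variable $[{name}]")
        return variables[name]
    return re.sub(r"\$\[(\w+)\]", repl, filter_text)


def eval_filter(flt, entry):
    """Evaluate a minimal LDAP filter: (attr=value) combined with &, | and !."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"malformed filter {flt!r}")
    body = flt[1:-1]
    if body and body[0] in "&|!":
        # Split the operand list into top-level parenthesised sub-filters.
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [eval_filter(p, entry) for p in parts]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    return entry.get(attr.strip().lower()) == value.strip()


def authorize(rules, login, variables):
    """Walk the rules in order; the first rule that evaluates true decides.
    Returns its action ('allow', 'deny' or 'other'), or None if none matched."""
    for action, rtype, value in rules:
        if rtype == "ldap_filter":
            flt = substitute(value, variables)
            matched = any(eval_filter(flt, e) for e in DIRECTORY)
        else:
            matched = static_list_matches(rtype, value, login)
        if matched:
            return action
    return None
```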
Security Policy Enforcement with Secure Shell (SSH) or r-commands
PAM_AUTHZ has a limited ability to perform account and password security policy enforcement without requiring LDAP-based authentication.
function_name
This field defines the function name in the specified that PAM_AUTHZ uses to evaluate certain security policy settings for the login user. The following describes the valid entries for this field:
• check_rhds_policy: If this option is specified, PAM_AUTHZ evaluates all the necessary account and password policy settings, stored in the Netscape/Red Hat Directory Server, for the login user.
Evaluating the Windows Active Directory Server Security Policy
The following is an example of the access rule in the /etc/opt/ldapux/pam_authz.policy file:
status:ads:check_ads_policy
If the above access rule is specified in the pam_authz.policy file, the check_ads_policy routine in the libpolicy_ads library is loaded and executed.
Directory Server Security Policies
Global Security Attributes
In the Windows 2003 Active Directory Server, a number of attributes describe the security policies. In order to support account and password security policy enforcement, PAM_AUTHZ is enhanced to support the global administrative security attributes listed in Table 7-2. They are used to define the policy rules and are all defined under dc=world,dc=hp,dc=com. Only authorized users can access them.
Adding Additional Domain Controllers
Your Active Directory contains configuration profiles downloaded by each client system and name service data accessed by each client system. As your environment grows, you may need to add additional domain controllers to your environment. Follow these steps:
1. Use the dcpromo.exe tool to install and configure a new Active Directory domain controller.
5. ADSI Edit appears in the Add/Remove Snap-In dialog box. Click OK.
6. In the Microsoft Management Console, click ADSI Edit and select Connect to... from the Action menu.
7. In the Connection dialog box, check Naming Context, and select Domain NC from the drop-down list at the right. Then click OK.
8. Domain NC appears on the right pane. Double-click it to expand the list.
9. To change group attributes:
a. Click the container of the group for which you want to set POSIX attributes.
b.
3. Run /opt/ldapux/config/ldap_proxy_config -p to display the proxy user you just configured and confirm that it is correct.
4. Run /opt/ldapux/config/ldap_proxy_config -v to verify that the proxy user is working.
Example
For example, the following command configures the local client to use a proxy user DN of CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com with a password of abcd1234:
cd /opt/ldapux/config .
Changing Which Profile a Client is Using
Each client uses the profile specified in its startup file /etc/opt/ldapux/ldapux_client.conf. To make a client use a different profile in the directory, edit this file and change the DN specified in the PROFILE_ENTRY_DN line. Then download the profile as described in “Downloading the Profile Periodically” (page 55).
Creating an /etc/krb5.
It may be possible to rewrite these applications so that an LDAP search request is used instead of a call to getpwent or getgrent.
Search Limits
The default configuration for Active Directory sets the search size limit to 1,000 entries and the search time limit to two minutes.
ldapclientd Caching
Caching LDAP data locally gives much better response times for name service operations. Caching means that data that has been recently retrieved from the directory server is served from a local store instead of from the directory server. Caching greatly reduces both directory server load and network usage. For example, when a user logs into the system, the OS typically needs to look up that user's account several times during the login process.
ldapclientd Persistent Connections
Since HP-UX can generate many requests to an LDAP server, the overhead of establishing a new connection for every request can create excessive network traffic and slow response times for name service requests. Depending on network latency, the connection establishment and tear-down can cause relatively severe delays in client response. A persistent connection to the directory server eliminates this delay.
TIP: Enable LDAP logging only long enough to collect the data you need because logging can significantly reduce performance and generate large log files. You may want to move the existing log file and start with an empty file:
mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.save
Restart the syslog daemon with the following command (refer to syslogd(1M) for details):
kill -HUP `cat /var/run/syslog.pid`
User Cannot Log on to Client System
If a user cannot log in to a client system, perform the following checks.
• Use a command like pwget(1) with -n, or nsquery(1), to verify that NSS is working:
pwget -n username
nsquery passwd username
If the output shows LDAP is not being searched, check /etc/nsswitch.conf to make sure LDAP is specified. If username is not found, make sure that user is in the directory and, if using a proxy user, make sure the proxy user is properly configured.
./ldapsearch -h sys001.hp.
8 Modifying User Information
This chapter describes the following tasks users need to perform:
• “Changing Passwords” (page 133)
• “Changing Personal Information” (page 133)
Changing Passwords
Users can change their password with the passwd(1) command. Depending on how PAM is configured and depending on where the user's information is located (in the directory or in /etc/passwd), users may be prompted for their password twice as PAM searches in the configured locations for the user's information.
9 Mozilla LDAP C SDK
This chapter describes the Mozilla LDAP SDK for C and the SDK file components. This chapter contains the following sections:
• “Overview” (page 135).
• “The Mozilla LDAP C SDK File Components” (page 135) briefly describes many of the files that comprise the LDAP C SDK.
Overview
The LDAP-UX Client Services provides the Mozilla LDAP C SDK 5.17.1 support.
Table 9-1 Mozilla LDAP C SDK File Components on the PA machine (continued)
Files | Description
/usr/include/* | Include files from LDAP C SDK
/opt/ldapux/contrib/bin/certutil | Unsupported command tool that creates and modifies the certificate database files, cert8.db and key3.db.
/opt/ldapux/contrib/ldapsdk/examples | Unsupported Netscape LDAP C SDK examples.
/opt/ldapux/contrib/ldapsdk/source.tar.gz | Mozilla LDAP C SDK source (for license compliance).
Table 9-2 Mozilla LDAP C SDK File Components on the IA machine
Files | Description
/usr/lib/hpux32/libldap.so (32-bit)
/usr/lib/hpux64/libldap.so (64-bit) | Main LDAP C SDK API libraries that link to the /opt/ldapux/lib libraries.
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit) | LDAP C SDK dependency libraries.
/opt/ldapux/lib/hpux32/libnss3.so (32-bit)
/opt/ldapux/lib/hpux32/libplc4.so (32-bit)
/opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit)
/opt/ldapux/lib/hpux32/libssl3.
Table 9-3 Mozilla LDAP C SDK API Header Files
Header Files | Description
/usr/include/ldap.h | Main LDAP functions, structures and defines.
/usr/include/ldap-extention.h | Support for LDAP v3 extended operations, controls and other server specific features. This file must be included in source code that uses LDAP v3 extended operations or controls.
/usr/include/ldap_ssl.h | Support for creation of SSL connections. This file must be included in source code that requires SSL connections.
A Configuration Worksheet
Use this worksheet to plan your LDAP-UX Client Services configuration. For installation and configuration details, refer to “Installing LDAP-UX Client Services” (page 23). Each of the following should be configured once for each domain, except "Proxy user DN," which only needs to be configured once regardless of the number of domains in the system.
B LDAP-UX Client Services Object Classes
This appendix describes the object classes used by LDAP-UX Client Services for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:
• PosixDUAProfile
• PosixNamingProfile
With release B.03.00, the PosixDUAProfile and PosixNamingProfile object classes have been replaced by a single STRUCTURAL object class DUAConfigProfile. In addition, four new attributes are added.
NOTE: The userPassword attribute is mapped to *NULL* to prevent passwords from being returned for increased security and to prevent PAM_UNIX from authenticating users in the LDAP directory. Mapping to *NULL* or any other nonexistent attribute means do not return anything.
typically the object class. Each service can have up to three custom search descriptors. For example, the following defines a search descriptor for the passwd service specifying a baseDN of CN=Users,DC=cup,DC=hp,DC=com, a search scope of sub, and a search filter of the PosixAccount object class.
C Command, Tool, Schema Extension Utility, and Migration Script Reference
This appendix describes the commands and tools associated with the LDAP-UX Client Services:
• The “LDAP-UX Client Services Components” (page 145) section describes many of the files that comprise this product.
• The “Client Management Tools” (page 149) section describes commands to manage your client systems.
Table C-1 LDAP-UX Client Services Components (continued)
Component | Description
/opt/ldapux/config/create_profile_schema
/opt/ldapux/config/create_profile_cache | Programs called by the setup program.
/opt/ldapux/config/ldap_proxy_config | Program to configure and verify the proxy user.
/opt/ldapux/bin/ldapdelete | Tools to delete, modify, and search for entries in a directory.
Table C-2 LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i v1 machine
Component | Description
/usr/lib/libldap_send.1 (32-bit) | LDAP-UX Client Services libraries.
/usr/lib/libldap_util.1 (32-bit)
/usr/lib/libldapci.1 (32-bit)
/usr/lib/libnss_ldap.1 (32-bit)
/usr/lib/libldap.1 (32-bit)
/usr/lib/security/libpam_ldap.1 (32-bit)
/usr/lib/security/libpam_authz.1 (32-bit)
/usr/lib/pa20_64/libldap.1 (64-bit)
/usr/lib/pa20_64/libldap_send.1 (64-bit)
/usr/lib/pa20_64/libnss_ldap.
Table C-4 LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA machine
Files | Description
/usr/lib/hpux32/libldap_send.so.1 (32-bit) | LDAP-UX Client Services libraries.
/usr/lib/hpux32/libldap_util.so.1 (32-bit)
/usr/lib/hpux32/libnss_ldap.so.1 (32-bit)
/usr/lib/hpux32/libldapci.so.1 (32-bit)
/usr/lib/hpux32/libldap.so.1 (32-bit)
/usr/lib/security/hpux32/libpam_ldap.so.1 (32-bit)
/usr/lib/security/hpux32/libpam_authz.so.1 (32-bit)
/usr/lib/hpux64/libldap.so.
Client Management Tools
This section describes the following programs for managing client systems. Most of these programs are called by the setup program during system configuration.
• create_profile_entry—creates a new profile in the directory.
• create_profile_cache—creates a new active profile from an LDIF profile. This is also called by the get_profile_entry tool.
• create_profile_schema—extends the schema in the directory for profiles.
• display_profile_cache—displays the currently active profile.
NOTE: You must copy the file my_profile.bin to /etc/opt/ldapux/ldapux_profile.bin to activate the profile.
create_profile_schema
This tool, found in /opt/ldapux/config, extends the Active Directory schema with the DUAConfigProfile object class using the information you provide interactively. Typically you run the setup program instead of running this program directly.
Examples
• The following command downloads the profile for the NSS specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/ldapux_profile.ldif. bindDN and password need to be provided if no valid proxy user is configured:
get_profile_entry -s NSS -D bindDN -w passwd
• The following command downloads the profile for the NSS specified in the client configuration file /etc/opt/ldapux/ldapux_client.
With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred.
LDAP Directory Tools
This section briefly describes the ldappasswd, ldapsearch, ldapmodify and ldapdelete tools. For detailed information about ldapsearch, ldapmodify, and ldapdelete, refer to the Microsoft Windows Active Directory Server Administrator's Guide available at http://docs.hp.com/en/internet.html
ldappasswd
This section describes the ldappasswd command and its parameters.
ldapsearch
You use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format. For detailed information, refer to the Microsoft Windows Active Directory Server Administrator's Guide available at the following web site: http://docs.hp.com/en/internet.
contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do. For detailed information, refer to the Red Hat Directory Server for HP-UX Administrator's Guide available at the following web site: http://docs.hp.com/en/internet.html
Syntax
ldapmodify [optional_options]
where optional_options specifies a series of command-line options.
ldapmodify Options
This section lists the most commonly used ldapmodify options.
-P  Specifies the TCP port number that the Directory Server uses. The default is 389.
-dn  Specifies the DN of the entry to be deleted.
-w  Specifies the password associated with the distinguished name that is specified in the -D option.
Schema Extension Utility
Overview
A directory schema is a collection of attribute type definitions, object class definitions and other information supported by a directory server. Schema controls the type of data that can be stored in a directory server. Although there are some recommended schemas that came originally from the X.500 standards, mostly for representing individuals and organizations, there is no universal schema standard in place for every possible application.
Operations Performed by the Schema Extension Utility
The schema extension utility, ldapschema, supports the following two modes of operation:
1. Query Schema Status
Based on the set of attribute types and object classes defined in the input schema definition file, this tool queries their status on the directory server schema without applying any changes to the LDAP directory server.
on how to create an XML file containing supported matching rules and syntaxes for your directory server.
• Mapping Rules For Unsupported Matching Rules and Syntaxes File
If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them using alternate matching rules and syntaxes the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.
ldapschema — The Schema Extension Tool
The ldapschema utility allows schema developers to define LDAP schemas using a universal XML syntax, greatly simplifying the ability to support different directory server variations. It can be used to query the current status of the LDAP schema on the LDAP directory server, as well as extend the LDAP directory server schema with new attribute types and object classes.
Table C-6 Reserved LDAPv3 Directory Servers (continued)
MAC OS X Directory Server | mac
Sun One Directory Server | sun
Computer Associates Directory Server | ca
iPlanet Directory Server | iPlanet
-V ds_version
The version of the LDAP directory server. The strcasecmp() function compares the version specified by this -V option with the version defined in the XML files the ldapschema utility processes. The version specified by the -V option and the version defined in the XML files must be consistent.
-j  Specifies an administrator's password in the file (for simple authentication).
-w  Inputs an administrator's password from the prompt (for simple authentication).
-Z  Establishes an SSL-encrypted connection.
-ZZ  Specifies TLS request.
-ZZZ  Enforces TLS request (requires successful server response).
-P path  Specifies path to SSL certificate database. (Default: /etc/opt/ldapux)
-3  Verifies the host name in SSL certificates.
-s- -m- -f -F -v
Environment Variables
The ldapschema utility supports the following environment variables:
LDAP_BINDDN  The Distinguished Name (DN) of an administrator who has permissions to read and modify the LDAP directory server schema.
LDAP_BINCRED  The password for the privileged LDAP directory user.
LDAP_HOST  The host name of the LDAP directory server. The LDAP_HOST variable uses the “hostname:port” format. If the port is not specified, the default port number is 389 for regular connections, or 636 for SSL connections.
Schema Definition File
The ldapschema utility queries and extends the LDAP directory server based on the XML schema definition file. When using the ldapschema tool, the schema argument used with the -q or -e option must correspond to the XML file containing the appropriate schema definition. Several predefined files (such as rfc3712.xml, rfc2256.xml, etc.) are stored in the /etc/opt/ldapux/schema directory. But the schema definition file can be stored in any directory with any file name.
A Sample RFC3712.xml File
A sample rfc3712.xml file below defines two attribute types, printer-name and printer-aliases, followed by one object class, printerLPR, as specified in RFC3712:
(line-numbered listing of rfc3712.xml)
Defining Attribute Types
Each attribute type definition, enclosed by tags, can contain the following case-sensitive tags, in the order specified:
Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification.
Required. At least one attribute type name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification.
Optional.
Optional, use to specify any directory-specific information about the attribute type. See “Defining Directory Specific Information” (page 170) section for details.
Attribute Type Definition Requirements
To add the new schema to the LDAP directory server, each attribute type definition must meet the following requirements:
• The attribute type has a tag with one numeric id value which adheres to RFC 2252 format specification.
Defining Object Classes
Each object class definition, enclosed by the tags, can contain the following case-sensitive tags, in the order specified:
Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification.
Required. At least one object class name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification.
Optional.
Object Class Definition Requirements
To add the new schema to the LDAP directory server, each object class definition must meet the following requirements:
• The object class definition contains a tag with one numeric id value which adheres to RFC 2252 format specification.
• The object class definition has at least one tag with the object class name. Each name must adhere to RFC 2252 format specification.
Defining Directory Specific Information
Attribute type and object class definitions can be extended with directory-specific information using the tag. This is useful to maintain a single schema definition file for different types and versions of LDAP directory servers.
An Example of Defining Directory Specific Information in the Object Class Definition
Directory specific information can be specified in the object class definitions as well as in optional and mandatory attributes. The following is an example of the object class definition with directory specific information using the tag and XML attributes, not and only:
LDAP Directory Server Definition File In order to properly install new attribute types in an LDAP directory server schema, the ldapschema utility needs to determine whether the LDAP server supports the matching rules and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs an LDAP search for supported matching rules and syntaxes on the LDAP server. However, some types of directory servers do not provide this information as part of the search.
Lines 1-2 are required in every LDAP directory server definition file. LDAP syntax and matching rule definitions closely follow the format specified in RFC 2252. Values specified for all XML tags must not be quoted. Only the description field (enclosed by ... tags) can contain spaces. NOTE: Only LDAP syntaxes and matching rules fully supported by the LDAP directory server can be specified in this file.
Mapping Unsupported Matching Rules and LDAP Syntaxes If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them to alternate matching rules and syntaxes the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.xml file which defines a list of default substitution matching rules and syntaxes, and alternate matching rules and syntaxes.
22 1.3.6.1.4.1.1466.115.121.1.15 Directory String syntax. How Does ldapschema Map Unsupported Matching Rules and LDAP Syntaxes If any mapping rules or the syntax used by an attribute type are not supported on the LDAP server, the ldapschema utility checks if the appropriate substitution rule is specified in the /etc/opt/ldapux/map-rules.xml file.
Return Values From ldapschema
The ldapschema tool returns the following values:
0    The operation is successful.
–1   The operation fails.
In addition, ldapschema prints to STDOUT the overall status of the schema being queried or extended. Based on the schema status, any combination of the following messages is displayed. Detailed explanations of each message are specified in the square brackets following the message body text.
SCHEMA_EXISTS No changes to the LDAP server schema are needed. All attribute types and object classes defined in the file are already part of the LDAP directory server schema. [The SCHEMA_EXISTS message indicates the schema specified in the file is already installed on the LDAP directory server. All attribute types and object classes defined in the file are already part of the schema on the LDAP directory server.
Check the messages containing ATTRIB_MISMATCH and OBJECT_MISMATCH described below for the exact instances of attribute types and object classes, respectively, causing the schema mismatch. The mismatch is caused by any differences in element definitions, such as equality matching rule, single-valued setting, attribute syntax, object class type, attribute types an object class includes, etc.
file. The value must be compliant with RFC 2252. See RFC 2252 for details. ATTRIB_INVALID Attribute type “” has an invalid name. Edit the schema definition file to specify an RFC 2252 compliant value for this attribute type. Valid name characters include letters (A-z), digits (0-9), semicolons (;) and dashes (-). A valid name must begin with an alphabet letter (A-z). See RFC 2252 for details.
- disables matching rule substitution in attribute types. Edit the file to specify an alternate matching rule supported on the LDAP server, or execute the ldapschema utility without the -m option to substitute this matching rule with an alternative matching rule supported on the LDAP server.] ATTRIB_UNRESOLVED LDAP syntax “” used in “” attribute type definition cannot be mapped. This LDAP syntax is not supported on the LDAP server.
Object Class Status Messages OBJECT_INVALID Object class definition is missing a numeric oid. Edit the schema definition file to specify one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the file.] OBJECT_INVALID Object Class definition is missing a name.
OBJECT_FOUND Object class “” is already installed in the LDAP server schema. [This message indicates the LDAP directory server schema already includes a definition of an object class definition with the same numeric oid or name. If the ldapschema utility is executed in the extend mode, the given object class will not be added to the LDAP directory server schema. This message is displayed in verbose mode only.
successfully mapped with a higher level (less specific) matching rule supported by that server, , as specified in the /etc/opt/ldapux/schema/map-rules.xml file. The attribute types that use this matching rule with the , , tags will be queried or extended on the LDAP directory server using ]. LDAP Syntax Status Messages SYNTAX_INVALID LDAP syntax is missing a numeric oid.
Name Service Migration Scripts This section describes the shell and Perl scripts that can migrate your name service data either from source files or NIS maps to your Active Directory. These scripts are found in /opt/ldapux/migrate/ads. The two shell scripts migrate_all_online.ads.sh and migrate_all_nis_online.ads.sh migrate all your source files or NIS maps, while the Perl scripts migrate_passwd_ads.pl, migrate_hosts_ads.pl, migrate_networks_ads.pl, migrate_protocols_ads.pl, migrate_rpc_ads.
Directory for Kerberos authentication. Therefore, to allow users to log on to a UNIX system, the Active Directory administrator needs to enable the user account first and set the initial password. CAUTION: The password migration tool migrates all user accounts from the specified source files or NIS server. For security reasons, the root user and any objects with uid=0 should either be removed from the resulting LDIF file before migrating to Active Directory, or be removed from the Active Directory.
1 Systems have been configured with the same hostname, then the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same DN for the hostname, one for each of the IP addresses. Since DNs need to be unique in an LDAP directory, users should first manually merge the IP addresses into one designated host record and delete the duplicated records in their LDIF file. A resulting merge might look as follows: . . . .
uidNumber: 101 gidNumber: 20 msSFUHomeDirectory: /home/jbloggs gecos: Joe Bloggs,Cupertino,888-9999, sAMAccountName: jbloggs The following commands convert /etc/group into LDIF and place the result in /tmp/group.ldif: $ export LDAP_BASEDN="DC=example,DC=hp,DC=com" $ migrate_group.pl /etc/group /tmp/group.ldif $ cat /tmp/group.
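The two clean-up steps described above (removing root and any other uid=0 account from the migration LDIF, and merging host entries that share a DN) as an added Python example; this is not one of the LDAP-UX migrate scripts, and the sample LDIF, DNs and values are constructed for illustration, using the uidNumber and ipHostNumber attribute names shown in the manual's output.

```python
"""Added example (not an LDAP-UX script): clean migration LDIF before importing
it into Active Directory: drop uid=0 accounts and merge duplicate-DN hosts."""
import re

# Constructed sample of what the migrate scripts might emit when a root account
# and a multi-homed host slip through; base64 (::) values are not handled.
SAMPLE_LDIF = """\
dn: CN=root,CN=Users,DC=example,DC=hp,DC=com
uidNumber: 0

dn: CN=jbloggs,CN=Users,DC=example,DC=hp,DC=com
uidNumber: 101

dn: CN=hostA,CN=Computers,DC=example,DC=hp,DC=com
cn: hostA
ipHostNumber: 192.0.2.10

dn: CN=hostA,CN=Computers,DC=example,DC=hp,DC=com
cn: hostA
ipHostNumber: 192.0.2.11
"""

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds RFC 2849 continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = block.replace("\n ", "")           # join folded continuation lines
        pairs = [tuple(s.strip() for s in line.partition(":")[::2])
                 for line in unfolded.splitlines() if line and not line.startswith("#")]
        entries.append((pairs[0][1], pairs[1:]))      # first line of an entry is the dn
    return entries

def drop_uid_zero(entries):
    """Drop root and every other uid=0 account, as the CAUTION above requires."""
    return [(dn, attrs) for dn, attrs in entries
            if not any(a.lower() == "uidnumber" and v == "0" for a, v in attrs)]

def merge_duplicate_dns(entries):
    """Fold same-DN host entries into one record, keeping each value once."""
    merged = {}                                        # dicts keep insertion order
    for dn, attrs in entries:
        kept = merged.setdefault(dn, [])
        for pair in attrs:
            if pair not in kept:
                kept.append(pair)
    return list(merged.items())

def clean_migration_ldif(text):
    """Full pipeline: returns LDIF text that is safe to import (unique DNs, no uid 0)."""
    entries = merge_duplicate_dns(drop_uid_zero(parse_ldif(text)))
    return "\n\n".join("\n".join(["dn: " + dn] + ["%s: %s" % p for p in attrs])
                       for dn, attrs in entries) + "\n"
```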
Unsupported Contributed Tools and Scripts This section describes contributed tools and scripts which are not officially supported by HP at the present time. beq Search Tool The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library.
pw_uid............(101)
pw_gid............(21)
pw_age............()
pw_comment........()
pw_gecos..........(gecos data in files)
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)
• An example beq command using user name adm as the search key, pwd (password) as the service, and files as the library is shown below:
./beq -k n -s pwd -l /usr/lib/libnss_files.1 adm
nss_status....... NSS_SUCCESS
pw_name...........(adm)
pw_passwd.........(*)
pw_uid......
gr_name...........(igrp2)
gr_passwd.........(*)
gr_gid............(22)
pw_age............()
gr_mem (iuser1)
Certutil — Certificate Database Tool
You can use the certutil command-line utility to create and modify the Netscape Communicator cert8.db and key3.db database files. This tool can also list, generate, modify, or delete certificates within the cert7.db file.
NOTE: HP does not support the get_ads_dom, uid2dn and get_attr_map tools at the present time.
The get_ads_dom Tool — Get the Fully Qualified Domain Name Tool
This tool, found in /opt/ldapux/contrib/bin, provides the fully qualified domain name for a given user.
Syntax
get_ads_dom [username]
where username is a user name.
Examples
The following command displays the fully qualified domain name information for a given user john:
D Sample PAM Configuration File
This appendix provides a sample PAM configuration file. This pam.conf file is intended as an example only. Refer to pam.conf(4) for more details. The following is a sample PAM configuration file used on the HP-UX 11.0 or 11i v1 system:
## PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.
login    session sufficient /usr/lib/security/libpam_krb5.1
login    session required   /usr/lib/security/libpam_unix.1
dtlogin  session sufficient /usr/lib/security/libpam_krb5.1
dtlogin  session required   /usr/lib/security/libpam_unix.1
dtaction session sufficient /usr/lib/security/libpam_krb5.1
dtaction session required   /usr/lib/security/libpam_unix.1
OTHER    session required   /usr/lib/security/libpam_unix.
#
# Password
#
login login passwd passwd dtlogin dtlogin dtaction dtaction OTHER
dtaction auth    required   libpam_hpsec.so.1
dtaction auth    sufficient libpam_krb5.so.1
dtaction auth    required   libpam_unix.so.1 try_first_pass
ftp      auth    required   libpam_hpsec.so.1
ftp      auth    sufficient libpam_krb5.so.1
ftp      auth    required   libpam_unix.so.1 try_first_pass
OTHER    auth    required   libpam_unix.so.1
#
# Account management
#
login    account required   libpam_hpsec.so.1
login    account sufficient libpam_krb5.so.1
login    account required   libpam_unix.so.1
su       account required   libpam_hpsec.so.
E Sample /etc/krb5.conf File
This appendix provides a sample krb5.conf file, which supports two domains. The sample dates from the single-DES era; DES-CBC-CRC is a deprecated, weak encryption type, so on a KDC that supports stronger enctypes those should be configured instead.
[libdefaults]
default_realm = CA.HP.COM
default_tgs_enctypes = DES-CBC-CRC
default_tkt_enctypes = DES-CBC-CRC
ldapux_multidomain = 1
ccache_type = 2
[realms]
CA.HP.COM = {
kdc = HPSVRC.CA.HP.COM:88
kpasswd_server = HPSVRC.CA.HP.COM:464
}
NY.HP.COM = {
kdc = HPSVRD.NY.HP.COM:88
kpasswd_server = HPSVRD.NY.HP.COM:464
}
[domain_realm]
.ca.hp.com = CA.HP.COM
.ny.hp.com = NY.HP.
F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode This Appendix provides a sample PAM configuration file, /etc/pam.conf, used on the HP-UX 11i v1 system to support the coexistence of LDAP-UX and Trusted Mode. If your directory server is the Microsoft Windows 2000 Active Directory Server and your LDAP client is in the Trusted Mode, the /etc/pam.conf file must be configured as shown in the following example file. Use the following steps to create the /etc/pam.
dtlogin  account  required
dtaction account  sufficient
dtaction account  required
ftp      account  sufficient
ftp      account  required
OTHER    account  required
#
# Session management
#
login    session  required
login    session  required
dtlogin  session  required
dtlogin  session  required
dtaction session  required
dtaction session  required
OTHER    session  required
#
# Password management
#
login    password sufficient
login    password required
passwd   password sufficient
passwd   password required
dtlogin  password sufficient
dtlogin  passwo
G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode This Appendix provides a sample PAM configuration file, /etc/pam.conf, used on the HP-UX 11i v2 system to support the coexistence of LDAP-UX and Trusted Mode. If your directory server is the Microsoft Windows 2000 or 2003 Active Directory Server and your LDAP client is in the Trusted Mode, the /etc/pam.conf file must be configured as shown in the following example file. Use the following steps to create the /etc/pam.
dtaction auth     required
ftp      auth     required
ftp      auth     sufficient
ftp      auth     required
OTHER    auth     required
#
# Account management
#
login    account  required
login    account  sufficient
login    account  required
su       account  required
su       account  sufficient
su       account  required
dtlogin  account  required
dtlogin  account  sufficient
dtlogin  account  required
dtaction account  required
dtaction account  sufficient
dtaction account  required
ftp      account  required
ftp      account  sufficient
ftp      account  required
OTHER    account  required
#
# Sessio
H Sample PAM Configuration File for Security Policy Enforcement
This appendix provides a sample PAM configuration file, /etc/pam.conf, that supports account and password policy enforcement for Secure Shell (SSH) key-pair and r-commands. In the /etc/pam.conf file, the pam_authz library must be configured for the sshd and rcomds services under the account management role. The following is a sample PAM configuration file used on the HP-UX 11i v1 system:
## PAM configuration
#
# This pam.
rcomds   account  required
rcomds   account  sufficient
rcomds   account  required
sshd     account  required
sshd     account  sufficient
sshd     account  required
OTHER    account  required
#
# Session management
#
login    session  sufficient
login    session  required
dtlogin  session  sufficient
dtlogin  session  required
dtaction session  sufficient
dtaction session  required
OTHER    session  required
#
# Password management
#
login    password sufficient
login    password required
passwd   password sufficient
passwd   password required
dtlogin  password
#
login    auth     required
login    auth     sufficient
login    auth     required
su       auth     required
su       auth     sufficient
su       auth     required
dtlogin  auth     required
dtlogin  auth     sufficient
dtlogin  auth     required
dtaction auth     required
dtaction auth     sufficient
dtaction auth     required
rcomds   auth     required
rcomds   auth     sufficient
rcomds   auth     required
sshd     auth     required
sshd     auth     sufficient
sshd     auth     required
ftp      auth     required
ftp      auth     sufficient
ftp      auth     required
OTHER    auth     required
#
# Account management
#
login    account  required
login    ac
# Password management
#
login    password required   libpam_hpsec.so.1
login    password sufficient libpam_krb5.so.1
login    password required   libpam_unix.so.1
passwd   password required   libpam_hpsec.so.1
passwd   password sufficient libpam_krb5.so.1
passwd   password required   libpam_unix.so.1
dtlogin  password required   libpam_hpsec.so.1
dtlogin  password sufficient libpam_krb5.so.
dtlogin  password required
dtaction password required
dtaction password sufficient
dtaction password required
OTHER    password required
Glossary
Access Control Instruction   A specification controlling access to entries in a directory.
Access Control List   One or more ACIs.
ACI   See Access Control Instruction.
ACL   See Access Control List.
Configuration profile   An entry in an LDAP directory containing information common to many clients, that allows clients to access user, group and other information in the directory. Clients download the profile from the directory. See also Client Configuration File.
Remote Domains   All domains in the forest, other than the local domain, are referred to as remote domains. When you choose multiple domain support during setup, you will be guided to configure profiles for remote domains. When LDAP-UX cannot find data from the local domain, remote domains will be searched.
RFC   Request for Comments; a document and process of standardization from the IETF.
RFC 2307   The IETF specification for using LDAP as a Network Information Service. See http://www.ietf.org/rfc/rfc2307.
Index Symbols /etc/group, 25 /etc/krb5.conf, 197 /etc/krb5.keytab, 125 /etc/nsswitch.conf, 24, 28, 48 /etc/nsswitch.ldap, 28, 145 /etc/pam.
get_profile_entry tool, 150 Global Catalog Server.
planning your environment, 24 port directory, 38 POSIX adding attributes, 62 posix schema RFC 2307, 208 posixDUAProfile object class, 141, 199, 201 posixNamingProfile object class, 141, 199, 201 preferredServerList, 142 product components, 135, 136, 137, 147 profile, 26 changing, 125 configuration, 37, 207 creating, 124 displaying, 124 download, 55 downloading, 58 modifying, 124 profile configuration, 22, 26, 37, 130 attributes, 141 changing a client's, 125 creating, 124 displaying, 124 location, 145 modify