LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide

$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
--------------------------------------------
1 ldapux/hpntc10.cup.hp.com@HP.COM
1 host/hpntc10.cup.hp.com@HP.COM
Configuring a Principal as the Proxy User
The following describes three different ways to configure a principal as the proxy user:
Configure a user principal:
Use ldap_proxy_config -i or "-d and -c" to enter a Kerberos user principal and its credential
(i.e. password).
The following example uses the ldap_proxy_config -i command with the proxy user
proxyusr (without realm information) and the password proxywd:
cd /opt/ldapux/config
./ldap_proxy_config -i
proxyusr
proxywd
The following example uses the ldap_proxy_config -d -c command to create a
proxy user with realm information, john@CUP.HP.COM, and the proxy user credential
proxycrd:
cd /opt/ldapux/config
./ldap_proxy_config -d john@CUP.HP.COM -c proxycrd
Configure a service or host principal:
Use ldap_proxy_config -i or -d to specify the service or host principal, with or without
entering a password. If a password is provided, LDAP-UX retrieves the password
information from the /etc/opt/ldapux/pcred file. When no password is specified, LDAP-UX
Client Services assumes the proxy user is a service or host principal and retrieves the credential
information from the keytab file.
The following example uses the ldap_proxy_config -i command to create a host
principal for hpntcA.cup.hp.com:
cd /opt/ldapux/config
./ldap_proxy_config -i host/hpntcA.cup.hp.com@HP.COM
Use only the keytab file without configuring proxy:
With this method, the old pcred file must be deleted if there is one. LDAP-UX Client Services
uses ldapux/<FQHN>@<REALM> as the default service principal. If it does not exist,
host/<FQHN>@<REALM> in the keytab file is the principal to be used. FQHN stands for
Fully Qualified Host Name.
The principal defined in a keytab file can be shared among several services, such as the
Kerberized Interface Service or LDAP-UX, which use the host principal for authentication.
The LDAP-UX proxy principal is used solely for LDAP-UX.
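The keytab-only method above leaves two things to verify on the client: that no stale pcred file is left behind, and which keytab principal LDAP-UX will fall back to (ldapux/<FQHN>@<REALM> first, then host/<FQHN>@<REALM>). The following script is an added example, not part of the guide or of LDAP-UX itself; it reproduces that selection rule over klist -k output (a constructed sample is embedded) and the pcred path and function names are assumptions.

```shell
#!/bin/sh
# Added example: apply the LDAP-UX default-principal rule to `klist -k` output
# and confirm the keytab-only method's precondition (no leftover pcred file).

# Constructed sample of `klist -k` output, matching the listing on this page.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--------------------------------------------
   1 ldapux/hpntc10.cup.hp.com@HP.COM
   1 host/hpntc10.cup.hp.com@HP.COM'

# select_default_principal FQHN REALM   (reads `klist -k` output on stdin)
# Prints the principal LDAP-UX would use when no proxy user is configured:
# ldapux/FQHN@REALM if the keytab holds it, otherwise host/FQHN@REALM.
# Returns 1 and prints nothing when neither is present.
select_default_principal() {
    fqhn=$1; realm=$2
    # Entry lines contain '@'; the principal is the last whitespace-separated field.
    princs=$(awk '/@/ { print $NF }')
    for svc in ldapux host; do
        want="$svc/$fqhn@$realm"
        for p in $princs; do
            [ "$p" = "$want" ] && { printf '%s\n' "$want"; return 0; }
        done
    done
    return 1
}

# check_no_pcred PATH: the keytab-only method requires that the old pcred
# file has been deleted; report it if it is still there.
check_no_pcred() {
    if [ -e "$1" ]; then
        echo "proxy credential file $1 still exists; delete it before using keytab-only mode" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample (use `klist -k |` on a real client).
printf '%s\n' "$SAMPLE_KLIST" | select_default_principal hpntc10.cup.hp.com HP.COM
check_no_pcred /etc/opt/ldapux/pcred || true
```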
Keytab File
LDAP-UX allows you to specify the keytab file when you use SASL GSSAPI authentication.
Run the setup program to specify the keytab file, or use the kerberos_keytab_file option
in /etc/opt/ldapux/ldapux_client.conf to specify it. If you do not specify
a keytab file, LDAP-UX uses the default file specified in /etc/krb5.conf. If there is no
104 Administering LDAP-UX Client Services