LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide

Changing Which Profile a Client is Using
Each client uses the profile specified in its startup file
/etc/opt/ldapux/ldapux_client.conf. To make a client use a different profile in the
directory, edit this file and change the DN specified in the PROFILE_ENTRY_DN line. Then
download the profile as described in “Downloading the Profile Periodically” (page 55).
Creating an /etc/krb5.keytab File
In the ADS multiple domain environment, your HP-UX client machine will communicate with
multiple Windows 2000 or 2003 domain controllers. To set up Kerberos authentication, your
HP-UX host needs to have a service key known by every domain controller, which also acts as
KDC. The service key is created on Windows 2000 or 2003 Server using ktpass (described in
step 5 of “Configuring Active Directory for HP-UX Integration” (page 30)). After you create
the service key file on each domain controller, you need to securely transfer it to your HP-UX
machine. All service key files must be merged and stored in /etc/krb5.keytab.
For example, if you integrate LDAP-UX with ADS multiple domains so that users from DomainA,
DomainB, and DomainC can log into your HP-UX client machine, you will need to create the
service key on each domain controller (say domainA.keytab on DomainA, domainB.keytab
on DomainB and domainC.keytab on DomainC), then transfer those files into your HP-UX
machine. Finally, merge all three service key files to create /etc/krb5.keytab. Use ktutil
to merge service key files on your HP-UX machine:
# /usr/sbin/ktutil
ktutil: rkt domainA.keytab
ktutil: rkt domainB.keytab
ktutil: rkt domainC.keytab
ktutil: wkt krb5.keytab
ktutil: quit
Use klist -k to show the different entries in the keytab file. /etc/krb5.keytab should be
readable only by the superuser (root).
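As an added example (not part of this guide, and not HP's ktutil or klist), the following Python reads and writes MIT-format keytab files, merges several of them the way the rkt/wkt sequence above does, lists the resulting entries the way klist -k would, and checks that the file is root-owned with owner-only permissions. The realms, host principal, kvno and key bytes are constructed sample values; the only assumption about the real files is that ktpass produced version-2 (0x0502) keytabs.

```python
# Added example (not from the LDAP-UX guide): minimal MIT keytab reader/writer
# mirroring ktutil rkt/wkt and klist -k, plus a permission check. All
# principals, realms and key bytes below are constructed sample values.
import os
import stat
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"     # MIT keytab file format, version 2
ENCTYPE_ARCFOUR_HMAC = 23      # RC4-HMAC, the enctype ktpass emits on Windows 2000/2003


@dataclass
class KeytabEntry:
    principal: str             # e.g. "host/hpux1.example.com@DOMAINA.EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes


def _octets(buf, off):
    """Read one 16-bit-length-prefixed octet string (big-endian)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def encode_entry(e):
    """Serialise one entry as a size-prefixed keytab record."""
    name, realm = e.principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)                  # optional 32-bit kvno field
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(data):
    """Decode every live entry: the same records klist -k prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                # negative size marks a deleted-entry hole
            off += -size
            continue
        rec, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, p); p += 2
        realm, p = _octets(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _octets(rec, p)
            comps.append(c.decode())
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", rec, p); p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p); p += 4
        key, p = rec[p:p + klen], p + klen
        kvno = vno8
        if p + 4 <= len(rec):       # 32-bit kvno present after the key block
            (vno32,) = struct.unpack_from(">I", rec, p)
            kvno = vno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        off += size
    return entries


def merge_keytabs(keytabs):
    """rkt each input, then wkt: one keytab holding every domain's entries."""
    return build_keytab([e for kt in keytabs for e in parse_keytab(kt)])


def permission_problems(uid, mode):
    """Findings for anything other than root-owned, owner-only access."""
    problems = []
    if uid != 0:
        problems.append("owner uid %d is not root" % uid)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others (mode %o)" % stat.S_IMODE(mode))
    return problems


def keytab_problems(path):
    st = os.stat(path)
    return permission_problems(st.st_uid, st.st_mode)


# Constructed samples: one host key per domain controller, as ktpass would make.
DOMAIN_KEYTABS = [
    build_keytab([KeytabEntry("host/hpux1.example.com@%s.EXAMPLE.COM" % d,
                              3, ENCTYPE_ARCFOUR_HMAC, bytes([i]) * 16)])
    for i, d in enumerate(("DOMAINA", "DOMAINB", "DOMAINC"), start=1)
]
# A keytab whose first record was deleted (ktutil delent leaves a hole).
SAMPLE_WITH_HOLE = KEYTAB_MAGIC + struct.pack(">i", -8) + b"\0" * 8 + DOMAIN_KEYTABS[0][2:]

if __name__ == "__main__":
    for e in parse_keytab(merge_keytabs(DOMAIN_KEYTABS)):
        print("%3d %s (enctype %d)" % (e.kvno, e.principal, e.enctype))
```

Run stand-alone it prints the three merged host entries; on a real system, keytab_problems("/etc/krb5.keytab") returning an empty list is the condition the paragraph above asks for.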
Considering Performance Impacts
The advantage of an LDAP directory over flat files for naming and authentication services is its
design for quick access to information in large databases. Still, with very large databases,
administrators and users should be aware of the following performance impacts:
Enumeration Requests
Enumeration requests are directory queries that request all of a database, for example all users
or all groups. Enumeration requests of large databases can reduce network and server
performance. For this reason, you may want to restrict the use of the following commands that
generate enumeration requests:
finger(1)
grget(1) with no options
pwget(1) with no options
groups(1)
listusers(1)
logins(1M)
Also, applications written with the getpwent(3C) or getgrent(3C) family of routines can
enumerate a map, depending on how they are written.