LDAP-UX Client Services B.04.10 with Microsoft Windows Active Directory Server Administrator's Guide

1. Use swinstall to install LDAP-UX Client Services on the client system. This requires
   rebooting the client system.
2. Copy the following files from a configured client to the client being configured:
   /etc/opt/ldapux/ldapux_client.conf
   /etc/opt/ldapux/pcred (only if you have configured a proxy user, not if you are
   using only anonymous access)
   /etc/pam.conf
   /etc/nsswitch.conf
   cert7.db or cert8.db and key3.db files (only if SSL is enabled)
3. Download the profile by running get_profile_entry as follows:
   cd /opt/ldapux/config
   ./get_profile_entry -s nss -D bindDN -w password
   If you are using multiple domains, download profiles for the GCS and each remote domain.
   Refer to "Command, Tool, Schema Extension Utility, and Migration Script Reference"
   (page 145), section titled "The get_profile_entry Tool", for information about downloading
   these profiles.
   Alternatively, you can run the setup program interactively to download the profile from
   the directory, and respond No when prompted whether you want to change the current
   configuration:
   cd /opt/ldapux/config
   ./setup
4. If you are using a proxy user, verify the proxy user by calling ldap_proxy_config as
   follows:
   cd /opt/ldapux/config
   ./ldap_proxy_config -v
5. Refer to "Verify the LDAP-UX Client Services for Single Domain" for more information on
   verifying the installation and configuration of your LDAP-UX Client Services.
Configuring the LDAP-UX Client Services with SSL or TLS Support
The LDAP-UX Client Services provides SSL (Secure Sockets Layer) support to secure
communication between LDAP clients and the Active Directory Servers. An encrypted connection
is established on the encrypted port, 636. The LDAP-UX Client Services supports SSL with a
password as the credential, using either simple bind or SASL GSSAPI authentication to ensure
confidentiality and data integrity between clients and servers.
The LDAP-UX Client Services supports Microsoft Windows 2000, 2003 or 2003 R2 Active Directory
Server (ADS), Netscape Directory Server (NDS) 6.x and Red Hat Directory Server 7.0/7.1 over
SSL. For detailed information on how to enable SSL communication over LDAP for your Windows
2000 Active Directory Server, refer to Microsoft Knowledge Base Article Q247078 at
http://support.microsoft.com/default.aspx?scid=kb;en-us;247078
TLS Support
Starting with LDAP-UX Client Services B.04.10, the product supports a new extended operation
of the TLS (Transport Layer Security) protocol, called startTLS, to secure communication between
LDAP clients and the Windows Active Directory Server. An encrypted session is established
on the unencrypted port, 389. If startTLS is attempted on the encrypted port (636), the secure
connection cannot be established. The TLS protocol gives administrators more flexibility in using TLS in their
environment by allowing the use of an unencrypted LDAP port for communication between
the clients and the server. LDAP-UX supports TLS with a password as the credential, using either
simple bind or SASL GSSAPI authentication to ensure confidentiality and data integrity between
clients and servers.
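The two ways of obtaining an encrypted session described in the SSL and TLS sections above differ only in the order of operations on the socket: over LDAPS (port 636) the TLS handshake comes first and LDAP runs inside it, whereas with startTLS (port 389) the client first sends a plain LDAP ExtendedRequest carrying the startTLS OID 1.3.6.1.4.1.1466.20037, checks the ExtendedResponse, and only then starts the TLS handshake on the same connection. The following is an added example, not code from the LDAP-UX product or from this guide; it encodes and decodes the startTLS exchange itself, and the two `connect_*` helpers show the order of operations for each mode. The host name, CA file path and the sample response bytes are constructed for illustration.

```python
"""Added example (not from the LDAP-UX guide): LDAPS versus startTLS at the socket level.

LDAPS  : TLS handshake first on port 636, LDAP only afterwards.
startTLS: plain LDAP on port 389, a StartTLS ExtendedRequest (OID
         1.3.6.1.4.1.1466.20037), then the TLS handshake on the same socket.
Host names and the sample response bytes are constructed for illustration.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
LDAPS_PORT = 636   # encrypted port: TLS before any LDAP PDU
LDAP_PORT = 389    # unencrypted port: LDAP first, TLS after startTLS


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Build one BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("example supports single-byte message IDs only")
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))          # 0x77 = APPLICATION 23
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> dict:
    """Return messageID and resultCode from an [APPLICATION 24] ExtendedResponse."""
    tag, msg, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = parse_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = parse_tlv(msg, pos)
    if tag != 0x78:                                       # 0x78 = APPLICATION 24
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    tag, code, _ = parse_tlv(body)
    if tag != 0x0A:                                       # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big")}


# Constructed sample replies: success (resultCode 0) and protocolError (resultCode 2).
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_STARTTLS_PROTOCOL_ERROR = bytes.fromhex("300c02010178070a010204000400")


def tls_context(ca_file: str) -> ssl.SSLContext:
    """Verify the server certificate against the CA that issued the directory server's cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_ldaps(host: str, ca_file: str, port: int = LDAPS_PORT) -> ssl.SSLSocket:
    """Port 636: TLS handshake immediately, LDAP PDUs only inside the encrypted channel."""
    raw = socket.create_connection((host, port), timeout=10)
    return tls_context(ca_file).wrap_socket(raw, server_hostname=host)


def connect_starttls(host: str, ca_file: str, port: int = LDAP_PORT) -> ssl.SSLSocket:
    """Port 389: plain LDAP request, check the response, then TLS on the same socket.
    Sent to port 636 this fails: the server expects a TLS ClientHello, not an LDAP PDU."""
    raw = socket.create_connection((host, port), timeout=10)
    raw.sendall(build_starttls_request(1))
    resp = raw.recv(4096)                 # response is a single small PDU; enough for the example
    result = parse_extended_response(resp)
    if result["result_code"] != 0:
        raw.close()
        raise RuntimeError("startTLS refused, resultCode %d" % result["result_code"])
    return tls_context(ca_file).wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Hypothetical host and CA file; replace with your own directory server and CA bundle.
    tls_sock = connect_starttls("ads.example.test", "/etc/opt/ldapux/ca.pem")
    print("negotiated", tls_sock.version(), "via startTLS on port", LDAP_PORT)
    tls_sock.close()
```

The certificate check in `tls_context` is what actually protects the password sent with a simple bind: without it, an encrypted channel to an unverified peer still lets an interposed host read the credential. The `connect_starttls` helper also shows why the guide says startTLS must use the unencrypted port: the first bytes on the wire are an LDAP PDU, which a listener on 636 cannot parse because it is waiting for a TLS handshake.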