LDAP-UX Client Services B.04.
© Copyright 2009 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document
The latest version of this document can be found online at: http://www.docs.hp.com
This document describes how to install and configure the LDAP-UX Client Services product on HP-UX platforms. The document printing date and part number indicate the document's current edition. The printing date changes when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number changes when extensive changes are made.
Book Title: The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
Emphasis: Text that is emphasized.
Bold: Text that is strongly emphasized.
Bold: The defined use of an important word or phrase.
ComputerOut: Text displayed by the computer.
UserInput: Commands and other text that you type.
Command: A command name or qualified command phrase.
1 Introduction
LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. This LDAP directory could be a server running on an HP-UX system, such as Netscape Directory Server 6.x or Red Hat Directory Server 7.x, or the account information could be integrated into Windows 2000/2003 Active Directory.
Figure 1-2 A Simplified LDAP-UX Client Services Environment LDAP-UX Client Services supports the following name service data: passwd, groups, hosts, rpc, services, networks, protocols, publickeys, automount, netgroup. See the LDAP-UX Integration B.04.10 Release Notes for any additional supported services. 1.1.
Table 1-1 Examples of Commands and Subsystems that use PAM and NSS (continued)
Commands that use NSS: groups[2], newgrp[2], pwget[2], grget[2], listusers[2], logins[2], nslookup
Commands that use PAM and NSS: remsh
[1] nsquery(1) is a contributed tool included with the ONC/NFS product.
[2] These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.
• how clients should bind to the directory: anonymously or as a proxy user. Anonymous access is simplest. Configuring a proxy user adds some security, but at the same time it adds the overhead of managing the proxy user.
• other configuration parameters such as search time limits.
Figure 1-4 The Local Start-up File and the Configuration Profile
The following chapter describes in detail how to install, configure, and verify LDAP-UX Client Services.
2 Installing And Configuring LDAP-UX Client Services
This chapter describes the decisions you need to make and the steps to install Netscape/Red Hat Directory Server and configure LDAP-UX Client Services. This chapter contains the following sections:
• Before You Begin (page 19).
• Summary of Installing and Configuring (page 20).
• Plan Your Installation (page 21).
• Install LDAP-UX Client Services on a Client (page 26).
• Configure Your Directory (page 27).
2.2 Summary of Installing and Configuring
The following summarizes the steps you take when installing and configuring an LDAP-UX Client Services environment.
• See Plan Your Installation (page 21).
• Install LDAP-UX Client Services on each client system. See Install LDAP-UX Client Services on a Client (page 26).
• Install and configure an LDAP directory, if not already done. See Configure Your Directory (page 27).
2.3 Plan Your Installation Before beginning your installation, you should plan how you will set up and verify your LDAP directory and your LDAP-UX Client Services environment before putting them into production. Consider the following questions. Record your decisions and other information you'll need later in Configuration Worksheet (page 243). • How many LDAP directory servers and replicas will you need? Each client system binds to an LDAP directory server containing your user, group, and other data.
reduces LDAP-UX's response time to applications. In addition, the daemon re-uses connections for LDAP queries and maintains multiple connections to an LDAP server to improve performance. The migration scripts provided with LDAP-UX Client Services can build and populate a new directory subtree for your user and group data.
Figure 2-1 Example Directory Structure Write your configuration profile DN on the worksheet in Configuration Worksheet (page 243). • By what method will client systems bind to the directory? Clients can bind to the directory anonymously. This is the default and is simplest to administer. If you need to prevent access to your data from anonymous users or your directory does not support anonymous access, you can use a proxy user.
• Do you want to use TLS (Transport Layer Security) or SSL for secure communication between clients and Netscape/Red Hat Directory servers? LDAP-UX supports SSL or TLS with a password as the credential, using either simple bind or DIGEST-MD5 authentication (DIGEST-MD5 is available for Netscape/Red Hat Directory Server only), to ensure confidentiality and data integrity between clients and servers. StartTLS is an extended operation that negotiates TLS on an existing LDAP connection.
For the detailed information about AutoFS with LDAP support, see AutoFS Support (page 52). • What name services will you use? How will you set up /etc/nsswitch.conf? What order do you want NSS to try services? NSS is the Name Service Switch, providing naming services for user names, group names, and other information. You can configure NSS to use files, ldap, or NIS in any order and with different parameters. See /etc/nsswitch.ldap for an example nsswitch.conf file using files and ldap.
will not work on clients configured to use such a directory replica. See To Change Passwords (page 237) for how you can use ldappasswd(8) in this situation. Check the Release Notes for any other limitations and tell your users how they can work around them. 2.4 Install LDAP-UX Client Services on a Client Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on a client system. See the LDAP-UX Integration B.04.
2.5 Configure Your Directory This section describes how to configure your directory to work with LDAP-UX Client Services. Examples are given for Netscape Directory Server for HP-UX version 6.x. See the LDAP-UX Integration B.04.10 Release Notes for information on supported directories. If you have a different directory, see the documentation for your directory for details on how to configure it. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.
in the directory at ou=groups,ou=unix,o=hp.com, allows only the directory administrator to modify entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
4. Grant read access of all attributes of the posix schema. Ensure all users have read access to the posix attributes.
• uid
• ipserviceport
• iphostnumber
To index these entries with Netscape/Red Hat Directory Server, use the Console, Configuration tab, Indexes tab, Add Attributes button.
10. Determine if you need to support enumeration requests. If you do, increase the Look-Through limit, the Size limit, and the All-IDs-Threshold in the Directory Server. Enumeration requests are directory queries that request all of a database, for example all users or all groups.
2.6 Import Name Service Data into Your Directory
The next step is to import your name service data into your LDAP Directory. Here are some considerations when planning this:
• If you have already imported data into your directory with the NIS/LDAP Gateway product, LDAP-UX Client Services can use that data and you can skip to Configure the LDAP-UX Client Services (page 31).
• If you are using NIS, the migration scripts take your NIS maps and generate LDIF files.
2.7 Configure the LDAP-UX Client Services
Below is a summary of how to configure LDAP-UX Client Services with Netscape Directory Server 6.x. For a default configuration, see Quick Configuration (page 32). For a custom configuration, see Custom Configuration (page 35) for more information.
NOTE: The setup program has only been certified with Netscape Directory Server 6.x, Red Hat Directory Server 7.x and Windows 2000/2003/2003 R2 Active Directory Server. See the LDAP-UX Integration B.04.
• Optionally configure the authorization of one or more subgroups from a large repository such as an LDAP directory server. For the detailed information on how to set up the policy file, /etc/opt/ldapux/pam_authz.policy, see Policy File (page 97). After you configure your directory and the first client system, configuring additional client systems is simpler. Refer to Configure Subsequent Client Systems (page 63) for more information. 2.7.
Reply "yes" when asked whether you still want to use the new automount schema. If you reply yes, the setup program exits. You must manually delete the obsolete automount schema and then re-run the setup program to install the new automount schema. For detailed information on how to remove the obsolete automount schema, see Removing The Obsolete Automount Schema (page 55). If you reply no, setup skips to step 9 and the new automount schema will not be imported.
Table 2-1 Configuration Parameter Default Values (continued)
Parameter: Default Value
Search time limit: no limit
Use of referrals: Yes
Profile TTL (Time To Live): 0 - infinite
Use standard RFC-2307 object class attributes for supported services: Yes
Use default search descriptions for supported services: Yes
Authentication method: Simple
To change any of these default values, refer to Custom Configuration (page 35).
17.
2.7.2 Custom Configuration Running the Setup program for a quick configuration, as described above, configures your client using default values where possible. If you would like to customize these parameters, proceed as follows. If you want to use SSL or TLS, you must perform the following tasks before you run the custom configuration. See “Configure the LDAP-UX Client Services with SSL or TLS Support” (page 41) for details. • Ensure that you have installed the certificate database files, cert8.db or cert7.
4. Specify the host name and optional port number where your directory is running. If you choose to use TLS, the default directory port number is 389. If you choose to use SSL, the default directory port number is 636. For high availability, each LDAP-UX client can look for user and group information in up to three different directory servers. You are able to specify up to three directory hosts, to be searched in order. 5. 6. 7.
of these attributes to alternate attributes. Do you want to remap any of the standard RFC 2307 attributes? Enter “yes” if you want to remap attributes for any of the supported services. Then go to the “Remapping Attributes for Services” (page 38) section for details of the procedures. Otherwise, if you do not want to remap attributes for any of the supported services, then enter “no” to this prompt to continue to step 13 of the setup process. 12.
13. You will be asked whether or not you want to start the client daemon. For LDAP-UX Client B.03.20 or later versions, the client daemon must be started for LDAP-UX functions to work. With LDAP-UX Client B.30.10 or earlier, the client daemon is optional, and should be turned on in order to provide better performance (response time) and for the X.500 group membership to work. 2.7.
1. automountMapName -> [nisMapname]
2. automountKey -> [cn]
3. automountInformation -> [automountInformation]
Specify the attribute you want to map. [0]:
If you want to specify the attribute to map to the automountInformation attribute, then type 3 for the following question and press the return key:
Specify the attribute you want to map. [0]:3
8. Next, type the attribute nisMapEntry you want to map to the automountInformation attribute and press the return key:
automountInformation -> nisMapEntry
9.
Type 0 to exit this menu at the following question:
Specify the attribute you want to map. [0]:0
Attribute Mappings for X.500 Group Membership Support
If you want to configure X.500 group membership support, you should remap the group member attribute to member or uniquemember instead of using the default attribute, memberuid. Perform the following steps for attribute mappings to set up X.500 group membership:
1.
2.8 Configure the LDAP-UX Client Services with SSL or TLS Support The LDAP-UX Client Services provides SSL (Secure Socket Layer) support to secure communication between LDAP clients and the LDAP directory server. An encrypted session is established on an encrypted port, 636.
NOTE: If you already have the certificate database files, cert7.db or cert8.db and key3.db, on your client for your HP-UX applications, you can simply create a symbolic link /etc/opt/ldapux/cert7.db that points to cert7.db or /etc/opt/ldapux/cert8.db that points to cert8.db, and /etc/opt/ldapux/key3.db that points to key3.db. You can download the certificate database from the Netscape Communicator or Mozilla browser to set up the certificate database on your LDAP-UX client. 2.8.3.
2.8.3.2 Steps to create database files using the certutil utility The following steps show you an example on how to create the security database files, cert8.db and key3.db on your client system using the certutil utility: 1. Retrieve the Base64-Encoded certificate from the certificate server and save it. For example, get the Base64-Encoded certificate from the certificate server and save it as the /tmp/mynew.cert file.
of the clients and servers can be validated. This section describes how to adjust this validation level. The peer_cert_policy parameter in the /etc/opt/ldapux/ldapux_client.conf configuration file is a string variable used to control the validation level. There are three valid options for this parameter, described below:
WEAK: Performs no validation of SSL or TLS certificates.
• Select the first name component of the “Subject:” name. For example, if the “Subject:” string is “CN=ldapserver.example.com, O=Example Corp” then the name component would be “ldapserver.example.com”.
NOTE: Depending on how your certificate administrator manages your network, the above server certificate may not be found in your cert8.db file. Instead you may only find certificates for any trusted Certificate Authorities.
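As an added illustration (not code from the LDAP-UX product or this guide), the following Python audit reads peer_cert_policy from a constructed configuration excerpt and performs the name check described above against each configured directory host; the key=value syntax assumed for ldapux_client.conf, the host list and the function names are assumptions.

```python
"""Added example, not part of LDAP-UX: audits peer_cert_policy and applies the
name check described above (first "Subject:" name component against each
configured directory host). The key=value syntax assumed for
ldapux_client.conf and the host list passed in are assumptions."""


def read_conf_value(conf_text, key):
    """Value of key from key=value lines; '#' lines are comments (assumed syntax)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip().lower() == key.lower():
            return v.strip().strip('"')
    return None


def subject_common_name(subject):
    """First name component of 'CN=ldapserver.example.com, O=Example Corp'."""
    for part in subject.split(","):
        k, _, v = part.strip().partition("=")
        if k.strip().upper() == "CN":
            return v.strip()
    raise ValueError("no CN in subject: " + subject)


def host_part(directory_host):
    """Strip the optional :port that setup accepts after the host name."""
    return directory_host.split(":")[0].strip()


def audit_peer_cert(conf_text, cert_subject, directory_hosts):
    """Return (policy, findings). A name mismatch is a risk under any policy;
    with WEAK the client would not notice it, because no validation is done."""
    policy = read_conf_value(conf_text, "peer_cert_policy")
    cn = subject_common_name(cert_subject)
    findings = []
    for host in directory_hosts:
        if cn.lower() != host_part(host).lower():
            findings.append("certificate CN %s does not match host %s" % (cn, host))
    if policy is None:
        findings.append("peer_cert_policy is not set")
    elif policy.upper() == "WEAK":
        findings.append("peer_cert_policy=WEAK: certificates are not validated")
    return policy, findings


# Constructed excerpt; a real ldapux_client.conf holds many more parameters.
CONF = """# constructed excerpt of /etc/opt/ldapux/ldapux_client.conf
peer_cert_policy=WEAK
"""
SUBJECT = "CN=ldapserver.example.com, O=Example Corp"
HOSTS = ["ldapserver.example.com:636", "ldap2.example.com:636"]

if __name__ == "__main__":
    for finding in audit_peer_cert(CONF, SUBJECT, HOSTS)[1]:
        print(finding)
```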
2.9 Configure LDAP-UX Client Services with Publickey Support
LDAP-UX Client Services B.04.00 or later supports discovery and management of public keys in an LDAP directory. Both the public and the secret keys used by the Secure RPC API can be stored in user and host entries in an LDAP directory server, using the nisKeyObject objectclass. Support for discovery of keys in an LDAP directory server is provided through the getpublickey() and getsecretkey() APIs.
• Use swinstall to install the software bundle:
— swinstall -x autoreboot=true -s /tmp/ENHKEY_B.11.11.01_HP-UX_B.11.11_64_32.depot for HP-UX 11i v1
— swinstall -x autoreboot=true -x reinstall=false -s /tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.depot for HP-UX 11i v2
2.9.2 Extending the Publickey Schema into Your Directory
The publickey schema is not loaded in the Netscape/Red Hat Directory Server. If you are installing LDAP-UX B.04.
2.9.4.1 Setting ACI for an Admin Proxy User With Netscape Directory Server 6.11 and 6.21, you can use the Netscape Console or ldapmodify to set up ACI, which gives an Admin Proxy user permissions to manage host and user keys in the LDAP directory.
2.9.4.2 Setting ACI for a User The default ACI of Netscape Directory Server 6.11 allows a user to change his own nispublickey and nissecretkey attributes. For Netscape Directory Server 6.21, you need to set up ACI which gives a user permission to change his own nissecretkey and nispublickey attributes. Use the Netscape Console or ldapmodify to set up ACI for a user.
can find the profile DN from PROFILE_ENTRY_DN in /etc/opt/ldapux/ldapux_client.conf after you finish running the setup program. The following example edits the profile entry "cn=ldapuxprofile,dc=org,dc=hp,dc=com":
cd /opt/ldapux/bin
./ldapentry -m "cn=ldapuxprofile,dc=org,dc=hp,dc=com"
After you enter the prompts for "Directory login:" and "password:", ldapentry will bring up an editor window with the profile entry. You can add the serviceAuthenticationMethod attribute.
serv-auth: keyserv:sasl/digest-md5 auth opts: username: uid realm:
For subsequent LDAP-UX client systems that share the same profile configuration, use the following steps to download and activate the profile:
1. Login as root.
2. Go to /opt/ldapux/config:
cd /opt/ldapux/config
3. Use /opt/ldapux/config/get_profile_entry to download the modified LDIF profile:
./get_profile_entry -s nss
4.
2.10 AutoFS Support
AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them. If an automounted file system has been idle for a period of time, AutoFS unmounts it. AutoFS uses name services such as files, NIS or NIS+ to store and manage AutoFS maps. LDAP-UX Client Services B.04.00 supports the automount service under the AutoFS subsystem. This new feature allows users to store AutoFS maps in an LDAP directory server. 2.10.
2.10.2.1.1 Schema
The following shows the RFC 2307-bis automount schema in the LDIF format:
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'Automount Map information' SUP top STRUCTURAL MUST automountMapName MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.
NOTE: If you use the nisObject automount map schema, do not use map keys that contain capital letters and differ from other keys only in the case of those letters.
2.10.2.3 Obsolete Automount Schema
The obsolete automount schema is shipped with the Netscape Directory Server version 6.x. You must manually delete it before the setup program can successfully import the new automount schema into the LDAP directory server.
2.10.2.3.1 Removing The Obsolete Automount Schema
Perform the following steps to delete the obsolete automount schema:
1. Login to your Netscape Directory Server as root.
2. Stop your Netscape Directory Server daemon, slapd.
Table 2-4 Attribute Mappings
New Automount Attribute -> nisObject Automount Attribute
automountMapname -> nisMapname
automountKey -> cn
automountInformation -> nisMapEntry
• Change the automount search filter for the automount service to the nisObject search filter. LDAP-UX Client Services uses the automount search filter for the automount service as a default. The search filter change can be done in step 12 of the Custom Configuration.
LDAP_BASEDN: The base distinguished name of the LDAP directory that the AutoFS maps are to be placed in.
DOM_ENV: This only applies to the migrate_nisp_autofs.pl script. This variable defines the fully qualified name of the NIS+ domain where you want to migrate your data from.
NIS_DOMAINNAME: This only applies to the migrate_nis_automount.pl script. This variable specifies the fully qualified name of the NIS domain where you want to migrate your data from. This variable is optional.
dn: automountKey=/mnt_direct/lab1,automountMapname=auto_direct,dc=nishpind
objectClass: top
objectClass: automount
automountInformation: hostA:/tmp
automountKey: /mnt_direct/lab1

dn: automountKey=/mnt_direct/lab2,automountMapname=auto_direct,dc=nishpind
objectClass: top
objectClass: automount
automountInformation: hostB:/tmp
automountKey: /mnt_direct/lab2
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_direct.ldif that you just created above into the LDAP directory.
2.10.5.4 The migrate_nis_automount.pl Script
This script, found in /opt/ldapux/migrate, migrates the AutoFS maps from the NIS server to LDIF.
2.10.5.4.1 Syntax
scriptname inputfile outputfile
2.10.5.4.2 Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the /tmp/auto_indirect.ldif file:
export LDAP_BASEDN="dc=nisserv1"
export NIS_DOMAINNAME="cup.hp.com"
migrate_nis_automount.pl /etc/auto_indirect /tmp/auto_indirect.
2.10.5.5 The migrate_nisp_autofs.pl Script
This script, found in /opt/ldapux/migrate/nisplusmigration, migrates the AutoFS maps from the NIS+ server to the nisp_automap.ldif file.
2.10.5.5.1 Syntax
scriptname inputfile
2.10.5.5.2 Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the nisp_automap.ldif file:
export LDAP_BASEDN="dc=nishpbnd"
export DOM_ENV="cup.hp.com"
migrate_nisp_autofs.
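The following Python is added here and is not HP's migrate_nis_automount.pl or migrate_nisp_autofs.pl: it shows what such a migration produces by converting a constructed AutoFS map into LDIF in either the RFC 2307-bis automount schema shown under Schema above or the nisObject mapping of Table 2-4, and it rejects nisObject keys that differ only in case as the NOTE above requires. The function names, the RDN escaping and the continuation-line handling are assumptions of this example.

```python
"""Added example; not HP's migrate_nis_automount.pl or migrate_nisp_autofs.pl.
Converts an AutoFS map file into LDIF entries shaped like the auto_direct
example above, in either the RFC 2307bis automount schema or the nisObject
mapping of Table 2-4, and enforces the note on keys that differ only in case."""

# RFC 2307bis names and the nisObject names from Table 2-4; nisMapName is also
# carried on every nisObject entry because RFC 2307 requires it there.
SCHEMAS = {
    "automount": {"map_class": "automountMap", "map_attr": "automountMapName",
                  "entry_class": "automount", "key_attr": "automountKey",
                  "info_attr": "automountInformation"},
    "nisObject": {"map_class": "nisMap", "map_attr": "nisMapName",
                  "entry_class": "nisObject", "key_attr": "cn",
                  "info_attr": "nisMapEntry"},
}


def escape_rdn_value(value):
    """RFC 4514 escaping, so a key containing ',' or '+' cannot alter the DN."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in ',+"\\<>;' or leading or trailing else ch)
    return "".join(out)


def parse_autofs_map(text):
    """Return (key, information) pairs. Comments and blank lines are skipped, a
    trailing backslash continues the entry, and everything after the key (mount
    options and location) is the automount information."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed map line: " + line)
        entries.append((parts[0], " ".join(parts[1].split())))
    return entries


def check_case_conflicts(keys):
    """Groups of keys that differ only in letter case (see the NOTE above)."""
    groups = {}
    for k in keys:
        groups.setdefault(k.lower(), []).append(k)
    return [g for g in groups.values() if len(set(g)) > 1]


def autofs_map_to_ldif(map_name, map_text, base_dn, schema="automount"):
    """LDIF for one map: the map container entry, then one entry per key."""
    names = SCHEMAS[schema]
    entries = parse_autofs_map(map_text)
    if schema == "nisObject":
        conflicts = check_case_conflicts(k for k, _ in entries)
        if conflicts:
            raise ValueError("keys differ only by case: %r" % conflicts)
    map_dn = "%s=%s,%s" % (names["map_attr"], escape_rdn_value(map_name), base_dn)
    blocks = ["dn: %s\nobjectClass: top\nobjectClass: %s\n%s: %s\n"
              % (map_dn, names["map_class"], names["map_attr"], map_name)]
    for key, info in entries:
        lines = ["dn: %s=%s,%s" % (names["key_attr"], escape_rdn_value(key), map_dn),
                 "objectClass: top",
                 "objectClass: " + names["entry_class"],
                 "%s: %s" % (names["key_attr"], key),
                 "%s: %s" % (names["info_attr"], info)]
        if schema == "nisObject":
            lines.append("nisMapName: " + map_name)
        blocks.append("\n".join(lines) + "\n")
    return "\n".join(blocks)


# Constructed map: the two entries of the auto_direct example above plus a
# third that uses mount options and a continuation line.
AUTO_DIRECT = """# constructed /etc/auto_direct
/mnt_direct/lab1 hostA:/tmp
/mnt_direct/lab2 hostB:/tmp
/mnt_direct/lab3 -ro \\
    hostC:/export
"""

if __name__ == "__main__":
    print(autofs_map_to_ldif("auto_direct", AUTO_DIRECT, "dc=nishpind"))
```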
2.11 Verify the LDAP-UX Client Services This section describes some simple ways you can verify the installation and configuration of your LDAP-UX Client Services. You may need to do more elaborate and detailed testing, especially if you have a large environment. If any of the following tests fail, see Troubleshooting (page 132). 1.
• logging in as a user that is a member of a -@netgroup, to be sure that the user will not be allowed to log in.
If pam_authz is configured with the pam_authz.policy file, verify the following:
• logging into the client system with a user name that is covered by an allow access rule in the policy file. Make sure the user will be allowed to log in.
• logging in as a user that is covered by a deny access rule in the policy file. Make sure the user cannot log in to the client system.
2.12 Configure Subsequent Client Systems
Once you have configured your directory and one client system, you can configure subsequent client systems using the following steps. Modify any of these files as needed.
1. Use swinstall to install LDAP-UX Client Services on the client system. This does not require rebooting the client system.
2. Copy the following files from a configured client to the client being configured:
• /etc/opt/ldapux/ldapux_client.
2.13 Download the Profile Periodically
Setup allows you to define a time interval after which the current profile is automatically refreshed. The start time for this periodic refresh is defined by the time the setup program was run and the value defined for ProfileTTL. Therefore, it does not allow you to define a specific time of day when the profile should be downloaded (refreshed). For more detailed information, refer to the ldapclientd(1) man page.
rcommand
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.1
su account required libpam_ldap.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_unix.so.1
dtlogin account required libpam_ldap.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_unix.so.1
dtaction account required libpam_ldap.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_unix.so.1
ftp account required libpam_ldap.so.
3 LDAP Printer Configurator Support This chapter contains information describing how LDAP-UX supports the printer configurator, how to set up the printer schema, and how to configure the printer configurator to control its behaviors. This chapter contains the following sections: • Overview (page 67). • How the LDAP Printer Configurator works (page 68). • Printer Configuration Parameters (page 69). • Printer Schema (page 70). • Managing the LP printer configuration (page 70).
NOTE: The LDAP printer configurator only supports the HP LP spooler system, remote printers, network printers and print servers that support the Line Printer Daemon (LPD) protocol. It does not support local printers. 3.
NOTE: The system administrator manually adds or removes printers to the HP-UX system. The LDAP Printer Configurator will only add or remove printers that it has discovered in the LDAP directory according to the search filter defined for the printer. Figure 3-1 Printer Configurator Architecture 3.
3.4 Printer Schema
The new printer schema, from the IETF, is used to create the printer objects that are relevant to the printer configurator services. The draft printer schema can be obtained from the IETF web site at http://www.ietf.org. For the detailed structure of the new printer schema, see Appendix C. You must import the new printer schema into the LDAP Directory Server to create new printer objects.
Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
Since the local printer name, remote hostname, remote printer name, and the printing protocol information are still the same, the LDAP Printer Configurator will not change the current remote LP printer configuration for laser2.
Example 3: The system hostA.hp.com is retired. The Laserjet 2004 printer is now connected to system hostC and set up as a local LP printer lj2004.
• In a global management environment, it is hard to determine a default printer for an individual client system. The LDAP printer configurator treats every printer entry as a regular printer. The administrator or user must manually select a printer as the default printer for the client system.
4 Dynamic Group Support This chapter contains information about how LDAP-UX Client Services supports dynamic groups, how to set up dynamic groups, and how to enable or disable dynamic group caches.
1. Use the Directory Server Console to create a dynamic group. See the “Step 1: Creating a Dynamic Group” section for details.
2. Add the posixgroup objectclass and gidNumber attribute information to the dynamic group entry created in step 1. See the “Step 2: Adding POSIX Attributes to a Dynamic Group” section for details.
4.2.1.1 Step 1: Creating a Dynamic Group
You can use the Directory Server Console to create a dynamic group.
2. Use the ldapmodify tool to modify the existing entry with the LDIF file created in step 1. For example, the following command modifies the dynamic group entry in the LDAP directory server, ldaphost1, using the LDIF update file, new.ldif (where <password> is the bind password of the Directory Manager):
ldapmodify -D "cn=Directory Manager" -w <password> -h ldaphost1 -p 389 -f new.
4.2.2 Changing an HP-UX POSIX Static Group to a Dynamic Group
To change an HP-UX POSIX static group to an HP-UX POSIX dynamic group, use the Directory Server Console to add the following objectclass and attribute information to the HP-UX POSIX static group:
• groupofurls objectclass
• memberURL attribute
For detailed information on how to use the Directory Server Console to modify a group, refer to Red Hat Directory Server Administrator's Guide available at the following web site: http://docs.hp.
4.3 Specifying a Search Filter for a Dynamic Group Instead of using memberURL and groupofurls to specify dynamic groups, HP OpenView Select Access and HP-UX Select Access for IdMI define the following new attributes and objectclass to support dynamic groups:
• nxRole attribute
• nxSearchBaseDn attribute
• nxSearchFilter attribute
• nxSearchScope attribute
• nxRoleEntry objectclass
4.3.
nxSearchScope: sub
nxSearchBaseDn: ou=Managing,dc=Example,dc=hp,dc=com
nxRole: Austine Managers
nxSearchFilter: (l=Austine)
cn: AustMgrs
gidNumber: 2000
NOTE: Unlike Netscape/Red Hat Directory dynamic groups, Select Access dynamic groups require non-standard objectclass and attributes. You cannot change existing POSIX static groups to Select Access POSIX dynamic groups without importing those objectclass and attributes. This procedure is not supported. 4.
uniqueMember: uid=user3,ou=people,dc=example,dc=hp,dc=com memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(uid=p*) When processing memberURL to retrieve dynamic members, LDAP-UX combines (objectclass=posixaccount) from passwd configuration with (uid=p*) as the search filter to search the tree of "dc=example,dc=hp,dc=com". With the above attribute mappings, LDAP-UX will return user1, user2, user3 and all users starting with "p" as group members. 4.4.
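The memberURL processing described above, as an added example that is not part of the LDAP-UX manual: the LDAP URL is split into its RFC 4516 components and the URL's own filter is ANDed with the passwd object-class filter. The sample URL and the (objectclass=posixaccount) term are the ones in the text; the helper names, the scope/filter defaults and the refusal of a URL that names a server are assumptions of this example.

```python
"""Added example, not code from the LDAP-UX manual: parse an RFC 4516 LDAP URL
such as the memberURL above and derive the search that LDAP-UX is described as
performing (the URL's filter ANDed with the passwd object-class filter).
Helper names are my own; the sample URL and (objectclass=posixaccount) are
taken from the text."""
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url):
    """Return the components of ldap://host/dn?attrs?scope?filter?exts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, rest = rest.partition("/")
    fields = rest.split("?")
    fields += [""] * (5 - len(fields))          # missing trailing fields are empty
    base_dn, attrs, scope, filt, exts = (unquote(f) for f in fields[:5])
    scope = scope.lower() or "base"             # RFC 4516 default for an empty scope
    if scope not in SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, url))
    return {
        "host": host or None,                   # '' means "the server holding this entry"
        "base_dn": base_dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt or "(objectClass=*)",    # RFC 4516 default for an empty filter
        "extensions": [e for e in exts.split(",") if e],
    }


def member_search(member_url, passwd_filter="(objectclass=posixaccount)"):
    """Base DN, scope and combined filter for resolving a dynamic group's members.

    The page does not say how LDAP-UX treats a memberURL that names a host, so
    this example refuses one: a writable group attribute must not be able to
    redirect member resolution to a server outside the configured profile."""
    u = parse_ldap_url(member_url)
    if u["host"]:
        raise ValueError("memberURL must not name a server: %r" % member_url)
    combined = "(&%s%s)" % (passwd_filter, u["filter"])
    return u["base_dn"], u["scope"], combined


if __name__ == "__main__":
    print(member_search("ldap:///dc=example,dc=hp,dc=com??sub?(uid=p*)"))
```

For the page's URL the result is the base dc=example,dc=hp,dc=com, scope sub and the filter (&(objectclass=posixaccount)(uid=p*)). Because anyone who can write memberURL controls which entries become group members, the attribute deserves the same directory ACLs as the static member attributes.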
4.5 Number of Group Members Returned With dynamic membership support, as with regular (static) group membership support, the number of group members for a specific group returned by getgrnam()/getgrgid()/getgrent() on an HP-UX system is limited by internal buffer sizes. On HP-UX 11i v1 and v2 systems, the buffer size is 7296 bytes for 32-bit applications and 10496 bytes for 64-bit applications. Because the buffer must hold every member name, the practical cap on the number of members depends on the length of the individual member names.
4.7 Performance Impact for Dynamic Groups A dynamic group is specified by either an LDAP URL or a search filter. Depending on how you configure dynamic groups, a large number of LDAP searches can be involved. In that case, the performance of applications that call getgrnam(), getgrgid() or getgrent() (see getgrent(3C)), for example the id and groups commands, will be affected.
5 Administering LDAP-UX Client Services This chapter describes how to keep your clients running smoothly and expand your computing environment.
IMPORTANT: Starting with LDAP-UX Client Services B.03.20, the client daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running the client daemon, ldapclientd, is optional. 5.1.2 ldapclientd 5.1.2.1 Starting the client Use the following syntax to start the client daemon. Note the use of upper and lower-case characters: /opt/ldapux/bin/ldapclientd [-d ] [-o] [-z] 5.1.2.
5.1.2.5 Diagnostics By default, errors are logged to syslog if the system log is enabled in the LDAP-UX client startup configuration file /etc/opt/ldapux/ldapux_client.conf. Errors occurring before ldapclientd forks into a daemon process leave an error message directly on the screen. The following diagnostic messages may be issued: Message: Already running. Meaning: An attempt was made to start an LDAP Client Daemon when one was already running.
section Each section is configured by setting=value information underneath. The section name must be enclosed by brackets ("[ ]") as delimiters. Valid section names are:
- [StartOnBoot]
- [general]
- [passwd]
- [group]
- [dynamic_group]
- [netgroup]
- [uiddn]
- [domain_pwd]
- [domain_grp]
- [automount]
- [automountMap]
- [printers]
setting This will be different for each section. value Depending on the setting, this can be . 5.1.3.2.
cache_cleanup_time=<1-300> The interval, in seconds, between the times when ldapclientd identifies and cleans up stale cache entries. The default value is 10. update_ldapux_conf_time=<10-2147483647> This determines how often, in seconds, ldapclientd re-reads the /etc/opt/ldapux/ldapux_client.conf client configuration file to download new domain profiles. The default value is 600 (10 minutes).
The time, in seconds, before a cache entry expires from the positive cache. Since personal data can change frequently, this value is typically smaller than some others. The default value is 120 (2 minutes) negcache_ttl=<1-2147483647> The time, in seconds, before a cache entry expires from the negative cache. The default value is 240 (4 minutes). [group] Cache settings for the group cache (which caches name, gid and membership information).
new entries are not cached until enough expired entries are freed to allow it. The default value is 100000000 (10M). NOTE: The cache_size option defined in the [general] section is used to configure all other caches (passwd, netgroup, group, automount, domain_pwd, domain_grp, uiddn). [netgroup] Cache settings for the netgroup cache. enable= ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
[domain_grp] This cache maps group names and GUIDs to the domain holding its entry. enable= ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled. poscache_ttl=<0-2147483647> The time, in seconds, before a cache entry expires from the positive cache. Since new domains are rarely added to or removed from the forest, the cache is typically valid for a long time. The default value is 86400 (24 hours).
[printers] Any printer setting defined here will be used by the LDAP printer configurator. start= Determines if the printer configurator service will start when ldapclientd is initialized. If it is enabled, the printer configurator will start when ldapclientd is initialized. By default, the start parameter is enabled. search_interval=<1800-1209600> Defines the interval, in seconds, before the printer configurator performs a printer search in the directory server.
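A parser and range check for the ldapclientd.conf layout described in this section, as an added example that is not part of LDAP-UX. The section names and the numeric ranges are the ones the text documents (the poscache_ttl range is the one stated for [domain_grp] and is assumed to apply to the other caches); the '#' comment syntax, the sample file and the helper names are constructed for this example.

```python
"""Added example, not part of LDAP-UX: a parser and range checker for the
[section] / setting=value layout of /etc/opt/ldapux/ldapclientd.conf
described above.  SECTIONS and RANGES come from the text; '#' comments,
the sample file and the helper names are assumptions of this example."""

SECTIONS = {"StartOnBoot", "general", "passwd", "group", "dynamic_group",
            "netgroup", "uiddn", "domain_pwd", "domain_grp", "automount",
            "automountMap", "printers"}

# (section, or None for any section; setting) -> (min, max), as documented.
RANGES = {
    ("general", "cache_cleanup_time"): (1, 300),
    ("general", "update_ldapux_conf_time"): (10, 2147483647),
    ("printers", "search_interval"): (1800, 1209600),
    (None, "poscache_ttl"): (0, 2147483647),     # range given for [domain_grp]
    (None, "negcache_ttl"): (1, 2147483647),
}


def parse_ldapclientd_conf(text):
    """Return {section: {setting: value}}; a setting outside any section is an error."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # '#' comments: assumption
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("line %d: expected [section] or setting=value" % lineno)
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf


def check_ldapclientd_conf(conf):
    """List unknown section names and values outside their documented range."""
    problems = []
    for section, settings in conf.items():
        if section not in SECTIONS:
            problems.append("unknown section [%s] (not a section the text lists)" % section)
            continue
        for key, value in settings.items():
            bounds = RANGES.get((section, key)) or RANGES.get((None, key))
            if bounds is None:
                continue                          # no documented range to check
            try:
                n = int(value)
            except ValueError:
                problems.append("[%s] %s=%r is not an integer" % (section, key, value))
                continue
            lo, hi = bounds
            if not lo <= n <= hi:
                problems.append("[%s] %s=%d is outside %d-%d" % (section, key, n, lo, hi))
    return problems


# Constructed sample with two deliberate mistakes.
SAMPLE_CONF = """
[general]
cache_cleanup_time=10
update_ldapux_conf_time=600
[passwd]
poscache_ttl=120
negcache_ttl=240
[printers]
search_interval=600     # below the documented minimum of 1800
[printer]
search_interval=1800    # misspelled section name, never read as [printers]
"""


def sample_problems():
    return check_ldapclientd_conf(parse_ldapclientd_conf(SAMPLE_CONF))


if __name__ == "__main__":
    for p in sample_problems():
        print(p)
```

The misspelled [printer] section is the case worth catching: its search_interval is never applied, so the printer configurator keeps its default polling interval while the administrator believes it has been changed. A similar silent failure applies to a [passwd] poscache_ttl typed into the wrong section, which would leave deleted or modified accounts resolvable for the default 120 seconds rather than the interval intended.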
The coexistence of LDAP-UX and Trusted Mode supports certain security features, but also has limitations and usage requirements that you need to be aware of. For detailed information, see Features and Limitations (page 92). 5.2.2 Features and Limitations This subsection describes features and limitations of integrating LDAP-UX with Trusted Mode. 5.2.2.
LDAP-based accounts. So, if the user eventually provides the correct password, he or she can log in. 5.2.2.3 PAM Configuration File
• If you integrate LDAP-UX Client Services with the Netscape/Red Hat Directory Server, you must define the pam_ldap library before the pam_unix library in the /etc/pam.conf file for all services.
• You must set the control flag for both the pam_ldap and pam_unix libraries to required under session management. Refer to Sample /etc/pam.ldap.
5.3 PAM_AUTHZ Login Authorization The Pluggable Authentication Module (PAM) is an industry standard authentication framework that is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The PAM framework also allows new authentication service modules to be plugged in and made available without modifying the PAM enabled applications.
Figure 5-1 PAM_AUTHZ Environment The following describes the policy validation performed by PAM_AUTHZ for the user login authorization shown in Figure 5-1:
1. The administrator defines a local policy file and saves all the defined access rules in the policy configuration file, /etc/opt/ldapux/pam_authz.policy.
2. The PAM_AUTHZ service module receives an authorization request from the PAM framework. It processes all the access rules stored in the /etc/opt/ldapux/pam_authz.policy file.
3.
5.3.3 PAM_AUTHZ Supports Security Policy Enforcement PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP directory server. This feature works with SSH (Secure Shell) and with r-commands that have rhosts authentication enabled, where authentication is not performed through the PAM (Pluggable Authentication Module) subsystem but by the command itself.
5.3.4 Policy File The system administrator can define a local access policy and store all defined access rules in the policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ service module uses this local policy file to process the access rules and to control the login authorization. LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to configure the policy file to work with PAM_AUTHZ.
5.3.5 Policy Validator PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the access rules defined in pam_authz.policy. It validates and determines the user's login authorization based on the user's login name and the information it retrieves from various name services. The result is then returned to the PAM framework. PAM_AUTHZ processes access rules in the order they are defined in the pam_authz.policy.
5.3.7 Constructing an Access Rule in pam_authz.policy In the policy file, /etc/opt/ldapux/pam_authz.policy, an access rule consists of three fields as follows: ::
Table 5-1 Field Syntax in an Access Rule (continued)
deny, allow, other: No value is required.
status: The valid value for this field can be rhds or ads. Specifies the function name in the named service that is called to evaluate certain policy settings of the login user. Example: status:rhds:check_rhds_policy. See the “Account and Password Security Policy Enforcement” section for details.
Rules that have one of these specified as the field are defining a static list access rule. For this rule, the field is specified as a predefined list of identifiers. The identifiers are matched directly with data in the login request. This field specifies where PAM_AUTHZ will look to determine if the login field is present in the appropriate data store, such as /etc/passwd, /etc/group, etc. If the login field is found, the rule is evaluated to be true.
5.3.8 Static List Access Rule When the value in the field is one of unix_user, unix_group, netgroup, ldap_group, the rule is evaluated using a list of predefined values in the field. Based on the value in the field, pam_authz will call the appropriate service to determine if the item requested is present. If the requested information is found then the rule is evaluated to be true.
ldap_group This option specifies that an access rule is based on non-POSIX group membership. PAM_AUTHZ supports LDAP groups with the groupOfNames or groupOfUniqueNames objectclass. A list of ldap_group names is specified in the field. The group membership information is stored in the LDAP directory server.
RHOSTIP Returns the IP address of the remote host system from which the user starts the PAM enabled application, such as telnet. RHOSTNAME Returns the name of the remote host system from which the user starts the PAM enabled application, such as telnet. 5.3.9.2 Examples The following shows a sample access rule in the pam_authz.policy file: allow:ldap_filter:(WorkstationIP=$[HOSTIP]) The above policy rule performs a security policy validation for users stored in the LDAP directory server.
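An evaluator for the action:type:object rule format of pam_authz.policy covered in sections 5.3.7 through 5.3.9, as an added example that is not part of LDAP-UX. Rules are tried in file order and the first match decides, as section 5.3.5 states; the rule types and the $[HOSTIP], $[RHOSTIP] and $[RHOSTNAME] variables are those the text names. The comma-separated list form, the '#' comment syntax, the in-memory name-service data, the policy itself, the single (attr=value) filter support and the fail-closed default when no rule matches are constructed assumptions of this example, not documented PAM_AUTHZ behaviour.

```python
"""Added example, not part of LDAP-UX: a small evaluator for the
action:type:object rules of /etc/opt/ldapux/pam_authz.policy.  Rules are
tried in order and the first match decides (as the text states); the data
stores, the policy, the comma-separated lists, '#' comments, single
(attr=value) ldap_filter support and the default of 'deny' when nothing
matches are assumptions of this example."""
import re

KINDS = ("unix_user", "unix_group", "netgroup", "ldap_group", "ldap_filter")
VAR_RE = re.compile(r"\$\[(HOSTIP|RHOSTIP|RHOSTNAME)\]")   # variables named in the text
LEAF_RE = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")


class PolicyError(ValueError):
    pass


def parse_policy(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)            # object may itself contain colons
        if len(fields) != 3:
            raise PolicyError("line %d: expected action:type:object" % lineno)
        action, kind, obj = fields
        if action not in ("allow", "deny") or kind not in KINDS:
            raise PolicyError("line %d: unsupported rule %r" % (lineno, line))
        rules.append((action, kind, obj))
    return rules


def expand(obj, ctx):
    """Substitute $[HOSTIP], $[RHOSTIP], $[RHOSTNAME] from the login context."""
    return VAR_RE.sub(lambda m: ctx[m.group(1)], obj)


def rule_matches(kind, obj, login, ns):
    names = [n.strip() for n in obj.split(",")]
    if kind == "unix_user":                     # listed, and present in /etc/passwd
        return login in names and login in ns["passwd"]
    if kind == "unix_group":
        return any(login in ns["group"].get(g, ()) for g in names)
    if kind == "netgroup":
        return any(login in ns["netgroup"].get(g, ()) for g in names)
    if kind == "ldap_group":                    # groupOfNames/groupOfUniqueNames, by cn
        return any(login in ns["ldap_group"].get(g, ()) for g in names)
    m = LEAF_RE.match(obj)                      # ldap_filter, variables already expanded
    if not m:
        raise PolicyError("this example only evaluates (attr=value) filters: %r" % obj)
    attr, value = m.group(1).lower(), m.group(2)
    return value in ns["ldap"].get(login, {}).get(attr, ())


def authorize(rules, login, ctx, ns, default="deny"):
    for action, kind, obj in rules:
        if rule_matches(kind, expand(obj, ctx), login, ns):
            return action
    return default                              # fail closed: assumption of this example


# Constructed name-service data standing in for /etc/passwd, /etc/group,
# netgroups and the directory (attribute names lower-cased).
NS = {
    "passwd": {"alice", "bob", "carol", "mallory"},
    "group": {"admins": {"alice"}, "ops": {"bob", "carol"}},
    "netgroup": {"lab-hosts": {"carol"}},
    "ldap_group": {"contractors": {"mallory"}},
    "ldap": {
        "alice": {"workstationip": ["10.0.0.5"]},
        "bob": {"workstationip": ["10.0.0.7"]},
        "mallory": {"workstationip": ["10.0.0.5"]},
    },
}
POLICY = """
# constructed policy; the last rule is the page's own ldap_filter example
deny:ldap_group:contractors
allow:unix_group:admins
allow:netgroup:lab-hosts
allow:ldap_filter:(WorkstationIP=$[HOSTIP])
"""
CTX = {"HOSTIP": "10.0.0.5", "RHOSTIP": "192.0.2.10", "RHOSTNAME": "client.example.com"}


def decide(login, ctx=CTX):
    return authorize(parse_policy(POLICY), login, ctx, NS)
```

With this data mallory is denied even though her WorkstationIP matches the later allow rule: the first matching rule decides, so deny rules that must always win belong before the allow rules. A login that matches nothing (bob on a host other than his workstation) falls through to the default.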
5.3.10 Security Policy Enforcement with Secure Shell (SSH) or r-commands PAM_AUTHZ has a limited ability to perform account and password security policy enforcement without requiring LDAP-based authentication.
function_name This field defines the function name in the specified service that PAM_AUTHZ uses to evaluate certain security policy settings for the login user. The following describes the valid entries for this field:
• check_rhds_policy: If this option is specified, PAM_AUTHZ evaluates all the necessary account and password policy settings, stored in the Netscape/Red Hat Directory Server, for the login user.
5.3.10.3 Configuring PAM Configuration File If you want to use PAM_AUTHZ to support enforcement of account and password policies, stored in the Netscape/Red Hat Directory Server, you must define the pam_authz library and the rcommand option in the /etc/pam.conf file for the sshd and rcomds services under the account management section. In addition, the control flag for the pam_authz library must be set to required. See Appendix D, “Sample /etc/pam.
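A checker for the two /etc/pam.conf requirements stated in 5.2.2.3 and in this subsection, as an added example that is not part of LDAP-UX: pam_ldap listed before pam_unix, both required under session, and pam_authz required with the rcommand option under account for the sshd service. The HP-UX pam.conf line format (service, module type, control flag, module path, options) and the library file names from Table 6-2 are taken as given; the sample configurations, the list of rcommand-style services passed to the checker, the auth-stack flags in the sample and the helper names are constructed for this example.

```python
"""Added example, not from the LDAP-UX manual: checks a pam.conf text for the
requirements stated in 5.2.2.3 and 5.3.10.3.  The samples, the service list
and the helper names are constructed; module file names are those listed in
Table 6-2 for the PA 32-bit libraries."""


def parse_pam_conf(text):
    """Yield (service, type, flag, path, options) for each pam.conf entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError("line %d: expected service type flag path [options]" % lineno)
        service, mtype, flag, path = parts[:4]
        entries.append((service, mtype.lower(), flag.lower(), path, parts[4:]))
    return entries


def _module(path):
    return path.rsplit("/", 1)[-1]


def check_pam_conf(entries, rcommand_services=("sshd",)):
    problems = []
    stacks = {}                                   # (service, type) -> modules in order
    for service, mtype, flag, path, opts in entries:
        stacks.setdefault((service, mtype), []).append((flag, path, opts))
    for (service, mtype), stack in stacks.items():
        names = [_module(p) for _, p, _ in stack]
        ldap = next((i for i, n in enumerate(names) if "pam_ldap" in n), None)
        unix = next((i for i, n in enumerate(names) if "pam_unix" in n), None)
        if ldap is not None and unix is not None and ldap > unix:
            problems.append("%s %s: pam_ldap must be listed before pam_unix" % (service, mtype))
        if mtype == "session":                    # both must be 'required' here
            for flag, path, _ in stack:
                if ("pam_ldap" in path or "pam_unix" in path) and flag != "required":
                    problems.append("%s session: %s must be required, found %s"
                                    % (service, _module(path), flag))
    for service in rcommand_services:             # policy enforcement without PAM auth
        stack = stacks.get((service, "account"), [])
        if not any("pam_authz" in path and flag == "required" and "rcommand" in opts
                   for flag, path, opts in stack):
            problems.append("%s account: pam_authz with the rcommand option must be required"
                            % service)
    return problems


# Constructed samples: GOOD satisfies both rules; BAD violates each of them.
# The auth-stack flags are illustrative only.
GOOD_PAM_CONF = """
login   auth     required   /usr/lib/security/libpam_ldap.1
login   auth     required   /usr/lib/security/libpam_unix.1
login   session  required   /usr/lib/security/libpam_ldap.1
login   session  required   /usr/lib/security/libpam_unix.1
sshd    account  required   /usr/lib/security/libpam_authz.1   rcommand
sshd    account  required   /usr/lib/security/libpam_ldap.1
sshd    account  required   /usr/lib/security/libpam_unix.1
"""
BAD_PAM_CONF = """
login   session  optional   /usr/lib/security/libpam_unix.1
login   session  required   /usr/lib/security/libpam_ldap.1
sshd    account  required   /usr/lib/security/libpam_authz.1
"""

if __name__ == "__main__":
    print(check_pam_conf(parse_pam_conf(GOOD_PAM_CONF)))
    print(check_pam_conf(parse_pam_conf(BAD_PAM_CONF)))
```

The BAD sample is the failure mode that matters: without the rcommand option on the sshd account stack, a user whose directory password has expired or whose account is locked still logs in over SSH with public-key authentication, because nothing else in the login path consults the directory's policy attributes.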
5.3.10.6 Directory Server Security Policies Global Security Attributes In the Netscape/Red Hat Directory Server, there are a number of attributes used to define the security policies. In order to support account and password security policy enforcement, PAM_AUTHZ is enhanced to support the global administrative security attributes listed in the table below. These attributes are used to define the policy rules and are all defined under cn=config. Only authorized users can access them.
Table 5-3 Security Policy Status Attributes (continued) passwordExpirationTime This string attribute defines the date and time when a password is considered expired. The date and time are specified using the “Generalized Time” syntax referenced in RFC 2252 and specified by the ISO X.208 standard. It uses the format YYYYMMDDHHMMSSTZ, where YYYY = 4-digit year, MM = 2-digit month, DD = 2-digit day, HH = 2-digit hour, MM = 2-digit minute, SS = 2-digit second and TZ = time zone (Z for UTC).
5.4 Adding One or More Users You can add one or more users to your system as follows: 1. Add the user's posixAccount entry to your LDAP directory. You can use your directory's administration tools, the ldapadd command, or the ldapentry tool to add a new user entry to your directory. If you are adding a large number of users, you could create a passwd file with those users and use the migration tools to add them to your directory.
5.5 Adding a Directory Replica Your LDAP directory contains configuration profiles downloaded by each client system and name service data accessed by each client system. As your environment grows, you may need to add a directory replica to your environment. LDAP-UX can take advantage of replica directory servers and the alternates if one of them fails. Follow these steps to inform LDAP-UX about multiple directory servers: 1. Create and configure your LDAP directory replica.
5.6 User and Group Management LDAP-UX Integration B.04.15 supports the new set of non-interactive LDAP command-line tools that allow you to list, add, modify or delete user accounts and groups in an LDAP directory server. These new tools provide capabilities to perform those operations without needing to discover the LDAP server information.
the LDAP-UX administrator credential is used if the user running the tool has sufficient privilege to read the /etc/opt/ldapux/acred file. • ldapuglist You can use the ldapuglist tool to display and enumerate POSIX-like account and group entries that reside in an LDAP directory server.
— Discover the search filter, search base or search scope for a particular name service.
— Discover the attribute mapping information for a specified name service.
— Discover the list of available template files for a specific name service when you want to add a new user or group entry to an LDAP directory server.
— Discover LDAP-UX configuration information about required attributes when creating a new user or group entry.
/home/tscott gecos[cn]: Tom Scott gecos[l]: Building-12 gecos[telephoneNumber]: 555-555-6666 5.6.3 Listing Groups You can use ldapuglist to list and enumerate POSIX-like group entries in an LDAP directory server. Below are examples of how to use ldapuglist to display group entries. Run the following command to list all the posixGroup entries that Mike Phillips belongs to: cd /opt/ldapux/bin .
The ldapugadd tool uses a local configuration file, /etc/opt/ldapux/ldapug.conf, to manage the default values of the uidNumber_range, gidNumber_range, user_gidNumber, default_homeDirectory and default_loginShell parameters when creating user or group entries to an LDAP directory server. See “LDAP UG Tool Configuration File” (page 167) for details. 5.6.4.1 Examples of Adding a User You can use ldapugadd to add new POSIX accounts or groups to an LDAP directory server.
./ldapuglist -t passwd -n jsmart sn
Below is the new user entry:
dn: cn=John Smart,ou=people,dc=example,dc=com
cn: John Smart
uid: jsmart
uidNumber: 2350
gidNumber: 200
homeDirectory: /home/jsmart
loginShell: /usr/bin/ksh
sn: Smart
The following command adds an account entry for the user, tsheu, with the user's primary login group id, 350, and gecos field information. In this example, the gecos attribute has been mapped to cn, l and telephone in the LDAP-UX configuration profile.
options and must precede the = parameters (if provided). This option specifies arbitrary LDAP attributes and values. = parameters are optional and must be specified as the last parameters on the command line. = 5.6.4.2 Examples of Adding a Group Use the following command to add a new group entry for the group name, groupA. In this example, ldapugadd creates the new group, groupA, and defines initial group membership by adding the user account tsheu as a member. .
./ldapugadd -D -t passwd -d /net/home Command Arguments Applicable to -D The following describes arguments used in the above examples of the ldapugadd -D commands: -D Use this option to change the local host defaults in the /etc/opt/ldapux/ldapug.conf file, which ldapugadd uses when creating new user or group entries in an LDAP directory server. -u : Sets new default minimum and maximum ranges that ldapugadd uses when provisioning a UID number for new user entries.
Command Arguments The following describes arguments/options used in the above examples for the ldapugmod -t passwd commands: -PW Sets the user or group password attribute. If you specify -PW, you must specify either the LDAP-UGCRED environment variable or the -PP option. -A Specifies an attribute and value to be added to a user or group entry.
dn: cn=GroupC,ou=Group,dc=example,dc=com
cn: GroupC
gidNumber: 500
MemberUid: alouie
Description: A IT Group
Description: A Group Entry
Description: Group C Entry
The following command adds the three members, atam, mlou, mscott, to the group entry, groupA:
./ldapugmod -t group -a atam,mlou,mscott GroupA
The following command removes one member, atam, from the group entry, groupA: .
to specify a password for the LDAP user specified by LDAP_BINDDN. Alternately, you can enter the LDAP administrator bind identity and credential interactively with the prompt (-P) option. Run the following commands to specify the LDAP_BINDDN and LDAP_BINDCRED environment variables (with no spaces around the equal sign, or the shell treats the name and the value as separate words):
export LDAP_BINDDN="cn=Jane Admin,ou=admins,dc=example,dc=com"
export LDAP_BINDCRED="Jane's password"
An exported credential is inherited by every process started from that shell and the command itself is kept in the shell history; the -P prompt avoids both. Run the following commands to delete the entire user account entry, skeith: cd /opt/ldapux/bin .
The following command checks to see if LDAP-UX is properly configured for the automount service: ./ldapcfinfo -t automount Assume that the automount service is not configured for LDAP-UX support, below is the output of the above command: WARNING: CFI_CONFIG_FAILURE: "automount" service not configured for LDAP-UX support 5.6.8.2 Listing Available Templates Use the ldapcfinfo -t -L command to display a list of available templates. The valid value can be passwd or group.
Below is the output of the above command for the passwd name service: uidNumber_range=100:20000 default_gidNumber=20 default_homeDirectory=/home default_loginShell=/usr/bin/sh Run the following command to display the LDAP default configuration values in the /etc/ opt/ldapux/ldapug.conf file for the group name service: ./ldapcfinfo -t group -D Below is the output of the above command: gidNumber_range=100:2000 5.6.8.
The following command displays the attribute mapping for the gecos attribute which has been mapped to cn, l and telephone attributes: ./ldapcfinfo -t passwd -m gecos The output of the above command is as follows: gecos=cn l telephoneNumber The following command displays the attribute mapping for the gecos and uidNumber attributes. In this example, gecos has been mapped to cn, l and telephone attributes, and uidNumber has been mapped to the employeeNumber attribute: .
5.7 Displaying the Proxy User's DN You can display the proxy user's distinguished name by running /opt/ldapux/config/ldap_proxy_config -p. The following command displays the current proxy user: ldap_proxy_config -p PROXY DN: uid=proxy,ou=people,o=hp.com 5.8 Verifying the Proxy User The proxy user information is stored encrypted in the file /etc/opt/ldapux/pcred.
5.11 Creating a New Profile To create a new profile, run /opt/ldapux/config/setup. When setup asks you for the distinguished name (DN) of the profile, give a DN that does not exist and setup will prompt you for the parameters to build a new profile. The setup program also configures the local client to use the new profile. Alternatively, you could use your directory administration tools to make a copy of an existing profile and modify it.
display_profile_cache Tool (page 141), The ldap_proxy_config Tool (page 142), and The get_profile_entry Tool (page 141) for more information. 5.15 Changing from Proxy Access to Anonymous Access If you are using proxy access and you want to change to using anonymous access, do the following:
1. Change the credentialLevel attribute in your profile to "anonymous" using your directory administration tools, for example the Netscape/Red Hat Directory Console.
2. Download the profile to the client.
3.
5.16 Performance Considerations This section lists some performance considerations for LDAP-UX Client Services. See the white paper LDAP-UX Integration Performance and Tuning Guidelines at: http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration for additional performance information. 5.16.1 Minimizing Enumeration Requests Enumeration requests are directory queries that request all of a database, for example all users or all groups.
that does not exist, every time a user displays information about this file, using the ls command, a request to the directory server will be generated. The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount map information. ldapclientd also maintains a cache which maps user's accounts to LDAP DNs. This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for defining membership of an HP-UX group.
NOTE: The ldapclientd -f command will flush all caches. Refer to the man page ldapclientd (1M) for more information. It is possible to alter the caching lifetime values for each service listed above, in the /etc/opt/ldapux/ldapclientd.conf file. See below for additional information. It is also possible to enable or disable a cache using the -E or -D (respectively) options. These options may be useful in determining the effectiveness of caching or helpful in debugging. 5.17.
5.18 Troubleshooting This section describes troubleshooting techniques as well as problems you may encounter. 5.18.1 Enabling and Disabling LDAP-UX Logging When something is behaving incorrectly, enabling logging is one way to examine the events that occur to determine where the problem is. Enable LDAP-UX Client Services logging on a particular client as follows:
1. Edit the local startup file /etc/opt/ldapux/ldapux_client.
kill -HUP `cat /var/run/syslog.pid`
7. Remove the "debug" options from /etc/pam.conf.
8. Examine the log file at /var/adm/syslog/debug.log to see what actions were performed and if any are unexpected. Look for lines containing "PAM_LDAP."
TIP: Enable PAM logging only long enough to collect the data you need, because logging can significantly reduce performance and generate large log files. You may want to move the existing log file and start with an empty file: mv /var/adm/syslog/debug.
• Make sure the client system can authenticate to the directory and find a user in the directory by searching for one of your user's information in the directory. Use the ldapsearch command and information from the current profile. If you are using a proxy user (determined by the credentialLevel attribute in the configuration profile), try searching for one of your user's information in the directory as the proxy user with a command like the following: cd /opt/ldapux/bin .
— memberuid
— homedirectory
— gecos
5.
6 Command and Tool Reference This chapter describes the commands and tools associated with the LDAP-UX Client Services. It includes the following sections:
• “The LDAP-UX Client Services Components” (page 137)
• “Client Management Tools” (page 140)
• “LDAP User and Group Management Tools” (page 145)
• “LDAP Directory Tools” (page 196)
• “Schema Extension Utility” (page 202)
• “Name Service Migration Scripts” (page 230)
• “Unsupported Contributed Tools and Scripts” (page 233)
6.
Table 6-1 LDAP-UX Client Services Components (continued)
Component: /etc/opt/ldapux/ug_templates/ug_passwd_std.tmpl, /etc/opt/ldapux/ug_templates/ug_group_std.tmpl
Description: The default template files used by ldapugadd to discover the required data models for a new user or group entry for a standard LDAP directory server.
Component: /etc/opt/ldapux/ug_templates/ug_passwd_ads.tmpl, /etc/opt/ldapux/ug_templates/ug_group_ads.
Table 6-2 LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i v1 PA machine
Files (Description: LDAP-UX Client Services libraries):
/usr/lib/libldap_send.1 (32-bit)
/usr/lib/libldap_util.1 (32-bit)
/usr/lib/libnss_ldap.1 (32-bit)
/usr/lib/libldapci.1 (32-bit)
/usr/lib/libldap.1 (32-bit)
/usr/lib/security/libpam_ldap.1 (32-bit)
/usr/lib/security/libpam_authz.1 (32-bit)
/usr/lib/pa20_64/libldap.1 (64-bit)
/usr/lib/pa20_64/libldap_send.1 (64-bit)
/usr/lib/pa20_64/libnss_ldap.
6.2 Client Management Tools This section describes the following programs for managing client systems.
display_profile_cache: Displays the currently active profile.
create_profile_entry: Creates a new profile in the directory.
get_profile_entry: Downloads a profile from the directory to LDIF, and creates the profile cache.
ldap_proxy_config: Configures a proxy user.
6.2.3 The create_profile_schema Tool This tool, found in /opt/ldapux/config, extends the schema of a Netscape Directory Server 6.x with the DUAConfigProfile object class using the information you provide interactively. Typically you run the setup program instead of running this program directly. 6.2.3.1 Syntax create_profile_schema 6.2.4 The display_profile_cache Tool This tool, found in /opt/ldapux/config, displays information from a binary profile (cache) file.
6.2.6 The ldap_proxy_config Tool This tool, found in /opt/ldapux/config, configures a proxy user or an Admin Proxy user for the client accessing the directory. It stores the encrypted proxy user information in the file /etc/opt/ldapux/pcred. The encrypted Admin Proxy user information is stored in the file /etc/opt/ldapux/acred. If you are using only anonymous access, you do not need to use this tool. You must run this tool logged in as root. 6.2.6.
-h displays help on this command. With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred. For the proxy user, if you switch the authentication method between simple and DIGEST-MD5, you need to use the ldap_proxy_config -e command to delete /etc/opt/ldapux/pcred, then use the ldap_proxy_config -i command to reconfig the proxy user.
The following example configures the proxy user as uid=proxyuser,ou=special users,o=hp.com with the password prox12pw and creates or updates the file /etc/opt/ldapux/pcred with this information: ldap_proxy_config -d "uid=proxyuser,ou=special users,o=hp.
6.3 LDAP User and Group Management Tools The LDAP-UX Integration product supports the following new LDAP command-line tools which enable you to manage user accounts and groups in an LDAP directory server. These new tools exist in the /opt/ldapux/bin directory and perform their operations based on the LDAP-UX profile's configuration. Each tool provides command options that enable you to alter these configuration parameters.
environment variable, to indicate this variable has been set and is used for the current command. If attribute mapping for the userPassword attribute has not been defined or set to “*NULL*” in the LDAP-UX configuration profile, ldapugadd or ldapugmod creates new passwords using the userPassword attribute. See the -PW option of “The ldapugadd Tool” (page 158) or “The ldapugmod Tool” (page 175) for additional information.
Table 6-5 Common Return Codes (continued)
BIND_PASSWORD_EXPIRED: The bind password has expired.
BIND_INVALID_CRED: The specified bind credential is invalid.
BIND_ERR: LDAP-UX failed to bind to the LDAP directory server.
GET_PROXY_DECRYPT_FAILED: Failed to decrypt proxy and credential information.
MOD_LIMIT_REACHED: There are too many modifications to perform.
SSL_INIT_FAILED: SSL initialization failed.
LOAD_LIB_FAILED: Failed to load the specified library.
Table 6-5 Common Return Codes (continued)
LOGIN_SHELL_DOESNOT_EXIST: The specified login shell does not exist.
HOMEDIR_DOESNOT_EXIST: The specified home directory does not exist.
LOGIN_SHELL_NOT_EXECUTE: The specified login shell is not executable.
ADD_GR_MEMBER_FAILED: memberUid is mapped only to dynamic group attributes, so the add operation fails.
ENTRY_NOT_FOUND: The LDAP search returns no entries.
EXPLODE_DN_FAILED: Cannot convert the specified distinguished name (DN) to its component parts.
6.3.4 The ldapuglist Tool You can use the ldapuglist tool to display and enumerate POSIX-like account and group entries stored in an LDAP directory server, without requiring extensive knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server.
uidNumber: 520 When the -m option is specified, the output representing the uidNumber field is as follows: uidNumber[employeeNumber]: 520 The ldapuglist tool ignores the -m option if the -L option is specified. -L Displays output following /etc/passwd or /etc/group format.
mappings. If you do not specify the -t option, ldapuglist assumes the passwd type. For example, - t group. -h Specifies the host name and optional port number (hostname:port) of the LDAP directory server. This option overrides the server list configured in the LDAP-UX configuration profile. This field supports specification of IPv4 and IPv6 addresses. Note that when you specify a port for an IPv6 address, you must specify the IPv6 address in square-bracketed form.
As another example using memberUid, suppose memberUid has been mapped to both member and memberUid. If the argument to -f is “(memberUid=jsmith)”, then the resulting search filter presented to the LDAP directory server is:
(&(objectclass=posixGroup)(|(member=cn=Jane Smith,ou=people,ou=myorg,dc=com)(memberUid=jsmith)))
NOTE:
• When you use -f and any of the attributes specified in the search filter have been mapped to “*NULL*”, ldapuglist will return an error.
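The filter rewrite the memberUid example above describes, as an added example that is not code from LDAP-UX: each (attr=value) item whose attribute has a mapping is expanded into an OR of the mapped attributes, DN-valued targets (member, uniqueMember) receive the user's DN looked up from the login name (the job of the uiddn cache), an attribute mapped to *NULL* is an error as the NOTE states, and the posixGroup object-class term is ANDed around the result. The mapping table, the DN lookup table, the handling of wildcard and unknown names and the helper names are constructed for this example.

```python
"""Added example, not code from LDAP-UX: rewrite a -f filter under an
attribute mapping, as the memberUid example describes.  Only leaf items of
the form (attr op value) are touched, so (&...) and (|...) nesting is kept.
Mapping, DN lookup and helper names are constructed for this example."""
import re

LEAF_RE = re.compile(r"\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)\)")
DN_VALUED = {"member", "uniquemember"}


def escape_value(value):
    """RFC 4515 escaping for a value placed into a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def rewrite_filter(filt, mapping, dn_lookup, objectclass="posixGroup"):
    def expand(m):
        attr, op, value = m.group(1), m.group(2), m.group(3)
        targets = mapping.get(attr.lower())
        if targets is None:
            return m.group(0)                   # unmapped attribute: unchanged
        if targets == ["*NULL*"]:
            raise ValueError("attribute %s is mapped to *NULL*; filter cannot be evaluated" % attr)
        items = []
        for target in targets:
            if target.lower() in DN_VALUED:
                # a DN-valued attribute needs the entry's DN; a wildcard or an
                # unknown login name has none, so that alternative is dropped
                if "*" in value:
                    continue
                dn = dn_lookup(value)
                if dn is None:
                    continue
                items.append("(%s%s%s)" % (target, op, escape_value(dn)))
            else:
                items.append("(%s%s%s)" % (target, op, value))
        if not items:
            raise ValueError("no usable alternative for (%s%s%s)" % (attr, op, value))
        return items[0] if len(items) == 1 else "(|%s)" % "".join(items)
    return "(&(objectclass=%s)%s)" % (objectclass, LEAF_RE.sub(expand, filt))


# Constructed mapping (memberUid -> member and memberUid, as in the text) and
# a stand-in for the uiddn cache.
MAPPING = {"memberuid": ["member", "memberUid"]}
USER_DNS = {"jsmith": "cn=Jane Smith,ou=people,ou=myorg,dc=com"}


def group_filter(filt):
    return rewrite_filter(filt, MAPPING, USER_DNS.get)


if __name__ == "__main__":
    print(group_filter("(memberUid=jsmith)"))
```

The DN is escaped with RFC 4515 rules before it is spliced into the filter: a login name is user-influenced data, and a DN containing a parenthesis or asterisk would otherwise change the structure of the query sent to the server.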
to determine if a search has returned complete results, because the directory server might have truncated the number of returned entries before reaching the requested maximum count. Some LDAP directory servers do indicate when a search exceeds an enumeration limit, but if the requested limit is above the directory server's internally configured limit, it is not always possible to determine whether all results have been returned.
When you specify the -t group option, ldapuglist displays the following fields for a group entry:
• cn
• userPassword
• gidNumber
• memberUid
When you specify the -m option, the output format for both users and groups is changed to the following:
dn: dn1
field1[attribute1]: value1
field2[attribute2]: value2
...
field3[attribute3]:: base64-encoded-value3
6.3.4.
If the password is not available to ldapuglist, ldapuglist does not display the userPassword field. If you specify the -L option, the password field will contain the “x” character. 6.3.4.6 Specific Return Codes for ldapuglist The ldapuglist tool returns a list of return codes shown in Table 6-6. Table 6-6 Return Codes for ldapuglist Return Code Message LST_SEARCH_FAILED Search operation failed. LST_COMMANDLINE_ERR The parameter may not be used when the -L option is specified.
The following commands specify the LDAP_BINDDN and LDAP_BINDCRED environment variables (no spaces around the equal sign, and the credential goes in LDAP_BINDCRED, not a second LDAP_BINDDN):
export LDAP_BINDDN="cn=Jane Admin,ou=admins,dc=example,dc=com"
export LDAP_BINDCRED="Jane_password"
Run the following command to go to the /opt/ldapux/bin directory where ldapuglist resides: cd /opt/ldapux/bin Run the following command to display the account entry for the user name, ascott: .
Run the following command to list a group entry that does not require posixGroup attributes. This command uses ((cn=groupA)(objectclass=groupOfUniqueNames)) as the search filter: ./ldapuglist -t group -F “(&(cn=groupA)(objectclass=groupOfUniqueNames))” The output is as follows: dn: cn=groupA,ou=groups,dc=example,dc=com cn: groupA Run the following commands to unset the LDAP_BINDDN and LDAP_BINDCRED environment variables. unset LDAP_BINDDN unset LDAP_BINDCRED 6.
6.3.5 The ldapugadd Tool
You can use the ldapugadd tool to add new POSIX accounts and groups to an LDAP directory server (the first and second syntaxes in "Synopsis" (page 159) below). You can also use ldapugadd to modify the /etc/opt/ldapux/ldapug.conf file to set the defaults used when creating new users or groups (the third syntax in "Synopsis" (page 159) below).
For example, if the LDAP-UX configuration profile maps the gecos attribute to the cn, l and telephoneNumber attributes, then when you give ldapugadd a comma-separated GECOS value, the list is parsed and each comma-separated component is placed in the corresponding mapped attribute: the first in cn, the second in l and the third in telephoneNumber.
that you define either a valid directory server or CA certificate in the /etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be established.
-F Forces creation of new user or group entries even if the following error conditions occur:
• The user name or group name already exists in the directory server.
• The user ID or group ID number already exists in the directory server.
• The shell specified with the -s option does not exist on the local system or is not executable.
Forcing past a duplicate UID or GID number gives two directory entries the same file-ownership identity on every client, so use -F only when that is the intended result.
UG tool configuration file, /etc/opt/ldapux/ldapug.conf.
-u : Sets the default minimum and maximum of the range that ldapugadd uses when provisioning a UID number for newly created user entries. The UID range is inclusive of the specified end values.
-g Specifies the default group ID number used when creating new user entries. To prevent ldapugadd from displaying warning messages, specify a group ID that represents a POSIX-style group stored in the LDAP directory.
-g Optional. Specifies the user's primary login group name or ID number. After creating the user entry, ldapugadd attempts to add the user as a member of the specified group using the ldapugmod -t group command. To support numeric group names, ldapugadd always attempts to resolve the specified argument as a group name (even if it is a numeric string).
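The pre-creation checks that the -F option overrides, and allocation of a uidNumber inside the inclusive range that the -u defaults describe, as an added example (not LDAP-UX code). The directory snapshot, the ldapug.conf values and the shell lookup below are constructed stand-ins.

```python
"""Pre-creation checks of the kind ldapugadd makes (and that -F overrides),
plus allocation of a uidNumber inside the inclusive range from ldapug.conf.

Added example, not LDAP-UX code. The directory snapshot, the ldapug.conf
values and the shell lookup are constructed stand-ins.
"""
import os
import stat

# Constructed snapshot of existing posixAccount entries: login name -> uidNumber.
EXISTING_USERS = {"ascott": 2000, "mscott": 2001, "slou": 2500}

# Constructed stand-in for the defaults held in /etc/opt/ldapux/ldapug.conf.
UG_CONF = {"uid_min": 2000, "uid_max": 2005, "default_gid": 200}


def local_shell_is_executable(path):
    """True if path is a regular file on this host with an execute bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def next_free_uid(existing, uid_min, uid_max):
    """Lowest uidNumber in [uid_min, uid_max], both ends included, not used by any entry."""
    used = set(existing.values())
    for candidate in range(uid_min, uid_max + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("uidNumber range %d-%d is exhausted" % (uid_min, uid_max))


def check_new_user(name, uid_number, shell, existing, is_executable=local_shell_is_executable):
    """Return the error conditions that block creating the user; an empty list means go ahead.
    These are the three conditions -F overrides. Forcing past a duplicate uidNumber gives two
    entries the same file-ownership identity, so a caller honouring -F should still log them."""
    problems = []
    if name in existing:
        problems.append("user name %s already exists" % name)
    if uid_number in existing.values():
        problems.append("uidNumber %d already exists" % uid_number)
    if not is_executable(shell):
        problems.append("shell %s does not exist or is not executable" % shell)
    return problems


def plan_user(name, shell, existing=EXISTING_USERS, conf=UG_CONF, force=False,
              is_executable=local_shell_is_executable):
    """Pick a uidNumber and decide whether creation proceeds: (proceed, uid_number, problems)."""
    uid_number = next_free_uid(existing, conf["uid_min"], conf["uid_max"])
    problems = check_new_user(name, uid_number, shell, existing, is_executable)
    return (not problems) or force, uid_number, problems


if __name__ == "__main__":
    ok, uid_number, problems = plan_user("newuser", "/usr/bin/ksh")
    print("proceed=%s uidNumber=%d problems=%s" % (ok, uid_number, problems))
```

The is_executable parameter exists so the shell check can be run against the target host's shell list when the tool is not run on that host; the default performs the stat(2) check the text describes.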
-I Optional. Specifies GECOS fields for the user. Typically the GECOS argument contains the following four fields which represent (in order): • The user’s full name • The user’s work location • The user’s work telephone number • The user’s home telephone number (often omitted) You must separate each field in the argument by a comma.
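How a GECOS argument is split and placed into mapped attributes, and how the passwd(4) field is rebuilt from the entry, as an added example (not LDAP-UX code). The mapping gecos to cn, l and telephoneNumber is the one this manual uses for illustration; the entries are constructed, and the rule that an empty component leaves its attribute untouched is an assumption of this example.

```python
"""GECOS handling under LDAP-UX attribute mapping: splitting the comma-separated
argument of -I into the mapped attributes, and rebuilding the passwd(4) field.

Added example, not LDAP-UX code. The mapping gecos -> cn, l, telephoneNumber is
the one the manual uses for illustration; the entries are constructed.
"""
GECOS_FIELDS = ("full name", "work location", "work telephone", "home telephone")


def split_gecos(gecos):
    """Split a GECOS argument into its positional fields, keeping empty positions.
    Fewer than four fields is normal (the home telephone is usually omitted);
    more than four is an error because nothing could be mapped to them."""
    fields = [f.strip() for f in gecos.split(",")] if gecos else []
    if len(fields) > len(GECOS_FIELDS):
        raise ValueError("GECOS has %d fields, at most %d are defined" % (len(fields), len(GECOS_FIELDS)))
    return fields


def gecos_modifications(gecos, mapped_attrs=None):
    """Turn an -I argument into LDAP changes: with no mapping the whole string goes to the
    single gecos attribute (RFC 2307); with a mapping each component goes to its attribute.
    An empty argument (ldapugmod -I "") deletes the gecos or every mapped attribute.
    Assumption of this example: an empty component leaves that attribute untouched."""
    targets = list(mapped_attrs) if mapped_attrs else ["gecos"]
    if gecos == "":
        return [("delete", attr, None) for attr in targets]
    if not mapped_attrs:
        return [("replace", "gecos", gecos)]
    mods = []
    for attr, value in zip(targets, split_gecos(gecos)):
        if value:
            mods.append(("replace", attr, value))
    return mods


def gecos_from_entry(entry, mapped_attrs=None):
    """Reverse direction: the GECOS string the name service hands back to getpwnam(3),
    with trailing empty fields trimmed so 'Mike Scott,Building-3A,555-555-5555' round-trips."""
    if not mapped_attrs:
        return entry.get("gecos", [""])[0]
    parts = [entry.get(attr, [""])[0] for attr in mapped_attrs]
    while parts and parts[-1] == "":
        parts.pop()
    return ",".join(parts)


if __name__ == "__main__":
    mapping = ["cn", "l", "telephoneNumber"]
    print(gecos_modifications("Mike Scott,Building-3A,555-555-5555", mapping))
    print(gecos_from_entry({"cn": ["Mike Scott"], "l": ["Building-3A"]}, mapping))
```

When gecos is mapped to cn, note that deleting cn (ldapugmod -I "" under this mapping) removes an attribute that the person object class requires, so the directory server will reject that modification unless another cn value remains.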
If you do not specify this option, the description attribute is not added to the user entry. Because the field often contains white space, you must protect it from shell parsing by enclosing it in quote characters. For example: -c "example description"
-T Optional. Specifies the LDIF template file to be used to create new user entries. The parameter may be a full or relative path name or a short name.
is used as a structural class for posixAccounts, then the sn (surname) attribute must be specified in order to properly create a new entry. This attribute must be defined in the template file, and the attribute/value pair must be given at the end of the ldapugadd command line. The attribute=value parameter is used to supply attributes required by the template file.
of the -F option is not recommended, and will not succeed if the directory server does not support the memberUid attribute. The ldapugadd tool follows the same membership syntax as defined by the LDAP-UX configuration profile attribute mapping. Specifically, if LDAP-UX has mapped the RFC 2307 group membership attribute, memberUid, to a DN-based membership attribute such as member or uniqueMember, then ldapugadd defines membership using the DN of the specified user.
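How the memberUid mapping changes both the filter that ldapuglist -f sends (the "(memberUid=jsmith)" example earlier in this chapter) and the membership value that ldapugadd writes, as an added example that is not LDAP-UX code. The mapping table and the user directory below are constructed stand-ins for the LDAP-UX configuration profile and the people container.

```python
"""How LDAP-UX attribute mapping changes both the search filter ldapuglist -f
sends and the membership value ldapugadd writes when memberUid is mapped to a
DN-valued attribute.

Added example, not LDAP-UX code. The mapping table and the user directory
below are constructed stand-ins for the LDAP-UX configuration profile and
the people container.
"""
import re

# Constructed mapping: RFC 2307 attribute -> directory attribute(s), or "*NULL*".
ATTRIBUTE_MAP = {
    "memberUid": ["member", "memberUid"],
    "cn": ["cn"],
    "gidNumber": ["gidNumber"],
    "description": ["*NULL*"],
}

# Constructed people container: login name -> DN.
USER_DN = {"jsmith": "cn=Jane Smith,ou=people,ou=myorg,dc=com"}

DN_VALUED = {"member", "uniquemember"}
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


class MappingError(ValueError):
    """Raised when an attribute in the request is mapped to *NULL*."""


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so a DN or name the tool inserts
    cannot contribute filter syntax of its own."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_values(login):
    """The (attribute, value) pairs that record `login` as a group member under the mapping:
    a DN-valued target (member, uniqueMember) gets the user's DN, memberUid keeps the login name."""
    pairs = []
    for target in ATTRIBUTE_MAP["memberUid"]:
        if target == "*NULL*":
            raise MappingError("memberUid is mapped to *NULL*")
        if target.lower() in DN_VALUED:
            if login not in USER_DN:
                raise LookupError("no user entry for %s" % login)
            pairs.append((target, USER_DN[login]))
        else:
            pairs.append((target, login))
    return pairs


def rewrite_filter(user_filter):
    """Rewrite a single (attr=value) filter through the mapping, as ldapuglist -f does,
    and prepend the posixGroup object-class term."""
    m = _SIMPLE_FILTER.match(user_filter)
    if not m:
        raise ValueError("only a single (attr=value) filter is handled here")
    attr, value = m.group(1), m.group(2)
    targets = ATTRIBUTE_MAP.get(attr, [attr])
    if "*NULL*" in targets:
        raise MappingError("%s is mapped to *NULL*; the search cannot be performed" % attr)
    if attr == "memberUid":
        terms = ["(%s=%s)" % (a, escape_filter_value(v)) for a, v in membership_values(value)]
    else:
        terms = ["(%s=%s)" % (a, value) for a in targets]
    inner = terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)
    return "(&(objectclass=posixGroup)%s)" % inner


if __name__ == "__main__":
    print(rewrite_filter("(memberUid=jsmith)"))
    print(membership_values("jsmith"))
```

Only the values the tool inserts itself (the resolved DN) are escaped; the user's own filter text is passed through, because a caller of -f may intend a wildcard.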
6.3.5.5 LDAP UG Tool Configuration File
LDAP-UX supports a local configuration file, /etc/opt/ldapux/ldapug.conf. The ldapugadd tool uses the ldapug.conf file to manage the following default values when creating new user and group entries in an LDAP directory server:
• A default group ID for new users.
• The valid UID number range for new users.
• The valid GID number range for new groups.
• The base path for a new user's home directory.
When specifying a short name, the file must exist under the /etc/opt/ldapux/ug_templates directory and must follow the format specified above. A short name is defined as the distinguishing portion of the template file name. For example, if you define the short name "operator" for the passwd service, the template file can be /etc/opt/ldapux/ug_templates/ug_passwd_operator.tmpl. All LDAP-UX default template files are stored in the /etc/opt/ldapux/ug_templates directory.
posixProfile Represents all RFC2307-type attributes and values for the particular name service (either passwd or group). If LDAP-UX configuration has defined attribute mapping for particular attributes, the mapped attributes are substituted in its place.
a ${} construct. Typically, you use the cn or uid attribute in the RDN for new user entries and the cn attribute for new group entries. Define each template file for only one entry in the LDAP directory server. Each template file can be built using custom attributes and values; customized attribute values are defined using the ${} construct.
the impact to the organization's security policy when adding new identity information to that identity repository.
6.3.5.8 Specific Return Codes for ldapugadd
The ldapugadd tool returns the return codes shown in Table 6-7.
Table 6-7 Return Codes for ldapugadd
ADD_USER_TO_GRP_FAILED: Failed to add a user to the group.
ADD_SKELDIR_DOESNOT_EXIST: Specified skeleton directory does not exist.
Table 6-7 Return Codes for ldapugadd (continued)
ADD_FAIL_TO_UPDATE: Failed to update the default value in /etc/opt/ldapux/ldapug.conf.
ADD_FAILED: The LDAP add operation failed.
6.3.5.9 Limitations
The following are limitations of ldapugadd:
• Because LDAP directory servers require data to be stored in the UTF-8 (RFC 3629) character encoding, all characters passed to ldapugadd are assumed to be UTF-8 and part of the ISO 10646 character set.
mapped to cn, l and telephoneNumber in the LDAP-UX configuration profile. ldapugadd sets the password for the new user, mscott, from the password specified in the LDAP_UGCRED environment variable. After creating the user entry, ldapugadd attempts to add this user as a member of group number 200.
./ldapugadd -t passwd -PW -g 200 \
-I "Mike Scott,Building-3A,555-555-5555" mscott surname="Scott"
Use the following command to display the new user entry, mscott, with mapped attribute information:
.
./ldapugadd -D -t passwd -g 500
The following command sets the new default login shell in the local configuration file, /etc/opt/ldapux/ldapug.conf. The ldapugadd tool uses this login shell when creating a new user entry in an LDAP directory server.
.
6.3.6 The ldapugmod Tool The ldapugmod tool enables HP-UX administrators to modify existing POSIX accounts or groups in an LDAP directory server. When using extended options, you can use ldapugmod to modify arbitrary attributes for user or group entries or you can extend existing user or group entries with the POSIX data model. To use ldapugmod, you must provide LDAP administrator credentials that have sufficient privilege to perform the user or group modification operations in the LDAP directory server.
-ZZZ Requires a TLS connection to the LDAP directory server, even if the LDAP-UX configuration profile does not specify the use of TLS. Using the -ZZZ option requires that you define a valid directory server or CA certificate in the /etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be established.
-N Allows you to rename the Relative Distinguished Name (RDN) of an entry in the LDAP directory server.
must specify the IPv6 address in square-bracketed form. If you do not specify the optional port, the port number defaults to 389, or to 636 for SSL connections (-Z).
-p Specifies the port number of the LDAP directory server to contact. The ldapugmod tool ignores this option if you specify the port number as part of the -h option.
Is the same as:
ldapugmod -t passwd olduid "uid=newuid"
6.3.6.3.1 Options Applicable to -t passwd
The following is a list of valid options for -t passwd:
Required. Specifies the POSIX-style login name of the user entry to modify. You must specify the user name parameter unless you specify the -D option. This user name must conform to HP-UX login name requirements. Refer to the passwd(4) man page for login name requirements.
-f Replaces the user's full name.
home directory does not exist or the user running ldapugmod does not have sufficient permissions to move the directory, ldapugmod returns an error.
-I Replaces the gecos fields for the user. If the argument is an empty string, ldapugmod removes the gecos attribute or the mapped attribute(s).
6.3.6.3.2 Options Applicable to -t group The following is a list of valid options for -t group: Required. Specifies the POSIX style textual group name for the group entry to modify. You must specify the group name if you do not specify the -D option. This group name must conform to HP-UX group name requirements. Refer to man page group(4) for group name requirements. -g Replaces the group’s numeric ID number.
6.3.6.4 Warnings
Under common usage, ldapugmod uses the LDAP replace operation when changing the values of an attribute in an entry. This affects attributes that have multiple values: every existing value of the attribute is removed and replaced by the single value specified on the ldapugmod command line. For example, if the -n argument is used to specify a new name for a posixGroup, all occurrences of the cn attribute are replaced by the value specified for the -n argument.
dn: uid=slou,ou=people,dc=example,dc=com
cn: Smith Lou
cn: Smitta Lou
uid: slou
uidNumber: 2500
gidNumber: 120
homeDirectory: /home/slou
loginShell: /usr/bin/ksh
gecos: Smith Lou,San Jose,+1 555-510-5000
Perform the following ldapugmod command for the user entry, slou:
./ldapugmod -t passwd -R "cn=Smitta Lou" slou "cn=Smitty Lou"
The above command removes the value Smitta Lou and replaces it with the value Smitty Lou, leaving the other cn value, Smith Lou, in place.
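The difference between the default replace and the -R form on a multi-valued attribute, together with the duplicate and conflict checks on the request list, as an added example (not LDAP-UX code). The entry is the slou example above, reproduced as constructed data.

```python
"""The difference between ldapugmod's default LDAP replace and the -R form on a
multi-valued attribute, plus the duplicate/conflict checks on the request list.

Added example, not LDAP-UX code. The entry is the manual's slou example,
reproduced here as constructed data.
"""
import copy

ENTRY = {
    "dn": "uid=slou,ou=people,dc=example,dc=com",
    "cn": ["Smith Lou", "Smitta Lou"],
    "uid": ["slou"],
    "uidNumber": ["2500"],
    "gidNumber": ["120"],
    "homeDirectory": ["/home/slou"],
    "loginShell": ["/usr/bin/ksh"],
    "gecos": ["Smith Lou,San Jose,+1 555-510-5000"],
}


def plain_replace(attr, new_value):
    """What -n, -f, -u and similar options do: one LDAP replace of the whole attribute."""
    return [("replace", attr, new_value)]


def replace_value(attr, old_value, new_value):
    """What -R "attr=old" ... "attr=new" does: delete one value, add another, keep the rest."""
    return [("delete", attr, old_value), ("add", attr, new_value)]


def check_requests(mods):
    """Return MOD_DUP_REQUEST if the same change appears twice, MOD_CONFLICT_REQUEST if
    the list both adds and deletes one value or mixes replace with add/delete on the
    same attribute, otherwise None."""
    seen = set()
    for op, attr, value in mods:
        key = (op, attr.lower(), value)
        if key in seen:
            return "MOD_DUP_REQUEST"
        seen.add(key)
    for op, attr, value in mods:
        a = attr.lower()
        if op == "add" and ("delete", a, value) in seen:
            return "MOD_CONFLICT_REQUEST"
        if op == "replace" and any(o != "replace" and at == a for o, at, _ in seen):
            return "MOD_CONFLICT_REQUEST"
    return None


def apply_modifications(entry, mods):
    """Apply (op, attr, value) changes with LDAP semantics on a copy of the entry:
    replace discards every existing value, delete removes one value, add appends one."""
    status = check_requests(mods)
    if status:
        raise ValueError(status)
    out = copy.deepcopy(entry)
    for op, attr, value in mods:
        values = out.setdefault(attr, [])
        if op == "replace":
            out[attr] = [value]
        elif op == "add":
            if value in values:
                raise ValueError("value already present: %s=%s" % (attr, value))
            values.append(value)
        elif op == "delete":
            if value not in values:
                raise ValueError("no such value: %s=%s" % (attr, value))
            values.remove(value)
            if not values:
                del out[attr]
        else:
            raise ValueError("unknown operation %r" % op)
    return out


if __name__ == "__main__":
    print(apply_modifications(ENTRY, plain_replace("cn", "Smitty Lou"))["cn"])
    print(apply_modifications(ENTRY, replace_value("cn", "Smitta Lou", "Smitty Lou"))["cn"])
```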
Table 6-8 Return Codes for ldapugmod (continued)
MOD_DUP_REQUEST: Duplicate modification requests are found in the command options. For example, after running
ldapugmod -A "cn=Mike Lee" -A "cn=Mike Lee" mlee
ldapugmod exits with the MOD_DUP_REQUEST error status because the same modification request is specified twice.
MOD_CONFLICT_REQUEST: Conflicting modification requests are found in the command options.
MOD_RENAME_RDN_FAILED: Renaming the entry's RDN failed.
Run the following command to go to the /opt/ldapux/bin directory where ldapugmod resides:
cd /opt/ldapux/bin
The following commands change the password of the user, mlee, using the new user password defined in LDAP_UGCRED:
export LDAP_UGCRED="mlee's new Password"
./ldapugmod -t passwd -PW mlee
The following command replaces the uidNumber value for the user entry, mMackey:
./ldapugmod -t passwd -u 300 mMackey
The following command replaces the sn value for the user entry, mLou:
.
6.3.7 The ldapugdel Tool
Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory server. If you use ldapugdel with the -O option, ldapugdel removes only the POSIX-related attributes and object classes from user or group entries, without removing the entry itself.
6.3.7.1 Removing Attributes Only
You can use ldapugdel to remove entire POSIX user and group entries from an LDAP directory server.
-y Use this option only with the -O and -t passwd options. It forces ldapugdel to remove the userPassword attribute from the user entry. HP does not recommend using the -y option when removing posixAccount-related attributes.
-Z Requires an SSL connection to the LDAP directory server, even if the LDAP-UX configuration does not require the use of SSL. Using the -Z option requires that either a valid directory server or a CA certificate is defined in the /etc/opt/ldapux/cert8.db file.
the entry to be removed, such as (&(objectclass=posixAccount)(uid=name)). If more than one entry matches this search filter, only the first discovered entry is removed, so when a name may be ambiguous specify the entry's DN with the -D option instead. You can specify only one of the -D option or the name parameter on the command line.
Specifies the name of the group entry that you want to delete. The ldapugdel tool uses the configured LDAP search filter to discover the entry to be removed, such as (&(objectclass=posixGroup)(cn=name)).
NOTE: Keep the following considerations in mind when using the -O option:
• The ldapugdel tool does not support attribute mappings. For example, if the uidNumber attribute has been mapped to the employeeNumber attribute, ldapugdel attempts to remove the uidNumber attribute, not employeeNumber.
Table 6-9 Return Codes for ldapugdel
DEL_COMMANDLINE_ERR: Invalid POSIX attributes.
DEL_MULTIPLE_ENTRY_FOUND: Multiple entries found that match the same name. Please use a DN to specify a specific entry.
DEL_DELETE_FAILED: The LDAP deletion operation failed.
DEL_SEARCH_FAILED: The LDAP search for subSchemaSubEntry, attributeTypes or objectClasses failed.
DEL_PARSE_ERROR: Unable to analyze the LDAP directory server's schema.
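What the -O option does to a user entry, as an added example (not LDAP-UX code): the POSIX object classes come off, an attribute survives only if a remaining object class still allows it (which is why the tool reads the server's subschema), userPassword is kept unless the -y behaviour is requested, and attribute names are matched as written with no mapping applied. The schema fragment is the MUST/MAY content of the named classes from RFC 2256, RFC 2798 and RFC 2307; the entry is constructed.

```python
"""What ldapugdel -O does to a user entry: drop the POSIX object classes and the
attributes only they permitted, keep everything the remaining classes still allow
(userPassword included, unless -y), and work on raw attribute names with no mapping.

Added example, not LDAP-UX code. The schema fragment is the MUST/MAY content of
the classes as defined in RFC 2256/RFC 2798/RFC 2307; the entry is constructed.
"""

# objectClass -> (MUST attributes, MAY attributes), names lower-cased for matching.
SCHEMA = {
    "top": ({"objectclass"}, set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "seealso", "description"}),
    "organizationalperson": (set(), {"title", "l", "ou", "postaladdress"}),
    "inetorgperson": (set(), {"uid", "mail", "displayname", "employeenumber"}),
    "posixaccount": ({"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "loginshell", "gecos", "description"}),
    "shadowaccount": ({"uid"}, {"userpassword", "shadowlastchange", "shadowmax", "shadowwarning"}),
}

POSIX_USER_CLASSES = ("posixaccount", "shadowaccount")

# Constructed entry: an inetOrgPerson that was extended with the POSIX data model.
ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "posixAccount", "shadowAccount"],
    "uid": ["mscott"], "cn": ["Mike Scott"], "sn": ["Scott"], "mail": ["mscott@example.com"],
    "uidNumber": ["2002"], "gidNumber": ["200"], "homeDirectory": ["/home/mscott"],
    "loginShell": ["/usr/bin/ksh"], "gecos": ["Mike Scott,Building-3A"],
    "userPassword": ["{SSHA}constructed"], "shadowLastChange": ["14000"],
}


def allowed_attributes(object_classes, schema=SCHEMA):
    """Every attribute (lower-cased) that the given classes require or permit."""
    allowed = set()
    for oc in object_classes:
        if oc.lower() not in schema:
            raise LookupError("object class %s not in server schema" % oc)
        must, may = schema[oc.lower()]
        allowed |= must | may
    return allowed


def strip_posix(entry, remove_password=False, schema=SCHEMA):
    """Return (new_entry, removed_attributes) with the POSIX classes taken off.
    An attribute survives only if a remaining class still allows it; that is why
    uid and cn stay on an inetOrgPerson while uidNumber, gidNumber and the rest go.
    userPassword is kept unless remove_password (the -y option) is set. Names are
    compared as written: a uidNumber that the profile maps to employeeNumber is not
    recognised, which matches the tool's documented lack of mapping support."""
    remaining = [oc for oc in entry["objectClass"] if oc.lower() not in POSIX_USER_CLASSES]
    if all(oc.lower() == "top" for oc in remaining):
        raise ValueError("entry has no structural class besides the POSIX ones; delete it whole instead")
    allowed = allowed_attributes(remaining, schema)
    new_entry, removed = {"objectClass": remaining}, []
    for attr, values in entry.items():
        if attr == "objectClass":
            continue
        if attr.lower() == "userpassword" and remove_password:
            removed.append(attr)
        elif attr.lower() in allowed:
            new_entry[attr] = list(values)
        else:
            removed.append(attr)
    return new_entry, sorted(removed)


if __name__ == "__main__":
    kept, gone = strip_posix(ENTRY)
    print("removed:", gone)
    print("kept:", sorted(kept))
```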
./ldapugdel -t passwd -h ldapsrvA:389 astein Run the following command to delete the entire user account entry, msmart: ./ldapugdel -t passwd msmart Run the following command to delete the entire group entry with the Distinguished Name, “cn=group1,ou=groups,dc=example,dc=com": .
6.3.8 The ldapcfinfo Tool
Use the ldapcfinfo tool to discover configuration information about the LDAP-UX product. The ldapcfinfo t​ool can also be used to discover the list of attributes required when creating new users or groups in an LDAP directory server. Non-interactive LDAP applications can use this tool to find LDAP-UX configuration details when adding new users or groups. The ldapcfinfo tool can also report whether LDAP-UX is properly configured and active for the specified service.
are a static known list and are required, only non-POSIX attributes are displayed.
-T Specifies the LDIF template file to be used to create new user or group entries. The parameter can be either a full or relative path name or a short name. A short name is defined as the distinguishing portion of the template file name.
on the same line, separated by white space. Attribute and object class names are case-insensitive. The [atobName] can be specified multiple times in a comma-separated list. No white space is allowed in the list.
-a Displays the recommended list of attributes that an interactive management tool should consider making available for modification for the specified entry. For this operation to function properly, you must specify the -t option together with the -a option.
-h Displays help text.
Table 6-10 Return Codes for ldapcfinfo (continued)
CFI_NOACRED: LDAP-UX administrator credential file does not exist.
CFI_NOACRED_PERM: Insufficient permissions to read the LDAP-UX administrator credential file.
CFI_ACRED_INVALID: LDAP-UX administrator credential file contains invalid credentials.
CFI_ACRED_GOOD: LDAP-UX administrator credential file is valid.
CFI_NO_CF_CONFIG: The /etc/opt/ldapux/ldapug.conf file is missing.
CFI_READCONFIG: Unable to read the /etc/opt/ldapux/ldapug.conf file.
The following command displays the LDAP-UX default search base for the group name service. In this example, “ou=Groups,” has been configured as the search base for the group name service. ./ldapcfinfo -t group -b The output of the command is as follows ou=Groups,ou=org,dc=example,dc=com The following command displays the location of the LDAP-UX configuration profile: ./ldapcfinfo -P The output of the command is as follows: dn: cn=ldapux-profile,ou=org,dc=example,dc=com host: 55.2.22.
6.4 LDAP Directory Tools
This section briefly describes the ldapentry, ldappasswd, ldapsearch, ldapmodify and ldapdelete tools. For detailed information about ldapsearch, ldapmodify, and ldapdelete, refer to the Red Hat Directory Server for HP-UX Administrator's Guide available at http://docs.hp.com/en/internet.html
6.4.1 ldapentry
ldapentry is a script tool that simplifies the task of adding, modifying and deleting entries in a Directory Server.
6.4.1.1 Syntax
ldapentry - [options]
where
-a Adds a new entry to the directory.
-m Modifies an existing entry in the directory.
-d Deletes an existing entry in the directory.
options
-f Forces command execution with warning override.
-v Displays verbose information.
-b Specifies the DN of the search/insert base, which defines where ldapentry starts the search/insert for the entry. This option is optional if the LDAP_BASEDN variable is set.
NOTE: Although the ldapentry tool allows users to modify any information in the EDITOR window, the directory server has the final decision on accepting the modification. If the user enters invalid LDIF syntax, violates the directory's schema or does not have the privilege to perform the modification, the ldapentry tool reports the error after the EDITOR window is closed, when it tries to update the directory server with the information.
6.4.3 ldapsearch
You use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format. For detailed information, refer to the Red Hat Directory Server for HP-UX Configuration, Command, and File Reference available at the following web site: http://docs.hp.com/en/internet.html
6.4.4 ldapmodify
You use the ldapmodify command-line utility to add or modify entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and adds or modifies the entries based on the LDIF update statements contained in a specified file. Because ldapmodify uses LDIF update statements (including changetype: delete), ldapmodify can do everything ldapdelete can do.
6.4.5 ldapdelete
You use the ldapdelete command-line utility to delete entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, and deletes the entry or entries. For details, see the Red Hat Directory Server for HP-UX Administrator's Guide available at the following web site: http://docs.hp.com/en/internet.html
6.5 Schema Extension Utility 6.5.1 Overview A directory schema is a collection of attribute type definitions, object class definitions and other information supported by a directory server. Schema controls the type of data that can be stored in a directory server. Although there are some recommended schemas that came originally from the X.500 standards, mostly for representing individuals and organizations, there is no universal schema standard in place for every possible application.
For this release of LDAP-UX Client Services, the setup tool has not been integrated with ldapschema. You continue to use the setup tool to extend the Netscape/Red Hat Directory Server schema with the printer, public key and automount schemas. For Windows Active Directory Server, you continue to run the setup tool to extend the directory server with the automount schema.
However, some directory servers (such as Windows Active Directory Server) do not provide a list of supported syntaxes and/or matching rules as part of the directory server schema search. To support Windows ADS, LDAP-UX provides the predefined LDAP directory server definition file, /etc/opt/ldapux/schema/schema-ads.xml, which contains a list of schema syntaxes that Windows Active Directory Server supports.
6.5.3 ldapschema — The Schema Extension Tool The ldapschema utility allows schema developers to define LDAP schemas using a universal XML syntax, greatly simplifying the ability to support different directory server variations. It can be used to query the current status of the LDAP schema on the LDAP directory server, as well as extend the LDAP directory server schema with new attribute types and object classes.
Table 6-12 Reserved LDAPv3 Directory Servers (continued)
IBM Tivoli Directory Server: ibm
MAC OS X Directory Server: mac
Sun One Directory Server: sun
Computer Associates Directory Server: ca
iPlanet Directory Server: iPlanet
-V ds_version The version of the LDAP directory server. The strcasecmp() function compares the version specified with this -V option against the version defined in the XML files that the ldapschema utility processes, so the comparison is case-insensitive.
-D Specifies the Distinguished Name (DN) of an administrator who has permission to read and modify the LDAP directory server schema.
-j Specifies a file containing the administrator's password (for simple authentication).
-w- Reads the administrator's password from a prompt (for simple authentication).
-Z Establishes an SSL-encrypted connection.
-ZZ Issues a StartTLS request.
-ZZZ Enforces the StartTLS request (requires a successful server response).
6.5.3.3 Environment Variables
The ldapschema utility supports the following environment variables:
LDAP_BINDDN The Distinguished Name (DN) of an administrator who has permission to read and modify the LDAP directory server schema.
LDAP_BINDCRED The password for the privileged LDAP directory user.
LDAP_HOST The host name of the LDAP directory server. The LDAP_HOST variable uses the "hostname:port" format.
6.5.4 Schema Definition File
The ldapschema utility queries and extends the LDAP directory server based on an XML schema definition file. When using the ldapschema tool, the schema argument used with the -q or -e option must correspond to the XML file containing the appropriate schema definition. Several predefined files (such as rfc3712.xml, rfc2256.xml, and so on) are stored in the /etc/opt/ldapux/schema directory, but a schema definition file can be stored in any directory under any file name.
6.5.4.1 A Sample RFC3712.xml File
A sample rfc3712.xml file defines two attribute types, printer-name and printer-aliases, followed by one object class, printerLPR, as specified in RFC 3712.
6.5.4.2 Defining Attribute Types
Each attribute type definition, enclosed by tags, can contain the following case-sensitive tags, in the order specified:
• Required. Exactly one numeric id must be specified. The value must adhere to the RFC 2252 format specification.
• Required. At least one attribute type name must be specified. Do not use quotes around the name values. The value must adhere to the RFC 2252 format specification.
• Optional.
• Optional, use if an attribute type requires indexing. At most one indexed flag can be specified.
• Optional, use to specify any directory-specific information about the attribute type. See "Defining Directory Specific Information" (page 215) for details.
6.5.4.4 Defining Object Classes
Each object class definition, enclosed by the tags, can contain the following case-sensitive tags, in the order specified:
• Required. Exactly one numeric id must be specified. The value must adhere to the RFC 2252 format specification.
• Required. At least one object class name must be specified. Do not use quotes around the name values. The value must adhere to the RFC 2252 format specification.
• Optional.
6.5.4.5 Object Class Definition Requirements
To add the new schema to the LDAP directory server, each object class definition must meet the following requirements:
• The object class definition contains a tag with one numeric id value which adheres to the RFC 2252 format specification.
• The object class definition has at least one tag with the object class name. Each name must adhere to the RFC 2252 format specification.
6.5.5 Defining Directory Specific Information
Attribute type and object class definitions can be extended with directory-specific information using the tag. This is useful for maintaining a single schema definition file for different types and versions of LDAP directory servers.
6.5.5.2 An Example of Defining Directory Specific Information in the Object Class Definition
Directory-specific information can be specified in object class definitions as well as in optional and mandatory attributes. The following is an example of an object class definition with directory-specific information using the tag and the XML attributes not and only.
6.5.6 LDAP Directory Server Definition File In order to properly install new attribute types in an LDAP directory server schema, the ldapschema utility needs to determine whether the LDAP server supports the matching rules and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs an LDAP search for supported matching rules and syntaxes on the LDAP server. However, some types of directory servers do not provide this information as part of the search.
NOTE: Only LDAP syntaxes and matching rules fully supported by the LDAP directory server can be specified in this file. The vendor, versionGreaterOrEqual and versionLessThan attributes can be used to specify directory specific information. See the /etc/opt/ldapux/schema/schema-ads.xml file for an example of LDAP directory server definition files. 6.5.6.2 Defining Matching Rules Each tag can contain the following case-sensitive tags, in the order specified: Required.
6.5.7 Mapping Unsupported Matching Rules and LDAP Syntaxes
If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them to alternate matching rules and syntaxes that the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.xml file, which defines a list of default substitution matching rules and syntaxes, and alternate matching rules and syntaxes.
try using the first specified equivalent or substitution syntax supported by the target LDAP directory server. The specified equivalent syntax, 2.5.5.5 with the oMSyntax value of 22, is supported on Windows ADS and is used in place of the original syntax value. As another example, assume an attribute type with a Boolean equality rule is being installed on an LDAP server where this matching rule is not supported.
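The substitution walk described above, as an added example that is not ldapschema code: each syntax or rule that the target server does not list is replaced by the first supported alternate from an ordered list, and the replacement is reported in a *_UNRESOLVED message. The OIDs are the standard assignments from RFC 4517; the substitution table and the server capability sets are constructed for the example and are not the contents of map-rules.xml. The Windows ADS way of naming a syntax (2.5.5.5 with oMSyntax 22) is not modelled here.

```python
"""Substituting matching rules and LDAP syntaxes the target server does not support,
trying the alternates in the order the substitution list gives them, the way
ldapschema consults map-rules.xml.

Added example, not ldapschema code. The OIDs are the RFC 4517 assignments; the
substitution table and the server capability sets are constructed, not the
contents of map-rules.xml.
"""
SYNTAX = {
    "boolean": "1.3.6.1.4.1.1466.115.121.1.7",
    "directoryString": "1.3.6.1.4.1.1466.115.121.1.15",
    "ia5String": "1.3.6.1.4.1.1466.115.121.1.26",
    "octetString": "1.3.6.1.4.1.1466.115.121.1.40",
    "printableString": "1.3.6.1.4.1.1466.115.121.1.44",
}
RULE = {
    "booleanMatch": "2.5.13.13",
    "caseIgnoreMatch": "2.5.13.2",
    "caseIgnoreIA5Match": "1.3.6.1.4.1.1466.109.114.2",
    "octetStringMatch": "2.5.13.17",
}

# Constructed substitution lists: original -> alternates in preference order.
SUBSTITUTE_SYNTAX = {
    SYNTAX["ia5String"]: [SYNTAX["directoryString"], SYNTAX["octetString"]],
    SYNTAX["printableString"]: [SYNTAX["ia5String"], SYNTAX["directoryString"]],
    SYNTAX["boolean"]: [SYNTAX["directoryString"]],
}
SUBSTITUTE_RULE = {
    RULE["caseIgnoreIA5Match"]: [RULE["caseIgnoreMatch"]],
    RULE["booleanMatch"]: [RULE["caseIgnoreMatch"]],
}

# Constructed capability set for a server that lists neither the IA5 syntax nor booleanMatch.
# ldapschema reads these from the subschema entry, or from schema-ads.xml for Windows ADS.
SERVER = {
    "syntaxes": {SYNTAX["directoryString"], SYNTAX["octetString"], SYNTAX["printableString"]},
    "rules": {RULE["caseIgnoreMatch"], RULE["octetStringMatch"]},
}


def split_length(syntax):
    """Separate the optional RFC 4512 length suffix: '...1.15{127}' -> ('...1.15', '{127}')."""
    base, brace, rest = syntax.partition("{")
    return base, brace + rest


def resolve(oid, supported, substitutes, kind):
    """Return (oid_to_use, message). Keeps oid when supported; otherwise the first supported
    alternate, with a *_UNRESOLVED style message; raises if no alternate is supported."""
    if oid in supported:
        return oid, None
    for alternate in substitutes.get(oid, []):
        if alternate in supported:
            return alternate, "%s_UNRESOLVED: %s is not supported on the LDAP server; %s will be used instead" % (
                kind.upper(), oid, alternate)
    raise LookupError("%s %s is unsupported and has no supported alternate" % (kind, oid))


def remap_attribute_type(attr_def, server=SERVER):
    """Return a copy of an attribute type definition (dict with 'syntax' and optional
    'equality', 'ordering', 'substr' rule OIDs) rewritten for the server, plus the messages."""
    out, messages = dict(attr_def), []
    base, length = split_length(attr_def["syntax"])
    resolved, msg = resolve(base, server["syntaxes"], SUBSTITUTE_SYNTAX, "syntax")
    out["syntax"] = resolved + length
    if msg:
        messages.append(msg)
    for key in ("equality", "ordering", "substr"):
        if attr_def.get(key):
            out[key], msg = resolve(attr_def[key], server["rules"], SUBSTITUTE_RULE, "rule")
            if msg:
                messages.append(msg)
    return out, messages


if __name__ == "__main__":
    definition = {"name": "x-example-ia5", "syntax": SYNTAX["ia5String"] + "{256}",
                  "equality": RULE["caseIgnoreIA5Match"]}
    for line in remap_attribute_type(definition)[1]:
        print(line)
```

A substituted syntax is usually more inclusive than the original (Directory String in place of IA5 String, for example), so the server will accept values the original definition would have rejected; the messages exist so that this loss of validation is visible to the administrator.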
6.5.8 Return Values From ldapschema
The ldapschema tool returns the following values:
0 The operation is successful.
-1 The operation fails.
In addition, ldapschema prints to STDOUT the overall status of the schema being queried or extended. Based on the schema status, any combination of the following messages is displayed. Detailed explanations of each message are given in the square brackets following the message text.
If the SCHEMA_INVALID message is not displayed, the schema definition in the file is valid. It partially exists on the LDAP server schema, and can be extended with any remaining new valid attribute type and object class definitions.] SCHEMA_EXISTS No changes to the LDAP server schema are needed. All attribute types and object classes defined in the file are already part of the LDAP directory server schema.
elements defined in the file cannot be added to the LDAP server schema unless the force flag ("-F" option) is specified. [The SCHEMA_MISMATCH message indicates one or more attribute types or object classes defined in the file are already installed on the LDAP directory server, however, their definitions do not match.
ATTRIB_INVALID Attribute type definition is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the file.] ATTRIB_INVALID Attribute type “ ” has an invalid numericoid. Edit the schema definition file to specify an RFC 2252 compliant value for this attribute type.
attribute types, or if it is used as a mandatory or optional attribute in any object classes. Edit the file to correct this discrepancy.
ATTRIB_UNRESOLVED Super-type used in "" attribute type definition is not defined in any LDAP schema. [This message indicates the super-type specified with the tag in the given attribute type definition is undefined. Edit the file to correct the name of the super-type in the attribute type definition.
numeric oid or name. If the ldapschema utility is executed in the extend mode, the given attribute type will not be added to the LDAP directory server schema. This message is displayed in verbose mode only.] ATTRIB_MISMATCH Definition of attribute type “” is incompatible with the definition already installed in the LDAP server schema. ATTRIB_REJECTED attribute type “” will not be added to the LDAP server schema because it is already part of the LDAP schema.
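The checks behind the ATTRIB_INVALID, ATTRIB_MISMATCH and ATTRIB_REJECTED messages and the overall SCHEMA_INVALID, SCHEMA_MISMATCH and SCHEMA_EXISTS verdict, as an added example that is not ldapschema code. It works on the RFC 4512 text form of attribute type definitions rather than on the XML file, because that text form is what the server's subschema entry returns; the server definitions and the attribute types under the OID arc 1.3.6.1.4.1.99999 are constructed.

```python
"""Checking a schema file's attribute types against what the server already has: the
tests behind ATTRIB_INVALID (bad numericoid, missing name), ATTRIB_MISMATCH (same type,
different definition), ATTRIB_REJECTED (already installed, so not re-added) and the
overall SCHEMA_INVALID / SCHEMA_MISMATCH / SCHEMA_EXISTS verdict.

Added example, not ldapschema code. It reads the RFC 4512 text form of attribute
types rather than the XML file; the server definitions and the types under the OID
arc 1.3.6.1.4.1.99999 are constructed.
"""
import re

_NUMERICOID = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")  # RFC 4512 numericoid
_KEYSTRING = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")                   # RFC 4512 descr
_TOKEN = re.compile(r"'([^']*)'|([()$])|([^\s'()$]+)")
_FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
_VALUED = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}


def parse_attribute_type(text):
    """Parse one RFC 4512 AttributeTypeDescription into a dict (oid, names, keywords)."""
    toks = [(m.lastindex, m.group(m.lastindex)) for m in _TOKEN.finditer(text)]
    if len(toks) < 3 or toks[0] != (2, "(") or toks[-1] != (2, ")"):
        raise ValueError("definition must be enclosed in parentheses")
    body, d, i = toks[1:-1], {"names": []}, 1
    d["oid"] = body[0][1]
    while i < len(body):
        kind, val = body[i]
        if kind != 3:
            raise ValueError("unexpected token %r" % val)
        if val == "NAME":
            i += 1
            if body[i] == (2, "("):
                i += 1
                while body[i] != (2, ")"):
                    d["names"].append(body[i][1])
                    i += 1
            else:
                d["names"].append(body[i][1])
        elif val in _FLAGS:
            d[val] = True
        elif val in _VALUED or val.startswith("X-"):
            i += 1
            if body[i] == (2, "("):          # parenthesised extension value list, skipped
                while body[i] != (2, ")"):
                    i += 1
            else:
                d[val] = body[i][1]
        else:
            raise ValueError("unknown keyword %r" % val)
        i += 1
    return d


def validate(d):
    """ATTRIB_INVALID reasons for a parsed definition; empty when it is valid."""
    reasons = [] if _NUMERICOID.match(d["oid"]) else ["invalid numericoid %r" % d["oid"]]
    if not d["names"]:
        reasons.append("missing name")
    reasons += ["invalid name %r" % n for n in d["names"] if not _KEYSTRING.match(n)]
    return reasons


def _signature(d):
    """The parts of a definition that must agree for two copies to count as the same."""
    return (d["oid"], d.get("SYNTAX", "").split("{")[0], d.get("EQUALITY", "").lower(),
            d.get("SUBSTR", "").lower(), d.get("SUP", "").lower(),
            bool(d.get("SINGLE-VALUE")), tuple(sorted(n.lower() for n in d["names"])))


def classify(file_defs, server_defs):
    """Per file definition: 'invalid', 'new', 'exists' (installed and identical, hence rejected
    rather than re-added) or 'mismatch'. The installed copy is looked up by numericoid or by
    any name, so a re-used OID under a new name is a mismatch, not a new type."""
    by_oid = {d["oid"]: d for d in server_defs}
    by_name = {n.lower(): d for d in server_defs for n in d["names"]}
    result = {}
    for d in file_defs:
        label = d["names"][0] if d["names"] else d["oid"]
        if validate(d):
            result[label] = "invalid"
            continue
        installed = by_oid.get(d["oid"])
        for n in d["names"]:
            installed = installed or by_name.get(n.lower())
        if installed is None:
            result[label] = "new"
        else:
            result[label] = "exists" if _signature(installed) == _signature(d) else "mismatch"
    return result


def schema_status(verdicts):
    """Overall result in ldapschema's terms; None means the 'new' definitions can be
    installed, i.e. the server schema can be extended with them."""
    kinds = set(verdicts.values())
    if "invalid" in kinds:
        return "SCHEMA_INVALID"
    if "mismatch" in kinds:
        return "SCHEMA_MISMATCH"
    return "SCHEMA_EXISTS" if kinds == {"exists"} else None


# Constructed definitions: one already on the server, one new to it.
SERVER_SCHEMA = [parse_attribute_type(
    "( 1.3.6.1.4.1.99999.1.1 NAME 'x-printer-name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )")]
FILE_SCHEMA = [parse_attribute_type(s) for s in (
    "( 1.3.6.1.4.1.99999.1.1 NAME 'x-printer-name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} SINGLE-VALUE )",
    "( 1.3.6.1.4.1.99999.1.2 NAME 'x-printer-aliases' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{127} X-ORIGIN 'constructed example' )")]

if __name__ == "__main__":
    verdicts = classify(FILE_SCHEMA, SERVER_SCHEMA)
    print(verdicts, schema_status(verdicts))
```

The mismatch case is the one that matters operationally: an installed attribute whose definition differs from the file's cannot simply be overwritten, because existing entries were validated against the old definition, which is why ldapschema refuses unless -F is given.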
Edit the file to correct the name of the super-class in the object class definition. The super-class used in the object class definition must be defined either in the LDAP directory server schema or in the file before this object class can be installed.] OBJECT_UNRESOLVED Mandatory attribute used in the object class definition is not defined in any LDAP server schema.
schema/schema-ds_type.xml file, where ds_type corresponds to the same value specified with the -T option on the command line when executing the ldapschema utility.] RULE_INVALID Matching rule is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the /etc/opt/ldapux/schema/schema-ds_type.
SYNTAX_UNRESOLVED LDAP syntax "" used in the "" attribute type definition is not supported on the LDAP server. LDAP syntax "" will be used instead. [This message indicates the specified syntax is not supported on the LDAP directory server. However, it was successfully mapped to a higher-level (more inclusive) syntax supported by that server, as specified in the /etc/opt/ldapux/schema/map-rules.xml file.
6.6 Name Service Migration Scripts This section describes the shell and perl scripts that can migrate your name service data either from source files or NIS maps to your LDAP directory. These scripts are found in /opt/ldapux/migrate. The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your source files or NIS maps, while the perl scripts migrate_passwd.pl, migrate_group.pl, migrate_hosts.pl, and so forth, migrate individual maps. The shell scripts call the perl scripts.
NOTE: The scripts use ldapmodify to add entries to your directory. If you are starting with an empty directory, it may be faster to generate the LDIF file and load it with ldif2db or ns-slapd ldif2db. See the Netscape Directory Server Administrator's Guide for details on ldif2db and ns-slapd.
6.6.3 Migrating Individual Files
The migration scripts shown below can be used to migrate the data for each service (passwd, group, hosts, netgroup, services, protocols, rpc, and so forth) individually from its source file in /etc to LDIF.
6.6.3.2 Environment Variables
When using the perl scripts to migrate individual files, you must set the following environment variable:
LDAP_BASEDN The base distinguished name under which you want to put the data in the LDAP directory. For example, the following command sets the base DN to "o=hp.com":
export LDAP_BASEDN="o=hp.com"
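The conversion that migrate_passwd.pl performs, written out as an added example (not HP's script): each passwd(4) line becomes a posixAccount entry in LDIF under LDAP_BASEDN, the password column is carried over only when it holds a real crypt(3) hash, and values that LDIF cannot carry in plain text are emitted in the base64 ("::") form, the same convention the -m output of ldapuglist uses. The passwd and shadow lines are constructed; the ou=People container name is an assumption.

```python
"""Converting passwd(4) lines into RFC 2307 posixAccount entries in LDIF, the job
migrate_passwd.pl does, with the container placed under LDAP_BASEDN.

Added example, not HP's migration script. The passwd and shadow lines are
constructed; the ou=People container name is an assumption.
"""
import base64
import os


def ldif_line(attr, value):
    """One LDIF attribute line. RFC 2849 requires the base64 ('::') form when the value
    holds non-ASCII or control bytes, starts with a space, ':' or '<', or ends with a space."""
    raw = value.encode("utf-8")
    plain = (all(0x20 <= b < 0x7F for b in raw)
             and not value.startswith((" ", ":", "<"))
             and not value.endswith(" "))
    if plain:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def passwd_to_entry(line, base_dn, shadow=None, people="ou=People"):
    """Build a posixAccount entry (list of (attr, value)) from one line
    name:pw:uid:gid:gecos:home:shell. The password column is carried over only when it is
    a real crypt(3) hash: 'x' means the hash lives in the shadow file, '*' or a leading '!'
    marks a locked or no-login account, and none of those may become a userPassword value."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    name, pw, uid, gid, gecos, home, shell = fields
    if not (uid.isdigit() and gid.isdigit()):
        raise ValueError("non-numeric uid/gid for %s" % name)
    if shadow and name in shadow:
        pw = shadow[name]
    entry = [
        ("dn", "uid=%s,%s,%s" % (name, people, base_dn)),
        ("objectClass", "top"), ("objectClass", "account"), ("objectClass", "posixAccount"),
        ("uid", name),
        ("cn", gecos.split(",")[0].strip() or name),
        ("uidNumber", uid), ("gidNumber", gid),
        ("homeDirectory", home),
    ]
    if shell:
        entry.append(("loginShell", shell))
    if gecos:
        entry.append(("gecos", gecos))
    if pw and pw not in ("x", "*") and not pw.startswith("!"):
        entry.append(("userPassword", "{crypt}" + pw))
    return entry


def entry_to_ldif(entry):
    """Render the (attr, value) list as one LDIF record."""
    return "\n".join(ldif_line(a, v) for a, v in entry) + "\n"


def migrate(passwd_text, shadow_text="", base_dn=None):
    """Convert whole files. base_dn defaults to $LDAP_BASEDN, as the scripts require."""
    base_dn = base_dn or os.environ.get("LDAP_BASEDN")
    if not base_dn:
        raise RuntimeError("LDAP_BASEDN is not set")
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pw_hash = line.split(":")[:2]
            shadow[name] = pw_hash
    records = [entry_to_ldif(passwd_to_entry(l, base_dn, shadow))
               for l in passwd_text.splitlines() if l and not l.startswith("#")]
    return "\n".join(records)


# Constructed sample input: one account with its hash in the shadow file, one locked account
# whose GECOS needs base64 because it is not plain ASCII.
SAMPLE_PASSWD = ("ascott:x:2001:200:Alice Scott,Bldg 1:/home/ascott:/usr/bin/ksh\n"
                 "jmuller:*:2003:200:Jürgen Müller:/home/jmuller:/usr/bin/sh\n")
SAMPLE_SHADOW = "ascott:$1$saltsalt$constructedhashvalue:14000:0:99999:7:::\n"

if __name__ == "__main__":
    print(migrate(SAMPLE_PASSWD, SAMPLE_SHADOW, "dc=example,dc=com"))
```

The LDIF this produces is what ldapmodify (or ldif2db on an empty directory) loads. The userPassword values are the hashes from the source files, so the output file is as sensitive as /etc/shadow and should be created with a restrictive umask and removed after the load.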
6.7 Unsupported Contributed Tools and Scripts This section describes contributed tools and scripts which are not officially supported by HP at the present time. 6.7.1 beq Search Tool The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library.
./beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 iuser1

2. An example beq command using the user name adm as the search key, pwd (password) as the service, and files as the library on 32-bit HP-UX 11i v1, v2 or v3 PA machines:

./beq -k n -s pwd -l /usr/lib/libnss_files.1 adm
nss_status .............. NSS_SUCCESS
pw_name...........(adm)
pw_passwd.........(*)
pw_uid............(4)
pw_gid............(4)
pw_age............()
pw_comment........()
pw_gecos..........()
pw_dir............
6.7.2 certutil — Certificate Database Tool

You can use the certutil command-line utility to create and modify the Netscape Communicator cert7.db and key3.db database files. The tool can list, generate, modify, or delete certificates in the cert7.db file. For the key3.db file, it can create the key database, change its password, generate new public and private key pairs, display its contents, or delete key pairs.
7 User Tasks

This chapter describes the following tasks your users will need to do:

• To Change Passwords
• To Change Personal Information

7.1 To Change Passwords

With LDAP-UX Client Services, users change their password with the passwd(1) command.
Figure 7-2 Changing Passwords on Master Server with ldappasswd

See ldappasswd for details of this command.

Figure 7-3 Sample passwd Command Wrapper

    #!/usr/bin/ksh
    #
    # You can put a default master LDAP server host name
    # here. Otherwise the local host is the default.
    #
    #LDAP_MASTER="masterHostName"
    if [[ "$1" != "" ]]
    then
        LDAP_MASTER="$1"
    fi
    if [[ "$LDAP_MASTER" = "" ]]
    then
        eval "$(sed -e "1,/Service: NSS/d" /etc/opt/ldapux/ldapux_client.
8 Mozilla LDAP C SDK

This chapter describes the Mozilla LDAP SDK for C and the SDK file components. It contains the following sections:

• Overview
• The Mozilla LDAP C SDK File Components, which briefly describes many of the files that make up the LDAP C SDK.

8.1 Overview

LDAP-UX Client Services provides support for the Mozilla LDAP C SDK 5.17.1.
Table 8-1 Mozilla LDAP C SDK File Components on the PA machine (continued)

Files  Description
/usr/include/*  Include files from the LDAP C SDK.
/opt/ldapux/contrib/bin/certutil  Unsupported command tool that creates and modifies the certificate database files cert8.db and key3.db.
/opt/ldapux/contrib/ldapsdk/examples  Unsupported Netscape LDAP C SDK examples.
/opt/ldapux/contrib/ldapsdk/source.tar.gz  Mozilla LDAP C SDK source (for license compliance).
Table 8-2 Mozilla LDAP C SDK File Components on the IA machine

Files  Description
/usr/lib/hpux32/libldap.so (32-bit), /usr/lib/hpux64/libldap.so (64-bit)  Main LDAP C SDK API libraries; they link to the /opt/ldapux/lib libraries.
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit), /opt/ldapux/lib/hpux32/libnss3.so (32-bit), /opt/ldapux/lib/hpux32/libplc4.so (32-bit), /opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit), /opt/ldapux/lib/hpux32/libssl3.  LDAP C SDK dependency libraries.
Table 8-3 Mozilla LDAP C SDK API Header Files

Header Files  Description
/usr/include/ldap.h  Main LDAP functions, structures and defines.
/usr/include/ldap-extension.h  Support for LDAP v3 extended operations, controls and other server-specific features. This file must be included in source code that uses LDAP v3 extended operations or controls.
/usr/include/ldap_ssl.h  Support for creation of SSL connections. This file must be included in source code that requires SSL connections.
A Configuration Worksheet

Use this worksheet to help you configure LDAP-UX Client Services. See Installing And Configuring LDAP-UX Client Services for details.
B LDAP-UX Client Services Object Classes

This Appendix describes the object classes LDAP-UX Client Services uses for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:

1. posixDUAProfile
2. posixNamingProfile

With release B.03.00, the posixDUAProfile and posixNamingProfile object classes were replaced by the single STRUCTURAL object class DUAConfigProfile. In addition, four new attributes were added.
The DUAConfigProfile attributes include:

credentialLevel
defaultSearchBase
defaultServerList
followReferrals
preferredServerList
profileTTL
searchTimeLimit
serviceSearchDescriptor

credentialLevel is "proxy", "anonymous", or "proxy anonymous". "proxy" means use the configured proxy user. "anonymous" means use anonymous access. "proxy anonymous" means use the configured proxy user and, if that fails, bind anonymously. If this attribute has no value, "anonymous" is the default. Note that with "proxy anonymous" a failing proxy bind (for example, an expired proxy password) silently degrades to anonymous access, so the directory must permit anonymous reads of the name service data and the failure may go unnoticed.

defaultSearchBase is the base DN where clients can find name service information, for example ou=hpusers,o=hp.com.
C Sample /etc/pam.ldap.trusted file

This Appendix provides the sample PAM configuration file /etc/pam.ldap.trusted, which is used as the /etc/pam.conf file to support the coexistence of LDAP-UX and Trusted Mode. This /etc/pam.ldap.trusted file must be used as the /etc/pam.conf file if your directory server is the Netscape/Red Hat Directory Server and your LDAP client is in Trusted Mode. If your system is in Standard Mode, use the /etc/pam.ldap file as the /etc/pam.conf file instead.
    #
    # see pam.conf(4) for more details
    #
    # NOTE: This pam.conf file is recommended only if you convert
    #       your system to a Trusted System. If your system is in the
    #       Standard Mode, use the pam.ldap file as an example.
    #
    # NOTE: If the path to a library is not absolute, it is assumed
    #       to be relative to the directory /usr/lib/security/$ISA.
    #       The "$ISA (i.
D Sample /etc/pam.conf File for Security Policy Enforcement

This Appendix provides a sample PAM configuration file, /etc/pam.conf, that supports account and password policy enforcement. In this /etc/pam.conf file, the pam_authz library must be configured for the sshd and rcomds services under account management. The following is a sample /etc/pam.conf used on an HP-UX 11i v1 system:

    #
    # PAM configuration
    #
    # This pam.conf file is intended as an example only.
    # the format for an entry is
    #
    #     service module_type control_flag module_path [options]
    #
    # see pam.conf(4) for more details
    #
    ################################################################
    #
    # Authentication management
    #
    login   auth required   libpam_hpsec.so.1
    login   auth sufficient libpam_unix.so.1
    login   auth required   libpam_ldap.so.1 try_first_pass
    su      auth required   libpam_hpsec.so.1
    su      auth sufficient libpam_unix.so.1
    su      auth required   libpam_ldap.so.
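Because policy enforcement depends on pam_authz being present in the account stack of exactly the services the Appendix names, an administrator will want to verify that after editing /etc/pam.conf. The following check is an added example, not part of the manual or of LDAP-UX. It assumes the module file is named libpam_authz.so.1 (matched loosely on "libpam_authz.so"), that the file uses the four-column HP-UX pam.conf(4) format shown above, and that only a "required" or "requisite" control flag counts, since an "optional" module's failure would not deny access.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX manual): confirm that every named
# PAM service has pam_authz in its account-management stack with an
# enforcing control flag. Assumes HP-UX pam.conf(4) column order
# "service module_type control_flag module_path [options]" and the
# module file name libpam_authz.so.1.

# check_pam_authz <pam.conf> <service>...
# Returns 0 if every service has an enforcing pam_authz account entry,
# otherwise lists the offending services on stderr and returns 1.
check_pam_authz() {
    conf="$1"; shift
    missing=""
    for svc in "$@"; do
        # Field 1 service, 2 module type, 3 control flag, 4 module path.
        # Comment lines and lines with too few fields are ignored.
        if ! awk -v s="$svc" '
                !/^[ \t]*#/ && NF >= 4 && $1 == s && $2 == "account" &&
                ($3 == "required" || $3 == "requisite") &&
                $4 ~ /libpam_authz\.so/ { found = 1 }
                END { exit found ? 0 : 1 }' "$conf"; then
            missing="$missing $svc"
        fi
    done
    if [ -n "$missing" ]; then
        echo "pam_authz is not enforced in the account stack of:$missing" >&2
        return 1
    fi
    return 0
}

# Usage on a live system:
#   check_pam_authz /etc/pam.conf sshd rcomds
```

Run it with the same service list the policy is meant to cover; a service that is absent from the file entirely falls through to the OTHER stack, which this check deliberately treats as missing.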
Glossary

See also the Glossary in the Netscape Directory Server for HP-UX Administrator's Guide available at http://docs.hp.com/hpux/internet.

Access Control Instruction  A specification controlling access to entries in a directory.
Access Control List  One or more ACIs.
ACI  See Access Control Instruction.
Configuration profile  An entry in an LDAP directory containing information common to many clients, which allows clients to access user, group and other information in the directory.
ypldapd The NIS/LDAP Gateway daemon, part of the NIS/LDAP Gateway subproduct. ypldapd replaces the NIS ypserv daemon by accepting NIS client requests and getting the requested information from an LDAP directory rather than from NIS maps. See Installing and Administering NIS/LDAP Gateway at http://docs.hp.