LDAP-UX Client Services B.04.15 Administrator's Guide

B LDAP-UX Client Services Object Classes
This Appendix describes the object classes LDAP-UX Client Services uses for configuration
profiles.
In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:
1. posixDUAProfile
2. posixNamingProfile
With release B.03.00, the posixDUAProfile and posixNamingProfile object classes have been
replaced by a single STRUCTURAL object class, DUAConfigProfile.
In addition, four new attributes are added. These changes reflect the definition in the
most current IETF draft "A Configuration Schema for LDAP Based Directory User Agents"
(draft-joslin-config-schema-07.txt). This allows LDAP-UX to integrate with configuration
profiles that are supported by other vendors.
The object class DUAConfigProfile is defined as follows:
objectclass DUAConfigProfile
    superior top
    requires cn
    allows
        authenticationMethod, attributeMap, bindTimeLimit,
        credentialLevel, defaultSearchBase,
        defaultSearchScope, defaultServerList, followReferrals,
        objectclassMap, preferredServerList,
        profileTTL, searchTimeLimit, serviceAuthenticationMethod,
        serviceCredentialLevel, serviceSearchDescriptor
B.1 Profile Attributes
The attributes of DUAConfigProfile are defined as follows:
cn
is the common name of the profile entry.
attributeMap
is a mapping from RFC 2307 attributes to alternate attributes.
Use this if your entries do not conform to RFC 2307. Each
entry consists of: Service:Attribute=Altattribute
where Service is one of the supported services: passwd,
group, shadow, pam, networks, hosts, protocols, services,
rpc, or netgroup. Attribute is an attribute of the service
as defined by RFC 2307. Altattribute is the attribute that
should be used instead of the standard attribute.
For example, pam:userPassword=ntUserPassword maps the
userPassword attribute to ntUserPassword for the pam
service. passwd:uidnumber=employeeNumber maps the
uidnumber attribute to employeeNumber for the passwd
service.
NOTE: The userPassword attribute is mapped to *NULL* to prevent passwords from
being returned, for increased security, and to prevent PAM_UNIX from
authenticating users in the LDAP directory. Mapping an attribute to *NULL* or to
any other nonexistent attribute means that nothing is returned for it.
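The following is an added example, not code from HP or from LDAP-UX itself. It shows how a client-side check of a DUAConfigProfile entry could be written from the definitions above: it parses a small constructed LDIF entry, verifies the object class, the required cn and the allowed attribute set listed for DUAConfigProfile, parses each attributeMap value in the Service:Attribute=Altattribute form against the supported service names, and resolves a lookup the way the NOTE describes, returning nothing for an attribute mapped to *NULL*. The DN, the profile name and the mapping values are constructed for the example; only the *NULL* convention is taken from the text (the code cannot know which other attributes are nonexistent in a given directory, so it treats only *NULL* specially).

```python
"""Added example: validate a DUAConfigProfile entry and resolve attributeMap values.
Not HP's LDAP-UX code; the LDIF below is constructed for illustration."""
import re

# Schema as listed in this appendix: DUAConfigProfile requires cn and allows these.
DUA_REQUIRED = {"cn"}
DUA_ALLOWED = {
    "authenticationMethod", "attributeMap", "bindTimeLimit",
    "credentialLevel", "defaultSearchBase", "defaultSearchScope",
    "defaultServerList", "followReferrals", "objectclassMap",
    "preferredServerList", "profileTTL", "searchTimeLimit",
    "serviceAuthenticationMethod", "serviceCredentialLevel",
    "serviceSearchDescriptor",
}
# Services that may appear on the left of an attributeMap value.
SERVICES = {"passwd", "group", "shadow", "pam", "networks", "hosts",
            "protocols", "services", "rpc", "netgroup"}

# Service:Attribute=Altattribute
ATTRMAP_RE = re.compile(r"^([a-z]+):([A-Za-z][A-Za-z0-9-]*)=(.+)$")

# Constructed sample entry (DN and values are hypothetical).
SAMPLE_PROFILE_LDIF = """\
dn: cn=profile1,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: profile1
defaultSearchBase: dc=example,dc=com
attributeMap: pam:userPassword=ntUserPassword
attributeMap: passwd:uidnumber=employeeNumber
attributeMap: passwd:userPassword=*NULL*
"""

# Constructed entry with three defects: no cn, an unknown service, bad syntax.
BROKEN_PROFILE_LDIF = """\
dn: cn=broken,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
attributeMap: ldap:uid=foo
attributeMap: passwd uidNumber
defaultSearchScope: one
"""


def parse_ldif(text):
    """Minimal one-entry LDIF reader: attribute name (lowercased, since LDAP
    attribute names are case-insensitive) -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_attribute_map(value):
    """Split 'Service:Attribute=Altattribute'; ValueError on bad syntax or service."""
    m = ATTRMAP_RE.match(value)
    if not m:
        raise ValueError(f"malformed attributeMap value: {value!r}")
    service, attr, alt = m.groups()
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r} in {value!r}")
    return service, attr, alt


def validate_profile(entry):
    """Return a list of problems with the entry; an empty list means it is valid."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "duaconfigprofile" not in classes:
        problems.append("missing objectclass DUAConfigProfile")
    for req in sorted(DUA_REQUIRED):
        if req.lower() not in entry:
            problems.append(f"required attribute {req} missing")
    allowed = {a.lower() for a in DUA_ALLOWED | DUA_REQUIRED} | {"dn", "objectclass"}
    for attr in entry:
        if attr not in allowed:
            problems.append(f"attribute {attr} not allowed by DUAConfigProfile")
    for v in entry.get("attributemap", []):
        try:
            parse_attribute_map(v)
        except ValueError as e:
            problems.append(str(e))
    return problems


def build_map(entry):
    """{(service, rfc2307-attribute lowercased): alternate attribute}."""
    amap = {}
    for v in entry.get("attributemap", []):
        service, attr, alt = parse_attribute_map(v)
        amap[(service, attr.lower())] = alt
    return amap


def resolve_attribute(amap, service, attribute):
    """Name the client should request for (service, attribute). None means
    'do not return anything', which is what a *NULL* mapping asks for."""
    alt = amap.get((service, attribute.lower()), attribute)
    return None if alt == "*NULL*" else alt


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_PROFILE_LDIF)
    print("problems:", validate_profile(entry))
    amap = build_map(entry)
    print("passwd uidNumber ->", resolve_attribute(amap, "passwd", "uidNumber"))
    print("passwd userPassword ->", resolve_attribute(amap, "passwd", "userPassword"))
    print("broken entry:", validate_profile(parse_ldif(BROKEN_PROFILE_LDIF)))
```

Because LDAP attribute names are case-insensitive, the lookup side lowercases the RFC 2307 attribute name, which is why passwd:uidnumber=employeeNumber in the profile also applies to a request for uidNumber. The alternate attribute is returned exactly as written in the profile so that the client can request it verbatim.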
authenticationMethod
is how the client binds to the directory. The value can be
"simple" indicating bind using a user name and password.
If this attribute has no value, "simple" is the default.
bindTimeLimit
is how long, in seconds, the client should wait to bind before
aborting. 0 (zero) means no time limit. If this attribute has
no value, the default is no time limit.
credentialLevel
is the identity clients use when binding to the directory. The
value must be one of the following: "proxy", "anonymous",
B.1 Profile Attributes 245