LDAP-UX Client Services B.04.
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
• Preface (page 15)
• About This Document (page 15)
• Intended Audience (page 15)
• New and Changed Documentation in This Edition
• 3 Active Directory Multiple Domains (page 57)
• Domain Term Definitions (page 57)
• Multiple Domains (page 57)
• Local Domains
• Printer Attributes (page 76)
• Default Printer Attributes (page 76)
• Printer Attribute Mappings (page 76)
• Managing the LP printer configuration
• Changing Authentication methods (page 105)
• PAM_AUTHZ Login Authorization (page 106)
• Policy And Access Rules (page 106)
• How Login Authorization Works
• Changing Which Profile a Client is Using (page 142)
• Creating an /etc/krb5.keytab File (page 142)
• Considering Performance Impacts (page 143)
• Enumeration Requests
• The ldapuglist Tool (page 175)
• Synopsis (page 175)
• Options (page 175)
• Arguments
• Examples (page 222)
• LDAP Directory Tools (page 225)
• ldappasswd (page 225)
• Syntax
• Environment Variables (page 258)
• General Syntax for Perl Migration Scripts (page 258)
• Examples (page 258)
• Unsupported Contributed Tools and Scripts
List of Figures
• 1-1 A Simplified NIS Environment (page 19)
• 1-2 A Simplified LDAP-UX Client Services Environment (page 20)
• 1-3 HP-UX Client Login Sequence with Windows 2000 (SFU 2.0) (page 21)
• 1-4 The Local Start-up File and the Configuration Profile
• 2-1
• 2-2
• 5-1
• 7-1
• 7-2
List of Tables
• 1 Publishing History Details (page 16)
• 1-1 Examples of Commands that use PAM and NSS (page 21)
• 4-1 Migration Scripts (page 68)
• 5-1 Attribute Mappings
Preface
About This Document
This document describes the installation and administration tasks of LDAP-UX Client Services with Microsoft Windows 2000, 2003 or 2003 R2 Active Directory.
Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing LDAP-UX Client Services with Microsoft Windows 2000, 2003 or 2003 R2 Active Directory Server.
KeyCap: The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis: Text that is emphasized.
Bold: Text that is strongly emphasized.
Bold: The defined use of an important word or phrase.
ComputerOut: Text displayed by the computer.
UserInput: Commands and other text that you type.
Command: A command name or qualified command phrase.
Variable [] {} ... |
Table 1 Publishing History Details (continued)
Document Manufacturing Part Number | Supported Operating Systems | Supported Product Versions | Publication Date
J4269-90041 | 11.0, 11i v1 and v2 | B.03.30 | September 2004
J4269-90049 | 11i v1 and v2 | B.04.00 | July 2005
J4269-90064 | 11i v1 and v2 | B.04.10 | December 2006
J4269-90074 | 11i v1, v2, and v3 | B.04.10 | April 2007
J4269-90076 | 11i v1, v2 and v3 | B.04.15 | August 2007
J4269-90084 | 11i v1, v2 and v3 | B.04.
1 Introduction
LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. This LDAP directory can reside on an HP-UX system, such as Netscape Directory Server 6.x and Red Hat Directory Server 7.0/7.1, or the account information can be integrated into Microsoft Windows 2000, 2003 or 2003 R2 Active Directory.
Figure 1-2 A Simplified LDAP-UX Client Services Environment (figure: two Active Directory domain controllers replicating to each other, with LDAP-UX clients sending LDAP requests to them)
LDAP-UX Client Services for Microsoft Windows 2000, 2003 or 2003 R2 Active Directory supports the passwd and group name service data. Refer to the LDAP-UX Integration B.04.10 Release Notes for any additional supported services.
Figure 1-3 HP-UX Client Login Sequence with Windows 2000 (SFU 2.0) (figure: on the HP-UX client, Login goes through the PAM Library and PAM Kerberos to the Kerberos Services on the Windows 2000 Server, and the NSS Engine goes through NSS_LDAP to Active Directory; the example entry shown carries msSFUName: bobj, cn: Bob Jolly, msSFUHomeDirectory: /home/bobj, uidnumbr: 208, gidnumbr: 20, loginshell: /usr/bin/ksh)
With LDAP-UX Client Services, HP-UX commands and subsystems can transparently access name service information from the Active Directory through PAM and NSS.
1. nsquery(1) is a contributed tool included with the ONC/NFS product.
2. These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.
After you install and configure the Active Directory and migrate your name service data into it, HP-UX client systems locate the directory from a start-up file. The start-up file tells the client system how to download a configuration profile from the Active Directory.
2 Installing LDAP-UX Client Services
This section describes the decisions you need to make and the steps to install and configure LDAP-UX Client Services.
7. Run the setup program to configure LDAP-UX Client Services on a client system. Setup does the following for you:
• Extends your Active Directory schema with the configuration profile schema, if not already done.
• Creates a start-up file on the client. This enables each client to download the configuration profile.
• Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients.
The specific number of domain controllers necessary in your network depends on the network size and configuration. A minimum of two Active Directory domain controllers is recommended for each domain. For more information, refer to the Active Directory documentation, or to http://www.microsoft.com/Windows2000 and http://windowsupdate.microsoft.com.
For information about importing information into the directory, refer to “Importing Name Service Data into Your Directory” (page 35). For information on migration scripts, refer to “Command, Tool, Schema Extension Utility, and Migration Script Reference” (page 163).
CAUTION: If a root login is placed in the Active Directory, that user and password will be able to log in as root to any client using LDAP-UX Client Services.
Figure 2-2 Example Directory Structure for Multiple Domains (figure: directory trees for DC=cup,DC=hp,DC=com, its child domains and DC=hp,DC=com, each with a CN=Users container holding user and group data; the CN=Configuration container with the profile data is shown under DC=cup,DC=hp,DC=com)
NOTE: By default, the CN=configuration, DC=cup, DC=hp, DC=com configuration container only exists in the root domain.
• What authentication method will you use when you choose to enable TLS? You have a choice between SIMPLE (the default), or SASL GSSAPI with TLS. LDAP-UX Client Services includes support for the SASL Generic Security Services Application Programming Interface (GSSAPI) authentication method using Kerberos v5. Currently, Kerberos v5 is the only security mechanism that is implemented to work with GSSAPI.
with LDAP-UX Client Services B.04.00, pam_authz has been enhanced to allow system administrators to configure and customize their local access rules in a local policy file, /etc/opt/ldapux/pam_authz.policy. pam_authz uses these access control rules defined in the local policy file to control the login authorization. Because pam_authz doesn't provide authentication, it doesn't verify if a user account exists. If the /etc/opt/ldapux/pam_authz.
Installing LDAP-UX Client Services on a Client
These are the major steps required to install LDAP-UX Client Services on a client:
1. Use swinstall(1M) to install the LDAP-UX Client Services software (the NativeLdapClient subproducts) on a client system. See the LDAP-UX Integration Release Notes for any last-minute changes to this procedure. You do not need to reboot your system after installing the product.
NOTE: For LDAP-UX Client Services B.03.
The Active Directory must be installed separately after the Windows 2003 Server installation has been completed on your computer. Use the following steps to install the Active Directory Server on Windows 2003:
1. When the Preliminary Steps screen is displayed, select Configure Your Server Wizard.
2. When the Server Role screen is displayed, select Domain Controller (Active Directory), then click the Next button.
3. Install any additional Administrative tools required for you to manage Active Directory.
CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com
CAUTION: Make sure the proxy user is a member of the Domain Users group, which allows read access only, and not of the Administrators group; this protects Active Directory entries from malicious modification. A proxy user's access rights to objects in an Active Directory depend on the default permissions Active Directory was configured with during installation.
You are prompted to select permissions. Select Property-specific and the following permissions:
◦ Read msSFU30GidNumber
◦ Read msSFU30MemberUid
◦ Read msSFU30Name
then click Next.
For R2's RFC2307: You are prompted to select permissions. Select Property-specific and the following permissions:
◦ Read gidNumber
◦ Read memberUid
then click Next.
10. You are shown a screen which confirms your configuration. Click Finish if everything is correct; otherwise, click Back to change it.
The proxy user needs access rights to read passwd and group information in multiple domains.
Step 4: Add an HP-UX Client Machine Account to Active Directory
Use the Active Directory Users and Computers tool to create a user account for your HP-UX host.
• If you are using ADS multiple domains: add a host account for the HP-UX client machine to every domain you want to access.
Importing Name Service Data into Your Directory
The next step is to import your user, group, and other services data into your Active Directory. When planning to import your data, consider the following:
• If you have already imported data into your Active Directory with the SFU 2.0 Server for NIS migration tool, LDAP-UX Client Services can use that data and you can skip to “Configuring LDAP-UX Client Services” (page 36).
Configuring LDAP-UX Client Services
To configure the LDAP-UX Client Services, complete the steps in this section. If you intend to enable SSL or TLS support with LDAP-UX, you must configure the LDAP directory server to support SSL or TLS and install the security database (cert7.db or cert8.db and key3.db) on your client before you run the setup program. For SSL or TLS setup details, refer to “Configuring the LDAP-UX Client Services with SSL or TLS Support” (page 49).
The setup program asks you a series of questions and usually provides default answers. Press the Enter key to accept the default, or change the value and press the Enter key. At any point during setup, press the Control-b keys to return to the previous screen or press the Control-c keys to exit setup.
Choose Windows 2000, 2003 or 2003 R2 as your LDAP directory server (option 2).
12. Next, it prompts you to select the authentication method that users use to bind/authenticate to the server. Choose the authentication method from one of the following prompts, based on your selection in step 11:
• If you chose not to enable TLS, you have a choice between SIMPLE (the default) or SASL GSSAPI. If you chose to enable TLS, you have a choice between SIMPLE with TLS (the default) or SASL GSSAPI with TLS. Skip to step 13.
22. Enter the Profile Time To Live (TTL) value. This value defines the time interval between automatic downloads (refreshes) of new configuration profiles from the directory. Automatic refreshing ensures that the client is always configured using the newest configuration profile. If you want to disable automatic refresh or manually control when the refresh occurs, enter a value of 0. Refer to “Downloading the Profile Periodically” (page 55).
NOTE: The default search base DN for all requests will be set to the previously specified default search base DN (specified in step 12), usually the domain root. For very large databases, search performance can be greatly increased by specifying custom search descriptors. For example, to search user and group information, set the search base DN for the user and group services to CN=Users, DC=cup, DC=hp, DC=com.
Search filter [(objectclass=printerlpr)]: (objectclass=printQueue)
25. Enter Yes to the question Are you ready to create the Profile Entry?, then press any key to continue.
26. At this point, you choose whether or not to configure for Multiple Domains.
Remapping Attributes for Services
This section describes detailed procedures on how to perform attribute mappings for the dynamic group, LDAP printer configurator and X.500 group membership services.
Attribute Mappings for LDAP Printer Configurator Support
The default printer attributes, printer-name and printer-uri, are not defined in the Windows Active Directory Server. You need to define the alternate printer attributes and map them to printer-name and printer-uri respectively.
Type 0 to exit this menu at the following question:
Specify the attribute you want to map. [0]: 0
Attribute Mappings for Dynamic Group Support
To enable dynamic group support, you must remap the default group member attribute, memberuid, to msDS-AzLDAPQuery (for Windows Active Directory Server). For detailed information about dynamic group support, see “Dynamic Group Support” (page 81).
1. Type yes for the following question:
Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes
2. Select the group service by entering 3 for the following question and pressing the Return key:
Specify the service you want to map? [0]: 3
3. Enter 3 for the following question and press the Return key:
Specify the attribute you want to map? [0]: 3
4. Enter the attributes you want to map to the member attribute:
[memberuid]: member
NOTE: LDAP-UX supports DN-based (X.
Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
1. Create /etc/krb5.conf, the Kerberos configuration file, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the logging file names. The Kerberos client depends on this configuration to locate the realm's KDC. The following is an example of /etc/krb5.conf for the realm CUP.HP.COM with the machine myhost.cup.hp.com as KDC (the [realms] section is completed here from those two values; the logging file names belong in a [logging] section and are not shown):
[libdefaults]
    default_realm = CUP.HP.COM

[realms]
    CUP.HP.COM = {
        kdc = myhost.cup.hp.com
    }
NOTE: The keytab file should only be readable by the root user.
5. Synchronize the HP-UX clock to the Windows 2000 or 2003 clock. These must be synchronized within two minutes. You can run Network Time Synchronizer to synchronize both clocks. If the tool is not available, you can manually synchronize them by setting "Date/Time Properties" on Windows 2000 or 2003 and running /etc/set_parms date_time on HP-UX.
6. Configure /etc/pam.
1. Use the nsquery(1) command to test the name service:
nsquery lookup_type lookup_query [lookup_policy]
For example, to test the name service switch to resolve a username lookup, enter:
nsquery passwd username ldap
where username is the login name of a valid user whose POSIX account information is in the directory. You should see output something like the following, depending on how you have configured /etc/nsswitch.conf:
Using "ldap" for the passwd policy.
pw_audid..........(0)
pw_audflg.........(0)
Use the following beq command if you run on a 64-bit HP-UX 11i v2 or v3 IA machine:
./beq -k n -s pwd -l /usr/lib/hpux64/libnss_ldap.so.1 iuser1
Use the following beq command if you run on a 32-bit HP-UX 11i v2 or v3 IA machine:
./beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 iuser1
Refer to "beq Search Tool" in “Command, Tool, Schema Extension Utility, and Migration Script Reference” (page 163) for command syntax and examples.
a. Create or import a POSIX user account into an ADS remote domain (for example, the user account smith; this is identical to how you set it up for a single domain, except now you put it into a remote domain).
b. If pwget -n smith returns valid data, LDAP-UX is working with ADS multiple domains. If no data is returned, the setup was not successful.
TLS Support
Starting with LDAP-UX Client Services B.04.10, the product supports a new extended operation of the TLS (Transport Layer Security) protocol, called startTLS, to secure communication between LDAP clients and the Windows Active Directory Server. startTLS establishes an encrypted session on the unencrypted port, 389. If an already encrypted (SSL) port is used instead, the secure connection cannot be established.
Enter "administrator" as the username and the user's password for the Active Directory Server.
Select the task "Retrieve the CA certificate or certificate revocation list" in the Microsoft Certificate Services screen. Then, click the Next button.
Click the "Install this CA certificate" link in the "Retrieve the CA certificate or certificate revocation list" window to allow your LDAP-UX client to trust certificates issued by this Certificate Authority.
6. The Netscape Directory CA certificate is downloaded to the following two files on your LDAP-UX client:
/.mozilla/default/*.slt/cert8.db
/.mozilla/default/*.slt/key3.db
7. Copy the /.mozilla/default/*.slt/cert8.db file to /etc/opt/ldapux/cert8.db and the /.mozilla/default/*.slt/key3.db file to /etc/opt/ldapux/key3.db.
8. Set the file access permissions for /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.
/opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t "C,," -d /etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE: The -t "C,," represents the minimum trust attributes that may be assigned to the CA certificate for LDAP-UX to successfully use SSL or TLS to connect to the LDAP directory server. If you have other applications that use the CA certificate for other functions, then you may wish to assign additional trust flags. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.
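The keytab note in the PAM Kerberos procedure and step 8 above both come down to one rule: the files that hold the client's secrets must be readable by root only. The following added example (written for this page, not an LDAP-UX tool) audits that rule for any list of paths. The default file list and the expected owner uid 0 are assumptions made for the example; demo() creates constructed temporary files so the check can be exercised without touching the real ones.

```python
"""Audit the permissions of the client's secret files (added example)."""
import os
import stat
import tempfile

# Assumed default list for this example: the keytab and the NSS key/cert
# databases named in the text.
DEFAULT_SECRET_FILES = (
    "/etc/krb5.keytab",
    "/etc/opt/ldapux/key3.db",
    "/etc/opt/ldapux/cert8.db",
)


def check_private_file(path, expect_uid=0, max_mode=0o600):
    """Return a list of problems found for one file; an empty list means OK.

    expect_uid is the uid that should own the file (root by default) and
    max_mode is the widest permission set allowed (0600: owner read/write).
    """
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symbolic link")   # may point outside the directory
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode                    # bits beyond what is allowed
    if extra & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("group has access (mode %04o)" % mode)
    if extra & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("others have access (mode %04o)" % mode)
    if extra & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("executable bit set (mode %04o)" % mode)
    if st.st_uid != expect_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expect_uid))
    return problems


def audit(paths=DEFAULT_SECRET_FILES, expect_uid=0):
    """Map each path with problems to its list of problems."""
    report = {}
    for path in paths:
        found = check_private_file(path, expect_uid=expect_uid)
        if found:
            report[path] = found
    return report


def demo():
    """Check two constructed temporary files (0644 and 0600) as the current user."""
    results = {}
    for mode in (0o644, 0o600):
        fd, path = tempfile.mkstemp(prefix="ldapux-demo-")
        os.close(fd)
        os.chmod(path, mode)
        results[mode] = check_private_file(path, expect_uid=os.getuid())
        os.unlink(path)
    results["missing"] = check_private_file("/nonexistent/ldapux-demo")
    return results


if __name__ == "__main__":
    for path, found in audit().items():
        print("%s: %s" % (path, "; ".join(found)))
```

Run it as root after copying the databases into /etc/opt/ldapux; an empty report means the keytab and the two NSS databases are owned by root with mode 0600 or tighter. The symbolic-link check matters because a link could substitute another file for the real database.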
the host name or fully qualified host name and LDAP-UX only has the IP address of the host, it is not possible for LDAP-UX to verify the host name on the certificate. If you want to configure the CNCERT validation level with the peer_cert_policy parameter, you must manually execute the following configuration steps:
1. Update the preferredserverlist setting in the profile to contain the host name of the LDAP server such that it matches the host name specified in the LDAP server's certificate.
Downloading the Profile Periodically
The product setup program, /opt/ldapux/setup, allows you to define a time interval after which the current profiles are automatically refreshed. The start time for this periodic refresh is defined by the time the setup program was run and the value defined for ProfileTTL. Therefore, it does not allow you to define a specific time of day when the profiles should be downloaded (refreshed).
NOTE: Starting with the B.03.
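The CNCERT step above hinges on a simple rule: a server listed by IP address can never be matched against a certificate that names hosts. The following added example (written for this page, not LDAP-UX's own validation code) shows the comparison a client has to make. It assumes preferredserverlist entries are host names or host:port pairs separated by spaces, and takes the certificate's names as a plain list (the subject CN plus any DNS subjectAltName entries); the host names are constructed under the cup.hp.com domain used elsewhere in this document.

```python
"""Host-name check behind the CNCERT peer_cert_policy level (added example)."""
import ipaddress


def _normalize(name):
    """Case-fold and drop a trailing dot so 'DC1.cup.hp.com.' equals 'dc1.cup.hp.com'."""
    return name.strip().rstrip(".").lower()


def is_ip_literal(host):
    """True for IPv4/IPv6 literals, with or without IPv6 brackets."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def server_host(entry):
    """Strip an optional :port from a preferredserverlist entry (assumed form)."""
    entry = entry.strip()
    if entry.startswith("["):                 # [IPv6]:port form
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:                 # host:port
        return entry.split(":")[0]
    return entry                              # bare host or bare IPv6 literal


def host_matches_cert(entry, cert_names):
    """True if the configured server name can be matched to the certificate.

    An IP address is rejected outright: the certificate carries host names, so
    there is nothing to compare it against, which is the failure the text
    describes. Wildcards are honoured for the leftmost label only.
    """
    host = server_host(entry)
    if is_ip_literal(host):
        return False
    host = _normalize(host)
    for cert_name in cert_names:
        cert_name = _normalize(cert_name)
        if cert_name == host:
            return True
        if (cert_name.startswith("*.") and host.count(".") >= 2
                and host.split(".", 1)[1] == cert_name[2:]):
            return True
    return False


def check_preferred_servers(preferredserverlist, cert_names):
    """Return the entries of the list that would fail CNCERT validation."""
    return [entry for entry in preferredserverlist.split()
            if not host_matches_cert(entry, cert_names)]


if __name__ == "__main__":
    # Constructed: one host-name entry and one IP entry against a CN of dc1.cup.hp.com
    print(check_preferred_servers("dc1.cup.hp.com 192.0.2.10:389", ["dc1.cup.hp.com"]))
```

Any entry the function returns must be rewritten in the profile as the host name that appears in the server certificate before switching peer_cert_policy to CNCERT, otherwise every connection to that server will be refused.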
3 Active Directory Multiple Domains
This chapter contains information specific to multiple domains. If you do not store user and group information in multiple domains, you can skip this chapter. The following topics are included in this chapter:
• “Domain Term Definitions” (page 57)
• “Retrieving Data from a Remote Domain” (page 57)
• “Downloading an Automatic Profile” (page 58)
• “Understanding the ldapux_client.
a remote domain sequence. When LDAP-UX does not find data in the local domain, all remote domains are searched in the specified order until the data is found.
• GCS: This method allows you to configure LDAP-UX to search the GCS first. If you are not sure in which domain the data resides, you can configure LDAP-UX to search the GCS first to determine in which domain the requested data resides, then connect to that specific domain controller to retrieve the complete POSIX information.
the server. In the B.03.
PROFILE_ENTRY_DN="cn=globalprofile,CN=Configuration,DC=la,DC=ca, DC=com"
PROGRAM="/opt/ldapux/config/create_profile_cache -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.gc -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.gc"
The contents of this file are created as you run the setup tool.
Assume the user account jimmy resides in domainA, domainB, and domainC simultaneously:
• If domainA is the local domain, jimmy in domainA logs in to the HP-UX client.
• If all three domains are remote domains, configured in the sequence domainB, domainC, domainA, then jimmy in domainB, the first domain in the configuration, logs in to the HP-UX client.
Removing the GCS from the Search Scope To remove the GCS from the search scope, either run setup to re-configure, or manually edit /etc/opt/ldapux/ldapux_client.conf to remove the gc section, its corresponding profiles (/etc/opt/ldapux/domain_profiles/ldapux_profile.bin.gc and ldapux_profile.ldif.gc), and all entries to the end of the file. Restart the client daemon for the change to take effect.
• The following name service databases are supported in a single domain:
— hosts
— protocols
— networks
— rpc
— services
• Data enumeration is not supported with ADS multiple domains. The getXXent() APIs only enumerate data located in the local domain.
Limitations of Multiple Domains in Version B.03.
4 LDAP-UX Client Services with AutoFS Support
This chapter contains information describing how LDAP-UX supports the automount service, how to set up the automount schema, and how to configure the automount service to use this functionality. This chapter contains the following sections:
• Overview
• Automount Schemas
• Configuring Automount Caches
• AutoFS Migration Scripts
Overview
AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them.
DESC 'Automount' SUP top STRUCTURAL MUST ( automountKey & automountInformation & cn ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automountMapName' EQUALITY caseExactIA5Match SYNTAX 2.5.5.5 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'AutomountKey' EQUALITY caseExactIA5Match SYNTAX 2.5.5.5 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.
Configuring Name Service Switch
Configure the Name Service Switch (NSS) to enable LDAP support for AutoFS. Save a copy of the /etc/nsswitch.conf file, then modify the original to add LDAP support to the automount service. See /etc/nsswitch.ldap for a sample. The following shows the sample file, /etc/nsswitch.
AutoFS Migration Scripts This section describes the migration scripts which can be used to migrate your AutoFS maps from files to LDIF files. After LDIF files are created, you can use the ldapmodify tool to import LDIF files to your LDAP directory server. These migration scripts use the new automount schema defined in RFC 2307-bis to migrate the AutoFS maps to LDIF. You need to import the new automount schema into your LDAP directory server before you use these migration scripts to migrate AutoFS maps.
General Syntax For Migration Scripts
The migration scripts use the following general syntax:
scriptname inputfile [outputfile]
where
scriptname: Is the name of the particular script you are using.
inputfile: Is the fully qualified file name of the appropriate AutoFS map that you want to migrate. For example, /etc/auto_master.
outputfile: This is optional and is the name of the file where the LDIF is written. stdout is the default output.
The migrate_automount_ads.
the following command imports the /tmp/auto_direct.ldif file to the LDAP base DN "dc=nishpind" in the LDAP directory server LDAPSERV1, where bindpassword stands for the directory manager's password:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=directory manager" \
  -w bindpassword -f /tmp/auto_direct.ldif
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_indirect.ldif that you just created above into the LDAP directory. For example, the following command imports the /tmp/auto_indirect.ldif file to the LDAP base DN "dc=nisserv1" in the LDAP directory server LDAPSERV1, where bindpassword stands for the directory manager's password:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" \
  -w bindpassword -f /tmp/auto_indirect.ldif
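To show what the migration scripts produce, here is an added example that turns an AutoFS map into LDIF of the shape the automount schema in this chapter expects. It is illustrative code written for this page, not HP's migrate_automount_ads script: the object classes and attributes (automountMap/automountMapName, automount with automountKey, automountInformation and cn) are taken from the schema excerpt above, the base DN dc=nishpind from the ldapmodify example, and the map contents are a constructed sample of a direct map.

```python
"""Convert an AutoFS map file into automount LDIF (added example)."""

BASE_DN = "dc=nishpind"   # base DN used in the ldapmodify example in the text

# Constructed sample: the contents of a direct map such as /etc/auto_direct.
SAMPLE_AUTO_DIRECT = """\
# direct map for shared tools (constructed sample)
/usr/local/tools   -ro,intr  nfsserv1:/export/tools
/data/projects     nfsserv1:/export/projects
"""


def parse_automount_map(text):
    """Return (key, options, location) tuples for the entries of an AutoFS map.

    Blank and comment lines are skipped; an options field is recognised by
    its leading '-', and everything after it is the mount location.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, rest = fields[0], fields[1:]
        options = ""
        if rest and rest[0].startswith("-"):
            options, rest = rest[0], rest[1:]
        if not rest:
            raise ValueError("map entry without a location: %r" % raw)
        entries.append((key, options, " ".join(rest)))
    return entries


def escape_rdn_value(value):
    """Escape the characters RFC 4514 requires escaping inside an RDN value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def map_to_ldif(map_name, text, base_dn=BASE_DN):
    """Build LDIF: one automountMap container plus one automount entry per key.

    automountInformation holds the options (when present) followed by the
    location, the form automount reads back from the directory.
    """
    map_dn = "automountMapName=%s,%s" % (escape_rdn_value(map_name), base_dn)
    records = ["dn: %s\nobjectClass: top\nobjectClass: automountMap\n"
               "automountMapName: %s" % (map_dn, map_name)]
    for key, options, location in parse_automount_map(text):
        info = (options + " " + location).strip()
        records.append("dn: automountKey=%s,%s\nobjectClass: top\n"
                       "objectClass: automount\nautomountKey: %s\n"
                       "automountInformation: %s\ncn: %s"
                       % (escape_rdn_value(key), map_dn, key, info, key))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(map_to_ldif("auto_direct", SAMPLE_AUTO_DIRECT), end="")
```

The output can be fed to ldapmodify -a exactly like the files the migration scripts write. Escaping the RDN values matters for real maps: a key such as a hostname list containing commas would otherwise produce a DN that the server parses as extra RDN components.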
5 LDAP Printer Configurator Support
This chapter contains information describing how LDAP-UX supports the printer configurator, and how to configure the printer configurator to control its behavior. This chapter contains the following sections:
• Overview (page 73).
• How the LDAP Printer Configurator works (page 74).
• Printer Configuration Parameters (page 76).
• Printer Schema and Attributes (page 76).
• Managing the LP printer configuration (page 78).
• Limitations of Printer Configurator (page 79).
How the LDAP Printer Configurator works
The Printer Configurator is a service daemon which provides the following functions:
• Periodically searches the existing printer entries stored in the LDAP Directory Server
• Compares the search result with the master printer record file on each scheduled ldapsearch
• Adds the print configuration to the client system for each new printer
• Deletes the printer from the client system for each removed printer
• Updates the master printer record file
When ldapclientd is initialize
Printer Configurator Architecture
Figure 5-1 shows the printer configurator architecture. As an example, this figure uses the alternate printer attributes, printerbyname and printer-resource. The printerbyname attribute specifies the local printer name. The printer-resource attribute provides the remote host name and remote printer name.
Printer Configuration Parameters
The LDAP-UX Client Services provides four printer configuration parameters, start, search_interval, max_printers and lpadmin_option, for you to customize and control the behavior of the printer configurator. These parameters are defined in the ldapclientd.conf file. See the “ldapclientd.conf Configuration File” section in Chapter 7 (page 91) for details.
Using the Existing Printer Attributes
You can use the existing printer attributes provided by the Windows ADS schema to define alternate printer attributes which can be remapped to printer-name and printer-uri respectively. For example, the existing printer attributes, printerbinname and printer-color, are defined and mapped to printer-name and printer-uri respectively as shown in Table 5-2.
Managing the LP printer configuration
The LDAP-UX Client Services provide the printer configurator integration; the product daemon automatically updates the remote LP printer configuration of a client system based on the available printer objects in the ADS Directory Server. The printer configurator provides the printer configuration management; it verifies whether the printer configuration conflicts with the LP printer configuration on the client system before it actually adds or deletes a printer.
Example 4: The remote LP printer, laser2, no longer supports the LPD printing protocol; the IPP printing protocol is implemented instead. The administrator updated the printer object by changing the printing protocol to IPP. The following shows the updated printer object in the directory server:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printerbyname: laser2
printer-resource: ipp://hostC.hp.
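The search-compare-add-delete cycle described in this chapter, and the conflict check that "Managing the LP printer configuration" calls for, can be shown as one reconciliation step. The following added example is illustrative code written for this page, not the ldapclientd printer configurator: it assumes the alternate attributes used in this chapter (printerbyname for the local name, printer-resource for the remote URI), keeps the master printer record as a name-to-resource dict, and takes the client's current LP configuration as another dict. All entries are constructed; laser2 reproduces the protocol change of Example 4.

```python
"""Reconcile directory printer entries with the client's LP configuration (added example)."""
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = ("lpd", "ipp")

# Constructed: entries from one scheduled search, reduced to the two mapped
# attributes. laser2 moved from LPD to IPP (Example 4), laser3 is new in the
# directory, laser1 has been removed from it and "broken" has a bad resource.
DIRECTORY_ENTRIES = [
    {"printerbyname": "laser2", "printer-resource": "ipp://hostc.example/printers/laser2"},
    {"printerbyname": "laser3", "printer-resource": "lpd://hostd.example/laser3"},
    {"printerbyname": "broken", "printer-resource": "smb://hoste.example/broken"},
]

# Constructed: master printer record written by the previous run.
MASTER_RECORD = {
    "laser1": "lpd://hosta.example/laser1",
    "laser2": "lpd://hostc.example/laser2",
}

# Constructed: remote printers currently configured on the client. plotter was
# configured by hand; laser3 clashes with a directory printer of the same name.
LOCAL_LP = {
    "laser1": "lpd://hosta.example/laser1",
    "laser2": "lpd://hostc.example/laser2",
    "plotter": "lpd://hostf.example/plotter",
    "laser3": "lpd://hostx.example/other",
}


def parse_resource(uri):
    """Split a printer-resource URI into (protocol, remote host, remote printer)."""
    parts = urlsplit(uri)
    if parts.scheme not in SUPPORTED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported printer-resource %r" % uri)
    return parts.scheme, parts.hostname, parts.path.rstrip("/").rsplit("/", 1)[-1]


def reconcile(entries, master, local_lp, max_printers=None):
    """Compare one search result with the master record and the local LP state.

    Returns the printers to add, update and delete, the entries skipped because
    of a conflict, and the master record to write back after the actions have
    been applied. Only queues the configurator recorded itself are ever
    deleted, and never if the local queue has been changed by hand since.
    """
    wanted, skipped = {}, []
    for entry in entries:
        name, res = entry["printerbyname"], entry["printer-resource"]
        try:
            parse_resource(res)
        except ValueError as exc:
            skipped.append((name, str(exc)))
            continue
        wanted[name] = res
    if max_printers is not None:              # honour the max_printers parameter
        wanted = dict(sorted(wanted.items())[:max_printers])

    add, update, delete = [], [], []
    for name, res in wanted.items():
        if name in master:
            if master[name] != res:
                update.append((name, master[name], res))
        elif name in local_lp:
            skipped.append((name, "a local queue with this name already exists"))
        else:
            add.append((name, res))
    for name, res in master.items():
        if name in wanted:
            continue
        if local_lp.get(name) == res:
            delete.append(name)
        else:
            skipped.append((name, "local queue differs from the master record"))

    new_master = {n: r for n, r in wanted.items() if n in master or (n, r) in add}
    return {"add": add, "update": update, "delete": delete,
            "skipped": skipped, "master": new_master}


if __name__ == "__main__":
    for action, items in reconcile(DIRECTORY_ENTRIES, MASTER_RECORD, LOCAL_LP).items():
        print(action, items)
```

The conflict rules are the point of the example: a directory entry whose name collides with a hand-configured queue is reported rather than applied, and a printer that disappears from the directory is only removed when the local queue still matches what the configurator recorded, so an administrator's local changes survive a refresh.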
6 Dynamic Group Support This chapter contains information about how LDAP-UX Client Services supports dynamic groups, how to set up dynamic groups, and how to enable or disable dynamic group caches.
1. Use Authorization Manager to create dynamic groups. See the “Step 1: Creating a Dynamic Group (LDAP Query Group)” section for details.
2. Use ADSI Edit to add the POSIX group ID to the dynamic group entry created in step 1. See the “Step 2: Add POSIX Attributes to a Dynamic Group” section for details.
3. Give the proxy user the read permissions needed to search dynamic groups in Windows ADS. See the “Step 3: Setting Read Permissions for the Proxy user” section for details.
description: my dynamic group
distinguishedName: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,DC=hp,DC=com
instanceType: 4
whenCreated: 20060313181428.0Z
whenChanged: 20060313182629.
Step 3: Setting Read Permissions for the Proxy User The LDAP query groups (dynamic groups) created by Authorization Manager are not placed under the CN=Users container. Authorization Manager creates its own authorization store objects (for example, CN=dyngroup). By default, a regular user is not allowed to read LDAP entries under those authorization store objects.
LDAP-UX retrieves group members and processes groups that a specific user belongs to by looking into all configured attributes. An LDAP query group specifies dynamic members using a search filter. LDAP-UX uses the search base and search scope of the passwd service from the profile, and combines the search filter of the passwd service from the profile with the search filter specified by msDS-AzLDAPQuery to retrieve group members.
The attribute mappings are done in step 23 of “Step 1: Run the Setup Program” in the “Configuring LDAP-UX Client Services” section. For detailed information on how to remap group attributes, see “Step 1: Run the Setup Program” (page 36) in the “Configuring LDAP-UX Client Services” section.
Number of Group Members Returned
With dynamic membership support, as with regular (static) group membership support, the number of group members for a specific group returned by getgrnam()/getgrgid()/getgrent() on an HP-UX system is limited by internal buffer sizes. On HP-UX 11i v1 and v2 systems, the buffer size is 7296 bytes for 32-bit applications and 10496 bytes for 64-bit applications. How many members fit in that buffer depends mainly on the length of each member name.
Performance Impact for Dynamic Groups
A dynamic group is specified by a search filter. Depending on how you configure dynamic groups, many LDAP searches may be involved. In that case, the performance of applications that call getgrnam(), getgrgid() or getgrent() (3C), for example the id and groups commands, will be affected.
Dynamic Group with Active Directory Server Multiple Domains
LDAP-UX Client Services supports dynamic groups with the following limitations on ADS multiple domains:
• For dynamic groups configured in the local domain (i.e. the domain whose profile is /etc/opt/ldapux/ldapux_profile.ldif), LDAP-UX will return dynamic members for getgrnam()/getgrgid()/getgrent(), and return dynamic groups that a user belongs to.
• For dynamic groups configured in remote domains (i.e.
7 Administering LDAP-UX Client Services
This chapter describes administrative procedures used to keep clients operating efficiently and to expand the computing environment.
lpsched commands to add, modify, and remove printers accordingly for the local system. By default, the LDAP printer configurator is enabled. By default, ldapclientd starts at system boot time. The client daemon can be launched manually or controlled while it is running by executing the ldapclientd command. For detailed information on the available parameters and syntax for the ldapclientd command, see the “ldapclientd.conf Configuration File” section.
/opt/ldapux/bin/ldapclientd <-f| -k| -L| -h| -r>
Command Options
Refer to the ldapclientd man page(s) for option information.
Diagnostics
By default, errors are logged to syslog if the system log is enabled in the LDAP-UX client startup configuration file /etc/opt/ldapux/ldapux_client.conf. Errors occurring before ldapclientd forks into a daemon process are written directly to the screen. The following diagnostic messages may be issued:
Message: Already running.
...
Where:
comment: ldapclientd ignores any line beginning with a # delimiter.
section: Each section is configured by the setting=value lines underneath it. The section name must be enclosed in brackets ([ ]). Valid section names are:
• StartOnBoot
• general
• passwd
• group
• netgroup
• uiddn
• domain_pwd
• domain_grp
• automount
setting value: This differs for each section. Depending on the setting, the value can be yes, no, or a number.
update_ldapux_conf_time=<10-2147483647>
This determines how often, in seconds, ldapclientd re-reads the /etc/opt/ldapux/ldapux_client.conf client configuration file to download new domain profiles. The default value is 600 (10 minutes).
cache_size=<102400-1073741823>
The maximum number of bytes that ldapclientd caches for all services except dynamic_group. This value is the upper limit of memory that ldapclientd can use to cache all services except dynamic_group.
The time, in seconds, before a cache entry expires from the negative cache. If dynamic_group caching is enabled, this value must be less than negcache_ttl of [dynamic_group]. The default value is 240 (4 minutes).
[dynamic_group]
This section describes the settings for the Dynamic Group cache. This cache manages dynamic group information, including name, group ID and membership information. It is maintained in an independent memory space not shared with the cache for other maps.
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. Typically, once added into a directory, the user's DN rarely changes. The default value is 86400 (24 hours).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache. The default value is 86400 (24 hours).
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. The default value is 1800 (30 minutes).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative cache. The default value is 1800 (30 minutes).
[automountMap]
Cache settings for the automount map cache.
enable=
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
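The section names, value ranges and the negcache_ttl ordering constraint described above can be checked mechanically before ldapclientd re-reads the file. The following Python script is an added example, not part of the LDAP-UX product: it parses a constructed ldapclientd.conf-style file, and it assumes that the sentence requiring negcache_ttl to be less than that of [dynamic_group] refers to the [group] section.

```python
"""Check an ldapclientd.conf-style file against the documented settings.

Added example, not LDAP-UX code. Section names and value ranges come from the
setting descriptions; the rule that [group] negcache_ttl must be less than
[dynamic_group] negcache_ttl is an assumption about which section that
sentence refers to.
"""

# Constructed sample: dynamic_group caching is on, but the [group] negative
# cache (600 s) outlives the [dynamic_group] negative cache (240 s).
SAMPLE_CONF = """\
#!/sbin/sh
# ldap client daemon configuration (constructed sample)
[StartOnBoot]
enable=yes
[general]
update_ldapux_conf_time=600
cache_size=102400
[passwd]
enable=yes
poscache_ttl=1800
negcache_ttl=1800
[group]
enable=yes
poscache_ttl=1800
negcache_ttl=600
[dynamic_group]
enable=yes
poscache_ttl=240
negcache_ttl=240
[automountMap]
enable =yes
"""

VALID_SECTIONS = {
    "StartOnBoot", "general", "passwd", "group", "netgroup", "uiddn",
    "domain_pwd", "domain_grp", "automount", "automountMap", "dynamic_group",
}

# (min, max) as given in the setting descriptions
RANGES = {
    "update_ldapux_conf_time": (10, 2147483647),
    "cache_size": (102400, 1073741823),
    "poscache_ttl": (0, 2147483647),
    "negcache_ttl": (1, 2147483647),
}


def parse_conf(text):
    """Return {section: {setting: value}}; lines starting with # are ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"setting outside a section or malformed: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()  # tolerates 'enable =yes'
    return sections


def check_conf(sections):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for name, settings in sections.items():
        if name not in VALID_SECTIONS:
            problems.append(f"unknown section [{name}]")
        for key, value in settings.items():
            if key == "enable":
                if value not in ("yes", "no"):
                    problems.append(f"[{name}] enable must be yes or no, got {value!r}")
            elif key in RANGES:
                lo, hi = RANGES[key]
                if not value.isdigit() or not lo <= int(value) <= hi:
                    problems.append(f"[{name}] {key}={value} is outside {lo}-{hi}")
    dyn = sections.get("dynamic_group", {})
    grp = sections.get("group", {})
    dyn_neg, grp_neg = dyn.get("negcache_ttl", ""), grp.get("negcache_ttl", "")
    # Caching is enabled by default, so only an explicit enable=no turns it off.
    if dyn.get("enable", "yes") == "yes" and dyn_neg.isdigit() and grp_neg.isdigit():
        if int(grp_neg) >= int(dyn_neg):
            problems.append(f"[group] negcache_ttl={grp_neg} must be less than "
                            f"[dynamic_group] negcache_ttl={dyn_neg}")
    return problems


if __name__ == "__main__":
    for problem in check_conf(parse_conf(SAMPLE_CONF)):
        print("ldapclientd.conf:", problem)
```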
Example Configuration File
The following is a sample ldapclientd.conf configuration file.
#!/sbin/sh
# @(#) $Revision: 1.1 $
# ldap client daemon configuration.
# LDAP-UX does not support netgroup with Windows 2000 Active
# Directory Server.
#
[netgroup]
enable=yes
[uiddn]
enable=yes
[domain_pwd]
enable=yes
[domain_grp]
enable=yes
[automount]
enable=yes
[automountMap]
enable=yes
Integrating with Trusted Mode
This section describes the features and limitations, PAM configuration changes and configuration parameters for integrating LDAP-UX with Trusted Mode.
Overview
Starting with LDAP-UX Client Services B.03.30, the product supports coexistence with Trusted Mode.
• Audit IDs for LDAP-based accounts are unique on each system. Audit IDs are not synchronized across hosts running in the Trusted Mode.
• When an LDAP-based account name is changed, a new audit ID is generated on each host that the account is newly used on.
• The initial_ts_auditing flag defined in the /etc/opt/ldapux/ldapux_client.conf file will be reset to the default value.
• When an account is deleted from LDAP, the audit information for that account is not removed from the local system.
recommended to run the authck -d command when you configure LDAP-UX with Trusted Mode.
• You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based accounts.
• The LDAP repository and /etc/passwd repository must not contain accounts with the same login name or account number.
• Except for the audit flag, you cannot modify other Trusted Mode properties/policies for LDAP-based accounts.
How SASL GSSAPI Works
Figure 7-1 SASL GSSAPI Environment (figure: KDC server with AS and TGS, LDAP-UX Client Services, and Windows 2000/2003 Active Directory; numbered steps 1 to 6)
The following describes how LDAP-UX binds a client using SASL GSSAPI to the LDAP directory server shown in Figure 4-1:
1. The LDAP-UX Client Service sends the principal name and password to the Authentication Server (AS).
2.
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
-------------------------------------------
1 ldapux/hpntc10.cup.hp.com@HP.COM
1 host/hpntc10.cup.hp.com@HP.COM
Configuring a Principal as the Proxy User
The following describes three different ways to configure a principal as the proxy user:
• Configure a user principal: Use ldap_proxy_config -i or "-d and -c" to enter a Kerberos user principal and its credential (i.e. password).
default keytab file configured in /etc/krb5.conf, then the keytab file /etc/krb5.keytab will be used. Each service principal must have a service key known by every domain controller, which also acts as a KDC. Use the ktpass tool to create the keytab file and set up an identity mapping for the host account. The following example shows how to run ktpass to create the keytab file for the HP-UX host myhost with the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost@CUP.HP.
PAM_AUTHZ Login Authorization
The Pluggable Authentication Module (PAM) is an industry standard authentication framework that is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The PAM framework also allows new authentication service modules to be plugged in and made available without modifying the PAM-enabled applications.
Figure 7-2 PAM_AUTHZ Environment (figure: policy configuration file, PAM-enabled application, pam_authz, the ldap-ux client daemon ldapclientd, authentication modules such as pam_kerberos and pam_ldap, /etc/group, /etc/netgroup and the LDAP directory server; numbered steps 1 to 7)
The following describes the policy validation performed by PAM_AUTHZ for the user login authorization shown in Figure 7-2:
1.
PAM_AUTHZ Supports Security Policy Enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP directory server. This feature works with SSH (Secure Shell) and with r-commands with rhosts enabled, where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem but by the command itself.
Policy File
The system administrator can define a local access policy and store all defined access rules in the policy file, /etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ service module uses this local policy file to process the access rules and to control the login authorization. LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to configure the policy file to work with PAM_AUTHZ.
Policy Validator
PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the access rules defined in pam_authz.policy. It validates and determines the user's login authorization based on the user's login name and the information it retrieves from various name services. The result is then returned to the PAM framework. PAM_AUTHZ processes access rules in the order they are defined in pam_authz.policy.
Constructing an Access Rule in pam_authz.policy
In the policy file, /etc/opt/ldapux/pam_authz.policy, an access rule consists of three fields as follows:
::
Table 7-1 Field Syntax in an Access Rule (continued)
deny, allow, other: No value is required.
status: The valid value for this field can be rhds or ads. Specifies the function name that is called to evaluate certain policy settings of the login user. Example: status:ads:check_ads_policy. See the “Account and Password Security Policy Enforcement” section for details.
Rules that have one of these specified as the field define a static list access rule. For this rule, the field is specified as a predefined list of identifiers, which are matched directly with data in the login request. This field specifies where PAM_AUTHZ looks to determine whether the login field is present in the appropriate data store, such as /etc/passwd or /etc/group. If the login field is found, the rule evaluates to true.
Static List Access Rule
When the value in the field is one of unix_user, unix_group, netgroup, or ldap_group, the rule is evaluated using a list of predefined values in the field. Based on the value in the field, pam_authz calls the appropriate service to determine whether the requested item is present. If the requested information is found, the rule evaluates to true.
or groupOfUniqueNames object class. A list of ldap_group names is specified in the field. The group membership information is stored in the LDAP directory server. An example of an ldap_group type of access rule is as follows:
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
PAM_AUTHZ retrieves the membership of each listed group from the directory server through LDAP-UX client services.
Dynamic Variable Access Rule
PAM_AUTHZ supports dynamic variables in the ldap_filter type of access rule. A dynamic variable is defined in the (LDAP search filter) field; it can consist of one or more (attribute=$[variable_name]) pairs.
and the value is 1.2.3.200. If Mary attempts to log in to the host with the IP address, 1.2.3.200, then the access rule is evaluated to be true and this user is granted login access.
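The ordered evaluation of static list rules and the $[variable_name] substitution described above, as an added Python example that is not LDAP-UX code. It evaluates constructed pam_authz.policy-style rules against constructed in-memory name-service data; it assumes that the first rule that evaluates true decides the login (allow or deny), that None means no rule matched, and its ldap_filter matcher understands only equality terms and '&' conjunctions.

```python
"""Evaluate pam_authz.policy-style access rules against a login request.

Added example, not LDAP-UX code. Rule syntax is action:type:value, processed
top to bottom. Assumptions: the first rule that evaluates true decides
(allow/deny); None means no rule matched; ldap_filter rules are evaluated
against constructed in-memory entries with a minimal matcher that understands
only (attr=value) terms and (&(...)(...)) conjunctions.
"""
import re

# Constructed name-service data standing in for /etc/passwd, /etc/group,
# /etc/netgroup and the LDAP directory that pam_authz queries via ldapclientd.
UNIX_GROUPS = {"wheel": {"root", "alice"}, "sysadmin": {"bob"}}
NETGROUPS = {"ops_staff": {"bob", "carol"}}
LDAP_GROUPS = {
    "engineering_ldapgroup": {"dave"},
    "support_ldapgroup": {"eve"},
    "epartner_ldapgroup": set(),
}
LDAP_ENTRIES = [  # entries an ldap_filter rule is searched against (constructed)
    {"uid": "mary", "hostAllowed": "1.2.3.200"},
    {"uid": "dave", "hostAllowed": "1.2.3.10"},
]

# Constructed sample policy; the dynamic variables $[login] and $[ip] are
# replaced with values from the login request before the filter is used.
POLICY = """\
# comment lines are ignored
deny:ldap_group:engineering_ldapgroup,support_ldapgroup,epartner_ldapgroup
allow:unix_user:root,alice
allow:unix_group:sysadmin
allow:netgroup:ops_staff
allow:ldap_filter:(&(uid=$[login])(hostAllowed=$[ip]))
"""

VARIABLE = re.compile(r"\$\[(\w+)\]")


def parse_policy(text):
    """Return [(action, type, value)] in file order; malformed lines are rejected."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # the value field may itself contain ':'
        if len(parts) != 3 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"malformed access rule: {raw!r}")
        rules.append(tuple(parts))
    return rules


def expand_variables(ldap_filter, request):
    """Replace each $[name] with the login-request value; unknown names are an error."""
    def lookup(match):
        name = match.group(1)
        if name not in request:
            raise KeyError(f"dynamic variable {name!r} is not part of the login request")
        return request[name]
    return VARIABLE.sub(lookup, ldap_filter)


def match_filter(ldap_filter, entry):
    """Minimal matcher: (attr=value) terms and (&(...)(...)) conjunctions only."""
    conj = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", ldap_filter)
    if conj:
        return all(match_filter(term, entry)
                   for term in re.findall(r"\([^()]*\)", conj.group(1)))
    term = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if not term:
        raise ValueError(f"filter not supported by this example: {ldap_filter!r}")
    return entry.get(term.group(1)) == term.group(2)


def rule_is_true(rule_type, value, request):
    """Evaluate one rule's type/value against the login request."""
    login = request["login"]
    names = value.split(",")
    if rule_type == "unix_user":
        return login in names
    if rule_type == "unix_group":
        return any(login in UNIX_GROUPS.get(g, ()) for g in names)
    if rule_type == "netgroup":
        return any(login in NETGROUPS.get(g, ()) for g in names)
    if rule_type == "ldap_group":
        return any(login in LDAP_GROUPS.get(g, ()) for g in names)
    if rule_type == "ldap_filter":
        expanded = expand_variables(value, request)
        return any(match_filter(expanded, e) for e in LDAP_ENTRIES)
    raise ValueError(f"unsupported rule type {rule_type!r}")


def authorize(rules, request):
    """Return 'allow' or 'deny' from the first rule that evaluates true, else None."""
    for action, rule_type, value in rules:
        if rule_is_true(rule_type, value, request):
            return action
    return None


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for req in ({"login": "dave", "ip": "1.2.3.10"}, {"login": "mary", "ip": "1.2.3.200"},
                {"login": "mary", "ip": "1.2.3.201"}):
        print(req, "->", authorize(rules, req))
```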
Security Policy Enforcement with Secure Shell (SSH) or r-commands
PAM_AUTHZ has a limited ability to perform account and password security policy enforcement without requiring LDAP-based authentication.
function_name
This field defines the function name in the specified that PAM_AUTHZ uses to evaluate certain security policy settings for the login user. The following describes the valid entries for this field:
• check_rhds_policy: If this option is specified, PAM_AUTHZ evaluates all the necessary account and password policy settings, stored in the Netscape/Red Hat Directory Server, for the login user.
Evaluating the Windows Active Directory Server Security Policy
The following is an example of an access rule in the /etc/opt/ldapux/pam_authz.policy file:
status:ads:check_ads_policy
If the above access rule is specified in the pam_authz.policy file, the check_ads_policy routine in the libpolicy_ads library is loaded and executed.
Directory Server Security Policies
Global Security Attributes
In the Windows 2003 Active Directory Server, there are a number of attributes about the security policies. In order to support account and password security policy enforcement, PAM_AUTHZ is enhanced to support the global administrative security attributes listed in table 7–2. They are used to define the policy rules and are all defined under dc=world,dc=hp,dc=com. Only authorized users can access them.
Adding Additional Domain Controllers
Your Active Directory contains configuration profiles downloaded by each client system and name service data accessed by each client system. As your environment grows, you may need to add additional domain controllers to your environment. Follow these steps:
1. Use the dcpromo.exe tool to install and configure a new Active Directory domain controller.
5. ADSI Edit appears in the Add/Remove Snap-In dialog box. Click OK.
6. In the Microsoft Management Console, click ADSI Edit and select Connect to... from the Action menu.
7. In the Connection dialog box, check Naming Context, and select Domain NC from the drop-down list at the right. Then click OK.
8. Domain NC appears on the right pane. Double-click it to expand the list.
9. To change group attributes:
a. Click the container of the group for which you want to set POSIX attributes.
b.
User and Group Management
LDAP-UX Integration B.04.15 supports the new set of non-interactive LDAP command-line tools that allow you to list, add, modify or delete user accounts and groups in an LDAP directory server. These new tools provide capabilities to perform those operations without needing to discover the LDAP server information.
the LDAP-UX administrator credential is used if the user running the tool has sufficient privilege to read the /etc/opt/ldapux/acred file.
• ldapuglist: You can use the ldapuglist tool to display and enumerate POSIX-like account and group entries that reside in an LDAP directory server.
— Discover the search filter, search base or search scope for a particular name service.
— Discover the attribute mapping information for a specified name service.
— Discover the list of available template files for a specific name service when you want to add a new user or group entry to an LDAP directory server.
— Discover LDAP-UX configuration information about required attributes when creating a new user or group entry.
cn: Michale Sheu
uid: msheu
uidNumber: 880
gidNumber: 2010
loginShell: /usr/bin/sh
homeDirectory: /home/msheu
gecos: msheu,Building-8,555-555-5000
dn: cn=Pat Fong,ou=Users,dc=org,dc=example,dc=com
cn: Pat Fong
uid: pfong
uidNumber:750
gidNumber: 2000
loginShell: /usr/bin/sh
homeDirectory: /home/pfong
gecos: pfong,Building-10,555-552-5000
...
...
The following command displays an account entry which contains uid=tscott: .
The output is as follows:
dn: cn=group1,ou=groups,dc=org,dc=example,dc=com
cn: group1
gidNumber: 550
memberUid: mphillips
memberUid: mlou
memberUid: apierce
memberUid: bjones
dn: cn=group2,ou=groups,dc=org,dc=example,dc=com
cn: group2
gidNumber: 580
memberUid: vtam
memberUid: ajones
memberUid: mphillips
Run the following command to list a regular posixGroup entry which contains cn=groupA: .
Adding a User or a Group
When adding user or group entries to the LDAP directory server, the ldapugadd tool uses template files to discover the required data models for a new user and group entry. Template files define what object classes and attributes are required to create new user and group entries. LDAP-UX provides the flexibility that allows you to define unique data models for user and group entries.
attempts to add this user as a member of the group number 200. The ldapugadd tool dynamically assigns the uidNumber value from the pre-configured range.
cd /opt/ldapux/bin
./ldapugadd -t passwd -PW -f "Mike Tam" -g 200 mtam
Run the following command to display the new user entry, mtam: .
Command Arguments applicable to -t passwd
The following are the options and arguments used in the previous examples of the ldapugadd -t passwd commands:
-t: Specifies the type of entry the ldapugadd tool operates on. The type can be passwd or group. The passwd type represents LDAP user entries which contain POSIX account-related information. The group type represents LDAP group entries which contain POSIX group-related information.
-f
-g
-I
Command Arguments Applicable to -t group
The following are the command arguments and options used in the previous examples of the ldapugadd -t group commands:
-M: Defines initial group membership by adding the specified user accounts as members.
-g: Specifies the group id number for the new group.
Required argument: Specifies the POSIX style group name for the new group entry.
Modifying Defaults in /etc/opt/ldapux/ldapug.
-g: Specifies the default group ID number used when creating new user entries.
-g :: Sets new default minimum and maximum ranges that ldapugadd uses when provisioning a GID number for new group entries.
-s: Sets the new default login shell that ldapugadd uses when creating a new user entry.
-d: Sets the new default parent home directory that ldapugadd uses when creating a new user home directory.
Command Arguments
The following describes the arguments/options used in the previous examples for the ldapugmod -t passwd commands:
-PW: Sets the user or group password attribute. If you specify -PW, you must specify either the LDAP_UGCRED environment variable or the -PP option.
-A: Specifies an attribute and value to be added to a user or group entry.
-R
-u
-I
dn: cn=GroupC,ou=Groups,dc=org,dc=example,dc=com
cn: GroupC
gidNumber: 500
MemberUid: alouie
Description: A IT Group
Description: A Group Entry
Run the following command to add an instance of the description attribute and value to the group entry, GroupC, without removing the already existing values for that attribute: .
The -O option functions properly with a Windows 2003 R2 ADS, because it uses standard RFC 2307 attributes, with the exception of the homeDirectory attribute.
Command Arguments
The following describes the ldapugdel options and arguments used in the above examples:
-t: Specifies the type of entry the ldapugdel tool needs to delete. The type can be passwd or group. The passwd type represents LDAP user entries which contain POSIX account-related information. The group type represents LDAP group entries which contain POSIX group-related information.
-O
-D
WARNING: CFI_CONFIG_FAILURE: "automount" service not configured for LDAP-UX support
Listing Available Templates
Use the ldapcfinfo -t -L command to display a list of available templates. The valid value can be passwd or group. Run the following command to display a list of available template files that ldapugadd uses to create a new user entry for the passwd name service:
./ldapcfinfo -t passwd -L
Assume that the /etc/opt/ldapux/ug_templates/ug_passwd_std.
Below is the output of the above command for the passwd name service:
uidNumber_range=100:20000
default_gidNumber=20
default_homeDirectory=/home
default_loginShell=/usr/bin/sh
Run the following command to display the LDAP default configuration values in the /etc/opt/ldapux/ldapug.conf file for the group name service: .
The following command displays the recommended list of attributes for the user account entry with the distinguished name (DN), "cn=sfong,ou=people,dc=org,dc=example,dc=com": .
Displaying the Proxy User's Distinguished Name
You can display the proxy user's distinguished name (DN) by running /opt/ldapux/config/ldap_proxy_config -p. The following command displays the current proxy user:
cd /opt/ldapux/config
./ldap_proxy_config -p
PROXY DN: CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com
Verifying the Proxy User
The proxy user information is stored encrypted in the file /etc/opt/ldapux/pcred and in kernel memory, referred to as SCS (Secure Credential Store).
You can also find out from where in the directory the client downloaded the profile by displaying the file /etc/opt/ldapux/ldapux_client.conf and looking for the line beginning with PROFILE_ENTRY_DN, for example:
grep ^PROFILE_ENTRY_DN /etc/opt/ldapux/ldapux_client.conf
PROFILE_ENTRY_DN="CN=Profile1, CN=Configuration, DC=cup, DC=hp, DC=com"
Creating a New Profile
To create a new profile, run /etc/ldapux/config/setup.
ktutil: rkt domainC.keytab
ktutil: wkt krb5.keytab
ktutil: quit
Use klist -k to show the different entries in the keytab file. The keytab file /etc/krb5.keytab should be readable only by the supervisor.
Considering Performance Impacts
The advantage of an LDAP directory over flat files for naming and authentication services is its design for quick access to information in large databases.
6. Enter set maxpagesize to , where the is the maximum number of search objects that you want the Active Directory to return for a search, and then press the Enter key.
7. Enter set maxqueryduration to
This mapping allows LDAP-UX to support groupOfNames and groupOfUniqueNames for defining membership of an HP-UX group.
Although there are many benefits to caching, administrators must be aware of the side-effects of their use. Here are some examples to consider:
Table 7-4 ldapclientd Caching
Map Name: passwd
Benefits: Greatly reduces the number of requests sent to a directory server during a login or other operation such as displaying files owned by that user.
Enabling and Disabling LDAP-UX Logging
When a program or service is behaving incorrectly, enabling logging is one way to examine the events that occur to determine where the problem is. Enable LDAP-UX Client Services logging on a particular client as follows:
1. Edit the local startup file /etc/opt/ldapux/ldapux_client.conf and uncomment the lines starting with #log_facility and #log_level by removing the initial # symbol.
2. You can set log_level to LOG_INFO to log only unusual events.
4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.
5. Restore the file /etc/syslog.conf to its previous state to stop logging.
6. Restart the syslog daemon with the following command (refer to syslogd(1M) for details):
kill -HUP `cat /var/run/syslog.pid`
7. Remove the debug options from /etc/pam.conf.
8. Examine the log file at /var/adm/syslog/debug.log to see what actions were performed and if any are unexpected. Look for lines containing PAM.
In particular, check the values for the directory server host and port, the default search base DN, and the credential level. Also, if you have remapped any standard attributes to alternate attributes, or defined any custom search descriptors, make sure these are correct and exist in your database. If any of these are incorrect, correct them as described in “Modifying a Profile” (page 142).
loginShell: /bin/ksh
msSFUHomeDirectory: /tblv006/home/biljonz
msSFUName: biljonz
syncNisDomain: cup
uidNumber: 467
If you do not get this output, your proxy user may not be configured properly. Make sure you have access permissions set correctly for the proxy user. Refer to “Creating a New Proxy User” (page 141) for details on configuring the proxy user. You can also try binding to the directory as the directory administrator and reading the user's information.
8 Modifying User Information
This chapter describes the following tasks users need to perform:
• “Changing Passwords” (page 151)
• “Changing Personal Information” (page 151)
Changing Passwords
Users can change their password with the passwd(1) command. Depending on how PAM is configured and depending on where the user's information is located (in the directory or in /etc/passwd), users may be prompted for their password twice as PAM searches in the configured locations for the user's information.
9 Mozilla LDAP C SDK
This chapter describes the Mozilla LDAP SDK for C and the SDK file components. This chapter contains the following sections:
• “Overview” (page 153).
• “The Mozilla LDAP C SDK File Components” (page 153) briefly describes many of the files that comprise the LDAP C SDK.
Overview
The LDAP-UX Client Services provides the Mozilla LDAP C SDK 5.17.1 support.
Table 9-1 Mozilla LDAP C SDK File Components on the PA machine (continued)
Files / Description
/usr/include/*: Include files from LDAP C SDK.
/opt/ldapux/contrib/bin/certutil: Unsupported command tool that creates and modifies the certificate database files, cert8.db and key3.db.
/opt/ldapux/contrib/ldapsdk/examples: Unsupported Netscape LDAP C SDK examples.
/opt/ldapux/contrib/ldapsdk/source.tar.gz: Mozilla LDAP C SDK source (for license compliance).
Table 9-2 Mozilla LDAP C SDK File Components on the IA machine
Files / Description
/usr/lib/hpux32/libldap.so (32-bit), /usr/lib/hpux64/libldap.so (64-bit): Main LDAP C SDK API libraries that link to the /opt/ldapux/lib libraries.
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit), /opt/ldapux/lib/hpux32/libnss3.so (32-bit), /opt/ldapux/lib/hpux32/libplc4.so (32-bit), /opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit), /opt/ldapux/lib/hpux32/libssl3.: LDAP C SDK dependency libraries.
Table 9-3 Mozilla LDAP C SDK API Header Files
Header Files / Description
/usr/include/ldap.h: Main LDAP functions, structures and defines.
/usr/include/ldap-extention.h: Support for LDAP v3 extended operations, controls and other server specific features. This file must be included in source code that uses LDAP v3 extended operations or controls.
/usr/include/ldap_ssl.h: Support for creation of SSL connections. This file must be included in source code that requires SSL connections.
A Configuration Worksheet
Use this worksheet to plan your LDAP-UX Client Services configuration. For installation and configuration details, refer to “Installing LDAP-UX Client Services” (page 23). Each of the following should be configured once for each domain, except "Proxy user DN," which only needs to be configured once regardless of the number of domains in the system.
B LDAP-UX Client Services Object Classes
This appendix describes the object classes used by LDAP-UX Client Services for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:
• PosixDUAProfile
• PosixNamingProfile
With release B.03.00, the PosixDUAProfile and PosixNamingProfile object classes have been replaced by a single STRUCTURAL object class, DUAConfigProfile. In addition, four new attributes are added.
NOTE: The userPassword attribute is mapped to *NULL* to prevent passwords from being returned for increased security and to prevent PAM_UNIX from authenticating users in the LDAP directory. Mapping to *NULL* or any other nonexistent attribute means do not return anything.
serviceSearchDescriptor is one to three custom search descriptors for each service. The format is Service:BaseDN?Scope?(Filter), where Service is one of the supported services passwd, group, shadow, or PAM; BaseDN is the base DN at which to start searches; Scope is the search scope and can be one of one, base, sub; and Filter is an LDAP search filter, typically the object class. Each service can have up to three custom search descriptors.
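The descriptor format above, and the dynamic-group member search described in Chapter 6 (the passwd service's search base and scope, with its filter combined with the group's msDS-AzLDAPQuery filter), as an added Python example that is not part of the LDAP-UX product. It assumes the combination is an LDAP AND filter, and the DN values it uses are constructed.

```python
"""Parse serviceSearchDescriptor values and build the dynamic-group member search.

Added example, not LDAP-UX code. The format Service:BaseDN?Scope?(Filter), the
allowed services and scopes, and the limit of three descriptors per service come
from the profile description; treating the passwd filter plus msDS-AzLDAPQuery as
an LDAP AND filter is an assumption about how LDAP-UX "combines" them.
"""

SERVICES = {"passwd", "group", "shadow", "PAM"}
SCOPES = {"one", "base", "sub"}
MAX_PER_SERVICE = 3


def parse_ssd(descriptor):
    """Split 'Service:BaseDN?Scope?(Filter)' into its parts, validating each one."""
    service, sep, rest = descriptor.partition(":")  # DNs and filters may contain ':'
    if not sep or service not in SERVICES:
        raise ValueError(f"unknown or missing service in {descriptor!r}")
    parts = rest.split("?")  # assumes '?' does not occur inside the DN or filter
    if len(parts) != 3:
        raise ValueError(f"expected BaseDN?Scope?(Filter) in {descriptor!r}")
    base_dn, scope, ldap_filter = (p.strip() for p in parts)
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of one, base, sub: {scope!r}")
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {ldap_filter!r}")
    return {"service": service, "base": base_dn, "scope": scope, "filter": ldap_filter}


def group_descriptors(descriptors):
    """Group parsed descriptors by service, enforcing at most three per service."""
    by_service = {}
    for descriptor in descriptors:
        parsed = parse_ssd(descriptor)
        by_service.setdefault(parsed["service"], []).append(parsed)
    for service, entries in by_service.items():
        if len(entries) > MAX_PER_SERVICE:
            raise ValueError(f"{service} has {len(entries)} descriptors, "
                             f"maximum is {MAX_PER_SERVICE}")
    return by_service


def dynamic_member_search(passwd_descriptor, az_ldap_query):
    """Member search for a dynamic group: the passwd service's base and scope,
    with the passwd filter AND-ed with the group's msDS-AzLDAPQuery filter."""
    passwd = parse_ssd(passwd_descriptor)
    return {
        "base": passwd["base"],
        "scope": passwd["scope"],
        "filter": f"(&{passwd['filter']}{az_ldap_query})",
    }


if __name__ == "__main__":
    # Constructed values; the DN suffix follows the dc=hp,dc=com examples in this manual.
    passwd_ssd = "passwd:ou=People,dc=hp,dc=com?sub?(objectClass=posixAccount)"
    print(parse_ssd(passwd_ssd))
    print(dynamic_member_search(passwd_ssd, "(department=Engineering)"))
```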
C Command, Tool, Schema Extension Utility, and Migration Script Reference
This appendix describes the commands and tools associated with the LDAP-UX Client Services:
• The “LDAP-UX Client Services Components” (page 163) section describes many of the files that comprise this product.
• The “Client Management Tools” (page 167) section describes commands to manage your client systems.
Table C-1 LDAP-UX Client Services Components (continued)
Component / Description
/opt/ldapux/config/create_profile_entry: Program to create a new configuration profile.
/opt/ldapux/config/ldap_proxy_config: Program to configure and verify the proxy user.
/opt/ldapux/config/create_profile_schema, /opt/ldapux/config/create_profile_cache: Programs called by the setup program.
/opt/ldapux/bin/ldapcfinfo: Tool to report LDAP-UX configuration and status.
Table C-1 LDAP-UX Client Services Components (continued)
Component / Description
/etc/opt/ldapux/domain_profiles/ldapux_profile.bin.gc: Global Catalog Server (GCS) profile file. Specifies which server (and port) serves as the GCS.
/opt/ldapux/migrate/ads: A set of scripts for migrating users and groups into Active Directory. Refer to “Name Service Migration Scripts” (page 256) for more information.
/opt/ldapux/share: Man pages.
/opt/ldapux/contrib/bin/perl: Perl, version 5, used by migration scripts.
Table C-3 LDAP-UX Client Services Libraries on the HP-UX 11i v2 or v3 PA machine
Files / Description
/usr/lib/libldap_send.1 (32-bit), /usr/lib/libldap_util.1 (32-bit), /usr/lib/libnss_ldap.1 (32-bit), /usr/lib/libldapci.1 (32-bit), /usr/lib/libldap.1 (32-bit), /usr/lib/security/libpam_ldap.1 (32-bit), /usr/lib/security/libpam_authz.1 (32-bit), /usr/lib/pa20_64/libldap.1 (64-bit), /usr/lib/pa20_64/libldap_send.1 (64-bit), /usr/lib/pa20_64/libnss_ldap.: LDAP-UX Client Services libraries.
Client Management Tools
This section describes the following programs for managing client systems. Most of these programs are called by the setup program during system configuration.
• create_profile_entry: creates a new profile in the directory.
• create_profile_cache: creates a new active profile from an LDIF profile. This is also called by the get_profile_entry tool.
• create_profile_schema: extends the schema in the directory for profiles.
• display_profile_cache: displays the currently active profile.
NOTE: You must copy the file my_profile.bin to /etc/opt/ldapux/ldapux_profile.bin to activate the profile.
create_profile_schema
This tool, found in /opt/ldapux/config, extends the Active Directory schema with the DUAConfigProfile object class using the information you provide interactively. Typically you run the setup program instead of running this program directly.
Examples
• The following command downloads the profile for the NSS specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/ldapux_profile.ldif. bindDN and password need to be provided if no valid proxy user is configured:
get_profile_entry -s NSS -D bindDN -w passwd
• The following command downloads the profile for the NSS specified in the client configuration file /etc/opt/ldapux/ldapux_client.
With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred.
LDAP User and Group Management Tools The LDAP-UX Integration product supports the following new LDAP command-line tools which enable you to manage user accounts and groups in an LDAP directory server. These new tools exist in the /opt/ldapux/bin directory and perform their operations based on the LDAP-UX profile's configuration. Each tool provides command options that enable you to alter these configuration parameters.
NOTE: To support non-interactive use of the ldapuglist, ldapugadd, ldapugmod and ldapugdel commands, you can use the LDAP_BINDDN and LDAP_BINDCRED environment variables to specify an LDAP administrator's identity and password, and use the LDAP_UGCRED environment variable to specify the user's or group's password being created or modified. To prevent exposure of these environment variables, you must unset them after use.
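The following is an added example (not LDAP-UX code) of how a script can honour the note above without ever exporting LDAP_BINDDN and LDAP_BINDCRED into its own shell: the password is read from a file that must be owner-only, and the two variables are placed only in the environment handed to the child process, so there is nothing left to unset afterwards. The tool path /opt/ldapux/bin/ldapuglist and the variable names are from this page; the credential file location and its one-secret-per-line layout are assumptions of the example.

```python
"""Run an LDAP-UX UG tool non-interactively without leaving LDAP_BINDDN and
LDAP_BINDCRED in the calling shell's environment.

Added example, not part of LDAP-UX. The tool path /opt/ldapux/bin/ldapuglist
and the variable names come from the manual; the credential file location and
its one-secret-per-line layout are assumptions of this example.
"""
import os
import stat
import subprocess
import sys
import tempfile


def cred_file_path():
    """Assumed location of the file holding the bind password."""
    return os.path.join(tempfile.gettempdir(), "ldapux_example_bindcred")


def write_cred_file(path, secret, mode=0o600):
    """Create *path* containing *secret* with exactly *mode* permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret + "\n")
    os.chmod(path, mode)  # os.open applies the umask; make the mode exact
    return path


def read_bind_cred(path):
    """Return the bind password stored in *path*.

    Refuses a file that is group- or world-accessible, so a secret left with
    lax permissions is caught before it is ever sent to the directory.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must be accessible by its owner only" % path)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\n")


def run_ug_tool(argv, bind_dn, bind_cred):
    """Run *argv* with LDAP_BINDDN/LDAP_BINDCRED set for that child only.

    The variables go into a copy of the environment that is handed to the
    child, so they exist for the lifetime of that process and never have to
    be unset in the caller. Returns (exit status, standard output).
    """
    child_env = dict(os.environ)
    child_env["LDAP_BINDDN"] = bind_dn
    child_env["LDAP_BINDCRED"] = bind_cred
    proc = subprocess.run(argv, env=child_env, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def cred_leaked_to_parent():
    """True if either credential variable is visible in this process."""
    return "LDAP_BINDDN" in os.environ or "LDAP_BINDCRED" in os.environ


def probe_child_env(bind_dn, bind_cred):
    """Stand-in for the real tool: a child that echoes what it was given."""
    code = "import os; print(os.environ['LDAP_BINDDN'], os.environ['LDAP_BINDCRED'])"
    return run_ug_tool([sys.executable, "-c", code], bind_dn, bind_cred)


if __name__ == "__main__":
    path = write_cred_file(cred_file_path(), "change-me")
    password = read_bind_cred(path)
    # With the real tool the argv would be, for example:
    # ["/opt/ldapux/bin/ldapuglist", "-t", "passwd", "-f", "(uid=mlee)"]
    rc, out = probe_child_env("cn=Directory Manager", password)
    print(rc, out.strip(), "leaked:", cred_leaked_to_parent())
```

Environment variables are not shown by ps the way command-line arguments are, but they remain readable by root and are inherited by every descendant of the tool, so this pattern shortens the lifetime of the secret rather than hiding it; the permission check is what keeps the password from being readable by other accounts on the host.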
Table C-5 Common Return Codes (continued)
  GET_PROXY_DECRYPT_FAILED    Failed to decrypt proxy and credential information.
  MOD_LIMIT_REACHED           There are too many modifications to perform.
  SSL_INIT_FAILED             SSL initialization failed.
  LOAD_LIB_FAILED             Failed to load the specified library.
  LOAD_FUNCTION_FAILED        Failed to load the specified function.
  ACCESS_TEMPLATEFILE_FAILED  Unable to access the specified template file.
  READ_TEMPLATEFILE_FAILED    Unable to read the specified template file.
Table C-5 Common Return Codes (continued)
  ADD_GR_MEMBER_FAILED  memberUid is mapped only to dynamic group attributes, so the add operation fails.
  ENTRY_NOT_FOUND       The LDAP search returned no entries.
  EXPLODE_DN_FAILED     Cannot convert the specified distinguished name (DN) into its component parts.
  EXPLODE_RDN_FAILED    Cannot convert the specified RDN into its component parts.
  MODIFY_FAILED         The modification operation failed.
The ldapuglist Tool You can use the ldapuglist tool to display and enumerate POSIX-like account and group entries stored in an LDAP directory server, without requiring extensive knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server.
As another example, if the RFC 2307 attribute uidNumber has been mapped to the employeeNumber attribute, then without the -m option the uidNumber field is displayed as:
  uidNumber: 520
When the -m option is specified, the uidNumber field is displayed as:
  uidNumber[employeeNumber]: 520
The ldapuglist tool ignores the -m option if the -L option is specified.
-L  Displays output following the /etc/passwd or /etc/group format.
-t -h -p -n Specifies the type of entry the ldapuglist tool needs to discover and process. The valid types for this option are passwd and group. The passwd type indicates posixAccount-type entries; the group type indicates posixGroup-type entries. The type tells ldapuglist how to process search filters and attribute mappings. If you do not specify the -t option, ldapuglist assumes the passwd type. For example, -t group.
operation (&). In the case of memberUid, each mapped attribute is used in the search filter using the LDAP or operation (|). In the following example, the gecos attribute has been mapped to cn, l and telephoneNumber.
  • base: Search only the entry specified in the -b option.
  • one: Search only the immediate children of the entry specified in the -b option.
  • sub: Perform a sub-tree search starting at the point identified in the -b option.
-N  Specifies the maximum number of entries to be returned. If you do not specify this option, at most 200 entries are returned by default.
When you specify the -t passwd option, ldapuglist displays the following fields for a user entry:
  • cn
  • uid
  • userPassword
  • uidNumber
  • gidNumber
  • homeDirectory
  • loginShell
  • gecos
When you specify the -t group option, ldapuglist displays the following fields for a group entry:
  • cn
  • userPassword
  • gidNumber
  • memberUid
When you specify the -m option, the output format for both users and groups changes to the following, with the attribute each field is mapped to shown in square brackets:
  dn: dn1
  field1[attribute1]: value1
  field2[attribute2]: value2
  field3[attribute3]
Encoding of the DN ldapuglist displays DN strings according to the encoding rules defined in RFC 4514. The escape character “\” precedes each special character, which appears either as the character itself or as a two-digit hexadecimal representation of the character. Passwords In some cases, ldapuglist cannot access the user or group password fields. This can occur in the following cases: • The ldapuglist tool has insufficient privilege to access the password field. • The passwords are not used to authenticate users (such as when X.
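The following is an added example (not LDAP-UX code) of a consumer for the -m output format and the DN encoding described above: it parses field[attribute]: value lines into entries and decodes the RFC 4514 escaping of the dn line, including the two-digit hexadecimal form, so that a script post-processing ldapuglist output compares real values rather than escaped strings. The sample output is constructed in the shape shown on this page.

```python
"""Parse ldapuglist -m output (field[attribute]: value lines) and decode the
RFC 4514 escaping in the dn line.

Added example, not LDAP-UX code. The sample output below is constructed in
the shape shown in the manual.
"""
import re

SAMPLE_OUTPUT = r"""dn: uid=mlee,ou=users,dc=org,dc=example,dc=com
uid[uid]: mlee
uidNumber[employeeNumber]: 2225
gidNumber[gidNumber]: 252
homeDirectory[unixHomeDirectory]: /home/mlee
gecos[cn]: jscott
gecos[l]: San Jose
gecos[telephoneNumber]: 555-555-9999

dn: cn=Lee\2c Mary,ou=users,dc=org,dc=example,dc=com
cn[cn]: Lee, Mary
gidNumber[gidNumber]: 252
"""

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
# field, optional [mappedAttribute], then ": value"
_FIELD_LINE = re.compile(r"^(?P<field>[^\[:]+)(?:\[(?P<attr>[^\]]+)\])?: ?(?P<value>.*)$")


def unescape_dn_value(value):
    """Decode one RFC 4514 attribute value: '\\XX' is a byte of the UTF-8
    encoding, any other '\\c' is the literal character c."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            out.extend(ch.encode("utf-8"))
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if _HEX_PAIR.fullmatch(pair):
            out.append(int(pair, 16))
            i += 3
        elif i + 1 < len(value):
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
        else:
            raise ValueError("dangling backslash in DN value: %r" % value)
    return out.decode("utf-8")


def _split_unescaped(text, sep):
    """Split on *sep* but not on an escaped (backslash-prefixed) *sep*."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, decoded value)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, sep, raw = ava.partition("=")
            if not sep:
                raise ValueError("RDN without '=': %r" % ava)
            avas.append((attr_type.strip(), unescape_dn_value(raw)))
        rdns.append(avas)
    return rdns


def parse_ldapuglist(text):
    """Return a list of entries: {'dn', 'rdns', 'fields': [(field, attr, value)]}.
    When -m was not used there is no [attribute] part and attr equals field."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _FIELD_LINE.match(line)
        if not match:
            raise ValueError("unparsable line: %r" % line)
        field, attr, value = match.group("field"), match.group("attr"), match.group("value")
        if field == "dn":
            current = {"dn": value, "rdns": parse_dn(value), "fields": []}
            entries.append(current)
        elif current is None:
            raise ValueError("attribute line before any dn line")
        else:
            current["fields"].append((field, attr or field, value))
    return entries
```

Because a dn line is what starts a new entry, the parser does not depend on blank-line separation; the decoded RDN list is what you should compare against other sources (for example the member DNs of a groupOfNames), since the same DN can be escaped in more than one valid way.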
Limitations The ldapuglist tool has the following limitations: • The ldapuglist tool does not support enumeration of members of a dynamic group, such as those defined by the dynamic group attributes, memberURL or msDS-AzLDAPQuery. • The ldapuglist tool does not perform conversion of the locale character set to and from the UTF-8 character set. Examples This section provides examples of using ldapuglist.
  uidNumber[uidNumber]: 2225
  gidNumber[gidNumber]: 252
  homeDirectory[unixHomeDirectory]: /home/mlee
  loginShell[loginShell]: /usr/bin/ksh
  gecos[cn]: jscott
  gecos[l]: San Jose
  gecos[telephoneNumber]: 555-555-9999
If ldapuglist is used to access a Windows 2000/2003 Active Directory Server with the SFU3.0/3.
  memberUid: vtam
  memberUid: ajones
  memberUid: mlou
Run the following command to list a regular posixGroup entry for the group name groupA:
  ./ldapuglist -t group -f "(cn=groupA)"
The output is as follows:
  dn: cn=groupA,ou=groups,dc=org,dc=example,dc=com
  cn: groupA
  gidNumber: 620
  memberUid: user1
  memberUid: user3
  memberUid: user5
Run the following command to list a group entry that does not have required posixGroup attributes.
The ldapugadd Tool You can use the ldapugadd tool to add new POSIX accounts and groups to an LDAP directory server (as noted by the first and second syntaxes in “Synopsis” (page 186) below). You can use ldapugadd to modify the /etc/opt/ldapux/ldapug.conf file to set defaults for creation of new users or groups (as noted by the third syntax “Synopsis” (page 186) below).
attributes. If the memberUid attribute has been mapped to the member attribute (where the member ID syntax is defined using a distinguished name [DN]), then ldapugadd translates the memberUid account name to a DN before placing the member attribute. If the memberUid attribute has been mapped to more than one attribute type, ldapugadd uses the first attribute defined by the mapping.
-ZZZ  Requires a TLS connection to the LDAP directory server, even if the LDAP-UX configuration profile does not specify the use of TLS. Using the -ZZZ option requires that you define either a valid directory server or CA certificate in the /etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be established.
-F  Forces creation of new user or group entries even if the following error conditions occur:
  • The user name or group name already exists in the directory server.
-S
UG tool configuration file, /etc/opt/ldapux/ldapug.conf. Sets new default minimum and maximum ranges that ldapugadd uses when provisioning a UID number for newly created user entries. The UID range is inclusive of the specified end values. Specifies the default group ID number used when creating new user entries. To prevent ldapugadd from displaying warning messages, specify a group ID that represents a POSIX-style group stored in the LDAP directory.
add the user as a member of the specified group using the ldapugmod -t group command. To support numeric group names, ldapugadd always attempts to resolve the specified argument as a group name (even if it is a numeric string). If the specified argument is not found as a group name, ldapugadd checks to see if the argument is a numeric string and if so, uses that as the group ID number. If that numeric group cannot be found in any active name service repository, ldapugadd issues an ERROR message.
• The user’s work telephone number • The user’s home telephone number (often omitted) You must separate the fields in the argument with commas. If the data within the argument contains white space or other characters that the shell may interpret, protect the entire string by enclosing it in quotes. Do not put white space between a field and the separating commas. LDAP-UX supports attribute mapping of the gecos attribute to multiple attributes.
full or relative path name or a short name. A short name is defined as the distinguishing portion of the template file name. For example, for the passwd service, if the short name “operator” is specified, the resulting template file is /etc/opt/ldapux/ug_templates/ug_passwd_operator.tmpl. All LDAP-UX default template files are stored in the /etc/opt/ldapux/ug_templates directory. A full or relative path name must begin with a slash (/) or a period (.) character.
Arguments Applicable to -t group The following is a list of valid arguments for -t group: Required argument. Specifies the POSIX textual style group name for the new group entry. is a required argument. It must follow all command line options and must precede the = parameters if provided. This group name must conform to HP-UX group name requirements. For more information, refer to man page group(4) for group name requirements. Optional. Specifies the group ID number.
-T = attribute mappings for the description attribute. If you do not specify this option, the description attribute is not added to the group entry. Optional. Specifies the LDIF template file that is used to create new group entries. If you do not specify the -T option, ldapugadd uses the default template file either /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl or /etc/opt/ldapux/ug_templates/ug_group_default.
NOTE: You cannot modify the ldapug.conf file directly. To change the local host default values defined in /etc/opt/ldapux/ldapug.conf, you must use the ldapugadd -D command with the applicable command options to alter them. See the “Arguments Applicable to -D” (page 187) section for details. Template Files Template files define user and group entries that allow ldapugadd to discover the required data models for new user and group entries.
  objectclass: posixAccount
  sn: ${surname}
  ${posixProfile}
Below is a default template for the group name service:
  dn: cn=${cn},ou=groups,${basedn}
  objectclass: groupOfNames
  objectclass: posixGroup
  ${posixProfile}
Default Template Files for a Windows ADS Below is a default template for the passwd name service:
  dn: cn=${cn},cn=users,${basedn}
  objectclass: user
  ${posixProfile}
  sAMAccountName: ${uid}
  msSFU30NisDomain: ${domain}
  #By default, ldapugadd creates disabled accounts.
LDAP-UX supports several pre-defined substitution constructs, ${}, where represents: Represents all RFC2307-type attributes and values for the particular name posixProfile service (either passwd or group). If LDAP-UX configuration has defined attribute mapping for particular attributes, the mapped attributes are substituted in its place.
• Each template file can be built using custom attributes and values. Customized attribute values are defined using the ${} construct. However, for each non-RFC2307 attribute used, you must specify each of those attributes on the command line with an “=” pair argument when using ldapugadd to create a new entry.
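The following is an added example (not ldapugadd's code) that renders templates of the kind shown above: it substitutes the ${name} constructs, expands ${posixProfile} into the RFC 2307 attributes under their mapped names, refuses to proceed when a non-RFC 2307 variable such as ${surname} was not supplied as a name=value pair, and then checks the rendered entry for the attributes posixAccount or posixGroup require. The group template is the one printed on this page; the passwd template is constructed from the fragment shown (the person object class is assumed), the exact attribute set behind ${posixProfile} is assumed, and the ADD_INFO_MISSING name is borrowed from Table C-7 for the missing-value error.

```python
"""Render an ldapugadd-style LDIF template.

Added example, not LDAP-UX code. It reproduces the ${name} substitution
construct described in the manual; the exact set of attributes that
${posixProfile} expands to, the 'person' object class in the passwd
template and the use of ADD_INFO_MISSING for a missing value are assumptions.
"""
import re

# Assumed expansion of ${posixProfile}: the RFC 2307 attributes of the
# service that have a value. cn is carried by the DN and is not repeated.
POSIX_ATTRS = {
    "passwd": ["uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos"],
    "group": ["gidNumber", "memberUid"],
}
# Attributes that posixAccount / posixGroup require (RFC 2307 MUST lists).
REQUIRED = {
    "passwd": ["uid", "uidNumber", "gidNumber", "homeDirectory"],
    "group": ["gidNumber"],
}
_VAR = re.compile(r"\$\{([A-Za-z][A-Za-z0-9_-]*)\}")

# Group template as printed in the manual; the passwd template is
# constructed from the fragment shown there (the 'person' class is assumed).
GROUP_TEMPLATE = """\
dn: cn=${cn},ou=groups,${basedn}
objectclass: groupOfNames
objectclass: posixGroup
${posixProfile}
"""
PASSWD_TEMPLATE = """\
dn: uid=${uid},ou=users,${basedn}
objectclass: person
objectclass: posixAccount
sn: ${surname}
${posixProfile}
"""


def expand_posix_profile(service, values, mappings):
    """Emit 'attr: value' lines for the RFC 2307 attributes in *values*,
    writing each under its mapped name when a mapping is configured."""
    lines = []
    for attr in POSIX_ATTRS[service]:
        if attr not in values:
            continue
        target = mappings.get(attr, attr)
        vals = values[attr] if isinstance(values[attr], list) else [values[attr]]
        lines.extend("%s: %s" % (target, v) for v in vals)
    return "\n".join(lines)


def render_template(template, service, values, mappings, custom):
    """Substitute ${name} constructs. *values* holds the RFC 2307 attributes
    plus cn/basedn/domain; *custom* holds the name=value pairs given on the
    command line for non-RFC 2307 attributes such as surname."""
    def repl(match):
        name = match.group(1)
        if name == "posixProfile":
            return expand_posix_profile(service, values, mappings)
        if name in values and not isinstance(values[name], list):
            return str(values[name])
        if name in custom:
            return custom[name]
        # ldapugadd reports ADD_INFO_MISSING when information is missing;
        # raising with that name here is this example's choice.
        raise KeyError("ADD_INFO_MISSING: no value for ${%s}" % name)
    return _VAR.sub(repl, template)


def parse_ldif(rendered):
    """Return (dn, [(attr, value), ...]) from rendered LDIF, ignoring comments."""
    dn, attrs = None, []
    for line in rendered.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    if dn is None:
        raise ValueError("template produced no dn line")
    return dn, attrs


def missing_required(service, attrs, mappings):
    """Required POSIX attributes absent from the entry, checked under their
    mapped names so a mapped homeDirectory is not reported as missing."""
    present = {name for name, _ in attrs}
    return [a for a in REQUIRED[service] if mappings.get(a, a) not in present]
```

Checking the rendered entry under the mapped names is the point of the last function: with homeDirectory mapped to unixHomeDirectory, a check against the unmapped RFC 2307 names would wrongly report the entry as incomplete, and a check that ignores mappings altogether would let an entry through that the directory's object class rules will reject.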
Specific Return Codes for ldapugadd The ldapugadd tool returns the return codes shown in Table C-7.
Table C-7 Return Codes for ldapugadd
  Return Code                Message
  ADD_USER_TO_GRP_FAILED     Failed to add a user to the group.
  ADD_SKELDIR_DOESNOT_EXIST  The specified skeleton directory does not exist.
  ADD_SETENV_FAILED          The internal putenv call for the specified bind environment variable failed.
  ADD_INFO_MISSING           Information is missing.
Limitations The following are limitations of ldapugadd: • Because LDAP directory servers require data to be stored in the UTF-8 (RFC 3629) character encoding, all characters passed to ldapugadd are assumed to be UTF-8 and part of the ISO-10646 character set. ldapugadd does not perform conversion of the locale character set to and from the UTF-8 character set.
Use the following command to display the new user entry, mscott, with mapped attribute information: .
Use the following command to display the new group entry, groupA:
  ./ldapuglist -t group -f "(cn=groupA)"
The output of the group entry is as follows:
  dn: cn=groupA,ou=Groups,dc=org,dc=example,dc=com
  cn: groupA
  gidNumber: 550
  memberUid: mwang
The following command sets new default minimum and maximum ranges of UID numbers in the local configuration file, /etc/opt/ldapux/ldapug.conf. The ldapugadd tool randomly selects a new ID from this range if you do not specify an account number. .
The ldapugmod Tool The ldapugmod tool enables HP-UX administrators to modify existing POSIX accounts or groups in an LDAP directory server. When using extended options, you can use ldapugmod to modify arbitrary attributes for user or group entries or you can extend existing user or group entries with the POSIX data model. To use ldapugmod, you must provide LDAP administrator credentials that have sufficient privilege to perform the user or group modification operations in the LDAP directory server.
-ZZ  Attempts a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. If a TLS connection cannot be established, a non-TLS and non-SSL connection is established instead. Do not use -ZZ unless other measures protect against network eavesdropping, because anything that prevents the TLS handshake from completing, including an attacker on the path, causes the fallback to a cleartext connection. Use of -ZZ requires that you define a valid server or CA certificate in the /etc/opt/ldapux/cert8.db file.
-ZZZ
-N
-p -D -A IPv4 and IPv6 addresses. If you specify a port for an IPv6 address, you must specify the IPv6 address in square-bracketed form. If you do not specify the optional port, the port number defaults to 389, or to 636 for SSL connections (-Z). Specifies the port number of the LDAP directory server to contact. The ldapugmod tool ignores this option if you specify the port number as part of the -h option.
-n Specifies the new name of the user or group. This option replaces the uid attribute for user entries or the cn attribute for group entries with the new name, or the mapped attribute if attribute mapping has been specified for that attribute. The argument specifies the new name of the user or group. Using -n is the same as replacing the corresponding attribute.
-d  Replaces the full path name (including the user name) of the user’s home directory. If the argument is an empty string (a pair of double quotes: ""), ldapugmod removes the homeDirectory or mapped attribute.
-m  Moves the user’s home directory to the location specified with the -d option. -m requires that you also specify the -d option.
-I
server. Instead, use the -R option to remove arbitrary attributes. See the “Warnings” section below for the impact of using this option. Options Applicable to -t group The following is a list of valid options for -t group: Required. Specifies the POSIX-style textual group name of the group entry to modify. You must specify the group name if you do not specify the -D option. This group name must conform to HP-UX group name requirements. Refer to the man page group(4) for group name requirements.
Warnings Under common usage, ldapugmod uses the LDAP replace operation when changing the values of an attribute in an entry. This affects attributes that have multiple values: every existing value of the attribute is removed and replaced with the single value specified on the ldapugmod command line. For example, if the -n argument is used to specify a new name for a posixGroup, all occurrences of the cn attribute are replaced by the value specified for the -n argument.
  ./ldapugmod -t passwd -c "Mackey user entry" mlee
This command replaces all instances of description with the single comment, Mackey user entry.
This command adds an instance of the cn attribute with the value Joesh Scott to the entry. The resulting user entry is as follows:
  dn: uid=jscott,ou=users,dc=org,dc=example,dc=com
  cn: John Scott
  cn: Joe Scott
  cn: Joesh Scott
  uid: jscott
  uidNumber: 2500
  gidNumber: 120
  homeDirectory: /home/jscott
  loginShell: /usr/bin/sh
  gecos: John Scott,San Jose,+1 505-555-5000
Specific Return Codes for ldapugmod The ldapugmod tool returns the return codes shown in Table C-8.
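The following is an added example (not LDAP-UX code) that makes the warning above concrete. It applies an LDAP replace and an LDAP add to an in-memory copy of the jscott entry printed above, renders the corresponding LDIF change records, and shows the delete-then-add form that changes one value of a multi-valued attribute while leaving the other values in place. The server semantics are simulated in memory; the entry is constructed from the one on this page.

```python
"""Contrast ldapugmod's default LDAP replace with an add on a multi-valued
attribute, and show the delete+add pattern that changes one value while
keeping the others.

Added example, not LDAP-UX code. The entry is constructed from the one in
the manual; apply_modify mimics server-side modify semantics in memory.
"""
import copy

ENTRY = {
    "dn": "uid=jscott,ou=users,dc=org,dc=example,dc=com",
    "cn": ["John Scott", "Joe Scott"],
    "uid": ["jscott"],
    "uidNumber": ["2500"],
    "gidNumber": ["120"],
    "homeDirectory": ["/home/jscott"],
    "loginShell": ["/usr/bin/sh"],
    "gecos": ["John Scott,San Jose,+1 505-555-5000"],
}


def modify_ldif(dn, changes):
    """Render one LDIF change record (RFC 2849) holding the given
    (operation, attribute, values) triples in order."""
    lines = ["dn: %s" % dn, "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError("unknown operation %r" % op)
        lines.append("%s: %s" % (op, attr))
        lines.extend("%s: %s" % (attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def apply_modify(entry, changes):
    """Apply the triples to a copy of *entry* the way a directory server
    would, failing the whole change on the first error."""
    new = copy.deepcopy(entry)
    for op, attr, values in changes:
        current = list(new.get(attr, []))
        if op == "replace":
            new[attr] = list(values)  # every existing value is discarded
        elif op == "add":
            for v in values:
                if v in current:
                    raise ValueError("attributeOrValueExists: %s=%s" % (attr, v))
            new[attr] = current + list(values)
        elif op == "delete":
            if not values:
                new.pop(attr, None)  # delete the whole attribute
                continue
            for v in values:
                if v not in current:
                    raise ValueError("noSuchAttribute: %s=%s" % (attr, v))
            new[attr] = [v for v in current if v not in values]
        else:
            raise ValueError("unknown operation %r" % op)
        if attr in new and not new[attr]:
            del new[attr]
    return new


def replace_one_value(entry, attr, old, new_value):
    """Change a single value of a multi-valued attribute without touching its
    other values: delete the old value and add the new one in one modify."""
    changes = [("delete", attr, [old]), ("add", attr, [new_value])]
    return apply_modify(entry, changes), modify_ldif(entry["dn"], changes)


if __name__ == "__main__":
    print(apply_modify(ENTRY, [("replace", "cn", ["Joesh Scott"])])["cn"])
    print(apply_modify(ENTRY, [("add", "cn", ["Joesh Scott"])])["cn"])
    print(replace_one_value(ENTRY, "cn", "Joe Scott", "Joseph Scott")[1])
```

Both operations of replace_one_value sit in one modify request, so the directory applies them atomically: the entry never exists in a state with the old value removed and the new one not yet added, which a pair of separate ldapugmod invocations cannot guarantee.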
Security Considerations Be aware of the following security considerations when you use ldapugmod: • The ldapugmod tool requires LDAP administrator permissions when it performs operations on the directory server. The administrator identity that you specify when executing ldapugmod must be granted the rights to modify existing LDAP directory entries under the requested subtree, and to create, modify and remove the required attributes in those entries. Grant those rights on the user and group subtrees the tool manages rather than using a directory-wide administrator account.
The following command adds the description attribute and value to the user entry atam:
  ./ldapugmod -t passwd -A "description=test user entry" atam
The following command extends the existing user entry userid=212,ou=users,dc=org,dc=example,dc=com with the POSIX attributes and values for homeDirectory, uid and gidNumber. The ldapugmod tool adds the posixAccount object class to the entry. .
The ldapugdel Tool Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory server. If you use ldapugdel with the -O option, ldapugdel removes the POSIX related attributes and object classes from user or group entries, without removing the entire entry itself. Removing Attributes Only Because mapped attributes are attributes that are often shared with other LDAP-enabled applications, ldapugdel does not support attribute mapping.
-y -Z -ZZ -ZZZ -S option when removing posixAccount or posixGroup related attributes. If removal of uid, cn, or description causes an object class violation, ldapugdel generates a warning message. With the -x option, LDAP-UX tries to remove as many attributes as the directory server allows. Use this option only with the -O and -t passwd options. This option forces ldapugdel to remove the userPassword attribute from the user entry.
-O [[,...]] Specifies the name of the user entry that you want to delete. ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as (&(objectclass=posixAccount)(uid=name)). If more than one entry matches this search filter, only the first discovered entry is removed. You can specify only one of -D, or parameter on the command line. Specifies the name of the group entry that you want to delete.
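The following is an added example (not ldapugdel's code; the page does not say how the tool builds its filter) of constructing the (&(objectclass=posixAccount)(uid=name)) filter described above with the name escaped per RFC 4515, together with a small filter evaluator run over constructed entries. It shows why the escaping matters for a tool that deletes the first match: an unescaped "*" or "m*" in the name turns the filter into a wildcard and the first entry it happens to hit is the one removed.

```python
"""Build the account search filter described in the manual, escaping the
user-supplied name per RFC 4515, and evaluate filters against sample
entries to show why the escaping matters.

Added example, not ldapugdel's code; the manual does not say how the tool
builds its filter. The entries and the mini filter evaluator are
constructed here for the demonstration.
"""
import re

# Constructed entries; attribute values are lists as in LDAP.
ENTRIES = [
    {"dn": "uid=msmart,ou=users,dc=org,dc=example,dc=com",
     "objectclass": ["top", "posixAccount"], "uid": ["msmart"]},
    {"dn": "uid=mlee,ou=users,dc=org,dc=example,dc=com",
     "objectclass": ["top", "posixAccount"], "uid": ["mlee"]},
    {"dn": "cn=group1,ou=groups,dc=org,dc=example,dc=com",
     "objectclass": ["top", "posixGroup"], "cn": ["group1"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\', NUL and every non-ASCII byte
    of the UTF-8 encoding become \\XX, so the value can only match itself
    and cannot change the structure of the filter."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def account_filter(name, object_class="posixAccount", name_attr="uid"):
    """The (&(objectclass=posixAccount)(uid=name)) filter from the manual,
    with the name escaped."""
    return "(&(objectclass=%s)(%s=%s))" % (object_class, name_attr, escape_filter_value(name))


def _parse(text, i):
    """Recursive-descent parse of the RFC 4515 subset needed here: &, |, !
    and equality items with '*' wildcards. Returns (node, next index)."""
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(text) and text[i] in "&|":
        op, children = text[i], []
        i += 1
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            children.append(child)
        node = (op, children)
    elif i < len(text) and text[i] == "!":
        child, i = _parse(text, i + 1)
        node = ("!", [child])
    else:
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, pattern = text[i:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item %r" % text[i:end])
        node = ("=", attr.strip().lower(), pattern)
        i = end
    if i >= len(text) or text[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(_matches(c, attrs) for c in node[1])
    if op == "|":
        return any(_matches(c, attrs) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], attrs)
    _, attr, pattern = node
    # Compare in escaped form: an unescaped '*' is the only wildcard, while
    # an escaped \2a in the pattern is a literal asterisk in the value.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, escape_filter_value(v), re.IGNORECASE)
               for v in attrs.get(attr, []))


def find_entries(entries, filter_text):
    """Return the DNs of the entries the filter matches, in server order."""
    node = parse_filter(filter_text)
    hits = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if _matches(node, attrs):
            hits.append(entry["dn"])
    return hits
```

Comparing in escaped form keeps the evaluator short: both the filter item and the entry value pass through the same deterministic escaping, so an unescaped asterisk is the only thing that can act as a wildcard. Any script that wraps ldapugdel or builds a -f argument for ldapuglist from untrusted input should escape the value this way before interpolating it.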
NOTE: Keep the following considerations in mind when using the -O option: • The ldapugdel tool does not support attribute mappings. For example, if the uidNumber attribute has been mapped to the employeeNumber attribute, ldapugdel will attempt to remove uidNumber attribute and not employeeNumber.
Table C-9 Return Codes for ldapugdel (continued)
  DEL_MULTIPLE_ENTRY_FOUND  Multiple entries found that match the same name. Please use a DN to specify a specific entry.
  DEL_DELETE_FAILED         The LDAP deletion operation failed.
  DEL_SEARCH_FAILED         The LDAP search for subSchemaSubEntry, attributeTypes or objectClasses failed.
  DEL_PARSE_ERROR           Unable to analyze the LDAP directory server’s schema. This operation is required in order to determine which attributes may be legally removed.
  ./ldapugdel -t passwd msmart
Run the following command to delete the entire group entry with the Distinguished Name “cn=group1,ou=groups,dc=org,dc=example,dc=com”:
  ./ldapugdel -t group -D "cn=group1,ou=groups,dc=org,dc=example,dc=com"
In this example, ldapugdel is used to access a Windows 2003 R2 Active Directory Server with R2's RFC 2307 schema installed.
The ldapcfinfo Tool Use the ldapcfinfo tool to discover configuration information about the LDAP-UX product. The ldapcfinfo tool can also be used to discover the list of required attributes when creating new users or groups in an LDAP directory server. Non-interactive LDAP applications can use this tool to find LDAP-UX configuration details when adding new users or groups. The ldapcfinfo tool can also report whether LDAP-UX is properly configured and active for the specified service.
-T separate lines, one per line. Because the RFC 2307 POSIX attributes are a static known list and are required, only non-POSIX attributes are displayed. Specifies the LDIF template file to be used to create new user or group entries. The parameter can be either a full or relative path name or a short name. A short name is defined as the distinguishing portion of the template file name.
-f -m [,..] -a -h for the passwd service. Output value for the -s option can be base, one or sub, which represents the search scopes as defined in RFC 4516, Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator. Displays the primary (first) configured search filter for the particular service defined with the -t option. If you do not specify the -t option, the passwd service is the default.
Table C-10 Return Codes for ldapcfinfo (continued)
  CFI_PARSE_CONFIG_FAILED       Unable to parse the following configuration line in the NSS subsection of the configuration file.
  CFI_SEARCH_SERVICEID_FAILED   Unable to find the service id for the specified service.
  CFI_UNKNOWN_ATTR              Unknown attribute for the specified service.
  CFI_VERIFY_PROXYCRED_FAILED   Unable to verify the LDAP-UX proxy credential.
  CFI_BIND_FAILED               Unable to bind to the directory server specified in the LDAP-UX configuration profile.
In this example, ldapcfinfo is used to access a Windows 2003 R2 Active Directory Server with the R2's RFC 2307 schema installed. Assume that the homeDirectory attribute has been mapped to unixHomeDirectory. The following command displays the attribute mapping for the homeDirectory attribute:
  ./ldapcfinfo -t passwd -m homeDirectory
The output of the command is as follows:
  homeDirectory=unixHomeDirectory
If ldapcfinfo is used to access a Windows 2000/2003 ADS with the SFU 3.0/3.
  /etc/opt/ldapux/ug_templates/ug_passwd_ads.tmpl
  /etc/opt/ldapux/ug_templates/ug_passwd_std.tmpl
  /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl
The following command displays the list of available template files for the group name service:
  ./ldapcfinfo -t group -L
Assume that /etc/opt/ldapux/ug_templates/ug_group_std.tmpl, /etc/opt/ldapux/ug_templates/ug_group_default.tmpl /etc/opt/ldapux/ug_templates/ug_group_ads.
LDAP Directory Tools This section briefly describes the ldappasswd, ldapsearch, ldapmodify and ldapdelete commands. For detailed information about ldapsearch, ldapmodify, and ldapdelete, refer to the Microsoft Windows Active Directory Server Administrator's Guide available at http://docs.hp.com/en/internet.html. ldappasswd This section describes the ldappasswd command and its parameters.
ldapsearch You use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format. For detailed information, refer to the Microsoft Windows Active Directory Server Administrator's Guide available at the following web site: http://docs.hp.com/en/internet.
contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do. For detailed information, refer to the Red Hat Directory Server for HP-UX Administrator's Guide available at the following web site: http://docs.hp.com/en/internet.html Syntax ldapmodify [optional_options] where optional_options specifies a series of command-line options. ldapmodify Options This section lists the most commonly used ldapmodify options.
-P   Specifies the TCP port number that the Directory Server uses. The default is 389.
-dn  Specifies the DN of the entry to be deleted.
-w   Specifies the password associated with the distinguished name that is specified in the -D option.
Schema Extension Utility Overview A directory schema is a collection of attribute type definitions, object class definitions and other information supported by a directory server. Schema controls the type of data that can be stored in a directory server. Although there are some recommended schemas that came originally from the X.500 standards, mostly for representing individuals and organizations, there is no universal schema standard in place for every possible application.
Operations Performed by the Schema Extension Utility The schema extension utility, ldapschema, supports the following two modes of operation: 1. Query Schema Status Based on the set of attribute types and object classes defined in the input schema definition file, this tool queries their status on the directory server schema without applying any changes to the LDAP directory server.
information on how to create an XML file containing supported matching rules and syntaxes for your directory server. • Mapping Rules For Unsupported Matching Rules and Syntaxes File If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them using alternate matching rules and syntaxes the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.
ldapschema — The Schema Extension Tool The ldapschema utility allows schema developers to define LDAP schemas using a universal XML syntax, greatly simplifying the ability to support different directory server variations. It can be used to query the current status of the LDAP schema on the LDAP directory server, as well as extend the LDAP directory server schema with new attribute types and object classes.
Table C-12 Reserved LDAPv3 Directory Servers (continued)
  MAC OS X Directory Server             mac
  Sun One Directory Server              sun
  Computer Associates Directory Server  ca
  iPlanet Directory Server              iPlanet
-V ds_version  The version of the LDAP directory server. ldapschema compares the version given with -V against the version defined in the XML files it processes using strcasecmp(), so the comparison is case-insensitive; the two versions must match.
-j file   Specifies an administrator’s password in the file (for simple authentication).
-w        Inputs an administrator’s password from the prompt (for simple authentication).
-Z        Establishes an SSL-encrypted connection.
-ZZ       Specifies a TLS request.
-ZZZ      Enforces a TLS request (requires a successful server response).
-P path   Specifies the path to the SSL certificate database. (Default: /etc/opt/ldapux)
-3        Verifies the host name in SSL certificates.
-s- -m- -f -F -v
Environment Variables The ldapschema utility supports the following environment variables:
  LDAP_BINDDN    The Distinguished Name (DN) of an administrator who has permissions to read and modify the LDAP directory server schema.
  LDAP_BINDCRED  The password for the privileged LDAP directory user.
  LDAP_HOST      The host name of the LDAP directory server. The LDAP_HOST variable uses the “hostname:port” format. If the port is not specified, the default port number is 389 for regular connections, or 636 for SSL connections.
Schema Definition File The ldapschema utility queries and extends LDAP directory server based on the XML schema definition file. When using the ldapschema tool, the schema argument used with the -q or -e option must correspond to the XML file containing the appropriate schema definition. Several predefined files (such as rfc3712.xml, rfc2256.xml, etc...) are stored in the /etc/opt/ldapux/schema directory. But the schema definition file can be stored in any directory with any file name.
A Sample RFC3712.xml File A sample rfc3712.xml file defines two attribute types, printer-name and printer-aliases, followed by one object class, printerLPR, as specified in RFC 3712: [numbered listing of rfc3712.xml]
Defining Attribute Types Each attribute type definition, enclosed by tags, can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification. Required. At least one attribute type name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification. Optional.
Optional, use to specify any directory-specific information about the attribute type. See “Defining Directory Specific Information” (page 242) section for details. Attribute Type Definition Requirements To add the new schema to the LDAP directory server, each attribute type definition must meet the following requirements: • The attribute type has a tag with one numeric id value which adheres to RFC 2252 format specification.
Defining Object Classes Each object class definition, enclosed by the tags, can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification. Required. At least one object class name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification. Optional.
Object Class Definition Requirements To add the new schema to the LDAP directory server, each object class definition must meet the following requirements: • The object class definition contains a tag with one numeric id value which adheres to RFC 2252 format specification. • The object class definition has at least one tag with the object class name. Each name must adhere to RFC 2252 format specification.
Defining Directory Specific Information Attribute type and object class definitions can be extended with directory-specific information using the tag. This is useful to maintain a single schema definition file for different types and versions of LDAP directory servers.
An Example of Defining Directory Specific Information in the Object Class Definition Directory specific information can be specified in the object class definitions as well as in optional and mandatory attributes. The following is an example of the object class definition with directory specific information using the tag and XML attributes, not and only: [numbered listing of the object class definition; its numeric oid value begins 1.23.456.7.89101112.1.314.1.51.]
LDAP Directory Server Definition File In order to properly install new attribute types in an LDAP directory server schema, the ldapschema utility needs to determine whether the LDAP server supports the matching rules and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs an LDAP search for supported matching rules and syntaxes on the LDAP server. However, some types of directory servers do not provide this information as part of the search.
Lines 1-2 are required in every LDAP directory server definition file. LDAP syntax and matching rule definitions closely follow the format specified in RFC 2252. Values specified for all XML tags must not be quoted. Only the description field (enclosed by ... tags) can contain spaces. NOTE: Only LDAP syntaxes and matching rules fully supported by the LDAP directory server can be specified in this file.
Mapping Unsupported Matching Rules and LDAP Syntaxes If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them to alternate matching rules and syntaxes the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.xml file which defines a list of default substitution matching rules and syntaxes, and alternate matching rules and syntaxes.
  1.3.6.1.4.1.1466.115.121.1.15  Directory String syntax.
How Does ldapschema Map Unsupported Matching Rules and LDAP Syntaxes If a matching rule or the syntax used by an attribute type is not supported on the LDAP server, the ldapschema utility checks whether an appropriate substitution rule is specified in the /etc/opt/ldapux/schema/map-rules.xml file.
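The following is an added example (not ldapschema's code) of the resolution step described above: each attribute type's syntax and matching rules are checked against what the server supports, unsupported ones are replaced from a map-rules table, and anything that still cannot be mapped is reported with the ATTRIB_UNRESOLVED wording used later in this appendix. The in-memory tables stand in for the server definition file and map-rules.xml; the attribute definitions are constructed after RFC 3712's printer-name and printer-aliases plus one with an unsupported syntax; the ATTRIB_SUBSTITUTED label is this example's own; and the substitute_syntax / substitute_rules switches model running without the -s / -m options (the page describes -m as disabling matching rule substitution; that -s does the same for syntaxes is assumed).

```python
"""Resolve the LDAP syntaxes and matching rules of new attribute types
against what a directory server supports, substituting from a map-rules
table where needed and reporting what cannot be mapped.

Added example, not ldapschema's code. The in-memory tables stand in for the
server definition file and map-rules.xml; the attribute definitions are
constructed after RFC 3712's printer-name and printer-aliases, plus one with
an unsupported syntax to exercise the substitution path.
"""
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # OID quoted in the manual
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"        # standard LDAP syntax OID

# Constructed stand-in for what the server reports (or for the server
# definition file of a server that does not publish its schema).
SERVER_SYNTAXES = {DIRECTORY_STRING}
SERVER_RULES = {"caseIgnoreMatch", "caseIgnoreSubstringsMatch"}

# Constructed stand-in for map-rules.xml: unsupported item -> substitute.
MAP_RULES = {
    "syntax": {IA5_STRING: DIRECTORY_STRING},
    "rule": {"caseExactIA5Match": "caseIgnoreMatch",
             "caseIgnoreIA5Match": "caseIgnoreMatch"},
}

ATTRIBUTE_TYPES = [
    {"name": "printer-name", "syntax": DIRECTORY_STRING,
     "equality": "caseIgnoreMatch", "substr": "caseIgnoreSubstringsMatch"},
    {"name": "printer-aliases", "syntax": DIRECTORY_STRING,
     "equality": "caseIgnoreMatch", "substr": "caseIgnoreSubstringsMatch"},
    {"name": "printer-uri-example", "syntax": IA5_STRING,
     "equality": "caseExactIA5Match"},
]


def resolve_attribute(attr, syntaxes, rules, map_rules,
                      substitute_syntax=True, substitute_rules=True):
    """Return (resolved definition, status messages).

    substitute_syntax=False / substitute_rules=False model the -s / -m
    options, which disable substitution so the unsupported item is
    reported instead of mapped.
    """
    resolved, messages = dict(attr), []
    name, syntax = attr["name"], attr["syntax"]
    if syntax not in syntaxes:
        alt = map_rules["syntax"].get(syntax) if substitute_syntax else None
        if alt is not None and alt in syntaxes:
            resolved["syntax"] = alt
            messages.append('ATTRIB_SUBSTITUTED LDAP syntax "%s" in "%s" replaced by "%s"'
                            % (syntax, name, alt))
        else:
            messages.append('ATTRIB_UNRESOLVED LDAP syntax "%s" used in "%s" attribute type '
                            'definition cannot be mapped' % (syntax, name))
    for slot in ("equality", "substr", "ordering"):
        rule = attr.get(slot)
        if rule is None or rule in rules:
            continue
        alt = map_rules["rule"].get(rule) if substitute_rules else None
        if alt is not None and alt in rules:
            resolved[slot] = alt
            messages.append('ATTRIB_SUBSTITUTED matching rule "%s" in "%s" replaced by "%s"'
                            % (rule, name, alt))
        else:
            messages.append('ATTRIB_UNRESOLVED matching rule "%s" used in "%s" attribute type '
                            'definition cannot be mapped' % (rule, name))
    return resolved, messages


def resolve_schema(attrs, syntaxes, rules, map_rules, **flags):
    """Resolve every attribute type; returns (definitions ready to load,
    all messages, True if nothing is left unresolved)."""
    definitions, messages = [], []
    for attr in attrs:
        resolved, msgs = resolve_attribute(attr, syntaxes, rules, map_rules, **flags)
        definitions.append(resolved)
        messages.extend(msgs)
    ok = not any(m.startswith("ATTRIB_UNRESOLVED") for m in messages)
    return definitions, messages, ok


if __name__ == "__main__":
    defs, msgs, ok = resolve_schema(ATTRIBUTE_TYPES, SERVER_SYNTAXES, SERVER_RULES, MAP_RULES)
    print("\n".join(msgs), "\nready to extend:", ok)
```

The substitute is accepted only if the server actually supports it, which is the check that keeps a stale map-rules entry from producing a definition the server will reject; the run with substitution disabled reproduces the situation in which the ATTRIB_UNRESOLVED message tells you to edit the file or rerun without -m.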
Return Values From ldapschema The ldapschema tool returns the following values:
  0   The operation is successful.
  –1  The operation fails.
In addition, ldapschema prints to STDOUT the overall status of the schema being queried or extended. Based on the schema status, any combination of the following messages is displayed. Detailed explanations of each message are specified in the square brackets following the message body text.
SCHEMA_EXISTS No changes to the LDAP server schema are needed. All attribute types and object classes defined in the file are already part of the LDAP directory server schema. [The SCHEMA_EXISTS message indicates the schema specified in the file is already installed on the LDAP directory server. All attribute types and object classes defined in the file are already part of the schema on the LDAP directory server.
Check the messages containing ATTRIB_MISMATCH and OBJECT_MISMATCH described below for the exact instances of attribute types and object classes, respectively, causing the schema mismatch. The mismatch is caused by any differences in element definitions, such as equality matching rule, single-valued setting, attribute syntax, object class type, attribute types an object class includes, etc.
file. The value must be compliant with RFC 2252. See RFC 2252 for details. ATTRIB_INVALID Attribute type “” has an invalid name. Edit the schema definition file to specify an RFC 2252 compliant value for this attribute type. Valid name characters are letters (A-Z, a-z), digits (0-9), semicolons (;) and dashes (-). A valid name must begin with a letter (A-Z, a-z). See RFC 2252 for details.
The -m option disables matching rule substitution in attribute types. Edit the file to specify an alternate matching rule supported on the LDAP server, or execute the ldapschema utility without the -m option to substitute this matching rule with an alternative matching rule supported on the LDAP server.]
ATTRIB_UNRESOLVED LDAP syntax “” used in “” attribute type definition cannot be mapped. This LDAP syntax is not supported on the LDAP server.
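The substitution check described in the preceding sections (look up the server's supported rules and syntaxes, map an unsupported one to a less specific alternative from map-rules.xml, report ATTRIB_INVALID for a bad name and ATTRIB_UNRESOLVED when nothing can be mapped, and the effect of -m), as an added Python model. This is not LDAP-UX code: the server capability sets, the substitution table, the RULE_MAPPED and SYNTAX_MAPPED labels and the attribute types under the IANA documentation OID arc 1.3.6.1.4.1.32473 are assumptions, and the real map-rules.xml syntax is not reproduced.

```python
"""Added example, not part of LDAP-UX: a model of the check a schema extension
tool such as ldapschema performs before installing an attribute type. It parses
RFC 2252 AttributeTypeDescription strings, compares EQUALITY and SYNTAX against
what the server advertises, and substitutes a less specific supported value
from a map table when that is allowed."""
import re

# Constructed stand-in for what the tool would read from the server's
# subschema entry (matchingRules and ldapSyntaxes attributes).
SERVER_MATCHING_RULES = {
    "caseIgnoreMatch", "caseIgnoreIA5Match", "integerMatch", "distinguishedNameMatch",
}
SERVER_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.15",  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.27",  # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.12",  # DN
}

# Assumed substitution tables, most preferred alternative first. They model the
# idea behind /etc/opt/ldapux/schema/map-rules.xml, not its actual syntax.
MATCHING_RULE_MAP = {
    "caseExactMatch": ["caseIgnoreMatch"],
    "caseExactIA5Match": ["caseIgnoreIA5Match", "caseIgnoreMatch"],
}
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.26": ["1.3.6.1.4.1.1466.115.121.1.15"],  # IA5 String -> Directory String
    "1.3.6.1.4.1.1466.115.121.1.44": ["1.3.6.1.4.1.1466.115.121.1.15"],  # Printable String -> Directory String
}

# Name rule as stated on this page: starts with a letter; letters, digits, ';' and '-'.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9;-]*$")


def parse_attribute_type(definition):
    """Extract the fields this check needs from an RFC 2252 attribute type definition."""
    oid = re.match(r"\s*\(\s*([0-9.]+)", definition)
    name = re.search(r"\bNAME\s+\(?\s*'([^']*)'", definition)   # first name if several
    equality = re.search(r"\bEQUALITY\s+(\S+)", definition)
    syntax = re.search(r"\bSYNTAX\s+([0-9.]+)", definition)     # {len} suffix ignored
    return {
        "oid": oid.group(1) if oid else None,
        "name": name.group(1) if name else "",
        "equality": equality.group(1) if equality else None,
        "syntax": syntax.group(1) if syntax else None,
    }


def _substitute(value, table, supported):
    """First alternative from the map table that the server supports, else None."""
    for alt in table.get(value, []):
        if alt in supported:
            return alt
    return None


def check_attribute_type(definition, substitute=True):
    """Return (resolved attribute dict, [(status, message), ...]).

    substitute=False mirrors running ldapschema with -m: unsupported matching
    rules are reported instead of mapped. The page only says -m affects
    matching rules, so syntax mapping is left on (an assumption)."""
    attr = parse_attribute_type(definition)
    messages = []
    if attr["oid"] is None:
        messages.append(("ATTRIB_INVALID", "Attribute type definition is missing a numeric oid."))
    if not NAME_RE.match(attr["name"]):
        messages.append(("ATTRIB_INVALID", 'Attribute type "%s" has an invalid name.' % attr["name"]))

    rule = attr["equality"]
    if rule and rule not in SERVER_MATCHING_RULES:
        alt = _substitute(rule, MATCHING_RULE_MAP, SERVER_MATCHING_RULES) if substitute else None
        if alt:
            messages.append(("RULE_MAPPED", 'Matching rule "%s" in "%s" mapped to "%s".' % (rule, attr["name"], alt)))
            attr["equality"] = alt
        else:
            messages.append(("ATTRIB_UNRESOLVED", 'Matching rule "%s" used in "%s" attribute type definition cannot be mapped.' % (rule, attr["name"])))

    syntax = attr["syntax"]
    if syntax and syntax not in SERVER_SYNTAXES:
        alt = _substitute(syntax, SYNTAX_MAP, SERVER_SYNTAXES)
        if alt:
            messages.append(("SYNTAX_MAPPED", 'LDAP syntax "%s" in "%s" mapped to "%s".' % (syntax, attr["name"], alt)))
            attr["syntax"] = alt
        else:
            messages.append(("ATTRIB_UNRESOLVED", 'LDAP syntax "%s" used in "%s" attribute type definition cannot be mapped.' % (syntax, attr["name"])))
    return attr, messages


def check_schema(definitions, substitute=True):
    """Check every definition; results keyed by attribute name."""
    return {
        parse_attribute_type(d)["name"]: dict(zip(("attr", "messages"), check_attribute_type(d, substitute)))
        for d in definitions
    }


def exit_status(results):
    """0 when every attribute type can be installed, -1 otherwise (ldapschema's return values)."""
    blocking = {"ATTRIB_INVALID", "ATTRIB_UNRESOLVED"}
    return -1 if any(s in blocking for r in results.values() for s, _ in r["messages"]) else 0


# Constructed input: two RFC 2307 definitions plus three hypothetical ones
# under the IANA documentation enterprise arc 1.3.6.1.4.1.32473.
SAMPLE_DEFINITIONS = [
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )",
    "( 1.3.6.1.4.1.32473.1 NAME 'exampleExactAttr' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 1.3.6.1.4.1.32473.2 NAME 'exampleOctetAttr' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 1.3.6.1.4.1.32473.3 NAME '9badName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

if __name__ == "__main__":
    results = check_schema(SAMPLE_DEFINITIONS)
    for name, r in results.items():
        for status, text in r["messages"]:
            print("%-17s %s" % (status, text))
    print("exit status:", exit_status(results))
```

Run the block with and without substitution to see the difference -m makes: caseExactMatch on exampleExactAttr becomes a RULE_MAPPED message in the default mode and an ATTRIB_UNRESOLVED (exit status -1) in the strict mode, while the IA5 String syntax of ipHostNumber is mapped to Directory String either way.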
Object Class Status Messages OBJECT_INVALID Object class definition is missing a numeric oid. Edit the schema definition file to specify one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the file.] OBJECT_INVALID Object Class definition is missing a name.
OBJECT_FOUND Object class “” is already installed in the LDAP server schema. [This message indicates the LDAP directory server schema already includes an object class definition with the same numeric OID or name. If the ldapschema utility is executed in extend mode, the given object class is not added to the LDAP directory server schema. This message is displayed in verbose mode only.
successfully mapped to a higher-level (less specific) matching rule supported by that server, , as specified in the /etc/opt/ldapux/schema/map-rules.xml file. The attribute types that use this matching rule with the , , tags will be queried or extended on the LDAP directory server using ].
LDAP Syntax Status Messages
SYNTAX_INVALID LDAP syntax is missing a numeric oid.
Name Service Migration Scripts This section describes the shell and Perl scripts that can migrate your name service data either from source files or NIS maps to your Active Directory. These scripts are found in /opt/ldapux/migrate/ads. The two shell scripts migrate_all_online.ads.sh and migrate_all_nis_online.ads.sh migrate all your source files or NIS maps, while the Perl scripts migrate_passwd_ads.pl, migrate_hosts_ads.pl, migrate_networks_ads.pl, migrate_protocols_ads.pl, migrate_rpc_ads.
Directory for Kerberos authentication. Therefore, to allow users to log on to a UNIX system, the Active Directory administrator needs to enable the user account first and set the initial password.
CAUTION: The password migration tool migrates all user accounts from the specified source files or NIS server. For security reasons, the root user and any objects with uid=0 should either be removed from the resulting LDIF file before migrating to Active Directory, or be removed from Active Directory afterwards: any such directory entry resolves to uid 0, that is root, on every LDAP-UX client that uses that directory.
If systems have been configured with the same hostname, the migration script migrate_host.pl creates multiple entries in its resulting LDIF file with the same DN for that hostname, one for each of the IP addresses. Since DNs must be unique in an LDAP directory, first manually merge the IP addresses into one designated host record and delete the duplicated records from the LDIF file. A resulting merge might look as follows: . . . .
uidNumber: 101
gidNumber: 20
msSFUHomeDirectory: /home/jbloggs
gecos: Joe Bloggs,Cupertino,888-9999,
sAMAccountName: jbloggs
The following commands convert /etc/group into LDIF and place the result in /tmp/group.ldif:
$ export LDAP_BASEDN="DC=example,DC=hp,DC=com"
$ migrate_group.pl /etc/group /tmp/group.ldif
$ cat /tmp/group.
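The two manual cleanup steps called for above (removing root and any other uid=0 accounts from the migration LDIF, and merging duplicate host records that share a DN into one record carrying all IP addresses) as an added Python example. This is not part of the LDAP-UX migration scripts: the LDIF input is constructed after the page's own migration output, and using the RFC 2307 ipHostNumber attribute for the host entries is an assumption.

```python
"""Added example, not LDAP-UX code: clean a migration LDIF before importing it
into Active Directory. Entries with uidNumber 0 are dropped, and entries that
share a DN are folded into one record with the union of their attribute values."""

# Constructed sample: a root account, a normal user, and one host migrated
# twice because two systems used the same hostname.
SAMPLE_LDIF = """\
dn: CN=root,CN=Users,DC=example,DC=hp,DC=com
objectClass: user
sAMAccountName: root
uidNumber: 0
gidNumber: 3

dn: CN=jbloggs,CN=Users,DC=example,DC=hp,DC=com
objectClass: user
sAMAccountName: jbloggs
uidNumber: 101
gidNumber: 20
msSFUHomeDirectory: /home/jbloggs
gecos: Joe Bloggs,Cupertino,888-9999,

dn: CN=webhost,CN=Computers,DC=example,DC=hp,DC=com
objectClass: ipHost
cn: webhost
ipHostNumber: 192.0.2.10

dn: CN=webhost,CN=Computers,DC=example,DC=hp,DC=com
objectClass: ipHost
cn: webhost
ipHostNumber: 192.0.2.11
"""


def parse_ldif(text):
    """Split LDIF into records; each record is a list of (attr, marker, value).

    marker is ':' for plain values, '::' for base64 and ':<' for URLs; values
    are kept opaque so they round-trip unchanged. Folded continuation lines
    (leading space) are joined, '#' comments and a leading version line skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:                      # sentinel flushes the last record
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        marker = ":"
        if rest.startswith(":"):
            marker, rest = "::", rest[1:]
        elif rest.startswith("<"):
            marker, rest = ":<", rest[1:]
        if attr.strip().lower() == "version" and not current:
            continue
        current.append((attr.strip(), marker, rest.strip()))
    return records


def values(record, attr):
    return [v for a, _, v in record if a.lower() == attr.lower()]


def dn_of(record):
    dns = values(record, "dn")
    return dns[0] if dns else ""


def drop_uid0(records):
    """Remove every entry that would resolve to uid 0 (root) on a client."""
    kept, dropped = [], []
    for rec in records:
        if any(v == "0" for v in values(rec, "uidNumber")):
            dropped.append(dn_of(rec))
        else:
            kept.append(rec)
    return kept, dropped


def merge_duplicate_dns(records):
    """Fold records sharing a DN (case-insensitive) into the first one seen,
    appending attribute values the first record does not already carry."""
    merged, by_dn = [], {}
    for rec in records:
        key = dn_of(rec).lower()
        if key in by_dn:
            target = by_dn[key]
            present = {(a.lower(), v) for a, _, v in target}
            for a, m, v in rec:
                if a.lower() != "dn" and (a.lower(), v) not in present:
                    target.append((a, m, v))
                    present.add((a.lower(), v))
        else:
            by_dn[key] = rec
            merged.append(rec)
    return merged


def serialize_ldif(records):
    return "\n\n".join("\n".join("%s%s %s" % (a, m, v) for a, m, v in rec) for rec in records) + "\n"


def sanitize(text):
    """Full pipeline: returns (cleaned LDIF text, list of dropped uid-0 DNs)."""
    kept, dropped = drop_uid0(parse_ldif(text))
    return serialize_ldif(merge_duplicate_dns(kept)), dropped


if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE_LDIF)
    print("dropped uid 0 entries:", dropped)
    print(cleaned)
```

The merge keeps the first record's attribute order and only appends values the designated record lacks, so objectClass and cn are not duplicated while both ipHostNumber values survive; review the dropped-DN list before importing, since an account that legitimately carries uidNumber 0 in the source files is exactly what should not reach the directory.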
Unsupported Contributed Tools and Scripts This section describes contributed tools and scripts which are not officially supported by HP at the present time. beq Search Tool The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library.
pw_passwd.........(*)
pw_uid............(101)
pw_gid............(21)
pw_age............()
pw_comment........()
pw_gecos..........(gecos data in files)
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)
Use the following beq command on a 64-bit HP-UX 11i v2 or v3 Itanium (IA) system:
./beq -k n -s pwd -l /usr/lib/hpux64/libnss_ldap.so.1 iuser1
Use the following beq command on a 32-bit HP-UX 11i v2 or v3 Itanium (IA) system:
.
./beq -k d -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 102
• An example beq command using group name igrp1 as the search key, grp (group) as the service, and ldap as the library on a 32-bit HP-UX 11i v1, v2 or v3 PA-RISC system is shown below:
./beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1
nss_status..............NSS_SUCCESS
gr_name...........(igrp1)
gr_passwd.........(*)
gr_gid............(21)
pw_age............
Examples
The following command displays the DN of the user whose login name (uid) is john:
./uid2dn john
The command produces output like the following:
CN=john lee,CN=Users,DC=usa,DC=example,DC=hp,DC=com
get_attr_map.pl — Get Attribute Map from Profile Tool
This tool, found in /opt/ldapux/contrib/bin, gets the attribute map information for a given name service from the profile file /etc/opt/ldapux/ldapux_profile.ldif.
Syntax get_attr_map.
D Sample PAM Configuration File This appendix provides a sample PAM configuration file. This pam.conf file is intended as an example only. Refer to pam.conf(4) for more details. The following is a sample PAM configuration file used on the HP-UX 11.0 or 11i v1 system: ## PAM configuration # # This pam.conf file is intended as an example only. # see pam.
login    session sufficient /usr/lib/security/libpam_krb5.1
login    session required   /usr/lib/security/libpam_unix.1
dtlogin  session sufficient /usr/lib/security/libpam_krb5.1
dtlogin  session required   /usr/lib/security/libpam_unix.1
dtaction session sufficient /usr/lib/security/libpam_krb5.1
dtaction session required   /usr/lib/security/libpam_unix.1
OTHER    session required   /usr/lib/security/libpam_unix.
#
# Password
#
login login passwd passwd dtlogin dtlogin dtaction dtaction OTHER
dtaction auth required   libpam_hpsec.so.1
dtaction auth sufficient libpam_krb5.so.1
dtaction auth required   libpam_unix.so.1 try_first_pass
ftp      auth required   libpam_hpsec.so.1
ftp      auth sufficient libpam_krb5.so.1
ftp      auth required   libpam_unix.so.1 try_first_pass
OTHER    auth required   libpam_unix.so.1
#
# Account management
#
login    account required   libpam_hpsec.so.1
login    account sufficient libpam_krb5.so.1
login    account required   libpam_unix.so.1
su       account required   libpam_hpsec.so.
E Sample /etc/krb5.conf File
This appendix provides a sample krb5.conf file, which supports two domains.
[libdefaults]
 default_realm = CA.HP.COM
 default_tgs_enctypes = DES-CBC-CRC
 default_tkt_enctypes = DES-CBC-CRC
 ldapux_multidomain = 1
 ccache_type = 2
[realms]
 CA.HP.COM = {
  kdc = HPSVRC.CA.HP.COM:88
  kpasswd_server = HPSVRC.CA.HP.COM:464
 }
 NY.HP.COM = {
  kdc = HPSVRD.NY.HP.COM:88
  kpasswd_server = HPSVRD.NY.HP.COM:464
 }
[domain_realm]
 .ca.hp.com = CA.HP.COM
 .ny.hp.com = NY.HP.
NOTE: Single-DES encryption types such as DES-CBC-CRC are cryptographically weak and were deprecated for Kerberos by RFC 6649; current Active Directory domain controllers disable them by default. On such a domain the default_tgs_enctypes and default_tkt_enctypes settings must list an encryption type the KDC actually offers, for example an AES type.
F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode This Appendix provides a sample PAM configuration file, /etc/pam.conf, used on the HP-UX 11i v1 system to support the coexistence of LDAP-UX and Trusted Mode. If your directory server is the Microsoft Windows 2000 Active Directory Server and your LDAP client is in the Trusted Mode, the /etc/pam.conf file must be configured as shown in the following example file. Use the following steps to create the /etc/pam.
dtlogin  account required
dtaction account sufficient
dtaction account required
ftp      account sufficient
ftp      account required
OTHER    account required
#
# Session management
#
login    session required
login    session required
dtlogin  session required
dtlogin  session required
dtaction session required
dtaction session required
OTHER    session required
#
# Password management
#
login    password sufficient
login    password required
passwd   password sufficient
passwd   password required
dtlogin  password sufficient
dtlogin  passwo
G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode This Appendix provides a sample PAM configuration file, /etc/pam.conf, used on the HP-UX 11i v2 system to support the coexistence of LDAP-UX and Trusted Mode. If your directory server is the Microsoft Windows 2000 or 2003 Active Directory Server and your LDAP client is in the Trusted Mode, the /etc/pam.conf file must be configured as shown in the following example file. Use the following steps to create the /etc/pam.
dtaction auth required
ftp      auth required
ftp      auth sufficient
ftp      auth required
OTHER    auth required
#
# Account management
#
login    account required
login    account sufficient
login    account required
su       account required
su       account sufficient
su       account required
dtlogin  account required
dtlogin  account sufficient
dtlogin  account required
dtaction account required
dtaction account sufficient
dtaction account required
ftp      account required
ftp      account sufficient
ftp      account required
OTHER    account required
#
# Sessio
H Sample PAM Configuration File for Security Policy Enforcement This Appendix provides the sample PAM configuration file, /etc/pam.conf, to support account and password policy enforcement for Secure Shell (SSH) key-pair logins and r-commands. Such logins do not pass through the auth stack, so the policy can only be enforced from the account stack: in /etc/pam.conf the pam_authz library must be configured for the sshd and rcomds services under the account management module type. The following is a sample PAM configuration file used on the HP-UX 11i v1 system: ## PAM configuration # # This pam.
rcomds   account required
rcomds   account sufficient
rcomds   account required
sshd     account required
sshd     account sufficient
sshd     account required
OTHER    account required
#
# Session management
#
login    session sufficient
login    session required
dtlogin  session sufficient
dtlogin  session required
dtaction session sufficient
dtaction session required
OTHER    session required
#
# Password management
#
login    password sufficient
login    password required
passwd   password sufficient
passwd   password required
dtlogin  password
#
login    auth required
login    auth sufficient
login    auth required
su       auth required
su       auth sufficient
su       auth required
dtlogin  auth required
dtlogin  auth sufficient
dtlogin  auth required
dtaction auth required
dtaction auth sufficient
dtaction auth required
rcomds   auth required
rcomds   auth sufficient
rcomds   auth required
sshd     auth required
sshd     auth sufficient
sshd     auth required
ftp      auth required
ftp      auth sufficient
ftp      auth required
OTHER    auth required
#
# Account management
#
login    account required
login ac
#
# Password management
#
login    password required   libpam_hpsec.so.1
login    password sufficient libpam_krb5.so.1
login    password required   libpam_unix.so.1
passwd   password required   libpam_hpsec.so.1
passwd   password sufficient libpam_krb5.so.1
passwd   password required   libpam_unix.so.1
dtlogin  password required   libpam_hpsec.so.1
dtlogin  password sufficient libpam_krb5.so.
dtlogin  password required
dtaction password required
dtaction password sufficient
dtaction password required
OTHER    password required
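Every pam.conf sample in Appendices D through H relies on the same stacking rule: a required module placed before a sufficient one cannot be bypassed by that sufficient module's success, and a service with no entries of its own falls back to OTHER. The following added Python example, which is not HP-UX code, evaluates a pam.conf-style stack under those rules. Module outcomes come from a scenario dict instead of the real libpam_* libraries, and the stack text is constructed after the HP-UX 11i v2 style samples above.

```python
"""Added example, not HP-UX code: evaluate a pam.conf module stack the way the
control flags required, requisite, sufficient and optional combine, to show
why module order in the sample files matters."""

# Constructed after the 11i v2 style samples on this page (columns:
# service, module type, control flag, module, options).
SAMPLE_PAM_CONF = """\
# service type   flag        module             options
login   auth   required    libpam_hpsec.so.1
login   auth   sufficient  libpam_krb5.so.1
login   auth   required    libpam_unix.so.1   try_first_pass
OTHER   auth   required    libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return one dict per non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % line)
        service, mtype, flag, module = fields[:4]
        entries.append({"service": service, "type": mtype, "flag": flag.lower(),
                        "module": module, "options": fields[4:]})
    return entries


def stack_for(entries, service, mtype):
    """Entries for the service and module type, or the OTHER entries when none exist."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    return own or [e for e in entries if e["service"] == "OTHER" and e["type"] == mtype]


def evaluate(stack, outcomes):
    """Run the stack against module outcomes (module name -> True/False).

    Rules modelled (the classic pam.conf semantics):
      required   failure is remembered but later modules still run
      requisite  failure ends the stack immediately with failure
      sufficient success ends the stack with success unless a required
                 module already failed; failure is ignored
      optional   counts only when nothing else decided
    Returns (granted, trace); trace lists (module, result, action) in order."""
    required_failed = False
    any_success = False
    trace = []
    for e in stack:
        ok = outcomes.get(e["module"], False)        # unknown module counts as failure
        flag = e["flag"]
        if flag == "requisite" and not ok:
            trace.append((e["module"], ok, "requisite failed: stop"))
            return False, trace
        if flag == "required" and not ok:
            required_failed = True
            trace.append((e["module"], ok, "required failed: continue"))
            continue
        if flag == "sufficient" and ok:
            if not required_failed:
                trace.append((e["module"], ok, "sufficient: grant"))
                return True, trace
            trace.append((e["module"], ok, "sufficient ignored after required failure"))
            continue
        if ok:
            any_success = True
        trace.append((e["module"], ok, flag + (": ok" if ok else ": failed, ignored")))
    if required_failed:
        return False, trace
    return any_success, trace


def authenticate(conf_text, service, outcomes):
    """Evaluate the auth stack of the given service from pam.conf text."""
    return evaluate(stack_for(parse_pam_conf(conf_text), service, "auth"), outcomes)


# Constructed scenarios for the login auth stack.
SCENARIOS = {
    "krb5 password accepted": {"libpam_hpsec.so.1": True, "libpam_krb5.so.1": True, "libpam_unix.so.1": True},
    "local password only": {"libpam_hpsec.so.1": True, "libpam_krb5.so.1": False, "libpam_unix.so.1": True},
    "hpsec rejects, krb5 ok": {"libpam_hpsec.so.1": False, "libpam_krb5.so.1": True, "libpam_unix.so.1": True},
}

if __name__ == "__main__":
    for label, outcomes in SCENARIOS.items():
        granted, trace = authenticate(SAMPLE_PAM_CONF, "login", outcomes)
        print("%-24s -> %s" % (label, "granted" if granted else "denied"))
        for module, ok, action in trace:
            print("    %-18s %-5s %s" % (module, ok, action))
```

The third scenario is the one that matters when reviewing these files: when the required module that precedes libpam_krb5 fails, the Kerberos success is still recorded but does not short-circuit the stack, and the final answer is denial. Swapping the two lines would let a Kerberos success grant access before the required module ever ran.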
Glossary
Access Control Instruction   A specification controlling access to entries in a directory.
Access Control List   One or more ACIs.
ACI   See Access Control Instruction.
ACL   See Access Control List.
Configuration profile   An entry in an LDAP directory containing information common to many clients, that allows clients to access user, group and other information in the directory. Clients download the profile from the directory. See also Client Configuration File.
Remote Domains   All domains in the forest, other than the local domain, are referred to as remote domains. When you choose multiple domain support during setup, you are guided to configure profiles for remote domains. When LDAP-UX cannot find data in the local domain, the remote domains are searched.
RFC   Request for Comments; a document and process of standardization from the IETF.
RFC 2307   The IETF specification for using LDAP as a Network Information Service. See http://www.ietf.org/rfc/rfc2307.