LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

101

102

103

104

105

106

107

108

109

110

Table Of Contents

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
Table of Contents
Preface
- About This Document
1 Introduction
- Overview of LDAP-UX Client Services
- How LDAP-UX Client Services Works
2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
3 Active Directory Multiple Domains
- Domain Term Definitions
- Retrieving Data from a Remote Domain
  - Choosing Remote Domain Configuration or GCS
- Downloading an Automatic Profile
- Understanding the ldapux_client.conf Configuration File
- Resolving Duplicate Entries
- Changing Multiple Domain Configurations
- Limitations of Multiple Domains in Version B.03.00 or later
4 LDAP-UX Client Services with AutoFS Support
- Overview
- Automount Schemas
- Configuring Name Service Switch
- Configuring Automount Caches
- AutoFS Migration Scripts
5 LDAP Printer Configurator Support
- Overview
  - Definitions
- How the LDAP Printer Configurator works
  - Printer Configurator Architecture
- Printer Configuration Parameters
- Printer Schema and Attributes
  - Printer Attributes
    - Default Printer Attributes
    - Printer Attribute Mappings
- Managing the LP printer configuration
- Limitations of Printer Configurator
6 Dynamic Group Support
- Overview
- Specifying a Search Filter for a Dynamic Group
  - Creating an HP-UX POSIX Dynamic Group
- Multiple Group Attribute Mappings
  - Examples
  - Group Attribute Mappings
- Number of Group Members Returned
- Number of Groups Returned for a Specific User
- Performance Impact for Dynamic Groups
  - Enabling/Disabling enable_dynamic_getgroupsbymember
- Configuring Dynamic Group Caches
- Dynamic Group with Active Directory Server Multiple Domains
7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
  - Example
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
  - ldapclientd Caching
  - ldapclientd Persistent Connections
- Troubleshooting
8 Modifying User Information
- Changing Passwords
- Changing Personal Information
9 Mozilla LDAP C SDK
- Overview
- The Mozilla LDAP C SDK File Components
A Configuration Worksheet
B LDAP-UX Client Services Object Classes
- Profile Attributes
C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
D Sample PAM Configuration File
E Sample /etc/krb5.conf File
F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
H Sample PAM Configuration File for Security Policy Enforcement
Glossary
Index

default keytab file configured in /etc/krb5.conf, then the keytab file /etc/krb5.keytab

will be used,

For each service principal, it must have a service key known by every domain controler, which

also acts as a KDC.

Use the ktpass tool to create the keytab file and set up an identity mapping the host account.

The following is an example showing you how to run ktpass to create the keytab file for the

HP-UX host myhost with the KDC realm cup.hp.com:

C:> ktpass -princ host/myhost@CUP.HP.COM -mapuser myhost -pass mypasswd

-out unix.keytab

SASL/GSSAPI Profile Download Support

LDAP-UXClient Services B.04.00 does not support downloading of the LDAP-UX profile

automatically, when used with SASL/GSSAPI authentication, and that authentication uses a host

or service principal, where that principal's key is stored in a Kerberos keytab file.This limitation

impacts the ability of the LDAP-UX product to support the "profile time to live" feature, which

automatically will re-download a profile after it's profileTTL time period has expired.

You can download profiles manually using the get_profile_entry command, as long as you

provide a principal and password on the command line.The following command shows an

example of how to download the profile manually. If your profile changes frequently, you may

wish to place this in a script that is called periodically by cron.

/opt/ldapux/config/get_profile_entry -s NSS -D \

"<administrator@my.domain.org>" -w "<adminpassword>"

Changing Authentication methods

If you wish to switch from your current authentication method, such as SIMPLE to SASL/GSSAPI,

TLS:SIMPLE or TLS:SASL/GSSAPI, you must restart the ldapclientd daemon after making

the configuration changes. This step is required to assure that the proper GSSAPI, Kereros and/or

SSL initialization is completed.

SASL GSSAPI Support 105