LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
PAM_AUTHZ Login Authorization
The Pluggable Authentication Module (PAM) is an industry standard authentication framework that is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The PAM framework also allows new authentication service modules to be plugged in and made available without modifying the PAM-enabled applications.
The PAM framework, together with the PAM_AUTHZ service module supplied with LDAP-UX Client Services, provides support for account management services. These services allow the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd and /etc/netgroup files. PAM and PAM_AUTHZ can also be configured to use LDAP-UX Client Services to retrieve that information from an LDAP directory server and perform login authorization.
Starting with LDAP-UX Client Services B.04.00, PAM_AUTHZ has been enhanced to give administrators a simple security configuration file for setting up a local access policy that better meets their organization's needs. PAM_AUTHZ uses the access policy to determine which users are allowed to log in to the system. A policy specifies which groups, LDAP groups, users or other access control objects (such as objects defined by LDAP search filters) are allowed to log in to the system. This flexibility enables you to allow or deny access to a host or application based on a user's membership in a group or role within an organization. For example, PAM and PAM_AUTHZ can define an access rule that uses an LDAP directory server to state that the criterion is met if 'userA' works for manager 'Sam'. When the rule is evaluated, a request is sent to the LDAP directory, and if the attributes are found the user can be granted or denied access.
Policy And Access Rules
Access rules are the basic elements of access control. Administrators create access rules that restrict or permit a user's access. A policy is the collection of these different sets of access rules in a given order. This consolidated, ordered list of rules defines the overall access strategy of a local client machine. PAM_AUTHZ enables administrators to create an access policy by defining different types of access rules and saving the policy in a file.
How Login Authorization Works
The system administrator defines the access rules and stores them in the policy file, /etc/opt/ldapux/pam_authz.policy. PAM_AUTHZ uses the access rules defined in this policy file to control login authorization.
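The ordered-rule model described above (group, LDAP group and LDAP-attribute rules such as the "userA reports to Sam" case), as an added illustration that is not LDAP-UX code and does not use the real pam_authz.policy syntax: the rule tuples, the constructed directory records, the DNs and the first-match semantics are all assumptions made for this example.

```python
# Illustrative model of an ordered allow/deny access policy as PAM_AUTHZ describes it.
# Added example, not LDAP-UX code: rule tuples, records and first-match semantics are assumed.
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    unix_groups: set = field(default_factory=set)
    ldap_attrs: dict = field(default_factory=dict)   # constructed LDAP entry

SAM = "cn=Sam,ou=People,dc=example,dc=com"            # constructed manager DN
ADMINS = "cn=hpux-admins,ou=Groups,dc=example,dc=com"  # constructed LDAP group DN
# Constructed sample directory data (not real accounts).
DIRECTORY = {
    "userA": User("userA", {"users"}, {"manager": SAM, "memberOf": {ADMINS}}),
    "userB": User("userB", {"users", "contractors"}, {"manager": SAM}),
    "userC": User("userC", {"users"}, {"manager": "cn=Pat,ou=People,dc=example,dc=com"}),
}

def rule_matches(kind, value, user):
    """Match one access-control object against the user (assumed rule kinds)."""
    if kind == "unix_user":
        return user.uid == value
    if kind == "unix_group":
        return value in user.unix_groups
    if kind == "ldap_group":
        return value in user.ldap_attrs.get("memberOf", set())
    if kind == "ldap_attr":          # "attribute=value", like a simple LDAP filter
        attr, _, want = value.partition("=")
        return user.ldap_attrs.get(attr) == want
    raise ValueError(f"unknown rule type: {kind}")

def evaluate(policy, uid, default="deny"):
    """Walk the rules in order; the first match decides (assumed semantics).
    Unknown users are always denied; users matching no rule get the default."""
    user = DIRECTORY.get(uid)
    if user is None:
        return "deny"
    for action, kind, value in policy:
        if rule_matches(kind, value, user):
            return action
    return default

# Constructed policy: the contractor deny rule comes first, so it wins even for
# someone who reports to Sam; the order of rules in the policy decides that.
POLICY = [
    ("deny", "unix_group", "contractors"),
    ("allow", "ldap_group", ADMINS),
    ("allow", "ldap_attr", "manager=" + SAM),
]
```

Reordering the rules (for example moving the deny rule last) changes the outcome for userB, which is why the order of rules in a policy is part of the access strategy.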
106 Administering LDAP-UX Client Services