LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
PAM_AUTHZ Supports Security Policy Enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP
directory server. This feature works with SSH (Secure Shell) and with rhost-enabled r-commands,
where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem
but by the command itself.
See the “Security Policy Enforcement with Secure Shell (SSH) or r-commands” (page 118) section
for more information on how to configure access rules in the
/etc/opt/ldapux/pam_authz.policy file, set global policy access permissions, and configure
the pam.conf file for security policy enforcement when using SSH key-pairs or r-commands.
Authentication using LDAP
The PAM framework is pluggable: the backend support for PAM's Authentication, Account
Management, Session Management and Password Management services can be directed
to an LDAP directory server. LDAP-UX Client Services is plugged into the PAM framework
by specifying the pam_ldap library, libpam_ldap, in the /etc/pam.conf configuration file.
When the pam_ldap functions are invoked, the UNIX identity is translated into the distinguished
name of an entry in the directory server that represents that user. To perform authentication,
pam_ldap attempts to bind to the directory server as that identity. If the ldap_bind operation
succeeds, then pam_ldap will return success to the PAM authentication subsystem.
When pam_ldap performs the ldap_bind operation, the LDAP server authenticates the user
and also evaluates the LDAP account and password policy for that user. If the
account is locked, the ldap_bind fails. If the user's password has expired, the ldap_bind
operation returns an error. An ldap_bind operation therefore performs both authentication and
account management.
Authentication with Secure Shell (SSH) and r-commands
For LDAP-UX B.04.00 or earlier versions, a user defined in an LDAP directory who tries to log
on to a UNIX system using SSH key-pairs or an rhost-enabled r-command will always be able
to log in, even if this user’s account has been locked or the password has expired. These applications
and commands do not need to call the PAM (Pluggable Authentication Module) authentication
functions, but perform their own authentication instead. When this occurs, the ldap_bind operation
is never performed, so the LDAP directory server is never given the opportunity to perform
security policy enforcement.
LDAP-UX Client Services B.04.10 provides PAM_AUTHZ features to support enforcement of
account and password policies stored in an LDAP directory server for applications and commands
(such as SSH or r-commands) where authentication is not performed via the PAM subsystem but
by the command itself.
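The two login paths described in this section and in “Authentication using LDAP” above, as an added example that is not part of this guide or of the LDAP-UX product: a small Python model in which a stand-in directory enforces account lock and password expiry inside ldap_bind (the pam_ldap path), while an SSH key-pair login never binds and is only stopped when an account-management stage re-reads the policy attributes. The PAM result names are PAM's own, but which one a module returns for each policy failure, the DNs, the passwords and the clock value are assumptions of this model.

```python
"""Model of the two login paths the section describes (added example, not
LDAP-UX code): the pam_ldap bind path, where the directory server enforces
lock/expiry as part of ldap_bind, and the SSH key-pair path, where no bind
happens and only an account-management re-check can deny the login."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# PAM result names as used by the PAM API; which code a real module returns
# for a given policy failure is an assumption made for this model.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_PERM_DENIED = "PAM_PERM_DENIED"


class BindError(Exception):
    """Raised by the model directory when ldap_bind is refused."""


@dataclass
class Entry:
    dn: str
    uid: str
    password: str
    locked: bool = False
    password_expires: Optional[datetime] = None  # None = never expires


class Directory:
    """Stand-in for the LDAP server: uid lookup plus a policy-aware bind."""

    def __init__(self, entries):
        self._by_dn = {e.dn: e for e in entries}

    def lookup(self, uid):
        """Translate a UNIX login name into the entry (and DN) that represents it."""
        for e in self._by_dn.values():
            if e.uid == uid:
                return e
        return None

    def bind(self, dn, password, now):
        """Authenticate as dn; the server also applies account/password policy."""
        e = self._by_dn.get(dn)
        if e is None or e.password != password:
            raise BindError("invalidCredentials")
        if e.locked:
            raise BindError("accountLocked")
        if e.password_expires is not None and now >= e.password_expires:
            raise BindError("passwordExpired")
        return True


def pam_ldap_authenticate(directory, username, password, now):
    """pam_ldap auth stage: map the user to a DN, then ldap_bind as that DN."""
    entry = directory.lookup(username)
    if entry is None:
        return PAM_USER_UNKNOWN
    try:
        directory.bind(entry.dn, password, now)
    except BindError:
        # Wrong password, locked account and expired password all fail here,
        # because the directory evaluates policy inside the bind.
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_authz_account(directory, username, now):
    """Account-management stage that re-reads the policy attributes itself,
    so it can deny a user whose authentication never touched the directory."""
    entry = directory.lookup(username)
    if entry is None:
        return PAM_USER_UNKNOWN
    if entry.locked:
        return PAM_PERM_DENIED
    if entry.password_expires is not None and now >= entry.password_expires:
        return PAM_ACCT_EXPIRED
    return PAM_SUCCESS


def ssh_key_login(directory, username, key_verified, now, enforce_policy):
    """SSH public-key login: sshd verifies the key on its own, so pam_ldap's
    bind is never performed. With enforce_policy=False (the B.04.00-and-earlier
    behaviour) the directory's policy is never consulted at all."""
    if not key_verified:
        return PAM_AUTH_ERR
    if not enforce_policy:
        return PAM_SUCCESS
    return pam_authz_account(directory, username, now)


# Constructed sample data: one healthy account, one locked, one with an
# expired password. The DNs, passwords and clock value are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DIRECTORY = Directory([
    Entry("cn=alice,cn=Users,dc=example,dc=com", "alice", "alice-pw"),
    Entry("cn=bob,cn=Users,dc=example,dc=com", "bob", "bob-pw", locked=True),
    Entry("cn=carol,cn=Users,dc=example,dc=com", "carol", "carol-pw",
          password_expires=datetime(2024, 1, 1, tzinfo=timezone.utc)),
])


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")):
        print(f"{user:6} password login    : {pam_ldap_authenticate(DIRECTORY, user, pw, NOW)}")
        print(f"{user:6} ssh key, no authz : {ssh_key_login(DIRECTORY, user, True, NOW, False)}")
        print(f"{user:6} ssh key, pam_authz: {ssh_key_login(DIRECTORY, user, True, NOW, True)}")
```

Running the block shows the gap the section describes: bob (locked) and carol (expired password) are refused on the password path because the bind itself fails, are admitted on the key-pair path when nothing re-checks policy, and are refused again once the account stage consults the directory.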
108 Administering LDAP-UX Client Services