LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
Dynamic Variable Access Rule
PAM_AUTHZ supports dynamic variables in the ldap_filter type of access rule. A dynamic variable is defined in the <object> (LDAP search filter) field, which can consist of one or more (attribute=$[variable_name]) pairs. The syntax of an access rule with a dynamic variable is:
<action>:ldap_filter:(attribute=$[variable_name])
For example, suppose an administrator has an attribute named hostControl defined in the directory and wants to use this attribute to define which host a user can log on to. The administrator may add the following access rule to the /etc/opt/ldapux/pam_authz.policy file:
allow:ldap_filter:(hostControl=hostA)
where hostA is the value identifying the local host to which the user is to be granted access. If a user, John, has a hostControl attribute in his user entry in the LDAP directory and its value is hostA, then the access rule evaluates to true and this user is allowed to log in to the host hostA.
In the above example, the dynamic variable HOSTNAME can be used instead. The previous access rule can be redefined as follows:
allow:ldap_filter:(hostControl=$[HOSTNAME])
where $[HOSTNAME] represents a dynamic variable function that is called to retrieve the local host name. PAM_AUTHZ then substitutes the function's return value into the search filter.
Supported Functions for Dynamic Variables
In LDAP-UX Client Services B.04.10, PAM_AUTHZ provides the following default dynamic variable functions in the libpolicy_commonauthz library. These functions can be used as dynamic variables in the ldap_filter type of access rules:
HOSTNAME: Returns the fully qualified host name of the local system from which the user attempts to log on. For example, hostA.hp.com.
HOSTIP: Returns the IP address of the local system from which the user attempts to log on. For example, 12.10.2.105.
TERMINAL: Returns the terminal type of the computer from which the user attempts to log on. For example, /dev/pts/0. Some applications (such as ssh or remsh) do not pass the terminal dynamic variable value to PAM_AUTHZ.
TIMEOFTHEDAY: Returns the current time of the computer system from which the user attempts to log on. For example, 20061015125535Z represents October 15, 2006 at 12:55 and 35 seconds GMT. TIMEOFTHEDAY follows the "UTC Time" syntax as described by RFC 4517.
SERVICE: Returns the name of the PAM service through which the user attempts access. For example, common PAM service names include ftp, login, and telnet.
RHOSTIP: Returns the IP address of the remote host system from which the user starts the PAM-enabled application, such as telnet.
RHOSTNAME: Returns the name of the remote host system from which the user starts the PAM-enabled application, such as telnet.
Examples
The following shows a sample access rule in the pam_authz.policy file:
allow:ldap_filter:(WorkstationIP=$[HOSTIP])
The above policy rule performs a security policy validation for users stored in the LDAP directory
server. If a user, Mary, has a WorkstationIP attribute in her user entry in the LDAP directory