LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index

Adding Additional Domain Controllers
Your Active Directory contains configuration profiles downloaded by each client system and
name service data accessed by each client system. As your environment grows, you may need
to add additional domain controllers to your environment. Follow these steps:
1. Use the dcpromo.exe tool to install and configure a new Active Directory domain controller.
For more information, refer to the respective literature on Active Directory or check
Microsoft's library at http://msdn.microsoft.com/library/default.asp
2. Install the Server for NIS to view and edit the POSIX attributes of your user objects.
Alternatively, the ADSI edit snap-in can be used to modify POSIX attributes. This only needs
to be done if POSIX attributes are being maintained on this domain controller.
3. Create a new profile that specifies the new domain controller. The new profile can be identical
to another profile, except the preferredServerList attribute specifies a new domain
controller. Refer to “Creating a New Profile” (page 142).
Refer to “LDAP-UX Client Services Object Classes” (page 159) for a description of the
preferredServerList attribute.
4. On all clients that are to use the new controller, edit the start-up file,
/etc/opt/ldapux/ldapux_client.conf, to refer to the new domain controller and
the new profile. Modify the PROFILE_ENTRY_DN line as described under “Changing Which
Profile a Client is Using” (page 142). Modify the LDAP_HOSTPORT line to specify the domain
controller server.
5. Download the new profile from the new domain controller as described in “Downloading
the Profile Periodically” (page 55).
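As an added example (not from the HP guide), the following POSIX sh function carries out step 4 on one client: it backs up /etc/opt/ldapux/ldapux_client.conf, rewrites the LDAP_HOSTPORT and PROFILE_ENTRY_DN lines, and refuses to touch a file in which either key is missing or duplicated, so the client never starts on a half-edited file. It assumes the file holds one KEY=value line per setting; the host names and DNs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the HP guide: repoint one LDAP-UX client at a new
# domain controller and profile (step 4 above). Assumes ldapux_client.conf
# holds one KEY=value line per setting; host names and DNs below are constructed.

CONF_DEFAULT=/etc/opt/ldapux/ldapux_client.conf

# Escape characters that are special in a sed replacement: & \ and the | delimiter.
sed_escape() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# set_ldapux_server CONF HOST:PORT PROFILE_DN
# Saves CONF.bak, rewrites LDAP_HOSTPORT and PROFILE_ENTRY_DN, and verifies the
# result. Returns 1 without changing CONF if the host:port is malformed or a key
# is missing or duplicated, so a client never starts with an ambiguous file.
set_ldapux_server() {
    conf=$1 hostport=$2 profile_dn=$3
    case $hostport in
        *:[0-9]*) ;;
        *) echo "expected host:port, got '$hostport'" >&2; return 1 ;;
    esac
    for key in LDAP_HOSTPORT PROFILE_ENTRY_DN; do
        n=$(grep -c "^${key}=" "$conf" || true)
        [ "$n" = 1 ] || { echo "$key must appear exactly once in $conf (found ${n:-0})" >&2; return 1; }
    done
    cp "$conf" "$conf.bak" || return 1
    hp=$(sed_escape "$hostport")
    dn=$(sed_escape "$profile_dn")
    sed -e "s|^LDAP_HOSTPORT=.*|LDAP_HOSTPORT=${hp}|" \
        -e "s|^PROFILE_ENTRY_DN=.*|PROFILE_ENTRY_DN=${dn}|" "$conf.bak" > "$conf" ||
        { cp "$conf.bak" "$conf"; return 1; }
    # Confirm the exact new lines are present before reporting success.
    grep -Fxq "LDAP_HOSTPORT=$hostport" "$conf" &&
        grep -Fxq "PROFILE_ENTRY_DN=$profile_dn" "$conf"
}

# Usage: sh repoint.sh dc2.example.com:389 'cn=ldapux-profile-dc2,cn=Configuration,dc=example,dc=com'
if [ $# -eq 2 ]; then
    set_ldapux_server "$CONF_DEFAULT" "$1" "$2"
fi
```

After the file is updated, step 5 (downloading the new profile from the new domain controller) still has to be performed for the change to take effect.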
Adding Users, Groups, and Hosts
Select one of the following methods to add data to ADS.
• You can create user, group, and other service objects by using the object classes and attributes
specified by RFC 2307. In this situation you must import an ldif file with all RFC 2307
object classes and attributes specified.
• Alternatively, you can add users, groups, and hosts using the Windows 2000 or 2003 Active
Directory Users and Computers administrative tool. If using Active Directory Users and
Computers, perform the following to set POSIX attributes:
1. Start Active Directory Users and Computers.
2. Click the user (or computer) for which you want to set POSIX attributes.
3. Select Properties from the Action menu.
4. Click the Unix Attributes tab.
5. In the NIS Domain box, select a NIS domain from the list. Server for NIS creates a
default NIS domain based on your Active Directory domain name.
6. For users, fill in the UID, Login Shell, Home Directory, and Primary group name/GID
fields. Click OK.
For hosts, fill in the IP Address and the Alias Name. Click OK.
• Add networks, protocols, services, or rpc objects, or set the POSIX attribute memberUID for groups,
using the ADSI Edit snap-in tool. These object classes and attributes cannot be populated
from the Active Directory Users and Computers tool.
1. On your domain controller, click Start, then Run. In the Open dialog box, enter mmc,
then click OK.
2. Click the Microsoft Management Console menu, then select Add/Remove Snap-In.
3. In the Add/Remove Snap-In dialog box, click Add.
4. In the Add Standalone Snap-In dialog box, select ADSI Edit, then click Add and then
Close.
122 Administering LDAP-UX Client Services