LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

121

122

123

124

125

126

127

128

129

130

Table Of Contents

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
Table of Contents
Preface
- About This Document
1 Introduction
- Overview of LDAP-UX Client Services
- How LDAP-UX Client Services Works
2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
3 Active Directory Multiple Domains
- Domain Term Definitions
- Retrieving Data from a Remote Domain
  - Choosing Remote Domain Configuration or GCS
- Downloading an Automatic Profile
- Understanding the ldapux_client.conf Configuration File
- Resolving Duplicate Entries
- Changing Multiple Domain Configurations
- Limitations of Multiple Domains in Version B.03.00 or later
4 LDAP-UX Client Services with AutoFS Support
- Overview
- Automount Schemas
- Configuring Name Service Switch
- Configuring Automount Caches
- AutoFS Migration Scripts
5 LDAP Printer Configurator Support
- Overview
  - Definitions
- How the LDAP Printer Configurator works
  - Printer Configurator Architecture
- Printer Configuration Parameters
- Printer Schema and Attributes
  - Printer Attributes
    - Default Printer Attributes
    - Printer Attribute Mappings
- Managing the LP printer configuration
- Limitations of Printer Configurator
6 Dynamic Group Support
- Overview
- Specifying a Search Filter for a Dynamic Group
  - Creating an HP-UX POSIX Dynamic Group
- Multiple Group Attribute Mappings
  - Examples
  - Group Attribute Mappings
- Number of Group Members Returned
- Number of Groups Returned for a Specific User
- Performance Impact for Dynamic Groups
  - Enabling/Disabling enable_dynamic_getgroupsbymember
- Configuring Dynamic Group Caches
- Dynamic Group with Active Directory Server Multiple Domains
7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
  - Example
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
  - ldapclientd Caching
  - ldapclientd Persistent Connections
- Troubleshooting
8 Modifying User Information
- Changing Passwords
- Changing Personal Information
9 Mozilla LDAP C SDK
- Overview
- The Mozilla LDAP C SDK File Components
A Configuration Worksheet
B LDAP-UX Client Services Object Classes
- Profile Attributes
C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
D Sample PAM Configuration File
E Sample /etc/krb5.conf File
F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
H Sample PAM Configuration File for Security Policy Enforcement
Glossary
Index

User and Group Management

LDAP-UX Integration B.04.15 supports the new set of non-interactive LDAP command-line tools

that allow you to list, add, modify or delete user accounts and groups in an LDAP directory

server. These new tools provide capabilities to perform those operations without needing to

discover the LDAP server information. Each tool uses the LDAP-UX profile's configuration to

discover server information, such as the host name and port number of the LDAP directory

server and proper search filters for finding users and groups. Each tool provides command

options that enable you to alter these configuration parameters. Using these new tools does not

require you to have extensive knowledge of the LDAP schema, protocol and LDAP-UX

configuration of each directory server product. These tools performs installation specific data

model interpretation, such as converting uid-name based group membership (POSIX-style) to

X.500 DN based membership (LDAP-style).

The LDAP User and Group (UG) management tools support the following features:

• Create, modify, delete, or list users and groups in an LDAP directory server.

• Modify user or group password.

• Support attribute mapping for definition of POSIX attributes used when creating or modifying

entries.

• Support specification of group membership using X.500-style DN based member attributes.

• Provide customized and default templates for defining new user and group entries, which

allows arbitrary data models to be used.

• Support SSL or TLS encryption of data connections to the LDAP directory server if requested.

• Provide the ability to connect to an alternate directory server other than that specified by

the LDAP-UX configuration profile.

• Discover programmatically if LDAP-UX is installed, configured and operating properly for

a specified service.

The HP System Management Homepage (SMH) Users and Groups interface uses these LDAP

UG command line tools to implement the web-based user interface functionality that manages

POSIX users and groups in an LDAP directory server. This enables HP-UX system administrators

to manage users and groups in an LDAP directory server using SMH UG-LDAP web-based

interface on an HP-UX 11i v3 system. The HP System Management Homepage (SMH) product

supports the LDAP user and group web-based management feature via HP-UX 11i v3 September,

2007 release.

LDAP User and Group Command-Line Tools

The LDAP-UX Integration product supports the following LDAP command-line tools for

management of user and group information in an LDAP directory server. These LDAP user and

group tools exist in the /opt/ldapux/bin directory. For detailed information about tool usage,

syntax, options, arguments, environment variables and return codes supported by these tools,

see “The ldapuglist Tool” (page 175), “The ldapugadd Tool” (page 185),“The ldapcfinfo Tool”

(page 219), “The ldapugmod Tool” (page 202), “The ldapugdel Tool” (page 213) in the appendix

C, “Command, Tool, Schema Extension Utility, and Migration Script Reference” or the

ldapuglist(1M), ldapugadd(1M), ldapcfinfo(1M), ldapugmod(1M) and ldapugdel(1M)

man pages.

Use of the ldapugadd, ldapugmod and ldapugdel tools requires specification of LDAP

administrator credentials with sufficient privilege to perform the requested operations in an

LDAP directory server. Specification of these credentials can be done through the LDAP_BINDDN

and LDAP_BINDCRED environment variables or an interactive prompt (-P) option. If the LDAP

administrator credential has not been specified using the two previous methods, and if configured,

124 Administering LDAP-UX Client Services