LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

The -O option functions properly with a Windows 2003 R2 ADS, because that server uses standard RFC 2307 attributes, with the exception of the homeDirectory attribute. If ldapugdel is used to access a Windows 2003 R2 ADS, the ldapugdel -t passwd -O command removes the posixAccount object class and the following attributes:
• uidNumber
• gidNumber
• loginShell
• gecos
The ldapugdel -t group -O command removes the posixGroup object class and the following attributes:
• gidNumber
• memberUid
• userPassword
NOTE: The Microsoft Services for UNIX (SFU) schema does not use the RFC 2307 standard attribute mapping. Also, ldapugdel does not support attribute mapping as defined by the LDAP-UX configuration profile when the tool is used to access a Windows ADS 2000/2003 with the msSFU 2.0 or msSFU 3.0/3.5 schema installed. When the -O option is specified and ldapugdel determines that it is connected to a Windows ADS with one of these schemas installed, ldapugdel does not remove the mapped POSIX object class and attributes (msSFU30xxx or msSFU20xxx) for the specified user or group entry.
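As an added illustration (not LDAP-UX code), the following Python models what the -O option changes on a Windows 2003 R2 ADS entry and emits the equivalent LDIF modify record, so the effect can be reviewed before the tool is run. The sample entry and DNs are constructed, and the msSFU detection is an approximation of the tool's own check, not its implementation.

```python
from typing import Dict, List, Tuple

# Object class and attributes that -O strips, as listed in the manual.
# homeDirectory is absent on purpose: on AD it is a Windows attribute, so -O leaves it.
POSIX_STRIP = {
    "passwd": ("posixAccount", ["uidNumber", "gidNumber", "loginShell", "gecos"]),
    "group": ("posixGroup", ["gidNumber", "memberUid", "userPassword"]),
}

# Constructed sample entry (not from the manual), shaped like a 2003 R2 AD user.
SAMPLE_USER = """\
dn: CN=msmith,CN=Users,DC=org,DC=example,DC=com
objectClass: user
objectClass: posixAccount
uidNumber: 10042
gidNumber: 10000
loginShell: /bin/sh
gecos: M Smith
homeDirectory: /home/msmith
"""

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: one entry, no line folding, no base64 values."""
    entry: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def uses_sfu_schema(entry: Dict[str, List[str]]) -> bool:
    """Mirror the NOTE: any msSFU20*/msSFU30* attribute means SFU mapping is in use."""
    return any(a.lower().startswith(("mssfu20", "mssfu30")) for a in entry)

def strip_posix(entry: Dict[str, List[str]], kind: str) -> Tuple[Dict[str, List[str]], str]:
    """Return (entry after -O, LDIF modify record); with SFU schema: unchanged, empty LDIF."""
    oc, attrs = POSIX_STRIP[kind]
    new = {k: list(v) for k, v in entry.items()}
    if uses_sfu_schema(new):
        return new, ""
    changes = []
    if oc in new.get("objectClass", []):
        new["objectClass"].remove(oc)
        changes.append(f"delete: objectClass\nobjectClass: {oc}\n-")
    for a in attrs:
        key = next((k for k in new if k.lower() == a.lower()), None)  # LDAP names are case-insensitive
        if key is not None:
            del new[key]
            changes.append(f"delete: {a}\n-")
    ldif = f"dn: {entry['dn'][0]}\nchangetype: modify\n" + "\n".join(changes) + "\n"
    return new, ldif
```

The returned LDIF is what an administrator would feed to ldapmodify to reproduce the -O change by hand; the original parsed entry is left untouched.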
Examples
This section provides examples of using ldapugdel.
Use LDAP_BINDDN to specify the Distinguished Name (DN) of a user with sufficient directory server privilege to delete users or groups in the LDAP directory server. Use LDAP_BINDCRED to specify the password for the LDAP user specified by LDAP_BINDDN. Alternatively, you can enter the LDAP administrator bind identity and credential interactively with the prompt (-P) option.
Run the following commands to set the LDAP_BINDDN and LDAP_BINDCRED environment variables (no spaces around the = sign):
export LDAP_BINDDN="cn=Jane Admin,ou=admins,dc=org,dc=example,dc=com"
export LDAP_BINDCRED="Jane's password"
Run the following commands to delete the entire user account entry, skeith:
cd /opt/ldapux/bin
./ldapugdel -t passwd skeith
In this example, ldapugdel is used to access a Windows 2003 R2 ADS. The following command deletes only the posixAccount object class and its associated attributes (uidNumber, gidNumber, loginShell, and gecos), without deleting the entire user entry, msmith:
./ldapugdel -t passwd -O msmith
Run the following command to delete the entire group entry with the Distinguished Name "cn=groupA,ou=groups,dc=org,dc=example,dc=com":
./ldapugdel -t group -D "cn=groupA,ou=groups,dc=org,dc=example,dc=com"
In this example, ldapugdel is used to access a Windows 2003 R2 ADS. The following command deletes only the posixGroup object class and its associated attributes (gidNumber, memberUid, and userPassword), without deleting the entire group entry, groupB:
./ldapugdel -t group -O groupB