LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
NOTE: To support non-interactive use of the ldapuglist, ldapugadd, ldapugmod and
ldapugdel commands, you can use the LDAP_BINDDN and LDAP_BINDCRED environment
variables to specify an LDAP administrator's identity and password, and use the LDAP_UGCRED
environment variable to specify the user's or group's password being created or modified. To
prevent exposure of these environment variables, you must unset them after use. The shells(4)
command history log may contain copies of the executed commands that show setting of these
variables. You must protect access to a shell’s history file. Specification of the LDAP administrator’s
credentials on the command line is not allowed, because information about the currently running
processes can be exposed externally from the session. Using the -P command option eliminates
the LDAP_BINDDN and LDAP_BINDCRED environment variables by interactively prompting for
the required administrator's credentials. Using the -PP command option eliminates LDAP_UGCRED
by interactively prompting for the required password of the user or group being created or
modified.
Return Value Formats
Upon exit, ldapuglist, ldapugadd, ldapugmod, ldapugdel or ldapcfinfo returns a 0
(zero) exit status if no errors or warnings are encountered. A non-zero exit status is returned and
one or more messages are logged to stderr if these tools encounter an error or warnings. Messages
follow the below format:
ERROR: <code>:
<message>
or
WARNING: <code>:
<message>
Leading extra white space may be inserted to improve readability and follow 80 column screen
formatting. <code> is a programmatically parsable error key-string, while <message> is
human-readable text.
Common Return Codes
Table C-5 lists common return codes used by ldapuglist, ldapugadd, ldapugmod, ldapugdel
and ldapcfinfo.
For detailed information on a list of specific return codes for each tool, see the “Specific Return
Codes for ldapuglist”, “Specific Return Codes for ldapugadd”, “Specific Return Codes for
ldapugmod”, “Specific Return Codes for ldapugdel” or “Specific Return Codes for ldapcfinfo”
sections.
Table C-5 Common Return Codes
MessageReturn Code
Unable to initialize LDAP-UX library backend.
LDAP_INIT_FAILED
Cannot read the ldapux_profile.bin file.GET_LDAP_CONFIG_FAILED
Cannot reset the port number.
REPLACE_PORT_FAILED
The specified authentication method is invalid.
INVALID_AUTH_MATHOD
Unable to read input from stdin for the specified command option
value.
READ_INPUT_FAILED
The LDAP_BINDDN environment variable is set, but
LDAP_BINDCRED is not set.
GETENV_FAILED
The bind Password has expired.
BIND_PASSWORD_EXPIRED
The specified bind credential is invalid.
BIND_INVALID_CRED
LDAP-UX failed to bind to the LDAP directory server.
BIND_ERR
172 Command, Tool, Schema Extension Utility, and Migration Script Reference