LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
Another example: suppose the RFC 2307 attribute uidNumber has been mapped to the
employeeNumber attribute. Without the -m option, the output of the uidNumber field
is:
uidNumber: 520
When the -m option is specified, the output representing the uidNumber field is as
follows:
uidNumber[employeeNumber]: 520
The ldapuglist tool ignores the -m option if the -L option is specified.
-L Displays output following /etc/passwd or /etc/group format.
The output format for a user entry is as follows:
uid:userPassword:uidNumber:gidNumber:gecos:homeDirectory:loginShell
The output format for a group entry is as follows:
cn:userPassword:memberUid,memberUid,…
For example, run the following command to display the user entry that contains
uid=mscott:
ldapuglist -t passwd -L -n mscott
The output of the command is as follows:
mscott:x:200:250:mscott:/home/mscott:/usr/bin/sh
The ldapuglist tool ignores the -m option if the -L option is specified. The <attr>
parameter list is invalid if the -L option is specified.
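The two output formats described above are easy to mis-parse by hand, so the following is an added Python example (not part of this guide or of the LDAP-UX product) that parses both: the attribute listing as printed with -m, where a mapped attribute appears as rfc2307name[mappedname]: value, and the -L listing in /etc/passwd and /etc/group style. The sample output embedded in the block is constructed; the group line follows the layout stated above (cn:userPassword:memberUid,...). The final check, which flags -L entries whose password field is not a placeholder, is an added hygiene check and is not something ldapuglist itself performs.

```python
"""Parse ldapuglist output (added example; constructed samples, not tool output)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: attribute listing for one user as printed with -m.
# uidNumber is shown as mapped to employeeNumber, the case described in the guide.
SAMPLE_MAPPED = """\
uid: mscott
uidNumber[employeeNumber]: 520
gidNumber: 250
homeDirectory: /home/mscott
loginShell: /usr/bin/sh
"""

# Constructed samples in -L format (passwd layout from the guide; group layout as stated above).
SAMPLE_PASSWD_L = "mscott:x:200:250:mscott:/home/mscott:/usr/bin/sh\n"
SAMPLE_GROUP_L = "staff:x:mscott,jhalpert\n"

# "name: value" or "name[mapped]: value"; attribute names are LDAP-style identifiers.
ATTR_RE = re.compile(
    r"^(?P<rfc>[A-Za-z][\w-]*)(?:\[(?P<mapped>[A-Za-z][\w-]*)\])?:\s*(?P<value>.*)$"
)

PASSWD_FIELDS = ("uid", "userPassword", "uidNumber", "gidNumber",
                 "gecos", "homeDirectory", "loginShell")

# Placeholder values an /etc/passwd-style password field normally carries.
PASSWORD_PLACEHOLDERS = {"x", "*", ""}


@dataclass
class Attr:
    name: str                    # RFC 2307 attribute name as ldapuglist reports it
    value: str
    mapped: Optional[str] = None  # directory attribute it is mapped to, if -m showed one


def parse_mapped_listing(text: str) -> List[Attr]:
    """Parse an attribute listing produced with or without -m."""
    attrs = []
    for line in text.splitlines():
        if not line.strip():
            continue  # blank separator between entries
        m = ATTR_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ldapuglist line: {line!r}")
        attrs.append(Attr(m["rfc"], m["value"], m["mapped"]))
    return attrs


def mapped_attributes(attrs: List[Attr]) -> Dict[str, str]:
    """Return {rfc2307name: mappedname} for every attribute -m showed as mapped."""
    return {a.name: a.mapped for a in attrs if a.mapped is not None}


def parse_passwd_line(line: str) -> Dict[str, object]:
    """Parse one -L user line: uid:userPassword:uidNumber:gidNumber:gecos:homeDirectory:loginShell."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected {len(PASSWD_FIELDS)} fields, got {len(parts)}: {line!r}")
    entry: Dict[str, object] = dict(zip(PASSWD_FIELDS, parts))
    entry["uidNumber"] = int(parts[2])   # numeric ids are validated by the int() conversion
    entry["gidNumber"] = int(parts[3])
    return entry


def parse_group_line(line: str) -> Dict[str, object]:
    """Parse one -L group line in the layout the guide states: cn:userPassword:memberUid,..."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}: {line!r}")
    cn, pw, members = parts
    return {"cn": cn, "userPassword": pw,
            "memberUid": [m for m in members.split(",") if m]}


def entries_with_password_material(entries: List[Dict[str, object]]) -> List[str]:
    """Added hygiene check: names of -L entries whose password field is not a placeholder.

    A listing that carries anything other than x/* in that field is worth noticing,
    because it means password material reached the listing output.
    """
    return [str(e.get("uid") or e.get("cn"))
            for e in entries if str(e["userPassword"]) not in PASSWORD_PLACEHOLDERS]


if __name__ == "__main__":
    attrs = parse_mapped_listing(SAMPLE_MAPPED)
    print(mapped_attributes(attrs))                 # {'uidNumber': 'employeeNumber'}
    user = parse_passwd_line(SAMPLE_PASSWD_L)
    group = parse_group_line(SAMPLE_GROUP_L)
    print(user["uid"], user["uidNumber"], group["memberUid"])
    print(entries_with_password_material([user, group]))
```

Run the block directly to see the parsed samples; feed it real output by piping ldapuglist -t passwd -L into parse_passwd_line line by line. The parser deliberately rejects lines with the wrong field count rather than guessing, since a gecos value containing a colon would otherwise silently shift the home directory and shell fields.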
-P
Prompts for the bind identity (typically LDAP DN or Kerberos principal) and bind
password. Without the -P option, ldapuglist attempts to get the bind identity and
password from the environment variables LDAP_BINDDN and LDAP_BINDCRED. If you
do not specify the LDAP_BINDDN or LDAP_BINDCRED environment variables,
ldapuglist gets information from the bind configuration specified in the LDAP-UX
configuration profile. If the LDAP-UX configuration profile has specified the “proxy”
bind, ldapuglist reads the bind credential from either the /etc/opt/ldapux/acred
or /etc/opt/ldapux/pcred file. The /etc/opt/ldapux/acred file is only used
by users who have sufficient administrative privilege to read that file.
-Z
Requires an SSL connection to the LDAP directory server, even if the LDAP-UX
configuration profile does not specify the use of SSL. Using the -Z option requires that
either a valid directory server or CA certificate is defined in the
/etc/opt/ldapux/cert8.db file. An error occurs if the SSL connection cannot be
established.
-ZZ
Attempts a TLS connection to the directory server, even if the LDAP-UX configuration
profile does not specify the use of TLS. If a TLS connection cannot be established, a
non-TLS and non-SSL connection will be established. HP does not recommend using
-ZZ unless alternative methods are used to protect against network eavesdropping.
Use of -ZZ requires that you define a valid LDAP directory server or CA certificate in
the /etc/opt/ldapux/cert8.db file.
-ZZZ
Requires a TLS connection to the LDAP directory server, even if the LDAP-UX
configuration profile does not specify the use of TLS. Using the -ZZZ option requires
that you define a valid directory server or CA certificate in the
/etc/opt/ldapux/cert8.db file. An error will occur if the TLS connection cannot
be established.
Arguments
The following describes command arguments: