LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
-t <type> Specifies the type of entry the ldapuglist tool needs to discover and
process. The valid types of this option are passwd and group. The passwd
type indicates posixAccount-type entries. The group type indicates
posixGroup-type entries. Specification of the <type> parameter tells
ldapuglist how to handle processing of search filters and attribute
mappings. If you do not specify the -t option, ldapuglist assumes the
passwd type. For example, -t group.
-h <hostname>
Specifies the host name and optional port number (hostname:port) of the
LDAP directory server. This option overrides the server list configured in
the LDAP-UX configuration profile. This field supports specification of
IPv4 and IPv6 addresses. Note that when you specify a port for an IPv6
address, you must specify the IPv6 address in square-bracketed form. If
the optional port is unspecified, the port number is assumed to be 389 or
636 for SSL connections (with the -Z option). For example, -h ldapsrvA.
-p <port>
Specifies the port number of the LDAP directory server to contact. The
ldapuglist tool ignores this option if you specify the port number in the
<hostname> as part of the -h option.
-n <name>
Provides a simplified method for discovering a single account or group.
Use of -n is the same as -f "(uid=<name>)" for accounts and -f
"(cn=<name>)" for groups. Do not specify -f and -F on the command
line if you use -n. For example, the following command displays an account
entry for the user, mlee:
ldapuglist -t passwd -n mlee
The output from the above command is as follows:
dn: cn=Mike Lee,ou=people,dc=example,dc=com
cn: Mike Lee
uid: mlee
uidNumber: 900
gidNumber: 2010
loginShell: /usr/bin/sh
homeDirectory: /home/mlee
gecos: mlee,Building-5,555-555-5555
-f <filter> Specifies an LDAP-style search filter, <filter>, used to select specific
entries from the LDAP directory. When you use the -f option, the filter
specified by <filter> applies to POSIX-style users or groups (depending
on whether you specify the -t passwd or -t group option).
The filter specified with -f is amended with the default ldapux(5) search
filter for either the user or group object types. In addition, when you use
-f, if a known attribute for the particular service has been mapped as
defined in the LDAP-UX configuration profile, then the mapped attribute
name is substituted in the search filter.
For example, if the uidNumber attribute has been mapped to the
employeeNumber attribute, the following command lists a POSIX account
that has uidNumber=51552:
ldapuglist -t passwd -f "(uidNumber=51552)"
For the above example, the mapped attribute name is substituted in the
search filter, and the resulting search filter used by LDAP-UX is as follows:
(&(objectclass=posixAccount)(employeeNumber=51552))
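The following Python model is added here as an illustration of how the -n and -f options described above are turned into the search filter that LDAP-UX sends to the directory; it is not part of the LDAP-UX product and does not reproduce its code. It assumes that the default ldapux(5) filters are the objectclass tests shown in the example above, that attribute names in a user-supplied filter are matched case-insensitively against the profile's attribute map (LDAP attribute names are case-insensitive), and it escapes the -n value according to RFC 4515 so that a name such as *)(uid=* cannot widen the search; the guide does not state whether ldapuglist itself performs that escaping. The multi-mapped gecos and memberUid attributes are not modeled.

```python
"""Model of how an ldapuglist -n or -f option becomes the effective LDAP search filter.

Added example, not LDAP-UX code. DEFAULT_FILTERS, NAME_ATTR and the
case-insensitive handling of attribute names are assumptions.
"""
import re

# Default ldapux(5) object-class filter that the user's filter is ANDed with.
DEFAULT_FILTERS = {
    "passwd": "(objectclass=posixAccount)",
    "group": "(objectclass=posixGroup)",
}

# Attribute that the -n shortcut searches on for each entry type.
NAME_ATTR = {"passwd": "uid", "group": "cn"}

# Matches "(attributeName" followed by a filter comparison operator.
_ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(=|>=|<=|~=)")


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP filter (RFC 4515 section 3).

    Without this, a -n value containing ')' or '*' would alter the filter
    structure instead of being compared literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def apply_attribute_map(filt: str, attr_map: dict) -> str:
    """Replace attribute names in a filter with their mapped names.

    attr_map maps a known POSIX attribute (e.g. uidNumber) to the attribute
    configured in the LDAP-UX profile (e.g. employeeNumber).
    """
    lower_map = {k.lower(): v for k, v in attr_map.items()}

    def substitute(match):
        attr, op = match.group(1), match.group(2)
        return "(" + lower_map.get(attr.lower(), attr) + op

    return _ATTR_RE.sub(substitute, filt)


def effective_filter(entry_type="passwd", user_filter=None, name=None, attr_map=None):
    """Return the filter LDAP-UX would use for the given -t / -f / -n options.

    - entry_type: "passwd" (default, as with ldapuglist) or "group"
    - user_filter: the -f value, an LDAP filter string
    - name: the -n value; equivalent to -f "(uid=<name>)" or "(cn=<name>)"
    - attr_map: attribute mappings from the configuration profile
    """
    if entry_type not in DEFAULT_FILTERS:
        raise ValueError("type must be passwd or group, got %r" % entry_type)
    if name is not None and user_filter is not None:
        raise ValueError("-n must not be combined with -f")
    attr_map = attr_map or {}

    if name is not None:
        user_filter = "(%s=%s)" % (NAME_ATTR[entry_type], escape_filter_value(name))
    if user_filter is None:
        # No selection given: every entry of the requested type matches.
        return DEFAULT_FILTERS[entry_type]

    mapped = apply_attribute_map(user_filter, attr_map)
    return "(&%s%s)" % (DEFAULT_FILTERS[entry_type], mapped)


if __name__ == "__main__":
    # The guide's own example: uidNumber mapped to employeeNumber.
    print(effective_filter("passwd", user_filter="(uidNumber=51552)",
                           attr_map={"uidNumber": "employeeNumber"}))
    # -n shortcut for a user, and a constructed hostile name to show escaping.
    print(effective_filter("passwd", name="mlee"))
    print(effective_filter("passwd", name="*)(uid=*"))
```

Running the module prints the filter from the example above, (&(objectclass=posixAccount)(employeeNumber=51552)), followed by the expansion of -n mlee; the third line shows the metacharacters in the constructed name rendered as \2a, \29 and \28 so that the directory compares them literally. When scripting ldapuglist with names taken from untrusted input, apply the same escaping before passing the value on the command line.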
The -f option also supports generation of search filters for the
multi-mapped attributes, gecos and memberUid. In the case of gecos,
each mapped attribute is used in the search filter using the LDAP and
LDAP User and Group Management Tools 177