LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
The ldapugadd Tool
You can use the ldapugadd tool to add new POSIX accounts and groups to an LDAP directory
server (the first and second syntaxes in “Synopsis” (page 186) below). You can also use
ldapugadd to modify the /etc/opt/ldapux/ldapug.conf file to set the defaults used when
creating new users or groups (the third syntax in “Synopsis” (page 186) below).
The ldapugadd tool uses user and group template files so that the entries it creates conform
to the information model required for each type of entry. To use ldapugadd, you must provide
LDAP administrator credentials with sufficient privilege to perform the user or group add
operation in the LDAP directory server.
This tool provides command-line options that enable you to add the following information to
the user or group entry:
For POSIX Accounts
• User's full name
• User ID (account name)
• User ID number
• User password
• Primary group membership
• Home directory
• Login shell
• Gecos
• Comments
For POSIX Groups
• Group ID (group name)
• Group ID number
• Group members
LDAP-UX supports a local LDAP UG configuration file, /etc/opt/ldapux/ldapug.conf.
The ldapugadd tool reads this file for the default values of the configuration parameters
uidNumber_range, gidNumber_range, user_gidNumber, default_homeDirectory and
default_loginShell. When it creates a new user or group entry in the LDAP directory server,
ldapugadd uses these defaults for any value that is not supplied by a command-line option.
You can use the ldapugadd -D command to change the values defined in the ldapug.conf file.
See “LDAP UG Tool Configuration File” (page 193) for more information.
Template files are required by the ldapugadd tool. They define what data is required to
create new user and group entries and allow ldapugadd to discover the required attributes.
Because each organization may have a different required data model for user and group
entries (an LDAP directory server can store a wide variety of attributes in them), the
templates may define arbitrary data models beyond the required POSIX attributes. Before
creating new entries, applications can use the ldapcfinfo tool to discover which attributes
required by the templates are not part of the standard POSIX data model. For more
information, see “Template Files” (page 194).
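The following is an added illustration, not code from LDAP-UX or from ldapugadd itself, of how the ldapug.conf defaults and a user template combine into a new posixAccount entry, and of the ldapcfinfo-style discovery of attributes a template requires beyond the POSIX model. The key=value ldapug.conf syntax, the dict-based template with %token% placeholders, the sample conf and template contents, the base DN and the "missing attribute" behaviour are all assumptions made for this example.

```python
"""Added example, not the HP-UX tool: ldapug.conf defaults + user template
-> posixAccount entry. Conf syntax (key=value), template format and the
%token% placeholders are assumptions for this illustration."""

# Constructed sample of /etc/opt/ldapux/ldapug.conf (line format assumed)
SAMPLE_LDAPUG_CONF = """\
# LDAP UG tool defaults (constructed sample)
uidNumber_range=10000-19999
gidNumber_range=10000-19999
user_gidNumber=10000
default_homeDirectory=/home
default_loginShell=/usr/bin/sh
"""

# Standard POSIX account fields; anything else a template demands is
# site-specific and must be supplied by the caller.
POSIX_USER_ATTRS = {"uid", "cn", "userPassword", "uidNumber", "gidNumber",
                    "homeDirectory", "loginShell", "gecos"}

# Constructed user template: fixed values are copied verbatim, %token%
# values are filled from the request or from ldapug.conf defaults.
SAMPLE_USER_TEMPLATE = {
    "objectClass": ["top", "person", "organizationalPerson",
                    "inetOrgPerson", "posixAccount"],
    "uid": "%uid%", "cn": "%cn%", "sn": "%sn%",
    "uidNumber": "%uidNumber%", "gidNumber": "%gidNumber%",
    "homeDirectory": "%homeDirectory%", "loginShell": "%loginShell%",
    "gecos": "%gecos%",
    "departmentNumber": "%departmentNumber%",  # site-specific, non-POSIX
}


def parse_ldapug_conf(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def next_free_id(range_spec, used_ids):
    """Lowest id in 'lo-hi' not already allocated in the directory."""
    lo, hi = (int(x) for x in range_spec.split("-", 1))
    for candidate in range(lo, hi + 1):
        if candidate not in used_ids:
            return candidate
    raise ValueError("no free id left in range " + range_spec)


def required_non_posix_attributes(template):
    """Report, as ldapcfinfo would, the template-required attributes that
    lie outside the POSIX data model; the caller must supply these."""
    return sorted(name for name, value in template.items()
                  if isinstance(value, str) and value.startswith("%")
                  and name not in POSIX_USER_ATTRS)


def build_user_entry(request, conf, template, used_uids, base_dn):
    """Fill the template from the request, falling back to ldapug.conf
    defaults for the POSIX fields the request does not supply."""
    uid = request["uid"]
    values = dict(request)
    values.setdefault("uidNumber",
                      str(next_free_id(conf["uidNumber_range"], used_uids)))
    values.setdefault("gidNumber", conf["user_gidNumber"])
    values.setdefault("homeDirectory",
                      conf["default_homeDirectory"].rstrip("/") + "/" + uid)
    values.setdefault("loginShell", conf["default_loginShell"])
    values.setdefault("gecos", values.get("cn", uid))

    entry = {"dn": "uid=%s,%s" % (uid, base_dn)}
    missing = []
    for name, value in template.items():
        if isinstance(value, str) and value.startswith("%") and value.endswith("%"):
            token = value.strip("%")
            if token not in values:
                missing.append(name)   # required by template, not supplied
                continue
            entry[name] = values[token]
        else:
            entry[name] = value        # fixed value from the template
    if missing:
        raise ValueError("template requires attributes not supplied: "
                         + ", ".join(missing))
    return entry


def to_ldif(entry):
    """Render the entry as LDIF for review before the add is performed."""
    lines = ["dn: " + entry["dn"]]
    for name, value in entry.items():
        if name == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append("%s: %s" % (name, v))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    conf = parse_ldapug_conf(SAMPLE_LDAPUG_CONF)
    print("non-POSIX attributes required by template:",
          required_non_posix_attributes(SAMPLE_USER_TEMPLATE))
    # uidNumbers 10000 and 10001 are assumed to be allocated already
    entry = build_user_entry({"uid": "jdoe", "cn": "Jane Doe", "sn": "Doe",
                              "departmentNumber": "4711"},
                             conf, SAMPLE_USER_TEMPLATE, {10000, 10001},
                             "ou=People,dc=example,dc=com")
    print(to_ldif(entry))
```

The set of already-used uidNumbers would come from a directory search in practice; the example takes it as an argument so it runs offline. Whatever supplies it, check that uidNumber_range and gidNumber_range do not overlap ids already used by local accounts in /etc/passwd and /etc/group, since a collision gives two principals the same numeric identity on the client.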
Syntax Translation
LDAP-UX supports syntax translation for the memberUid and gecos attributes, so this
information can be stored in a format that is more interoperable with other directory-enabled
applications. The LDAP user and group tools create and modify these attributes in the
LDAP-native syntax even when you specify them using the POSIX syntax.
For example, if the LDAP-UX configuration profile indicates that the gecos attribute has been
mapped to the cn, l and telephoneNumber attributes, then when you specify the GECOS value
to the ldapugadd command as a comma-separated list with one component per mapped attribute,
the list is parsed and each component is placed in the cn, l and telephoneNumber
LDAP User and Group Management Tools 185
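The gecos translation described above, as an added example that is not LDAP-UX code, carried out in both directions: splitting a POSIX gecos value into the mapped LDAP attributes, and rebuilding the gecos field from those attributes as a client would when it answers a passwd lookup. The cn, l, telephoneNumber mapping is the one in the guide's example; the ordered-list mapping format, the handling of missing or surplus components, and the memberUid-to-member DN translation shown alongside it (with uid as the RDN) are assumptions of this illustration, not documented LDAP-UX behaviour.

```python
"""Added example, not LDAP-UX code: gecos and memberUid syntax translation
between the POSIX form and the LDAP-native form. Mapping format and the
edge-case policies are assumptions made for this illustration."""

# Mapping from the guide's example: gecos components go to these attributes
GECOS_MAP = ["cn", "l", "telephoneNumber"]


def gecos_to_attributes(gecos, mapping=GECOS_MAP):
    """Split a POSIX gecos string on commas and place each component in
    the mapped LDAP attribute, in order. Empty or missing components set
    nothing; surplus components are folded into the last mapped attribute
    so nothing the administrator typed is silently dropped (assumed policy)."""
    parts = [p.strip() for p in gecos.split(",")]
    attrs = {}
    last = len(mapping) - 1
    for i, name in enumerate(mapping):
        if i >= len(parts):
            break
        attrs[name] = ",".join(parts[i:]) if i == last else parts[i]
    return {k: v for k, v in attrs.items() if v}


def attributes_to_gecos(entry, mapping=GECOS_MAP):
    """Rebuild the POSIX gecos field from the mapped attributes, as the
    client would for getpwnam(3). Interior empty components are kept so
    field positions stay stable; trailing empties are trimmed."""
    parts = [entry.get(name, "") for name in mapping]
    while parts and parts[-1] == "":
        parts.pop()
    return ",".join(parts)


def member_uids_to_dns(member_uids, people_base_dn):
    """POSIX memberUid values -> DN-valued member attribute (assumed
    mapping, with uid as the RDN under a fixed people container)."""
    return ["uid=%s,%s" % (uid, people_base_dn) for uid in member_uids]


def dns_to_member_uids(member_dns):
    """DN-valued members -> memberUid values, recovering the uid from the
    RDN. DNs whose RDN is not uid (e.g. cn=... in Active Directory) would
    need a directory lookup and are skipped here."""
    uids = []
    for dn in member_dns:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == "uid" and value.strip():
            uids.append(value.strip())
    return uids


if __name__ == "__main__":
    # Constructed sample values
    print(gecos_to_attributes("Jane Doe,Building 3,555-1212"))
    print(attributes_to_gecos({"cn": "Jane Doe", "telephoneNumber": "555-1212"}))
    dns = member_uids_to_dns(["jdoe", "bob"], "ou=People,dc=example,dc=com")
    print(dns, dns_to_member_uids(dns))
```

Values that themselves contain a comma (a telephoneNumber entered as "555-1212, ext 42") cannot be round-tripped through the POSIX gecos syntax, which is one reason to edit such attributes with the LDAP tools in native syntax rather than through the gecos field.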