LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
attributes. If the memberUid attribute has been mapped to the member attribute (where the
member ID syntax is defined using a distinguished name [DN]), then ldapugadd translates the
memberUid account name to a DN before placing the member attribute. If the memberUid
attribute has been mapped to more than one attribute type, ldapugadd uses the first attribute
defined by the mapping.
Synopsis
ldapugadd [-t passwd] [options] <uid_name>
[-h <hostname>] [-p <port>] [-b <base>] [-u <uid_number>]
[-g <group/gid>] [-f <full_name>] [-x <domain>] [-G <group/gid>[,...]]
[-s <login_shell>] [-d <home_directory>] [-I <gecos>][-c <comment>]
[-m [-k <skel_dir> [-T <template_file> [[<attr>=<value>][...]]
ldapugadd -t group [options] [-h <hostname>] [-p <port>]
[-b <base>] [-g <gidNumber>], [-x <domain>] [-M <member>[,...]]
[-c <comment>] [-T <template_file>] <group_name>
[[<attr>=<value>][...]]
ldapugadd -D [-g <default_gid>] [-d <default_home>] [-s <defult_shell>]
[-u <min_uid>:<max_uid>] [-g <min_gid>:<max_gid>]
Options
The ldapugadd tool supports the following command options:
-P
Prompts for the administrator bind identity (typically LDAP DN or Kerberos principal)
and bind password. If you do not specify the -P option, ldapugadd discovers the bind
identity and password from the environment variables LDAP_BINDDN and
LDAP_BINDCRED. Values set with a prompt (-P) option override values specified in the
environment variable. If the LDAP_BINDDN and LDAP_BINDCRED environment variables
have not been specified, ldapugadd uses the bind configuration specified in the
LDAP-UX configuration profile. If the LDAP-UX configuration profile has specified the
“proxy” bind, ldapugadd reads the bind credential from either the
/etc/opt/ldapux/acred or /etc/opt/ldapux/pcred file. The
/etc/opt/ldapux/acred file is only used by users that have sufficient administrative
privilege to read this file.
-PP
Prompts for the password of the user or group being created. If attribute mapping for
the userPassword attribute in the LDAP-UX configuration profile has not been defined
or set to *NULL*, ldapugadd will create new password in the userPassword attribute.
To ensure accuracy, the user is prompted twice for the password. The ldapugadd tool
relies on the LDAP directory server for setting of password policy, such as
user-must-change-password-at-first-login.
-PW Sets the user or group password attribute. If attribute mapping for the userPassword
attribute in the LDAP-UX configuration profile has not been defined or set to *NULL*,
ldapugadd will create new password in the userPassword attribute. If you specify
-PW, you must specify either the LDAP-UGCRED environment variable or the -PP option.
-Z
Requires an SSL connection to the LDAP directory server, even if the LDAP-UX
configuration profile does not specify the use of SSL. Using the -Z option requires that
you define either a valid LDAP directory server or CA certificate in the
/etc/opt/ldapux/cert8.db file. An error occurs if the SSL connection cannot be
established.
-ZZ
Attempts a TLS connection to the directory server, even if the LDAP-UX configuration
profile does not specify the use of TLS. If a TLS connection cannot be established, a
non-TLS and non-SSL connection will be established. HP recommends that you do not
use -ZZ unless alternative methods are used to protect from network eavesdropping.
Use of -ZZ requires that you define either a valid LDAP directory server or CA certificate
in the /etc/opt/ldapux/cert8.db file.
186 Command, Tool, Schema Extension Utility, and Migration Script Reference