LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
UG tool configuration file,
/etc/opt/ldapux/ldapug.conf.
-u <min_uid>:<max_uid>
Sets new default minimum and maximum ranges that
ldapugadd uses when provisioning a UID number for
newly created user entries. The UID range is inclusive of the
specified end values.
-g <default_gid>
Specifies the default group ID number used when creating
new user entries. To prevent ldapugadd from displaying
warning messages, you must specify this group ID which
represents a POSIX-style group stored in the LDAP directory.
If this group ID is not defined in the LDAP directory,
ldapugadd displays a warning message every time it adds
a new user using this default group ID, because ldapugadd
cannot add the user as a member of that group.
-g <min_gid>:<max_gid>
Sets new default minimum and maximum ranges that
ldapugadd uses when provisioning a GID number for newly
created group entries. The GID range is inclusive of the
specified end values. Use the colon character to indicate that
a range has been specified.
-s <default_shell>
Specifies the default login shell to use when creating new user
entries.
-d <default_home>
Specifies the default parent home directory to use when
creating new user home directories.
Arguments Applicable to -t passwd
The following is a list of valid arguments for -t passwd:
<uid_name>
Required. Specifies the POSIX-style login name for the new user
entry. This user name must conform to HP-UX login name
requirements. For login name requirements, refer to the
passwd(4) man page. This argument must follow
all command-line options and must precede the
<attr>=<value> parameters (if provided).
-f <full_name>
Optional. This option is required only for the passwd service
and is used to specify the user’s full name. If you do not specify
this argument, the user's full name defaults to the account name.
-u <uid_number>
Optional. Specifies the user’s numeric ID number. If the specified
uidNumber value already exists in the directory server,
ldapugadd does not add the new entry and returns an error
status, unless you specify the -F option.
If this argument is not specified, ldapugadd randomly selects
a new user ID number from the uidNumber range specified by
the ldapugadd -D -u command. If you do not specify the
uidNumber range with the ldapugadd -D -u command,
ldapugadd randomly selects a value from the default UID range
specified in the /etc/opt/ldapux/ldapug.conf file. If
ldapugadd randomly selects a uidNumber that is already in
use on the directory server, ldapugadd then randomly selects
another uidNumber and tries again until it finds an unused
uidNumber or exhausts retry attempts. Retry attempts are limited
to 90% of the range of available uidNumbers (specified with -D
-u <min_uid>:<max_uid>).
-g <group/gid>
Optional. Specifies the user's primary login group name or ID
number. After creating the user entry, ldapugadd attempts to
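
The random uidNumber selection described under -u <uid_number> above, modelled as an added example (this is not HP's code). It assumes the retry cap is 90% of the number of IDs in the inclusive range and that the first draw counts toward it; all function names are hypothetical. It also shows why a nearly full range can fail even though a free uidNumber still exists.

```python
import random

def parse_range(spec):
    """Parse '<min_uid>:<max_uid>'; both end values are inclusive."""
    lo, sep, hi = spec.partition(":")
    if not sep:
        raise ValueError("range must have the form min:max")
    lo, hi = int(lo), int(hi)
    if lo < 0 or hi < lo:
        raise ValueError("invalid range: %s" % spec)
    return lo, hi

def retry_budget(lo, hi):
    # Assumption: the cap is 90% of the IDs in the inclusive range.
    return max(1, (hi - lo + 1) * 9 // 10)

def pick_uid(lo, hi, in_use, rng=random):
    """Return an unused uidNumber, or None once the budget is exhausted."""
    for _ in range(retry_budget(lo, hi)):
        candidate = rng.randint(lo, hi)   # drawn with replacement
        if candidate not in in_use:
            return candidate
    return None

def exhaustion_probability(lo, hi, in_use):
    """Chance that every draw hits a used ID, so no uidNumber is returned."""
    size = hi - lo + 1
    used = sum(1 for uid in in_use if lo <= uid <= hi)
    return (used / size) ** retry_budget(lo, hi)

if __name__ == "__main__":
    lo, hi = parse_range("5000:5009")
    taken = set(range(5000, 5009))        # constructed: 9 of 10 IDs in use
    print("picked:", pick_uid(lo, hi, taken, random.Random(1)))
    print("P(no ID found): %.3f" % exhaustion_probability(lo, hi, taken))
```

Keeping the configured range well below full avoids these failures, which matters because forcing a duplicate uidNumber gives two accounts the same file ownership and access.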