LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
add the user as a member of the specified group using the
ldapugmod -t group command.
To support numeric group names, ldapugadd always attempts
to resolve the specified argument as a group name (even if it is
a numeric string). If the specified argument is not found as a
group name, ldapugadd checks to see if the argument is a
numeric string and if so, uses that as the group ID number. If
that numeric group cannot be found in any active name service
repository, ldapugadd issues an ERROR message. If the specified
argument is not numeric and cannot be found in an active name
service repository, ldapugadd exits with an ERROR and does
not create the new entry.
If you do not specify this argument, the user becomes a member
of the default login group as specified by the ldapugadd -D
-g <default_gid> command.
-G <group/gid>[,...]
Optional. Specifies the user's alternate group memberships.
<group/gid> is the POSIX group name or the group ID number.
The specified <group> name must exist in the directory server
(not in the /etc/group file). If the specified group name is
invalid or does not exist in the directory server, ldapugadd
issues a warning message for each invalid group. To support
numeric group names, ldapugadd always attempts to resolve
the specified argument as a group name (even if it is a numeric
string). If the specified argument is not found as a group name,
ldapugadd checks to see if the argument is a numeric string
and if so, uses that as the group ID number. Only after the user entry
has been successfully created does ldapugadd call ldapugmod
-t group for each <group> specified to add the user to the listed
groups. If you specify more than one group, you must separate
each group by a comma. No white space is allowed between or
within group names. If ldapugadd fails to add the user as a
member of a particular group, ldapugadd issues a warning
message and continues to add the user to the remaining groups
specified.
If you do not specify this argument, ldapugadd does not add
the user to alternate groups.
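The resolution order documented above for the -g and -G arguments (try the argument as a group name first, even when it is all digits; only then treat it as a group ID number) has a consequence worth checking before you script account creation: if the directory contains a group whose name is a numeric string, an argument such as 100 binds to that group and not to GID 100. The shell functions below are an added illustration, not part of LDAP-UX Client Services; they model the documented lookup order over a constructed group list (the group names and GIDs are invented for the demonstration) and reproduce the -G behaviour of warning on an unresolvable group while continuing with the rest.

```shell
#!/bin/sh
# Added example: models the documented ldapugadd resolution order for a
# <group/gid> argument. This is not the product's code, and the group
# repository below is constructed for the demonstration.

# Constructed group repository in /etc/group format (name:passwd:gid:members).
# Note the group literally named "100" alongside a group whose GID is 100.
GROUP_DB='users:*:20:
100:*:5000:
wheel:*:0:root
ops:*:100:'

# resolve_group ARG
# Prints "<name>:<gid>" and returns 0 if ARG resolves, following the
# documented order:
#   1. try ARG as a group name, even when it is all digits;
#   2. otherwise, if ARG is all digits, try it as a GID;
#   3. otherwise return 1 (an ERROR for -g, a per-group warning for -G).
resolve_group() {
    arg=$1
    # Step 1: exact match on the name field.
    hit=$(printf '%s\n' "$GROUP_DB" |
          awk -F: -v n="$arg" '$1 == n { print $1 ":" $3; exit }')
    if [ -n "$hit" ]; then
        printf '%s\n' "$hit"
        return 0
    fi
    # Step 2: numeric fallback, only for an all-digit argument.
    case $arg in
        ''|*[!0-9]*) return 1 ;;
    esac
    hit=$(printf '%s\n' "$GROUP_DB" |
          awk -F: -v g="$arg" '$3 == g { print $1 ":" $3; exit }')
    if [ -n "$hit" ]; then
        printf '%s\n' "$hit"
        return 0
    fi
    return 1
}

# resolve_list "g1,g2,..."
# Models the -G handling: each group is resolved independently, an
# unresolvable one produces a warning, and processing continues.
# Prints the resolved entries; the return value is the number of failures.
resolve_list() {
    fails=0
    # Group names may not contain whitespace, so default word splitting is safe.
    for g in $(printf '%s\n' "$1" | tr ',' '\n'); do
        if r=$(resolve_group "$g"); then
            printf '%s\n' "$r"
        else
            printf 'WARNING: group %s not found\n' "$g" >&2
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Demonstration: "100" names a group here, so it shadows GID 100.
resolve_group 100     # prints 100:5000 (the group named "100"), not ops:100
resolve_group 20      # prints users:20 (no group named "20", GID fallback)
resolve_list "ops,bogus,20" || echo "unresolved groups: $?" >&2
```

On a real client, confirm what a numeric argument will bind to by listing the group in the directory (the ldapuglist tool has its own section in this appendix) before passing the value to ldapugadd; a GID-only match that you expected to be a name, or the reverse, is easy to miss when the only symptom is a silently different group membership.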
-s <login_shell>
Optional. Specifies the full path name to the executable that is
used to handle login sessions for this user.
If this argument is not specified, the default, as configured by
the ldapugadd -D -s <default_shell> command, is used.
-d <home_directory>
Optional. Specifies the full path name (including the user name)
of the user’s home directory.
If you do not specify this argument, the combination of the
default base directory as configured by ldapugadd -D -d
<home_directory> and the user’s account name is used. If
you want to create the home directory on this system, you must
specify the -m option.
-I <gecos>
Optional. Specifies the GECOS fields for the user. Typically the GECOS
argument contains the following four fields, which represent (in
order):
• The user’s full name
• The user’s work location
LDAP User and Group Management Tools 189