LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
-ZZ
Attempts a TLS connection to the directory server, even if the LDAP-UX configuration
does not require the use of TLS. If a TLS connection cannot be established, a non-TLS
and non-SSL connection will be established. Do not use -ZZ unless alternative methods
are used to protect against network eavesdropping. Use of -ZZ requires that you define
a valid server or a CA certificate in the /etc/opt/ldapux/cert8.db file.
-ZZZ
Requires a TLS connection to the LDAP directory server, even if the LDAP-UX
configuration profile does not specify the use of TLS. Using the -ZZZ option requires
that you define a valid directory server or a CA certificate in the
/etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be
established.
-N
Allows you to rename the Relative Distinguished Name (RDN) of an LDAP directory
server. In some cases, when an attribute is modified, it might be the same attribute that
is used in the RDN portion of the entry’s distinguished name. Changing the attribute
and value that is used in the RDN requires changing the RDN.
For example, an entry in the directory server is named “cn=Robert
Smith,ou=IT,dc=example,dc=com”. If the cn attribute is changed to “cn=Bob
Smith”, then the entry DN also needs to change to “cn=Bob
Smith,ou=IT,dc=example,dc=com”
Modification of an RDN is generally discouraged because the DN is often used as a
unique way to identify the entry in the directory server. Often DN is used to define
membership in a group. To prevent accidental changes to the DN, you must specify the
-N option to allow changes to the RDN. When the DN of an entry changes, the group
membership information for this entry might be inconsistent. Most directory servers
have the inherent ability to update all entries that refer to the updated DN of a changed
entry. Therefore, ldapugmod does not attempt to perform modifications to other entries
in the directory server that refer to this entry by its DN.
NOTE: The ldapugmod tool does not allow you to rename multi-valued RDNs. For
example, an RDN of “cn=test1+cn=test2” is not supported
-F Forces ldapugmod to modify the user or group entry in an LDAP directory server even
if particular error conditions occur. Those error conditions that can be overwritten are
as follows:
• The changed user name or group name already exists in the directory server.
• The changed user ID or group ID number already exists in the directory server.
• An attempt is made to modify the group of a user with a group ID that cannot be
found in any name service repository. In this case, the group ID number must be
specified.
• An attempt is made to force ldapugmod to add a member to a group when that
member is not defined in the LDAP directory server. In this case, membership is
always defined using the memberUid attribute, regardless of attribute mapping
defined for group membership.
-S
Displays the Distinguish Name (DN) of the deleted or updated entry when the operation
successfully completes.
Arguments
The following describes command arguments:
-t <type>
Specifies whether the command-line arguments are applicable to modify
the user or group entry. The valid types of this argument are passwd and
group. If you do not specify this argument, ldapugmod defaults to passwd.
The passwd type represents LDAP user entries that contain POSIX
account-related information. The group type represents LDAP group
entries that contain POSIX group-related information.
-h <hostname> Specifies the host name and optional port number (hostname:port) of
the LDAP directory server. This option overrides the server list specified
by the LDAP-UX configuration profile. This field supports specification of
LDAP User and Group Management Tools 203