LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

-n <new_name>
Specifies the new name of the user or group. This option replaces the uid
attribute for user entries or the cn attribute for group entries with the new
name, or the mapped attribute if attribute mapping has been specified for
that attribute. Using -n is the same as replacing the corresponding attribute.
For example, the following two commands perform the same operation,
replacing old uid with new uid for a user entry (assuming no attribute
mapping):
ldapugmod -t passwd -n newuid olduid
is the same as:
ldapugmod -t passwd olduid "uid=newuid"
Options Applicable to -t passwd
The following is a list of valid options for -t passwd:
<uid_name>
Required. Specifies the POSIX style login name of the user entry
to modify. You must specify the <uid_name> parameter unless
you specify the -D option. This user name must conform to HP-UX
login name requirements. Refer to man page passwd(4) for login
name requirements.
-f <full_name>
Replaces the user’s full name. If <full_name> is an empty string (a pair of
double quotes: ""), ldapugmod removes the cn (or mapped) attribute.
See the “WARNING” section below for impacts when using this
option.
-u <uidNumber>
Replaces the user’s numeric ID number. If <uidNumber> is an empty
string (a pair of double quotes: ""), ldapugmod removes the
uidNumber or mapped attribute. If the specified uidNumber
value already exists in the directory server, ldapugmod does not
modify the entry and returns an error exit status, unless you
specify the -F option.
-g <group/gid>
Replaces the user's primary login group ID number. If
<group/gid> is an empty string (a pair of double quotes: ""),
ldapugmod will remove the gidNumber or mapped attribute. In
order to support numeric group names, ldapugmod treats the -g
argument as a group name. If ldapugmod cannot find a matched
numeric group name in the directory server, it checks to see if the
value is numeric and then checks to see if the specified group ID
number exists. If it does not exist, ldapugmod exits with an error,
unless you specify the -F option.
NOTE: The ldapugmod tool does not modify the user’s group
membership when changing the primary group ID. Adding the
user as a member of the new group and possibly removing the
member from the previous group must be done with separate
ldapugmod operations.
-s <login_shell>
Replaces the full path name to the executable that is used to handle
login sessions for this user.
If the <login_shell> argument is an empty string (a pair of
double quotes: ""), ldapugmod removes the loginShell or
mapped attribute.
The ldapugmod tool issues a WARNING if the specified login
shell does not exist on the local system. See the “WARNING”
section below for impacts when using this option.
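
The -g lookup order described above means a group whose name is a number takes precedence over a group ID with the same digits. The following Python model is an added example, not HP code and not part of the original guide; the GROUPS table is constructed sample data, and the function names and the two behaviours marked as assumptions in the comments are hypothetical.

```python
# Added example: models the -g lookup order from the text on constructed data.
# GROUPS is a made-up directory snapshot (group name -> gidNumber).
GROUPS = {"staff": 20, "dba": 300, "300": 4100}


class GroupLookupError(Exception):
    """Raised where the text says ldapugmod exits with an error."""


def resolve_primary_group(arg, groups, force=False):
    """Return (gidNumber, matched_by) for a -g argument."""
    if arg == "":
        return None, "remove"            # "" removes gidNumber
    if arg in groups:                    # 1. always tried as a group name first
        # Assumption: a name match yields that group's gidNumber.
        return groups[arg], "name"
    if arg.isascii() and arg.isdigit():  # 2. only then as a numeric group ID
        gid = int(arg)
        if gid in groups.values():
            return gid, "gid"
        if force:                        # -F accepts a GID with no group entry
            return gid, "forced"
        raise GroupLookupError(f"no group has gidNumber {gid}")
    # Assumption: an unknown non-numeric name is an error even with -F.
    raise GroupLookupError(f"no group named {arg!r}")


def numeric_name_conflicts(groups):
    """List (name, gid_of_name, group_owning_that_number) where a numeric
    group name hides a different group's gidNumber from -g."""
    by_gid = {gid: name for name, gid in groups.items()}
    conflicts = []
    for name, gid in sorted(groups.items()):
        if name.isascii() and name.isdigit():
            owner = by_gid.get(int(name))
            if owner is not None and owner != name and gid != int(name):
                conflicts.append((name, gid, owner))
    return conflicts


if __name__ == "__main__":
    print(resolve_primary_group("300", GROUPS))
    print(numeric_name_conflicts(GROUPS))
```

In the sample data, "-g 300" resolves to the group named 300 (gidNumber 4100) rather than to dba, so a review of numeric group names before changing primary groups catches the mismatch.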