LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
server. Instead use the -R option to remove arbitrary attributes.
See the “WARNING” section below for impacts when using this
option
Options Applicable to -t group
The following is a list of valid options for -t group:
<group_name>
Required. Specifies the POSIX style textual group name for the group
entry to modify. You must specify the group name if you do not
specify the -D option. This group name must conform to HP-UX
group name requirements. Refer to man page group(4) for group
name requirements.
-g <gidNumber> Replaces the group’s numeric ID number. If the specified gidNumber
value already exists in the directory server, ldapugmod does not
modify the group entry and return an error status, unless you specify
the -F option.
-a <member>[,...]
Adds one or more members to the specified group.
The ldapugmod tool follows the same membership syntax defined
by the LDAP-UX configuration profile attribute mapping. Specifically,
if LDAP-UX has mapped the RFC 2307 group membership attribute,
memberUid, to a DN-based membership attribute such as member
or uniqueMember, then ldapugmod defines membership using the
DN of the specified user. When specifying a list of members, you
must use a comma with no white space to separate each member. If
the memberUid attribute has been mapped to more than one attribute
type, ldapugmod uses the first attribute defined by the mapping. If
the specified <member> does not exist in the LDAP directory, you
must use -F to define the member, and only use the memberUid
attribute syntax.
NOTE: The ldapugmod tool can add members only to a group that
follow a static membership syntax (such as memberUid, member and
uniqueMember). If the only membership mapping defined in the
LDAP-UX configuration profile uses a dynamic group membership
syntax (such as memberURL), ldapugmod fails to add a member to
a group.
-r <member>[,...]
Removes one or more members from the specified group.
The ldapugmod tool searches for membership in the group using
the memberUid, member, uniqueMember, and
msSFU30posixMember attributes and removes all values that
represent the specified user (either DN or uid name). The ldapugmod
tool consults the LDAP-UX configuration profile for attribute
mappings to determine which attributes need to be modified to
remove the user membership. When specifying a list of members,
you must use a comma with no white space to separate each member.
-c <comment> Replaces a comment that is stored in the description attribute as
defined by RFC 2307. LDAP-UX does not support attribute mappings
for the description attribute. If <comment> is an empty string,
ldapugmod removes the description or mapped attribute.
<attr>=<value>>
Enables modification of arbitrary LDAP attributes and values. The
<value> parameter may be an empty string. However this usage
does not remove attributes and their values from the directory server.
Instead, use the -R option to remove arbitrary attributes. See the
“WARNING” section below for impacts when using this option
LDAP User and Group Management Tools 207