LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
Defining Attribute Types
Each attribute type definition, enclosed by <attributeTypeDefinition> tags, can contain
the following case-sensitive tags, in the order specified:
<oid>
Required. Exactly one numeric id must be specified. The <oid>
value must adhere to RFC 2252 format specification.
<name>
Required. At least one attribute type name must be specified.
Do not use quotes around the name values. The <name> value
must adhere to RFC 2252 format specification.
<displayName>
Optional. At most one display name can be specified. This tag
specifies a display name of the attribute type used by LDAP
clients and administrative tools. Currently, <displayName>
applies only to Active Directory Server (ADS) to specify
lDAPDisplayName and adminDisplayName if different from
the <name> value.
<desc>
Optional. At most one description can be specified. Do not use
quotes around the description value.
<obsolete>
Optional, use only if applicable. Obsolete attribute types cannot
be used in definitions of any other attribute types or object
classes. At most one obsolete flag can be specified.
<subTypeOf>
Optional, use if an attribute type has a super-type. At most one
super-type can be specified. The specified super-type must
already exist on the LDAP directory server, or its definition must
be specified in the same schema definition file.
<equality>
Optional. At most one matching equality rule can be specified.
<ordering>
Optional. At most one ordering rule can be specified.
<substr>
Optional. At most one substring matching rule can be specified.
<syntax>
Required if an attribute type has no super-type. At most one
LDAP syntax can be specified.
<length>
Optional indication of the maximum length of a value of this
attribute. RFC 2252 specifies this value in curly braces following
the attribute type’s syntax. For instance, "1.3.6.4.1.1466.0{64}”
can be expressed using the following tags:
<syntax>1.3.6.4.1.1466.0</syntax>
<length>64</length>
At most one syntax length value can be specified. <length>
must contain a positive integer value.
<singleValued>
Optional, use if the SINGLE-VALUE flag is set. At most one
singleValued flag can be specified.
<collective>
Optional, use if the COLLECTIVE-VALUE flag is set. At most one
collective flag can be specified.
<noUserModification>
Optional, use if NO-USER-MODIFICATION flag is set. At most
one noUserModification flag can be specified.
<usage>
Optional, must contain one of the following possible values:
• userApplications
• directoryOperation
• distributedOperation
• dSAOperation
At most one usage value can be specified.
<indexed>
Optional, use if an attribute type requires indexing. At most one
indexed flag can be specified.
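As an added illustration of the tag rules above (not part of HP's schema extension utility), the following Python checks a single attribute type definition against the cardinality, ordering, required-tag, length and usage constraints listed here, and renders it as the RFC 2252 description the tags stand for. It assumes the definition can be read as plain XML under an <attributeTypeDefinition> root; the sample definition and its OID are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Tag order and cardinality from the section above; reading the definition as
# plain XML under an <attributeTypeDefinition> root is this example's assumption.
ORDER = ["oid", "name", "displayName", "desc", "obsolete", "subTypeOf", "equality",
         "ordering", "substr", "syntax", "length", "singleValued", "collective",
         "noUserModification", "usage", "indexed"]
USAGES = {"userApplications", "directoryOperation", "distributedOperation", "dSAOperation"}

def check_attribute_type(xml_text):
    """Return (values, problems); values maps tag -> list of text values."""
    root = ET.fromstring(xml_text)
    vals = {t: [(c.text or "").strip() for c in root.findall(t)] for t in ORDER}
    errs = ["unknown tag <%s>" % c.tag for c in root if c.tag not in ORDER]
    tags = [c.tag for c in root if c.tag in ORDER]
    if tags != sorted(tags, key=ORDER.index):
        errs.append("tags are not in the required order")
    errs += ["<%s> may appear at most once" % t
             for t in sorted(set(tags) - {"name"}) if tags.count(t) > 1]
    for t in ("oid", "name"):
        if not vals[t]:
            errs.append("<%s> is required" % t)
    if not vals["syntax"] and not vals["subTypeOf"]:
        errs.append("<syntax> is required when there is no <subTypeOf>")
    if vals["length"] and not vals["length"][0].lstrip("0").isdigit():
        errs.append("<length> must be a positive integer")
    if vals["usage"] and vals["usage"][0] not in USAGES:
        errs.append("<usage> is not one of the four allowed values")
    return vals, errs

def to_rfc2252(vals):  # render checked values as an RFC 2252 AttributeTypeDescription
    names = ["'%s'" % n for n in vals["name"]]
    out = ["(", vals["oid"][0], "NAME", names[0] if len(names) == 1 else "( %s )" % " ".join(names)]
    for tag, kw in [("desc", "DESC"), ("obsolete", "OBSOLETE"), ("subTypeOf", "SUP"),
                    ("equality", "EQUALITY"), ("ordering", "ORDERING"), ("substr", "SUBSTR"),
                    ("syntax", "SYNTAX"), ("singleValued", "SINGLE-VALUE"), ("collective",
                    "COLLECTIVE"), ("noUserModification", "NO-USER-MODIFICATION"), ("usage", "USAGE")]:
        if vals[tag]:                          # a flag tag contributes only its keyword
            val = vals[tag][0]
            if tag == "syntax" and vals["length"]:   # RFC 2252 puts {n} after the syntax
                val += "{%s}" % vals["length"][0]
            out += [kw, "'%s'" % val if tag == "desc" else val] if val else [kw]
    return " ".join(out + [")"])

# Constructed sample definition; the OID is a placeholder, not an assigned one.
SAMPLE = """<attributeTypeDefinition><oid>1.2.3.4.5.6</oid><name>exampleHostAlias</name>
<desc>constructed example attribute</desc><equality>caseIgnoreMatch</equality>
<syntax>1.3.6.4.1.1466.0</syntax><length>64</length><singleValued/>
<usage>userApplications</usage></attributeTypeDefinition>"""
```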