LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
LDAP Directory Server Definition File
In order to properly install new attribute types in an LDAP directory server schema, the
ldapschema utility needs to determine whether the LDAP server supports the matching rules
and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs
an LDAP search for supported matching rules and syntaxes on the LDAP server. However, some
types of directory servers do not provide this information as part of the search.
Run the following commands to determine whether your directory server returns information
about its supported matching rules and LDAP syntaxes (add the -h <host> and bind options,
such as -D and -w, that your server requires):
1. To determine <schema DN>, read the subschemaSubentry attribute of the root DSE:
/opt/ldapux/bin/ldapsearch -b "" -s base "(objectclass=*)" \
subschemaSubentry
2. To obtain the list of supported matching rules and LDAP syntaxes, search the schema DN
obtained in step 1:
/opt/ldapux/bin/ldapsearch -b "<schema DN>" -s base "(objectclass=*)" \
matchingRules ldapSyntaxes
If the search in step 2 does not return a complete list of supported matching rules and LDAP
syntaxes, you must specify the directory server definitions in the
/etc/opt/ldapux/schema/schema-<ds_type>.xml file. The <ds_type> value in the file name must be
the same value given with the -T option on the ldapschema command line, and the comparison is
case-sensitive: the case used in <ds_type> must match the -T argument exactly.
The LDAP directory server definition, enclosed in <dsSchemaDefinition> tags, optionally
begins with a schema description, followed by any number of supported matching rule and LDAP
syntax definitions. For example, LDAP-UX provides the
/etc/opt/ldapux/schema/schema-ads.xml file, which lists the syntaxes and matching rules that
Windows ADS supports. When you run ldapschema with the -T ads option, the corresponding
directory server definition is read from the /etc/opt/ldapux/schema/schema-ads.xml file.
After the general schema information, the supported matching rules, if any, must be specified,
followed by the supported LDAP syntax definitions.
An Example of the Directory Server Definition File
The example below defines two syntaxes supported on Windows ADS, with <oid> values of 2.5.5.1
(Distinguished Name, oMSyntax 127) and 2.5.5.2 (Object Identifier, oMSyntax 6):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dsSchemaDefinition SYSTEM "/etc/opt/ldapux/schema/schema.dtd">

<dsSchemaDefinition>

    <schemaDescription>ADS Syntaxes</schemaDescription>

    <syntaxDefinition vendor="ads">
        <oid>2.5.5.1</oid>
        <desc>Distinguished Name</desc>
        <oMSyntax>127</oMSyntax>
    </syntaxDefinition>

    <syntaxDefinition vendor="ads">
        <oid>2.5.5.2</oid>
        <desc>Object Identifier</desc>
        <oMSyntax>6</oMSyntax>
    </syntaxDefinition>

</dsSchemaDefinition>
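The decision described above (probe the schema entry for matchingRules and ldapSyntaxes and, when the server does not return them, fall back to the schema-<ds_type>.xml definition file) can be rehearsed outside ldapschema before you extend a schema. The following Python script is an added illustration written for this page; it is not LDAP-UX code and does not claim to be how ldapschema itself is implemented. It parses a constructed LDIF result of the step 2 search and a constructed copy of the schema-ads.xml layout shown above (the DOCTYPE line is omitted from the sample), then reports which syntax OIDs needed by a new attribute type are not supported. Matching-rule definitions are left out because the page does not show their element name, and the vendor check is case-sensitive to mirror the -T rule. All sample data is constructed.

```python
"""Added illustration, not LDAP-UX code: decide whether a directory server
advertises its LDAP syntaxes and matching rules, and if not, consult a
schema-<ds_type>.xml definition file to find unsupported syntax OIDs."""
import xml.etree.ElementTree as ET

# Constructed sample of a step 2 result from a server (ADS-style) that does
# NOT advertise ldapSyntaxes or matchingRules on its schema entry.
LDIF_NO_SYNTAXES = """\
dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: subSchema
"""

# Constructed sample from a server that does advertise them (RFC 4512 form).
LDIF_WITH_SYNTAXES = """\
dn: cn=schema
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
matchingRules: ( 2.5.13.1 NAME 'distinguishedNameMatch'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
"""

# Constructed copy of the schema-ads.xml layout; the real file also starts
# with a DOCTYPE line referencing /etc/opt/ldapux/schema/schema.dtd.
SCHEMA_ADS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<dsSchemaDefinition>
  <schemaDescription>ADS Syntaxes</schemaDescription>
  <syntaxDefinition vendor="ads">
    <oid>2.5.5.1</oid><desc>Distinguished Name</desc><oMSyntax>127</oMSyntax>
  </syntaxDefinition>
  <syntaxDefinition vendor="ads">
    <oid>2.5.5.2</oid><desc>Object Identifier</desc><oMSyntax>6</oMSyntax>
  </syntaxDefinition>
</dsSchemaDefinition>
"""


def ldif_attributes(ldif):
    """Return {attribute_name_lower: [values]} for a one-entry LDIF result,
    folding continuation lines (a leading space) back onto the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def server_advertises_schema(ldif):
    """True only if the schema entry returned BOTH ldapSyntaxes and matchingRules."""
    attrs = ldif_attributes(ldif)
    return bool(attrs.get("ldapsyntaxes")) and bool(attrs.get("matchingrules"))


def advertised_syntax_oids(ldif):
    """Extract the OID from each ldapSyntaxes value: '( <oid> DESC ... )'."""
    oids = set()
    for value in ldif_attributes(ldif).get("ldapsyntaxes", []):
        tokens = value.strip("() ").split()
        if tokens:
            oids.add(tokens[0])
    return oids


def load_definition_file(xml_text, ds_type):
    """Parse a schema-<ds_type>.xml body and return the syntax OIDs whose
    vendor attribute equals ds_type exactly (case-sensitive, like -T)."""
    root = ET.fromstring(xml_text)
    if root.tag != "dsSchemaDefinition":
        raise ValueError("unexpected root element %r" % root.tag)
    oids = set()
    for syn in root.findall("syntaxDefinition"):
        if syn.get("vendor") != ds_type:
            continue
        oid = syn.findtext("oid")
        if oid:
            oids.add(oid.strip())
    return oids


def unsupported_syntaxes(required_oids, ldif, xml_text, ds_type):
    """Sorted list of required syntax OIDs the server does not support,
    using the advertised list when present, else the definition file."""
    if server_advertises_schema(ldif):
        supported = advertised_syntax_oids(ldif)
    else:
        supported = load_definition_file(xml_text, ds_type)
    return sorted(set(required_oids) - supported)


if __name__ == "__main__":
    # ADS does not advertise; its definition file uses attributeSyntax OIDs.
    print(unsupported_syntaxes(["2.5.5.1", "2.5.5.2", "2.5.5.3"],
                               LDIF_NO_SYNTAXES, SCHEMA_ADS_XML, "ads"))
    # Wrong case in ds_type matches nothing, so every OID looks unsupported.
    print(unsupported_syntaxes(["2.5.5.1"],
                               LDIF_NO_SYNTAXES, SCHEMA_ADS_XML, "ADS"))
```

Two caveats follow from the sample data. First, the OID namespaces differ: an ADS definition file lists Active Directory attributeSyntax OIDs (2.5.5.x), while a server that advertises ldapSyntaxes uses the 1.3.6.1.4.1.1466.115.121.1.x OIDs, so the required OIDs you pass must belong to the namespace of the source actually consulted. Second, as the -T rule in the text requires, a vendor value of "ADS" in the file never matches -T ads, and the script deliberately reports every OID as unsupported in that case rather than silently accepting it.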