LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
The setup program asks you a series of questions and usually provides default answers.
Press the Enter key to accept the default, or change the value and press the Enter key. At
any point during setup, press the Control-b keys to return to the previous screen or press
the Control-c keys to exit setup.
2. Choose Windows 2000, 2003 or 2003 R2 as your LDAP directory server (option 2).
3. Enter either the host name or IP address of the directory server where your profile exists,
or where you want to create a new profile.
4. Enter the port number of the directory server specified in the previous step, on which the
profile is to be stored, from Appendix A. The default port number is 389.
5. Setup checks whether the directory schema has already been extended with the LDAP-UX
Client Services object class DUAConfigProfile. See Appendix B for a detailed description of
these object classes.
If the schema has already been extended, setup skips this step. Otherwise, to extend the
schema, enter the DN (Distinguished Name) and password of a directory user who can extend
the directory schema, from Appendix A. The schema only needs to be extended once.
6. If the new automount schema has already been imported, setup skips this step.
Otherwise, you are asked whether you want to install the new automount schema,
which is based on RFC 2307-bis. Enter "yes" to extend the LDAP directory server with the new
automount schema. Enter "no" if you do not want to import the new automount schema into
the LDAP directory server. Setup skips to step 7 if you enter "no".
7. For new profiles, the profile object must be created under the 'ConfigurationNamingContext'
container, which is usually CN=Configuration, <domain root>, or it can be created
under any path with an object class of 'Container'. These container entries must exist before
any new profile entries can be created.
8. Enter either the DN of a new profile, or the DN of an existing profile, from Appendix A.
To display all the profiles in the directory, use a command like the following:
    ldapsearch -D <directory user> -w <credentials> -s sub \
        -b "CN=System, DC=cup, DC=hp, DC=com" -h <Active Directory host> \
        -p <Active Directory port> objectclass=DUAConfigProfile
If you are using an existing profile, setup configures your client, downloads the profile, and
exits. In this case, continue by going to the section “Step 2: Install the PAM Kerberos Product”
(page 44).
9. If you are creating a new profile, enter the DN and password of a directory user who can
create a new profile, from Appendix A.
10. Choose the attribute map set to be used with the directory server. You can select SFU 2.0
(option 1), SFU 3.0/SFU3.5 (option 2) or RFC2307 (option 3). By default, the SFU 3.0/SFU3.5
(option 2) is used as the attribute map set.
11. Setup now checks the value of the enable_starttls parameter. Setup also checks if the
certificate database files, cert7.db or cert8.db and key3.db, exist on your client system.
If these files do not exist, setup skips this step.
If the value of the enable_starttls parameter is 0 (disabled) or undefined, you will be
asked whether you want to use SSL or not. Enter "yes" if you want to use SSL for the secure
communication between LDAP clients and the Windows 2000, 2003 or 2003 R2 Active
Directory Server. Enter "no" if you don't want to use SSL. Continue to step 12.
Otherwise, if the value of the enable_starttls parameter is 1 (enabled), you will be
asked whether you want to use TLS or not. Enter "yes" if you want to use TLS for the secure
communication between LDAP clients and the Windows 2003 or 2003 R2 Active Directory
Server. Enter "no" if you don't want to use TLS. Continue to step 12.
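The following script is an added example and is not code from the LDAP-UX guide or from the product. It covers two points of the procedure above: for step 8 it extracts the profile DNs from the LDIF that the ldapsearch command prints (long Active Directory DNs are often folded across continuation lines, which a plain grep for "dn:" misses), and for step 11 it predicts, before setup is run, whether the client will be offered SSL, TLS, or neither, based on the enable_starttls value and the presence of the certificate database files. The path of the client configuration file and the directory holding cert7.db/cert8.db and key3.db are passed as arguments, because this page does not state their locations; it is also assumed that the parameter appears in the file as a line of the form enable_starttls=0 or enable_starttls=1. The sample LDIF is constructed, not captured from a server. The point worth checking in advance is the "skip" outcome: when the certificate database is absent, setup never asks the SSL/TLS question at all.

```shell
#!/bin/sh
# Added example; not code from the LDAP-UX guide or the product.
#   profile_dns     - print the DN of each entry in ldapsearch LDIF output (step 8)
#   starttls_choice - predict the step 11 outcome: skip | ssl | tls
# Assumptions (not stated on this page): configuration file path and certificate
# database directory are given as arguments; enable_starttls is written as
# "enable_starttls=0" or "enable_starttls=1" (whitespace around "=" tolerated).

# Read LDIF on stdin and print one DN per line. LDIF folds long values onto
# continuation lines that begin with a single space, so lines are unfolded
# before the "dn: " prefix is tested.
profile_dns() {
    awk '
        function emit(line) {
            if (line ~ /^dn: /) print substr(line, 5)
        }
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append to previous line
              { emit(buf); buf = $0 }             # start of a new logical line
        END   { emit(buf) }
    '
}

# starttls_choice CONF_FILE CERTDB_DIR  ->  prints skip | ssl | tls
starttls_choice() {
    conf="$1"
    certdir="$2"

    # Without key3.db plus cert7.db or cert8.db, setup skips the question entirely,
    # so the operator is never offered SSL or TLS.
    if [ ! -f "$certdir/key3.db" ]; then
        echo skip
        return 0
    fi
    if [ ! -f "$certdir/cert7.db" ] && [ ! -f "$certdir/cert8.db" ]; then
        echo skip
        return 0
    fi

    # Take the last enable_starttls assignment; empty when the file or the
    # parameter is absent, which the procedure treats the same as 0.
    value=""
    if [ -f "$conf" ]; then
        value=$(sed -n 's/^[[:space:]]*enable_starttls[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$conf" | tail -n 1)
    fi
    case "$value" in
        1) echo tls ;;
        *) echo ssl ;;
    esac
}

# Constructed sample of ldapsearch LDIF output (not captured from a real server):
# two profile entries, the second with a folded dn line.
SAMPLE_LDIF='dn: CN=profile1,CN=System,DC=example,DC=test
objectClass: top
objectClass: DUAConfigProfile
cn: profile1

dn: CN=profile-with-a-long-name,CN=System,DC=examp
 le,DC=test
objectClass: top
objectClass: DUAConfigProfile
cn: profile-with-a-long-name
'

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_LDIF" | profile_dns
    d=$(mktemp -d)
    printf 'enable_starttls=1\n' > "$d/ldapux_client.conf"   # constructed input
    touch "$d/cert8.db" "$d/key3.db"
    starttls_choice "$d/ldapux_client.conf" "$d"
    rm -rf "$d"
fi
```

In practice the output of the real ldapsearch command from step 8 is piped into profile_dns, and starttls_choice is run against the client's actual configuration file and certificate database directory; a result of "skip" means the certificate database should be in place before setup is run if encrypted communication with the domain controller is wanted.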
Configuring LDAP-UX Client Services 37