LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index

Search filter [(objectclass=printerlpr)]: (objectclass=printQueue)
25. Enter Yes to the question Are you ready to create the Profile Entry?, then press any key to continue.
26. At this point, you choose whether or not to configure for Multiple Domains.
• If you will not be configuring for Multiple Domains, enter No to the following question, then continue to step 27:
Do you wish to configure multiple-domain support?
• If you will be configuring for Multiple Domains, enter Yes to the question Do you wish to configure multiple-domain support?
If you will be using Remote Domain Configuration, enter Yes to the next question, Do you wish to configure a list of remote-domain profiles before attempting to use the Global Catalog Server? If you enter No, skip the remaining comments in this bullet and proceed to the next bulleted item.
You will loop through a series of screens that allow you to create as many profiles as you wish (one profile is created for each pass through the loop).
Read the explanation paragraph(s) on the next screen carefully before answering the question, then enter the appropriate domain name.
Next, you return to step 3 through step 25 of this procedure for each profile to be created.
When you have added as many profiles as you wish, enter No to the question Do you wish to configure another profile for remote domain?
• If you will be using the GCS, enter Yes to the next question, Do you wish to use ADS Global Catalog Server to automatically resolve account information for users in remote domains? If you enter No, proceed to step 27, below.
Otherwise, you return to step 3 through step 25 of this procedure to create the profile for the GCS.
NOTE: When you configure the default search base for the GCS, make sure that the base covers everything you want to include. For example, in a forest containing two domain trees (ca.hp.com and ny.hp.com), if you specify ca.hp.com as the GCS search base, none of the data under the ny.hp.com domain tree will be found. You must specify hp.com to cover the entire forest. The setup tool provides the root domain as the default search base; you must override it in order to cover the entire forest.
Read the instructions on each screen carefully, as some of the answers to these questions differ from the last two times you went through them.
When you have finished building the profile for the GCS, configure the profiles for each domain that is used by the global catalog search.
To do so, you again return to step 3 through step 21 of this procedure until you have configured each profile needed by the global catalog search.
When this process is complete, continue to the next step.
27. Reply to the question Would you like to start/restart the LDAP-UX daemon?
Starting with LDAP-UX Client Services B.03.20, the product daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running the client daemon, ldapclientd, is optional; however, users of B.03.10 or earlier need to start the LDAP-UX daemon in order to use multiple domains and X.500 features.
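As an added example (not part of the HP guide or the LDAP-UX product), the following Python checks whether a proposed GCS search base DN covers every domain naming context in a forest, reproducing the ca.hp.com / ny.hp.com case from the note in step 26. The function names, and the assumption that each domain's naming context is its DNS name rendered as DC= components, are this example's own.

```python
from __future__ import annotations

# Added example: validate a Global Catalog search base against the domains in
# an AD forest before committing it in the LDAP-UX setup tool. Domain names are
# constructed from the guide's illustration (ca.hp.com, ny.hp.com, hp.com).


def dns_to_dn(dns_name: str) -> list[str]:
    """Render a DNS domain name as its default naming context, one RDN per label.
    Assumption of this example: 'ca.hp.com' -> ['DC=ca', 'DC=hp', 'DC=com']."""
    labels = [lbl for lbl in dns_name.lower().strip(".").split(".") if lbl]
    return [f"DC={lbl}" for lbl in labels]


def dn_components(dn: str) -> list[str]:
    """Split a DN string into RDNs, normalising case and surrounding whitespace.
    Escaped commas inside RDN values are not handled (not needed for DC= DNs)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_ancestor(base: list[str], target: list[str]) -> bool:
    """True when `base` equals `target` or is one of its parent containers,
    i.e. `base` is a suffix of `target` when both are read root-last."""
    base = [r.lower() for r in base]
    target = [r.lower() for r in target]
    return len(base) <= len(target) and target[len(target) - len(base):] == base


def uncovered_domains(search_base_dn: str, forest_domains: list[str]) -> list[str]:
    """Return the forest domains whose naming context lies outside the search base.
    An empty result means a GCS search rooted there reaches the whole forest."""
    base = dn_components(search_base_dn)
    return [d for d in forest_domains if not is_ancestor(base, dns_to_dn(d))]


if __name__ == "__main__":
    forest = ["ca.hp.com", "ny.hp.com"]  # constructed sample forest
    # Accepting the client's own domain as the base misses the other tree.
    print(uncovered_domains("DC=ca,DC=hp,DC=com", forest))  # ['ny.hp.com']
    # Overriding the default with the forest root covers both domains.
    print(uncovered_domains("DC=hp,DC=com", forest))        # []
```

Run it against the real list of domains in your forest before answering the GCS search-base prompt; any domain it reports would be silently invisible to remote-domain lookups.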
Configuring LDAP-UX Client Services 41