LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index

1. Type yes for the following question:
Do you want to remap any of the standard RFC 2307 attributes? [yes]:
yes
2. Select the group service by entering 3 for the following question and press the return key:
Specify the service you want to map? [0]: 3
3. Enter 3 for the following question and press the return key:
Specify the attribute you want to map? [0]: 3
4. Enter the attributes you want to map to the member attribute:
[memberuid]: member
NOTE: LDAP-UX supports DN-based (X.500 style) membership syntax. This means that
you do not need to use the memberUid attributes to define the members of a POSIX group.
Instead, you can use either the member or uniqueMember attribute. LDAP-UX can convert
from the DN syntax to the POSIX syntax (an account name).
For ADS, the typical member attribute would be either memberUid or preferably the member
attribute.
5. Follow the prompts to finish the setup.
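The memberUid to member remapping above only makes sense once you see what the client must do with it. The following is an added example, not part of the LDAP-UX product or this guide: a constructed in-memory directory stands in for a Global Catalog search, and a small resolver turns the DN values of a group's member attribute into the account names a POSIX group reports, dropping any DN that no longer resolves to a posixAccount.

```python
# Added example, not from the LDAP-UX guide: what the memberUid -> member
# remapping chosen in Step 1 means in practice. An Active Directory group lists
# members as DNs in `member`; the name service must resolve each DN to the
# account name it reports as a POSIX group member. The directory below is
# constructed sample data and a dict lookup stands in for a Global Catalog search.

SAMPLE_DIRECTORY = {
    "CN=Alice Smith,CN=Users,DC=example,DC=com": {
        "objectClass": ["user", "posixAccount"], "uid": ["asmith"]},
    "CN=Bob Jones,CN=Users,DC=example,DC=com": {
        "objectClass": ["user", "posixAccount"], "uid": ["bjones"]},
    "CN=hpux-admins,CN=Users,DC=example,DC=com": {
        "objectClass": ["group", "posixGroup"],
        "cn": ["hpux-admins"],
        "gidNumber": ["20001"],
        # DN-style (X.500) membership, the syntax the `member` attribute uses.
        "member": [
            "CN=Alice Smith,CN=Users,DC=example,DC=com",
            "CN=Bob Jones,CN=Users,DC=example,DC=com",
            "CN=Stale Entry,CN=Users,DC=example,DC=com",  # deleted account
        ],
    },
}

def dn_to_account(dn, directory=SAMPLE_DIRECTORY):
    """Resolve a member DN to its POSIX account name (uid).
    Returns None when the DN does not resolve to a posixAccount, so a
    dangling reference never shows up in the group as a bogus user name."""
    entry = directory.get(dn)
    if entry is None or "posixAccount" not in entry.get("objectClass", []):
        return None
    uids = entry.get("uid")
    return uids[0] if uids else None

def group_line(group_dn, member_attr="member", directory=SAMPLE_DIRECTORY):
    """Build an /etc/group style line for the group at group_dn.
    member_attr is the attribute mapped onto memberUid in the profile: with
    "memberUid" the values already are account names; with "member" or
    "uniqueMember" each value is a DN and is resolved to a uid first."""
    entry = directory[group_dn]
    values = entry.get(member_attr, [])
    if member_attr == "memberUid":
        names = list(values)
    else:
        names = [n for n in (dn_to_account(d, directory) for d in values) if n]
    return "%s:*:%s:%s" % (entry["cn"][0], entry["gidNumber"][0], ",".join(names))
```

Calling group_line on the sample group with the default member mapping yields a group line listing asmith and bjones only; the stale DN is silently dropped rather than surfacing as a member name.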
Step 2: Install the PAM Kerberos Product
LDAP-UX Client Services with Active Directory uses the Kerberos Authentication method. If
not already available on your system, you will need to install and configure PAM Kerberos.
Some instructions for doing this are shown later in this step. Additional information can be found
in the Configuration Guide for Kerberos Products on HP-UX, available at
http://docs.hp.com/hpux/internet.
In order to support integration with Active Directory server, a specific version of the
PAM-Kerberos product is required. On HP-UX 11i v1, version 1.11 of the PAM-Kerberos product
is required. On HP-UX 11i v2, version 1.23 of the PAM-Kerberos product is required.
If you wish to also use SASL/GSSAPI for proxied authentication, version 1.3.5.03 of the Kerberos
Client product is required. Version 1.3.5.03 of the Kerberos Client is a replacement for the
KRB5-Client components of the core HP-UX OS. This version is planned to be made available
late June, 2005. Note that the KRB5CLIENT product supersedes the previous KRB5-Client
patches (such as PHSS_33384). Patch PHSS_33384 is still required and is designed to install
over the core Kerberos client; it will not overwrite the KRB5CLIENT product.
You also need to add the ipnodes service entry to the /etc/nsswitch.conf file, as follows:
ipnodes: dns files
NOTE: For more information, refer to Kerberos Client Version 1.3.5.03 Release Notes available at
http://docs.hp.com/hpux/internet.
Both "PAM Kerberos" (J5849AA) and "Kerberos Client" (KRB5CLIENT) products can be
downloaded from http://software.hp.com. They are available at:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA and
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT
Refer to the Configuration Guide for Kerberos Products in HP-UX Release Notes, available at
http://docs.hp.com/hpux/internet for any last minute changes.
You also need to install the required patch. For patch information, refer to the LDAP-UX Integration
B.04.10 Release Notes, available at http://docs.hp.com/hpux/internet.
44 Installing LDAP-UX Client Services