Manualshelf

LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software
41424344454647484950
Table Of Contents
NOTE: The keytab file should only be readable by the root user.
5. Synchronize the HP-UX clock to the Windows 2000 or 2003 clock. These must be synchronized
within two minutes. You can run Network Time Synchronizer to synchronize both clocks.
If the tool is not available, you can manually synchronize them by setting "Date/Time
Properties" on Windows 2000 or 2003 and running /etc/set_parms date_time on
HP-UX.
6. Configure /etc/pam.conf, the PAM configuration file which specifies PAM service
modules for PAM applications. To use PAM Kerberos as authentication module, edit
/etc/pam.conf to include the PAM Kerberos library
/usr/lib/security/libpam_krb5.1 for all four services: authentication, account
management, session management, and password management. A sample PAM configuration
file can be found in “Sample PAM Configuration File” (page 265).
NOTE: The sample file reflects the recommendation to keep the root user in /etc/passwd
local on each client machine, and to allow for local account management of the root user.
This guarantees local access to the system in case the network is down.
Step 4: Configure the Name Service Switch (NSS)
The Name Service Switch (NSS) needs to be modified to retrieve your account and group
information from Active Directory.
Save a copy of the file /etc/nsswitch.confand edit the original to specify the ldap name
service and other name services you want to use. Refer to /etc/nsswitch.ldap for an example.
You may be able to just copy /etc/nsswitch.ldap to/etc/nsswitch.conf. Refer to
nsswitch.conf(4) for more information.
Step 5: Configure the PAM Authorization Service Module (pam_authz)
This step is optional. You do this step only if you want to use pam_authz to control access rules
defined in the policy file, /etc/opt/ldapux/pam_authz.policy. LDAP-UX Client Services
provides a sample policy file, /etc/opt/ldapux/pam_authz.policy.template. This
sample file shows you how to configure the policy file to work with pam_authz. You can copy
this sample file and edit it using the correct syntax to specify the access rules you wish to authorize
or exclude from authorization. For more detailed information on how to configure the policy
file. see “PAM_AUTHZ Login Authorization ” (page 106).
Step 6: Configure the Disable Login Flag
Save a copy of the file /etc/opt/ldapux/dapux_client.confand edit the original to activate
the disable_uid_range flag. Uncomment the flag in the [NSS] portion of the file and fill in
the UID range. The format is disable_uid_range=uid#,[uid#-uid#], ....
For example: disable_uid_range=0-100,300-450,89
NOTE: • White spaces between numbers are ignored.
• Only one line of the list is accepted; however, the line can be wrapped.
• The maximum number of ranges is 20.
Step 7: Verify LDAP-UX Client Services for Single Domain
This section describes some simple ways you can verify the installation and configuration of
your LDAP-UX Client Services. You may need to do more elaborate and detailed testing, especially
if you have a large environment.
46 Installing LDAP-UX Client Services