LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
pw_audid..........(0)
pw_audflg.........(0)
Use the following beq command if you run on a 64-bit HP-UX 11i v2 or v3 IA machine:
./beq -k n -s pwd -l /usr/lib/hpux64/libnss_ldap.so.1 iuser1
Use the following beq command if you run on a 32-bit HP-UX 11i v2 or v3 IA machine:
./beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 iuser1
Refer to "beq Search Tool" in “Command, Tool, Schema Extension Utility, and Migration
Script Reference” (page 163) for command syntax and examples.
5. Log in to the client system from another system using rlogin or telnet. Log in as a user in
the directory and as a user in /etc/passwd to make sure both work.
6. Optionally, test your pam_authz authorization configuration:
If pam_authz is configured without the pam_authz.policy file, verify the following:
a. Log in to the client system from another system using rlogin or telnet. Log in as a
directory user who is a member of a netgroup listed in a +@netgroup entry, to verify
that pam_authz authorizes you and is working correctly.
b. Log in as a directory user who is a member of a netgroup listed in a -@netgroup entry,
to be sure that the system does not authorize you to log in.
If pam_authz is configured with the pam_authz.policy file, verify the following:
a. Log in to the client system with a user name that is covered by an allow access rule in
the policy file. Make sure the user is allowed to log in.
b. Log in as a user that is covered by a deny access rule in the policy file. Make sure the
user cannot log in to the client system.
7. Open a new hpterm (1X) window and log in to the client system as a user whose account
information is in the directory. It is important that you open a new hpterm window or log in
from another system, and keep your existing root session open: if login does not work, you
could otherwise be locked out of the system and would have to reboot to single-user mode.
This tests the PAM configuration in /etc/pam.conf. If you cannot log in, check
/etc/pam.conf for proper configuration. Also check your directory to make sure the user
account information is accessible by the proxy user or anonymously, as appropriate. Check
your profile to make sure it looks correct. Also refer to “Troubleshooting” (page 145) for
more information.
8. Use the ls (1) or ll (1) command to examine files belonging to a user whose account
information is in the directory. Make sure the owner and group of each file are accurate:
ll /tmp
ls -l
If any owner or group shows up as a number instead of a user or group name, the name
service switch is not functioning properly. Check the file /etc/nsswitch.conf, your
directory, and your profile.
9. If you have configured a multi-domain setup and you want to verify it, execute the following
two steps. Otherwise, continue below with “Step 8: Configure Subsequent Client Systems”
(page 49).
The following steps verify that LDAP-UX is able to retrieve data from multiple Active
Directory domains:
48 Installing LDAP-UX Client Services
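As an added example (not code from the HP guide), the following POSIX shell script automates the check in step 8 above: it scans ll or ls -l output and reports every entry whose owner or group is shown as a raw UID or GID, which is the symptom the step describes for a name service switch that is not resolving directory users and groups. The listing lines, the user name iuser1 and the IDs 20001 and 30001 are constructed for the example; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the LDAP-UX guide. Scans an ll / ls -l listing for
# entries whose owner or group did not resolve to a name (shown as a number),
# the NSS failure symptom described in step 8 of the verification procedure.
# Only the listing format is assumed; nothing here talks to the directory.

# find_unresolved_ids: read an ll/ls -l listing on stdin and print the name of
# every entry whose owner (field 3) or group (field 4) is purely numeric.
# The "total N" header and any line too short to be an entry are skipped.
find_unresolved_ids() {
    awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) {
        # The name is everything from field 9 on, so names with spaces survive.
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        print name
    }'
}

# check_listing: scan a listing on stdin; return 0 if every owner and group
# resolved to a name, 1 otherwise (listing the offenders on stderr).
check_listing() {
    bad=$(find_unresolved_ids)
    if [ -n "$bad" ]; then
        printf 'NSS lookup failure: numeric owner/group on:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (hypothetical user and IDs): iuser1 resolved,
# but UID 20001 and GID 30001 did not.
SAMPLE_LISTING='total 24
-rw-r--r--   1 iuser1     users         120 Mar  3 10:22 notes.txt
-rw-r--r--   1 20001      users         120 Mar  3 10:22 orphan.txt
-rw-r--r--   1 root       30001         120 Mar  3 10:22 badgrp.txt
drwxr-xr-x   2 iuser1     users          96 Mar  3 10:22 my dir'

# Stand-alone usage: scan the constructed sample, then scan /tmp exactly as
# step 8 of the guide does on a real client.
if printf '%s\n' "$SAMPLE_LISTING" | check_listing; then
    echo "sample: all owners and groups resolved"
else
    echo "sample: problems found (expected for the constructed listing)"
fi
if ls -l /tmp | check_listing; then
    echo "/tmp: all owners and groups resolved"
fi
```

On an HP-UX client, pipe the output of ll /tmp (or ll of any directory owned by directory users) into check_listing; a non-zero return means the name service switch, the directory, or the profile needs the checks described in step 8.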