LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
3. Enter "administrator" as the username and the user's password for the Active Directory Server.
4. In the Microsoft Certificate Services screen, select the task "Retrieve the CA certificate or certificate revocation list". Then click the Next button.
5. Click the "Install this CA certificate" link in the "Retrieve the CA certificate or certificate revocation list" window to allow your LDAP-UX client to trust certificates issued by this Certificate Authority.
6. Click the Next button in the dialog box which prompts that you are about to go through the process of accessing a Certificate Authority. This has serious implications for the security of future encryptions using Netscape.
7. Click the Next button in the dialog box which prompts that a CA certifies the identity of . By accepting the CA, you will allow Netscape Communicator to connect to and receive information from any site that it certifies without prompting you or warning you.
8. Click the Next button in the dialog box which prompts that here is the certificate for this CA. Examine it carefully. The Certificate Fingerprint can be used to verify that this authority is who they say they are.
9. Check the "access the CA for certifying network sites", "access the CA for certifying e-mail users" and "access the CA for certifying software developers" checkboxes in the new CA window.
10. Click the Next button in the new CA dialog box which prompts that by accepting this CA, you have told Netscape Communicator to connect to and receive information from any site that it certifies without warning you or prompting you.
11. Enter a short name to identify this CA in the Name box of the new CA window.
12. Click the Finish button to complete the installation of the CA certificate.
13. The Windows 2000 CA certificate will be downloaded to the following two files on your LDAP-UX client:
/.netscape/cert7.db
/.netscape/key3.db
14. You can simply copy the /.netscape/cert7.db file to /etc/opt/ldapux/cert7.db and the /.netscape/key3.db file to /etc/opt/ldapux/key3.db.
15. Set the file access permissions for /etc/opt/ldapux/cert7.db and /etc/opt/ldapux/key3.db so that they are readable only by root, as follows:
-r-------- 1 root sys 65536 Jun 14 16:27 /etc/opt/ldapux/cert8.db
-r-------- 1 root sys 32768 Jun 14 16:27 /etc/opt/ldapux/key3.db
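Steps 14 and 15 can be scripted so that the copy and the permission change are never done separately, and so that the result can be re-checked later (for example from a cron job or after a restore). The following POSIX shell functions are an added example and are not part of the LDAP-UX product or this guide. They assume the two database files are named cert7.db and key3.db in a source directory, that the destination defaults to /etc/opt/ldapux as in the guide, and that the owner/group root:sys is applied only when the script runs as root; the expected permission string is compared against the ls -l output in the same form the guide shows.

```shell
#!/bin/sh
# Added example, not from the HP-UX LDAP-UX guide.
# Installs the Netscape/Mozilla certificate databases used by LDAP-UX and
# verifies that each file is readable only by root (-r--------).

# Copy cert7.db and key3.db from SRC_DIR into DEST_DIR (default
# /etc/opt/ldapux, the guide's location) and restrict them to mode 0400.
# Usage: install_ldapux_certdb SRC_DIR [DEST_DIR]
install_ldapux_certdb() {
    src="$1"
    dest="${2:-/etc/opt/ldapux}"
    for f in cert7.db key3.db; do
        if [ ! -f "$src/$f" ]; then
            echo "missing $src/$f" >&2
            return 1
        fi
        cp "$src/$f" "$dest/$f" || return 1
        # The guide's listing shows root:sys; only root can set that.
        if [ "$(id -u)" -eq 0 ]; then
            chown root:sys "$dest/$f" || echo "warning: could not set owner on $dest/$f" >&2
        fi
        # Read-only for the owner, no access for group or others.
        chmod 0400 "$dest/$f" || return 1
    done
    return 0
}

# Return 0 only if both database files exist in DEST_DIR and each carries
# exactly the -r-------- mode the guide requires; otherwise report and return 1.
# Usage: check_ldapux_certdb [DEST_DIR]
check_ldapux_certdb() {
    dest="${1:-/etc/opt/ldapux}"
    rc=0
    for f in cert7.db key3.db; do
        if [ ! -f "$dest/$f" ]; then
            echo "$dest/$f: missing" >&2
            rc=1
            continue
        fi
        # First ten characters of ls -ld are the type and permission bits,
        # e.g. "-r--------" for a 0400 regular file.
        mode=$(ls -ld "$dest/$f" | cut -c1-10)
        if [ "$mode" != "-r--------" ]; then
            echo "$dest/$f: permissions are $mode, expected -r--------" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `install_ldapux_certdb /.netscape` as root after the browser has written the databases, then `check_ldapux_certdb` at any later time; a non-zero exit from the check means the key database has become readable by someone other than root and should be corrected before LDAP-UX is trusted to use it.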
Steps to Download the CA Certificate From Windows 2003 CA Server
The following steps show an example of how to download the Certificate Authority (CA) certificate from a Windows 2003 Certificate Authority Server using the Mozilla browser:
1. Log in to your system as root.
2. Use the Mozilla browser to connect to your Certificate Authority Server. The following shows an example of a link used to connect to your Certificate Authority Server:
http://ADS servername/Certsrv
3. Click the "Download a CA Certificate" link.
4. Click the "Install this CA Certificate" link in the "Download a CA Certificate, Certificate Chain, or CRL" window.
5. Check the "Trust this CA to identify web sites", "Trust this CA to identify email users", and "Trust this CA to identify software developers" checkboxes in the Downloading Certificate window. Then click the OK button.
Configuring the LDAP-UX Client Services with SSL or TLS Support 51