LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index

6. The Netscape Directory CA certificate will be downloaded to the following two files on your
LDAP-UX Client:
/.mozilla/default/*.slt/cert8.db
/.mozilla/default/*.slt/key3.db
7. You can simply copy the /.mozilla/default/*.slt/cert8.db file to /etc/opt/ldapux/cert8.db and the
/.mozilla/default/*.slt/key3.db file to /etc/opt/ldapux/key3.db.
8. Set the file access permissions for /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db to be read
only by root as follows:
-r-------- 1 root sys 65536 Jun 14 16:27 /etc/opt/ldapux/cert8.db
-r-------- 1 root sys 32768 Jun 14 16:27 /etc/opt/ldapux/key3.db
NOTE: In a multiple domain environment, you need only download the certificate database files
(cert7.db or cert8.db, and key3.db) from one domain; no additional action is required.
NOTE: You may use the unsupported /opt/ldapux/contrib/bin/certutil command line tool to create
the certificate database files, cert8.db and key3.db. For detailed command options and their
arguments, refer to Using the Certificate Database Tool available at
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
If your browser does not generate cert8.db and key3.db security database files, you must
export the certificate (preferably the root certificate of the Certificate Authority that signed the
LDAP server's certificate) from your certificate server as a Base64-Encoded certificate and use
the certutil utility to create the cert8.db and key3.db security database files.
Steps to create database files using the certutil utility
The following steps show you an example on how to create the security database files, cert8.db
and key3.db on your client system using the certutil utility:
1. Retrieve the Base64-Encoded certificate from the certificate server and save it.
For example, get the Base64-Encoded certificate from the certificate server and save it as the
/tmp/mynew.cert file. This file looks like:
-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgIBJDANBgkghkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkga1UECBMCQ2ExEjAQBgNVBAcTCWN1cGVvsG1ubzEPMA0GA1UEChmgAhaUy29T
MRIwEAYDVQQLEw1RR1NMLUxkYXAxHDAaBgNVBAMTE0N1cnRpzmljYXR1IE1hbmFn
4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
-----END CERTIFICATE-----
2. Use the rm command to remove the old database files, /etc/opt/ldapux/cert8.db and
/etc/opt/ldapux/key3.db:
rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3. Use the certutil utility with the -N option to initialize the new database:
/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
4. Add the Certificate Authority (CA) certificate or the LDAP server's certificate to the security
database:
• Use the certutil command to add a CA certificate to the database:
For example, the following command adds the CA certificate, my-ca-cert, to the
security database directory, /etc/opt/ldapux, from the Base64-Encoded certificate
file, /tmp/mynew.cert:
52 Installing LDAP-UX Client Services
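The certutil procedure above (remove the old database, initialise a new one, import the CA certificate, then restrict cert8.db and key3.db to root as in the permission listing) gathered into one script, as an added example; it is not part of the HP guide or of the LDAP-UX product. The nickname my-ca-cert and the paths /etc/opt/ldapux and /opt/ldapux/contrib/bin/certutil come from the text; the trust flags "CT,,", the optional CA:TRUE warning (only when openssl is installed), and the CERTDB_DIR/CERTUTIL environment overrides are assumptions made here. The sample PEM written by write_sample_pem is constructed for exercising the format check offline and is not a real certificate; certutil would reject it.

```shell
#!/bin/sh
# Added example (not from the HP LDAP-UX guide): bootstrap the NSS certificate
# database used by LDAP-UX from a Base64 (PEM) CA certificate, then lock the
# database files down so that only root can read them.
#
# Assumptions: nickname "my-ca-cert" is from the guide; trust flags "CT,,",
# the openssl CA:TRUE warning and the two environment overrides are ours.

CERTDB_DIR="${CERTDB_DIR:-/etc/opt/ldapux}"
CERTUTIL="${CERTUTIL:-/opt/ldapux/contrib/bin/certutil}"

# write_sample_pem FILE: write a constructed (not real) PEM body so that
# check_pem can be exercised without a certificate server.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIICJjCCAY+gAwIBAgIBJDANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
-----END CERTIFICATE-----
EOF
}

# check_pem FILE: return 0 if FILE looks like one Base64-encoded X.509
# certificate (both PEM markers present, body lines base64 only), else 1.
check_pem() {
    pem="$1"
    [ -r "$pem" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$pem" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$pem" || return 1
    # Body is everything between the markers; any non-base64 line fails.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pem" | sed '1d;$d')
    [ -n "$body" ] || return 1
    if printf '%s\n' "$body" | grep -v '^[A-Za-z0-9+/=]*$' >/dev/null; then
        return 1
    fi
    return 0
}

# db_perms_ok FILE: return 0 if FILE is mode 0400 (-r--------), else 1.
# Parses ls -l because stat(1) is not available on HP-UX.
db_perms_ok() {
    mode=$(ls -l "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# install_ca_db PEMFILE [NICKNAME]: steps 2-4 of the guide plus the
# permission step. Must run as root on the LDAP-UX client.
install_ca_db() {
    pem="$1"; nick="${2:-my-ca-cert}"
    check_pem "$pem" || { echo "not a Base64 certificate: $pem" >&2; return 1; }
    # The guide prefers the root CA certificate over the server certificate;
    # warn (do not fail) if openssl is present and the cert is not a CA.
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
            echo "warning: $pem is not a CA certificate; prefer the issuing CA's root" >&2
        fi
    fi
    # Step 2: remove the old database files.
    rm -f "$CERTDB_DIR/cert8.db" "$CERTDB_DIR/key3.db"
    # Step 3: initialise an empty cert8.db/key3.db pair (prompts for the
    # key database password, exactly as the guide's command does).
    "$CERTUTIL" -N -d "$CERTDB_DIR" || return 1
    # Step 4: import the CA certificate; "CT,," trusts it to issue SSL/TLS
    # server certificates.
    "$CERTUTIL" -A -n "$nick" -t "CT,," -i "$pem" -d "$CERTDB_DIR" || return 1
    # Permission step: -r-------- root sys, then verify it took effect.
    for f in "$CERTDB_DIR/cert8.db" "$CERTDB_DIR/key3.db"; do
        chown root:sys "$f" && chmod 400 "$f" || return 1
        db_perms_ok "$f" || { echo "bad permissions on $f" >&2; return 1; }
    done
    # List the database so the imported CA and its trust flags can be checked.
    "$CERTUTIL" -L -d "$CERTDB_DIR"
}

# Usage: sh ldapux_certdb.sh install /tmp/mynew.cert [nickname]
case "${1:-}" in
    install) install_ca_db "$2" "${3:-my-ca-cert}" ;;
esac
```

After the script runs, `certutil -L -d /etc/opt/ldapux` should list the CA under its nickname with trust flags `CT,,`, and `ls -l /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db` should match the `-r-------- root sys` listing shown in step 8. Verify the fingerprint of the exported CA certificate against the certificate server out of band before importing it; a trusted CA entry in this database is what the LDAP-UX client relies on to authenticate the directory server over SSL or TLS.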