LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index

6 Dynamic Group Support
This chapter contains information about how LDAP-UX Client Services supports dynamic groups,
how to set up dynamic groups, and how to enable or disable dynamic group caches. This chapter
includes the following sections:
• “Overview” (page 81)
• “Specifying a Search Filter for a Dynamic Group” (page 81)
• “Multiple Group Attribute Mappings” (page 84)
• “Number of Group Members Returned” (page 87)
• “Number of Groups Returned for a Specific User” (page 87)
• “Performance Impact for Dynamic Groups” (page 88)
• “Configuring Dynamic Group Caches” (page 88)
• “Dynamic Group with Active Directory Server Multiple Domains” (page 89)
Overview
A system administrator can associate users with a group and apply security policies (e.g.
access control, password policies) to the group. As a result, all users belonging to the group
inherit those policies. In LDAP directories there are two types of groups: static groups and
dynamic groups. A static group lists all of its users explicitly; each user must be added to the
group individually. A dynamic group associates users with the group based on conditions, and
the conditions are expressed as a search filter. When a user's entry matches the filter, that user
belongs to the dynamic group. Dynamic groups offer the advantage of flexibility, and allow
administrators to easily implement a role-based authorization policy that follows a company's
organizational structure. Users are added to or removed from a group dynamically based on
their most current status (such as the value of one or more attributes in the user's entry).
Since traditional POSIX-style groups are used largely to control file system access rights, dynamic
groups in LDAP-UX offer a new and flexible method for defining file system access policies.
For example, with file system access control lists (ACLs) it is possible to add group access
permission for users that are members of a particular group (say, the "top secret" group). With
dynamic groups, instead of needing to insert each individual member into the group, LDAP-UX
discovers all users in the directory that have the "top secret" attribute associated with their entries.
When a user's attribute is no longer defined as "top secret", that user's membership in the
"top secret" group is automatically revoked (no manual change to the group is needed).
LDAP-UX Client Services B.04.10 supports dynamic groups with Windows 2003 and 2003 Release
2 (R2) Active Directory Server.
Specifying a Search Filter for a Dynamic Group
Authorization Manager in Windows 2003 or 2003 R2 allows users to create LDAP query groups.
An LDAP query group defines its members by specifying a query (i.e. a search filter) in the
attribute msDS-AzLDAPQuery. LDAP query groups are dynamic groups because the group
members are retrieved dynamically based on the search filter. LDAP-UX supports LDAP query
groups if those groups are POSIX groups (i.e. they have the posixGroup object class and attributes).
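The membership resolution described in the overview and in this section (a group whose members are whoever matches its search filter, with membership revoked as soon as an entry stops matching), as an added Python example that is not part of this guide: it parses a search filter of the kind stored in msDS-AzLDAPQuery and evaluates it against user entries. The 'clearance' attribute and the three user entries are constructed sample data, not anything from the guide.

```python
# Added example (not from the HP-UX guide): resolves LDAP query group membership by
# evaluating the group's msDS-AzLDAPQuery filter against user entries; handles
# (&..), (|..), (!..), attr=value and the presence form attr=*.
def parse_filter(s, i=0):
    """Parse one RFC 4515 filter starting at s[i]; return (ast, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        j = s.index(")", i)
        attr, _, val = s[i:j].partition("=")
        node = ("present", attr) if val == "*" else ("eq", attr, val)
        i = j
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, e):
    """Evaluate a parsed filter against one entry (keys and values already lowercased)."""
    if node[0] == "&":
        return all(matches(k, e) for k in node[1])
    if node[0] == "|":
        return any(matches(k, e) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], e)
    if node[0] == "present":
        return node[1].lower() in e
    return node[2].lower() in e.get(node[1].lower(), [])

def dynamic_members(ldap_query, users):
    """Sorted uids of the users that satisfy the group's msDS-AzLDAPQuery filter."""
    ast, end = parse_filter(ldap_query)
    if end != len(ldap_query):
        raise ValueError("trailing characters after filter")
    lowered = [{k.lower(): [v.lower() for v in vs] for k, vs in u.items()} for u in users]
    return sorted(e["uid"][0] for e in lowered if matches(ast, e))
# Constructed sample: the chapter's "top secret" group expressed as a query on a
# hypothetical 'clearance' attribute, and three posixAccount users to match against.
TOP_SECRET_QUERY = "(&(objectClass=posixAccount)(clearance=top secret))"
USERS = [
    {"uid": ["alice"], "objectClass": ["posixAccount"], "clearance": ["top secret"]},
    {"uid": ["bob"], "objectClass": ["posixAccount"], "clearance": ["secret"]},
    {"uid": ["carol"], "objectClass": ["posixAccount"], "clearance": ["Top Secret"]},
]
```

`dynamic_members(TOP_SECRET_QUERY, USERS)` returns `['alice', 'carol']`; change alice's clearance to `secret` and call it again and only `['carol']` comes back, because membership is recomputed from the filter rather than stored in the group.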
Creating an HP-UX POSIX Dynamic Group
LDAP-UX supports HP-UX POSIX dynamic groups only on Windows Active Directory Server.
Use the following procedure to create an HP-UX POSIX dynamic group supported in Windows
ADS: