LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Server Administrator's Guide (edition 8)
Table Of Contents
- LDAP-UX Client Services B.04.15 with Microsoft Windows Active Directory Administrator's Guide
- Table of Contents
- Preface
- 1 Introduction
- 2 Installing LDAP-UX Client Services
- Before You Begin
- Summary of Installing and Configuring LDAP-UX Client Services
- Planning Your Installation
- Installing LDAP-UX Client Services on a Client
- Configuring Active Directory for HP-UX Integration
- Step 1: Install Active Directory
- Step 2: Install SFU 2.0, 3.0 or 3.5 including Server for NIS
- Step 3: Create a Proxy User
- Step 4: Add an HP-UX Client Machine Account to Active Directory
- Step 5: Use ktpass to Create the Keytab File for the HP-UX client machine
- Step 6: Add POSIX Attributes into the Global Catalog
- Importing Name Service Data into Your Directory
- Configuring LDAP-UX Client Services
- Step 1: Run the Setup Program
- Step 2: Install the PAM Kerberos Product
- Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
- Step 4: Configure the Name Service Switch (NSS)
- Step 5: Configure the PAM Authorization Service Module (pam_authz)
- Step 6: Configure the Disable Login Flag
- Step 7: Verify LDAP-UX Client Services for Single Domain
- Step 8: Configure Subsequent Client Systems
- Configuring the LDAP-UX Client Services with SSL or TLS Support
- Downloading the Profile Periodically
- 3 Active Directory Multiple Domains
- 4 LDAP-UX Client Services with AutoFS Support
- 5 LDAP Printer Configurator Support
- 6 Dynamic Group Support
- 7 Administering LDAP-UX Client Services
- Using the LDAP-UX Client Daemon
- Integrating with Trusted Mode
- SASL GSSAPI Support
- PAM_AUTHZ Login Authorization
- Policy And Access Rules
- How Login Authorization Works
- PAM_AUTHZ Supports Security Policy Enforcement
- Policy File
- Policy Validator
- Dynamic Variable Support
- Constructing an Access Rule in pam_authz.policy
- Static List Access Rule
- Dynamic Variable Access Rule
- Security Policy Enforcement with Secure Shell (SSH) or r-commands
- Adding Additional Domain Controllers
- Adding Users, Groups, and Hosts
- User and Group Management
- Displaying the Proxy User's Distinguished Name
- Verifying the Proxy User
- Creating a New Proxy User
- Displaying the Current Profile
- Creating a New Profile
- Modifying a Profile
- Changing Which Profile a Client is Using
- Creating an /etc/krb5.keytab File
- Considering Performance Impacts
- Client Daemon Performance
- Troubleshooting
- 8 Modifying User Information
- 9 Mozilla LDAP C SDK
- A Configuration Worksheet
- B LDAP-UX Client Services Object Classes
- C Command, Tool, Schema Extension Utility, and Migration Script Reference
- LDAP-UX Client Services Components
- Client Management Tools
- LDAP User and Group Management Tools
- Environment Variables
- Return Value Formats
- Common Return Codes
- The ldapuglist Tool
- The ldapugadd Tool
- The ldapugmod Tool
- The ldapugdel Tool
- The ldapcfinfo Tool
- LDAP Directory Tools
- Schema Extension Utility
- Name Service Migration Scripts
- Unsupported Contributed Tools and Scripts
- D Sample PAM Configuration File
- E Sample /etc/krb5.conf File
- F Sample /etc/pam.conf File for HP-UX 11i v1 Trusted Mode
- G Sample /etc/pam.conf File for HP-UX 11i v2 Trusted Mode
- H Sample PAM Configuration File for Security Policy Enforcement
- Glossary
- Index
1. Use Authorization Manager to create dynamic groups. See the “Step 1: Creating a Dynamic
Group (LDAP Query Group)” section for details.
2. Use ADSI Edit to add the POSIX group ID to the dynamic group entry created in step 1. See
the “Step 2: Add POSIX Attributes to a Dynamic Group” section for details.
3. Configure the proxy user the read permissions to search dynamic groups in Windows ADS.
See the “Step 3: Setting Read Permissions for the Proxy user” section for details.
Step 1: Creating a Dynamic Group ( a LDAP Query Group)
You can use Authorization Manager to create dynamic groups (LDAP query groups) for your
applications. Membership in an LDAP query group is determined using an LDAP query on a
given user object. For detailed information on how to create LDAP query groups using
Authorization Manager, refer to Dynamic Groups in Windows Server 2003 Authorization Manager
available at the following web site:
http://msdn2.microsoft.com/en-us/library/ms952382.aspx
An Example
The following shows an example of a dynamic group entry (LDAP query group) created using
Authorization Manager:
dn: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,
DC=hp,DC=com
objectClass: top
objectClass: group
cn: group1
description: my dynamic group
distinguishedName: CN=group1,CN=AzGroupObjectContainer-dyngroup,
CN=dyngroup,DC=hp,DC=com
instanceType: 4
whenCreated: 20060313181428.0Z
whenChanged: 20060313182629.0Z
uSNCreated: 16588
uSNChanged: 16597
name: group1
objectGUID:: 2qO9YxkqAUuwCmkMJ371DA==
objectSid:: AQUAAAAAAAUVAAAAuEKpalCWUfgTN3lpVwQAAA==
sAMAccountName: $N21000-OA67EGECFDSP
sAMAccountType: 1073741825
groupType: 32
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hp,DC=com
msDS-AzLDAPQuery: (cn=p*)
Step 2: Adding POSIX Attributes to a Dynamic Group
To create an HP-UX POSIX dynamic group, you must use ADSI Edit to add one of the following
attributes with POSIX group ID information to the dynamic group entry created in Step 1: Creating
a Dynamic Group.
• msSFU30GidNumber attribute for Windows 2003 ADS
• GidNumber attribute for Windows 2003 R2 ADS
An Example for Window 2003 ADS
For Windows 2003 ADS, the following shows an example of an HP-UX POSIX dynamic group
entry with msSFU30GidNumber information added to the above dynamic group entry:
dn: CN=group1,CN=AzGroupObjectContainer-dyngroup,CN=dyngroup,DC=hp,DC=com
objectClass: top
objectClass: group
cn: group1
82 Dynamic Group Support