LDAP-UX Client Services B.05.00 Administrator's Guide HP-UX 11i v2 and v3 HP Part Number: J4269-90086 Published: June 2010 Edition: 1.
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 Introduction This document describes how to install and configure the LDAP-UX Client Services product on HP-UX platforms. This document is intended for system and network administrators responsible for installing, configuring, and managing the LDAP-UX Client Services. Administrators are expected to have knowledge of the LDAP-UX Client Services Integration product. NOTE: The document printing date and part number indicate the document's current edition.
Figure 1-1 A simplified NIS environment
[Figure: an NIS master server performs map transfers to NIS slave servers; NIS clients send their requests to the servers.]
LDAP-UX Client Services improves on this configuration information sharing. HP-UX account and configuration information is stored in an LDAP directory, not on the local client system. Client systems retrieve this shared configuration information across the network from the LDAP directory, as shown below.
www.hp.com/go/hpux-networking-docs These extensible mechanisms allow new authentication methods and new name services to be installed and used without changing the underlying HP-UX commands. In addition, by supporting the PAM architecture, the HP-UX client is fully integrated into the LDAP environment. The PAM_LDAP library allows the HP-UX system to use the LDAP directory as a trusted server for authentication as well as for centralized password and account policy management.
Table 1-1 Examples of commands and subsystems that use PAM and NSS (continued)
Columns: Commands that use NSS; Commands that use PAM and NSS
Remaining entries: who, whoami
Notes:
1 These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.
2 nsquery is a contributed tool included with the ONC/NFS product. For more information, see the nsquery(1) manpage.
Figure 1-4 Local start-up file and the configuration profile
[Figure: the configuration profile is stored in the LDAP directory; the start-up file on each LDAP-UX client points to it.]
The shared configuration profile is stored in the directory and downloaded to all LDAP-UX clients. The start-up file points to the configuration profile in the directory.
2 Installing and configuring LDAP-UX Client Services This chapter describes the decisions you need to make and the steps to install the HP-UX Directory Server or Redhat Directory Server and to configure LDAP-UX Client Services. 2.1 Before you begin: general installation and configuration considerations Consider the following as you plan your installation and configuration.
• For details on how to integrate LDAP-UX Client Services with the Windows Server 2003 R2/2008 Active Directory, see the LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide at: http://www.hp.com/go/hpux-security-docs Click HP-UX LDAP-UX Integration Software. • For illustrative purposes, the examples use a base DN of o=hp.com. 2.2 Choosing the method of installation: guided or customized LDAP-UX Client Services releases prior to B.05.
attribute mapping to specifically match the schema model defined in the existing directory server.
• You want to install the HP-UX host into a multiple-domain Windows environment. Guided installation only supports installation into a single Windows domain.
• You cannot modify the directory server’s schema. In this case, you can deploy using a local-only profile. The local-only profile can also be useful for small deployments and testing purposes. For more information, see Section 2.4.5.1 (page 69).
directory server to suit managing an LDAP-UX domain. For more information about the LDAP-UX domain, see Section 2.3.2 (page 27). In this scenario, the guided installation: — Configures the directory server with an LDAP-UX schema used for managing users, groups, and hosts. This includes definition of the database indexes based on that schema. — Defines the initial framework for the directory information tree. — Defines access control rights for directory server and LDAP-UX domain administration.
Instructions for installing LDAP-UX for the first time in an existing directory server environment are described in “Guided installation steps: Existing Directory Server Installation mode” (page 50). • Installing LDAP-UX into an existing LDAP-UX domain (Existing LDAP-UX Domain Installation mode): In this scenario, LDAP-UX has already been configured in the environment. You can then use the guided installation to join the HP-UX host to an existing LDAP-UX domain or to a Windows ADS domain.
searching once it makes a successful connection. If a directory server cannot be found by DNS, you will be prompted for the host name and port number for an existing directory server in your environment or asked if you wish to create a new directory server instance on the local host. If you choose to create a new directory server instance on the local host, autosetup will create an HP-UX Directory Server instance on the local machine.
A sample of the ldapclientd.conf file is included in Section E.4 (page 363). 14. Starts the LDAP-UX client daemon (ldapclientd) and the central configuration service daemon (ldapconfd). 2.3.2 Principles of the LDAP-UX domain When used for installing LDAP-UX in a non-Windows environment for the first time, the guided installation defines the management framework for, and actually creates, an LDAP-UX domain.
• Information model: Defines the types of objects managed in the directory server and the attributes and object classes that represent them, as described in Section 2.3.2.2 (page 29).
installation configures LDAP-UX, it initializes this subtree with the local host’s information. Any additional hosts that use the guided installation to configure LDAP-UX will be added under this subtree (joined to the LDAP-UX domain).
• ou=Configuration,ou=Services: Stores centrally managed configuration information for LDAP-enabled applications, or information about services available in the domain. The ldapentry tool can be used to manage items under this subtree.
Example 2-1 Sample host entry
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: ldapPublicKey
objectClass: iphost
objectClass: domainEntity
sshPublicKey: ssh-rsa AAAAB3Nza...
sshPublicKey: ssh-dss AAAAB3Nza...
sshPublicKey: 1024 35 140898...
owner: uid=domadmin,ou=people,dc=mydomain,dc=example,dc=com
ipHostNumber: 16.92.96.
objectClass: configurableService
cn: cup-ldapuxProfile
preferredServerList: 192.168.10.
Table 2-1 New attributes (attribute name: description and use)
entityModel: Describes the model associated with the object. The ldaphostmgr tool (with the -I option specified) uses this attribute to record the hardware model of the HP-UX host.
entityVersion: Represents the version of the associated entity. The ldaphostmgr tool (with the -I option specified) uses this attribute to record the version of the HP-UX OS on a host.
entityUsage: Describes the object’s designated usage.
organization wishes to register printers in the directory server, and the organization has a policy that “Top Secret” documents may only be printed on a restricted set of printers. The organization could have all printers that are eligible for printing “Top Secret” documents created with the entitySecurityLevel attribute value set to “Top Secret”. The conventions used with the attributes in the preceding table, such as defining acceptable value sets, are entirely up to the policies of the organization.
This is known as the proxy user. The customized installation requires that you create the proxy user manually. The guided installation automatically creates an entry in the directory server. This user (the host entry) is created with a randomly-generated password. The information is recorded in the /etc/opt/ldapux/pcred file. 2.3.2.3.
• Owners access control rights: LDAP-UX 5.0 simplifies demarcating ownership of items in the directory server. Owners are considered any users or members of a group that have a DN in the owner attribute of the target entry. Currently, only one type of owner exists: owners of hosts. The rights of these owners are granted with the following ACI:
dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber")(version 3.
#
# No Bundle(s) on hpt079:/tmp/ca-cup.hp.com.depot
# Product(s):
#
LDAPUX-MYDOMAIN-CA A.01.00 LDAP-UX mydomain.example.com domain CA Certificate
NOTE: SSL/TLS protocols support a variety of different cryptographic algorithms (ciphers) for use in authentication operations between server and client, certificate transmissions, and session key establishment. If a cipher is found to be flawed and subject to attack, administrators of HP-UX and the directory server would need to know about their vulnerability.
joins an HP-UX OS instance into an existing LDAP-UX domain. The guided installation can provision information about hosts in the domain into the directory server. The LDAP-UX domain serves as a focal point for managing hosts, securing data, and in non-Windows AD environments, for simplifying management of ssh host keys. The guided installation uses the LDAP-UX domain name to define the suffix of the directory tree. For example, if the local host is a member of the AccountingDept.acme.
• Administration domain (Admin domain) — for HP-UX Directory Server, a container entry for server groups, with each server group containing directory server instances that are managed by the same Configuration Directory Server. This domain is administered by the Configuration Administrator. Using the hpds-idm-console, the Configuration Administrator can view and manage all the HP-UX directory server instances in this domain.
installation. In some cases, you can run the script in silent mode, which requires no user interaction during the installation. To run the script interactively, simply enter the autosetup command as is. The script prompts you for the minimal information required. To reduce user interaction during the installation, you can pass parameters by specifying options in the command line.
-b search_base Specifies the base DN for which search operations should be performed for an existing LDAP-UX domain, or the base DN used when creating a new LDAP-UX domain; for example, dc=lab,dc=acme,dc=com. Typically, set the base DN to the directory's suffix value. Because the directory suffix is equal to the root, or topmost, entry in the directory, this causes all searches to begin from the directory's root entry.
of prompting for input for parameters such as the Configuration Administrator or Domain Administrator, it uses the default values and any values specified with command-line options or environment variables. If values are not given for any required parameters that do not have defaults, silent mode will abort. For this reason, silent mode is not valid when installing LDAP-UX on a host for the first time (creating a new directory server requires user intervention).
on the command line. Only used in New Directory Server Installation mode (installing LDAP-UX for the first time). DS_ADMIN_SERVER Sets the host name (or IP address), and optionally the port number, of the directory server's Administration Server, the server that manages the directory server administration domain that the new directory server will join. Only used in New Directory Server Installation mode (installing LDAP-UX for the first time). The default port is 389.
command option exists for passing this name on the command line. This variable only applies for LDAP-UX installations when creating a new directory server environment. If specified with an LDAP-UX Windows Server AD installation, this variable is ignored. LDAP_DOMAIN_ADM_PASSWD Sets the password for the LDAP-UX Domain Administrator. No command option exists for passing this password on the command line. This variable only applies for LDAP-UX installations when creating a new directory server environment.
Example 2-6 autosetup: passing two parameters directly in the command line along with a password file
# autosetup -D "cn=Directory Manager" -j /tmp/jfile -x document.hp.com
This command specifies the Directory Manager and a file that includes the password required for the Directory Manager of the directory server being created. The command also specifies the LDAP-UX domain name. When you invoke autosetup, you will not be prompted for these parameters.
NOTE: If you are planning a first-time deployment of managing user and group data in the directory server, HP suggests that you devise a strategy to avoid UID number and GID number overlap. Most likely, you will need to continue managing some accounts that are local to the hosts in the LDAP-UX domain. Often the root user, and sometimes application accounts (such as www for the httpd process) remain managed in the local /etc/passwd file.
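An added check for the UID and GID overlap strategy this note asks you to devise (example script; it is not part of the HP guide or of the LDAP-UX product): it compares a local passwd- or group-format file against an LDIF export of the directory's posix entries and lists every numeric ID defined in both places. The file names, the sample accounts and the idea of feeding it an ldapsearch export are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the HP LDAP-UX guide: find numeric IDs that are
# defined both in a local /etc/passwd (or /etc/group) style file and in an
# LDIF export of the directory (for example an ldapsearch of posixAccount
# and posixGroup entries).
#
# Usage: find_id_overlaps FIELD ATTRIBUTE LOCALFILE LDIFFILE
#   FIELD     colon-separated field holding the numeric ID (3 for both the
#             uid in /etc/passwd and the gid in /etc/group)
#   ATTRIBUTE LDAP attribute to compare it with (uidNumber or gidNumber)
# Prints one line per overlap: "<id> <local name> <dn of the LDAP entry>".
# With gidNumber, account entries are matched as well, which also reveals
# accounts whose primary group exists only in the local group file.
find_id_overlaps() {
    awk -F: -v fld="$1" -v attr="$2" '
        # first input file: local name database, name:pw:id:...
        FNR == NR { local_name[$fld] = $1; next }
        # second input file: LDIF; remember the DN of the entry being read
        /^dn: / { dn = substr($0, 5) }
        index($0, attr ": ") == 1 {
            id = substr($0, length(attr) + 3)
            if (id in local_name) print id, local_name[id], dn
        }
    ' "$3" "$4"
}

# Constructed sample data (no real hosts or accounts) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
www:*:30:1:www daemon:/:/sbin/sh
appsvc:*:1001:20:local application account:/home/appsvc:/sbin/sh
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root::0:root
staff::20:appsvc
EOF
cat > "$SAMPLE_DIR/export.ldif" <<'EOF'
dn: uid=jdoe,ou=People,dc=mydomain,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
uidNumber: 1001
gidNumber: 100

dn: uid=asmith,ou=People,dc=mydomain,dc=example,dc=com
objectClass: posixAccount
uid: asmith
uidNumber: 1002
gidNumber: 100

dn: cn=users,ou=Groups,dc=mydomain,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100

dn: cn=dba,ou=Groups,dc=mydomain,dc=example,dc=com
objectClass: posixGroup
cn: dba
gidNumber: 20
EOF

# Report the clashes; a cleanly planned deployment prints nothing here.
find_id_overlaps 3 uidNumber "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/export.ldif"
find_id_overlaps 3 gidNumber "$SAMPLE_DIR/group"  "$SAMPLE_DIR/export.ldif"
```

Run the two checks against the real /etc/passwd and /etc/group of every host that keeps local accounts, using one export of the whole user and group subtree; any line printed is an ID that two different names will claim once the LDAP name service is enabled.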
You cannot create an actual Directory Server entry that uses the same distinguished name (DN) as the Directory Manager DN. For more information about the Directory Manager and other administrators, see Section 2.3.4 (page 38). 4. The script asks whether you want to manage the new directory server in an existing HP-UX Directory Server administration domain (Admin domain) or whether you want to create a new directory server administration domain.
An LDAP-UX domain administrator is used to manage all data within the LDAP-UX domain. The domain administrator has fewer privileges than the Directory Manager or Configuration Administrator. This account will be the primary account used to manage data within the directory server, or its privileges can later be distributed to other users. This account should typically be associated with an individual and may be named as such.
LDAP-UX was successfully configured. As indicated in the guided installation log, the guided installation configures LDAP-UX and starts the LDAP-UX daemon (ldapclientd) and the central configuration service (ldapconfd). For more information about the files configured by autosetup, see “Samples of LDAP-UX configuration files created or modified by autosetup” (page 359). For more information about the central configuration service, see Chapter 6 (page 193).
2.3.6.2 Automating New Directory Server Installation mode To install LDAP-UX for the first time on a host and create a new directory server, you must run the script interactively to indicate at minimum, when prompted, that you want a new directory server created. You can use command-line options and environment variables to completely automate the rest of the procedure. In the example provided in this section, the following environmental variables are defined for all the parameters needing input.
============================================================================
Setting up the LDAP-UX client using the newly created directory server.
* Loading CA certificate from directory server to local host ... done.
* Extending schemas ... done.
No LDAP-UX Configuration Profile was found. Creating a new one.
* Downloading profile from DS ... done.
* Configuring ldapux_client.conf ... done.
* Provisioning LDAP-UX Client information into the Directory Server ... done.
* Setting up proxy user ...
NOTE: When configuring and setting up LDAP-UX, you will likely be prompted for credentials of an administrator. If you are asked to enter the credentials (password) of a user, make sure that the connection between your client and the HP-UX system (where you are running autosetup) is secured and not subject to network eavesdropping. One option to protect such communication may be to use the ssh protocol when connecting to the HP-UX host being configured. 2.3.7.
NOTE: Unless you pre-install a CA or server certificate for the directory server, the autosetup tool has no means of validating the identity of the directory server. The tool can download and permanently install the CA or server certificate for the server; however, the server could be an impostor. If autosetup created the specified server, it created a depot file on that server's host that contains the CA certificate for that server.
LDAP-UX was successfully configured. NOTE: For more information about the configuration files created or modified by autosetup, see “Samples of LDAP-UX configuration files created or modified by autosetup” (page 359). You can display details about the LDAP-UX Client Services configuration by using the /opt/ldapux/config/display_profile_cache command. For more information about the use of this command, see Section 7.2.4 (page 215). 2.3.7.
NOTE: This section assumes you are installing LDAP-UX on a host on which LDAP-UX is not already installed. If you attempt to run autosetup on a host on which LDAP-UX (ldapclientd) is already running, the procedure aborts. If the LDAP-UX is installed on the host but not running, the procedure proceeds. However, if a previous LDAP-UX configuration profile is found on the system, the procedure warns you that proceeding will overwrite the file and asks if you want to proceed.
a Windows domain name, or press Return to create a new directory server on this host: acct1053 Return NOTE: Unless you pre-install a CA or server certificate for the directory server, the autosetup tool has no means of validating the identity of the remote directory server (acct1053). The tool can download and permanently install the CA or server certificate for the server; however, the server might be an impostor.
NOTE: For more information about the configuration files created or modified by autosetup, see “Samples of LDAP-UX configuration files created or modified by autosetup” (page 359). You can display details about the LDAP-UX Client Services configuration by using the /opt/ldapux/config/display_profile_cache command. For more information about the use of this command, see Section 7.2.4 (page 215). 2.3.8.
2.4.1 Summary of customized installation and configuration steps
The following are the steps you take when custom installing and configuring an LDAP-UX Client Services environment:
• Plan your installation (see Section 2.4.2 (page 59)).
• Install LDAP-UX Client Services on each client system (see Section 2.4.3 (page 64)).
• Install and configure an LDAP directory, if not already done (see Section 2.4.4 (page 65)).
— Control user access to the system, using any of several methods mentioned in “Controlling user access to the system through LDAP” (page 106)
— Configure subsequent client systems (see the shortcuts mentioned in “Configuring subsequent client systems” (page 112))
— Download the profile periodically (see “Downloading the profile periodically” (page 113))
— Enable the use of r-commands with PAM_LDAP (see “Using the r-command for PAM_LDAP” (page 113))
2.4.2 Planning for your customized installation and configuration Before beginning your installation, you should plan how you will set up and verify your LDAP directory and your LDAP-UX Client Services environment before putting them into production. Consider the following questions. Record your decisions and other information that you will need later in “Configuration worksheet” (page 347).
has been made through the addition of a new caching daemon that caches passwd, group, and X.500 group membership information retrieved from an LDAP server. This significantly reduces LDAP-UX's response time to applications. To improve performance further, the daemon re-uses connections for LDAP queries and maintains multiple connections to an LDAP server. The migration scripts provided with LDAP-UX Client Services can build and populate a new directory subtree for your user and group data.
good idea to have as few profiles as necessary. To see what is in a profile and help you decide how many different profiles you need, look at the posixNamingProfile object class in “LDAP-UX Client Services object classes” (page 349). If you are familiar with NIS, one possibility is to create a separate profile for each NIS domain. • Where in your directory will you put your profile? The profile contains directory access information.
you wish to use the Pam Authorization Service module (PAM_AUTHZ) for user access control? PAM provides authentication services. You can configure PAM to use LDAP, Kerberos, or other traditional UNIX locations (for example files, NIS, NIS+) as controlled by NSS. For more information about PAM, see the pam(3) and pam.conf(4) manpages, and the Managing Systems and Workgroups: A Guide for HP-UX System Administrators document at the following location: www.hp.
IMPORTANT: If you attempt to use this new feature, in the ldapclientd.conf file, the start configuration parameter of the printer services section must be set to yes. If the start option is enabled, the printer configurator will start when ldapclientd is initialized. By default, the start parameter is enabled. • Do you want to import the NIS publickey schema into your LDAP directory if you choose to store and manage NIS publickeys in the LDAP directory.
/etc/passwd and /etc/netgroup files. If the /etc/opt/ldapux/pam_authz.policy file exists in the system, PAM_AUTHZ uses the access rules defined in the policy file to determine who can log in to the system. For detailed information on this feature and how to configure the /etc/opt/ldapux/pam_authz.policy file, see Section 5.3 (page 140) or the pam_authz(5) manpage.
• Do you want to configure the /etc/opt/ldapux/pam_authz.
2.4.4 Configuring your directory This section describes how to configure your directory to work with LDAP-UX Client Services. Examples are given for the HP-UX Directory Server. For information about supported directories, see the LDAP-UX Integration Release Notes . If you have a different directory, see the documentation for your directory for details on how to configure it. For more information, see Preparing Your LDAP Directory for HP-UX Integration at: http://www.hp.
at ou=groups,ou=unix,o=hp.com, allows only the directory administrator to modify entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
4. Grant read access of all attributes of the posix schema. Ensure all users have read access to the posix attributes.
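An added illustration of step 4 (not taken from the HP guide): the ACI below grants read access on the data under ou=unix,o=hp.com to authenticated users while keeping the userPassword attribute out of the readable set, since LDAP-UX authenticates users by binding and never needs to read password hashes. The container DN, the ACI name and the ldapmodify changetype framing are assumptions; the ACI syntax is the HP-UX/Red Hat Directory Server syntax used by the deny ACI above.

```ldif
# Added example, not from the HP guide. Applied with ldapmodify as the
# Directory Manager; the target container ou=unix,o=hp.com is assumed.
dn: ou=unix,o=hp.com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0;acl "Allow read of posix data to authenticated users"; allow (read,search,compare) (userdn = "ldap:///all");)
```

The userdn keyword ldap:///all matches any authenticated bind, which is what a client configured with a proxy user presents; ldap:///anyone would additionally admit anonymous binds and is only needed when clients are configured to bind anonymously. Write access to userPassword for the user's own entry is a separate ACI and is not covered by this one.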
• gidnumber
• uid
• ipserviceport
• iphostnumber
To index these entries with HP-UX Directory Server, go to the Directory Server Console's Configuration tab, then the Indexes tab, and click the Add Attributes button.
10. Determine if you need to support enumeration requests. If you do, increase the Look-Through limit and the Size limit in the Directory Server. Enumeration requests are directory queries that request all of a database, for example all users or all groups.
2.4.5 Configuring the LDAP-UX Client Services Below is a summary of how to configure LDAP-UX Client Services with HP-UX Directory Server. For a default configuration, see Section 2.4.5.1 (page 69). For a custom configuration, see Section 2.4.5.2 (page 73) for more information. NOTE: The setup program has only been certified with HP-UX Directory Server version 8.1, Red Hat Directory Server 8.0, Windows Server 2003 R2 Active Directory Server, and Windows 2008 Active Directory Server.
IMPORTANT: Starting with LDAP-UX Client Services B.03.20, the client daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running the client daemon, ldapclientd, is optional.
NOTE: The LDAP printer configurator can support any Directory Servers that support the LDAP printer schema based on RFC 3712.
Enter either the host name or IP address of the directory server where your profile exists, or where you want to create a new profile, from “Configuration worksheet” (page 347).
Enter the port number of the previously specified directory server on which you want to store the profile, from “Configuration worksheet” (page 347). The default port number is 389.
Select authentication method for users to bind/authenticate to the server
1. SIMPLE
2. SASL DIGEST-MD5
To accept the default shown in brackets, press the Return key.
Authentication method: [1]:
Press the Return key to accept the SIMPLE authentication method, or type 2 to choose the SASL DIGEST-MD5 authentication method at the following prompt:
Authentication method: [1]:
18. Configure the Name Service Switch (NSS). Save a copy of the file /etc/nsswitch.conf and edit the original to specify the LDAP name service and other name services you want to use. See /etc/nsswitch.ldap for a sample. You may be able to just copy /etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more information.
19. Optionally, configure the Pam Authorization Service module (PAM_AUTHZ). LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.conf.
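An added sanity check on the edited /etc/nsswitch.conf (example script, not from the HP guide): because accounts such as root and local application users stay in /etc/passwd, the passwd and group lines should list the files source before ldap so those accounts keep resolving when the directory is unreachable. The file content below is a constructed sample; the check only compares the order of the two source names.

```shell
#!/bin/sh
# Added example, not from the HP LDAP-UX guide: report, for the passwd and
# group databases in an nsswitch.conf file, whether the "files" source is
# consulted before the "ldap" source.
#
# Usage: nss_check_order NSSWITCH_FILE
# Prints one line per database: "<db> ok", "<db> no-ldap",
# "<db> WARN-no-files" or "<db> WARN-ldap-before-files".
nss_check_order() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "passwd:" || $1 == "group:" {
            db = substr($1, 1, length($1) - 1)
            fpos = 0; lpos = 0
            # status clauses such as [NOTFOUND=continue] are simply skipped;
            # only the literal source names are compared
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && fpos == 0) fpos = i
                if ($i == "ldap"  && lpos == 0) lpos = i
            }
            if (lpos == 0)        st = "no-ldap"
            else if (fpos == 0)   st = "WARN-no-files"
            else if (fpos < lpos) st = "ok"
            else                  st = "WARN-ldap-before-files"
            print db, st
        }
    ' "$1"
}

# Constructed sample: passwd is ordered safely, group is not.
NSS_SAMPLE=$(mktemp)
cat > "$NSS_SAMPLE" <<'EOF'
# constructed nsswitch.conf sample for the example
passwd:   files [NOTFOUND=continue] ldap
group:    ldap [NOTFOUND=continue] files
hosts:    files dns
EOF

nss_check_order "$NSS_SAMPLE"
```

Run it as nss_check_order /etc/nsswitch.conf after the edit; any WARN line means a directory outage would also take local logins down with it.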
2.4.5.2 Custom configuration Running the setup program for a quick configuration, as described above, configures your client using default values where possible. If you would like to customize these parameters, proceed as follows. If you want to use SSL or TLS, you must perform the following tasks before you run the custom configuration. See Section 2.4.6 (page 79) for details. • Ensure that you have installed the certificate database files, cert8.db and key3.db, on your client system.
5. Select the client binding you want from the “Configuration worksheet” (page 347). This determines the identity that client systems use when binding to the directory to search for user and group information.
6. If you configured a proxy user, enter the DN and password of your proxy user from the “Configuration worksheet” (page 347). If you want to use the SASL/DIGEST-MD5 authentication method, you must configure a proxy user with its credential level.
can have up to three different search descriptors. A custom search descriptor consists of three parts: a search base DN, scope, and filter. The client uses the search descriptors in order until it finds what it is looking for. NOTE: If your search filters overlap, enumeration requests will result in duplicate entries being returned.
2.4.5.3 Remapping attributes for services This section describes detailed procedures on how to perform attribute mappings for automount, dynamic group and X.500 group membership services. Attribute mappings for automount service By default, LDAP-UX Client Services uses the RFC 2307-bis automount schema. The nisObject automount schema can also be used if configured via attribute mappings. Use the following steps if you want to remap the automount attributes to the nisObject automount attributes: 1.
8. Next, type the attribute nisMapEntry you want to map to the automountInformation attribute and press the Return key:
automountInformation -> nisMapEntry
9. Next, the setup program takes you to a screen showing the following information:
Current Automount attribute names:
1. automountMapName -> [nisMapname]
2. automountKey -> [cn]
3. automountInformation -> [nisMapEntry]
Specify the attribute you want to map.
Attribute mappings for X.500 group membership support
If you want to configure X.500 group membership support, you should remap the group member attribute to member or uniquemember instead of using the default attribute, memberuid. Perform the following steps for attribute mappings to set up X.500 group membership:
1. Type yes for the following question:
Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes
2.
2.4.6 Configuring the LDAP-UX Client Services with SSL or TLS support
LDAP-UX Client Services supports either SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to secure communication between LDAP clients and the LDAP directory server. With SSL, an encrypted session is established on a dedicated port, 636 by default. With TLS, the session on the standard LDAP port (389 by default) is upgraded to an encrypted one through the Start TLS extended operation.
LDAP-UX Client and configure your LDAP directory server to support SSL or TLS before you run the setup program.
NOTE: If you already have the certificate database files cert8.db and key3.db on your client for your HP-UX applications, you can simply create a symbolic link /etc/opt/ldapux/cert8.db that points to cert8.db, and /etc/opt/ldapux/key3.db that points to key3.db.
2.4.6.2.
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "server cert" -t "P,," -i servercert.der
NOTE: The required -n parameter gives the certificate a nickname in the certificate database files. The nickname value is arbitrary. If you plan to connect to multiple LDAP servers whose SSL certificates were issued by different certificate authorities, use the nickname to differentiate between the different CA certificates. The trust flags "P,," mark the imported certificate as a trusted peer, which is appropriate when you import the server's own certificate; if you import a CA certificate instead, so that every server certificate that CA has signed is accepted, use the trust flags "C,," for that entry. You can list the database afterwards with certutil -d /etc/opt/ldapux -L to confirm the nickname and trust flags.
2. Select and execute one of the following steps. Either is needed because the client cannot use the directory server to resolve the directory server's own host name:
• Either LDAP-UX must not be used for host-name resolution: remove “ldap” from the “hosts” service in the /etc/nsswitch.conf file.
• Or the host name and IP address of the directory server must be provided by some other name resolution service, such as “files” or “dns”, and that service must appear before “ldap” in the /etc/nsswitch.conf file for the “hosts” service.
2.4.6.2.2.
and servers may support different cipher suites, or sets of ciphers, depending on a variety of factors. The ciphers currently supported by LDAP-UX are listed in Table 2-5 (page 83).
2.4.7 Configuring LDAP-UX Client Services with NIS publickey support
LDAP-UX Client Services supports discovery and management of NIS publickeys in an LDAP directory. Both the public and the secret keys used by the Secure RPC API can be stored in user and host entries in an LDAP directory server, using the nisKeyObject objectclass. Support for discovery of keys in an LDAP directory server is provided through the getpublickey() and getsecretkey() APIs.
must re-run the setup program to extend the publickey schema into your LDAP directory. You do not need to re-run the setup program for the subsequent client systems. For detailed information on how to run the setup program to extend the publickey schema into an LDAP directory, see Section 2.4.5.1 (page 69). 2.4.7.3 Admin Proxy user A special type of proxy user, known as an Admin Proxy has been added to LDAP-UX to support management of NIS publickey information in an LDAP directory server.
aci:(targetattr ="objectclass||nispublickey||nissecretkey") (version 3.
2.4.7.4.2 Setting ACI for a user
With the HP-UX Directory Server, you need to set up an ACI that gives a user permission to change their own nissecretkey and nispublickey attributes. To set up the ACI for a user, use the Directory Server Console or ldapmodify.
An example
The following ACI gives a user permission to change their own nissecretkey and nispublickey attributes for user keys:
dn: ou=People,dc=org,dc=hp,dc=com
aci: (targetattr ="nissecretkey||nispublickey")(version 3.
can find the profile DN from PROFILE_ENTRY_DN in /etc/opt/ldapux/ldapux_client.conf after you finish running the setup program. The following example edits the profile entry "cn=ldapuxprofile,dc=org,dc=hp,dc=com":
cd /opt/ldapux/bin
./ldapentry -m "cn=ldapuxprofile,dc=org,dc=hp,dc=com"
After you answer the "Directory login:" and "password:" prompts, ldapentry brings up an editor window with the profile entry. You can then add the serviceAuthenticationMethod attribute.
serv-auth: keyserv:sasl/digest-md5
auth opts:
username: uid
realm:
For subsequent LDAP-UX client systems that share the same profile configuration, use the following steps to download and activate the profile:
1. Log in as root.
2. Go to /opt/ldapux/config:
cd /opt/ldapux/config
3. Use /opt/ldapux/config/get_profile_entry to download the modified LDIF profile:
./get_profile_entry -s nss
4.
2.5.1 Importing name service data into your directory
To import your name service data into your LDAP Directory, consider the following:
• If you have already imported data into your directory with the NIS/LDAP Gateway product, LDAP-UX Client Services can use that data and you can skip to Section 2.4.5 (page 68).
• If you are using NIS, the migration scripts take your NIS maps and generate LDIF files. These scripts can then import the LDIF files into your directory, creating new entries in the directory.
dn: cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com
cn: Domain Administrators
cn: DomainAdmins
gidNumber: 1900
memberUid: domadmin
Use the ldapugmod tool to change numbers as needed. In the following example, the ldapugmod tool changes the GID number of DomainAdmins from 1900 to 1999.
2.5.2 Verifying the LDAP-UX Client Services This section describes some simple ways you can verify the installation and configuration of your LDAP-UX Client Services. You may need to do more elaborate and detailed testing, especially if you have a large environment. If any of the following tests fail, see Section 5.18 (page 189). 1.
./beq -k n -s pwd -l /usr/lib/libnss_ldap.1 iuser1
nss_status........ NSS_SUCCESS
pw_name...........(iuser1)
pw_passwd.........(*)
pw_uid............(101)
pw_gid............(21)
pw_age............()
pw_comment........()
pw_gecos..........(gecos data in files)
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)
Use the following beq command if you are running 64-bit applications on an HP-UX 11i v2 or v3 HP Integrity server:
.
1. Create a valid posix user and group. Add this user as a member of this group using the attribute "member" instead of "memberuid". Here is an example LDIF file specifying xuser2 as a member of the group xgroup1:
# cat example_ids.ldif
dn: cn=xgroup1,ou=Groups,o=hp.com
objectClass: posixGroup
objectClass: groupofnames
objectClass: top
cn: xgroup1
userPassword: {crypt}*
gidNumber: 999
member: uid=xuser2,ou=People,o=hp.com

dn: uid=xuser2,ou=People,o=hp.
2.5.3 Enabling AutoFS support AutoFS is a client-side service that automatically mounts appropriate file systems when users request access to them. If an automounted file system has been idle for a period of time, AutoFS unmounts it. AutoFS uses name services such as files, NIS, or NIS+ to store and manage AutoFS maps. LDAP-UX Client Services supports the automount service under the AutoFS subsystem. This feature allows users to store AutoFS maps in an LDAP directory server. 2.5.3.
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.
nisMapName: auto_direct
cn: /mnt_direct/test1
nisMapEntry: hostA:/tmp

dn: cn=/mnt_direct/test2,nisMapname=auto_direct,dc=nishpind
objectClass: top
objectClass: nisObject
nisMapName: auto_direct
cn: /mnt_direct/test2
nisMapEntry: hostB:/tmp
2.5.3.1.2.2 Limitations
The nisObject automount schema contains three attributes: cn, nisMapEntry and nisMapName. cn is matched case-insensitively (unlike automountKey in the RFC 2307-bis schema, which uses caseExactIA5Match), so two map keys that differ only in case cannot be distinguished.
If you want to perform attribute mappings or search filter changes by using the Custom Configuration, ensure that you do not accept the remaining default configuration parameters in step 4 of the Custom Configuration. NOTE: You can use the nisObject automount schema without attribute mappings and search filter changes if only the nisObject automount schema exists in the LDAP directory. 2.5.3.3 Configuring NSS Configure the Name Service Switch (NSS) to enable the LDAP support for AutoFS.
domain name is not specified, LDAP-UX uses the value of the NIS_DOMAIN parameter configured in the /etc/rc.conf.d/namesvrs file.
Examples:
The following command sets the fully qualified name of the NIS+ domain to "cup.hp.com":
export DOM_ENV="cup.hp.com"
The following command sets the fully qualified name of the NIS domain to "india.hp.com":
export NIS_DOMAINNAME="india.hp.com"
The following command sets the base DN to "dc=cup, dc=hp, dc=com":
export LDAP_BASEDN="dc=cup, dc=hp, dc=com"
2.5.3.4.
objectClass: automount
automountInformation: hostB:/tmp
automountKey: /mnt_direct/lab2
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_direct.ldif that you just created into the LDAP directory. For example, the following command imports the /tmp/auto_direct.ldif file under the base DN "dc=nishpind" in the LDAP directory server LDAPSERV1:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" -w -f /tmp/auto_direct.
2.5.3.4.4 The migrate_nis_automount.pl script
This script, found in /opt/ldapux/migrate, migrates the AutoFS maps from the NIS server to LDIF.
2.5.3.4.4.1 Syntax
scriptname inputfile outputfile
2.5.3.4.4.2 Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the /tmp/auto_indirect.ldif file:
export LDAP_BASEDN="dc=nisserv1"
export NIS_DOMAINNAME="cup.hp.com"
migrate_nis_automount.pl /etc/auto_indirect /tmp/auto_indirect.
2.5.3.4.5 The migrate_nisp_autofs.pl script
This script, found in /opt/ldapux/migrate/nisplusmigration, migrates the AutoFS maps from the NIS+ server to the nisp_automap.ldif file.
2.5.3.4.5.1 Syntax
scriptname inputfile
2.5.3.4.5.2 Examples
The following commands migrate the AutoFS map /etc/auto_indirect to LDIF and place the results in the nisp_automap.ldif file:
export LDAP_BASEDN="dc=nishpbnd"
export DOM_ENV="cup.hp.com"
migrate_nisp_autofs.
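The conversion that the two migration scripts above perform, shown here as an added example rather than the product's own migrate_nis_automount.pl or migrate_nisp_autofs.pl code: it reads an AutoFS map in the "key [options] location" form, takes the base DN from LDAP_BASEDN as the scripts do, and emits the automountMap container plus one automount entry per key using the RFC 2307-bis attributes listed in the schema above (automountMapName, automountKey, automountInformation). The map content is constructed for the example. Two details worth noting for anyone writing their own converter: a key that contains a comma, plus sign or other RFC 4514 special character must be escaped before it is used in the DN, and a value that starts with a space or colon, or contains a newline, must be base64-encoded (the "::" form) or it will corrupt the LDIF and can smuggle extra attributes into the entry.

```python
"""Convert an AutoFS map file into LDIF using the RFC 2307bis automount schema.

Added example; not LDAP-UX code and not the product's migration scripts.
Assumes map lines of the form "key [options] location", a base DN taken from
LDAP_BASEDN (or passed in), and the automountMap/automount object classes with
the automountMapName, automountKey and automountInformation attributes.
"""
import base64
import os

# Constructed sample input standing in for /etc/auto_direct.
SAMPLE_AUTO_DIRECT = """\
# direct map: key [mount options] location
/mnt_direct/test1 hostA:/tmp
/mnt_direct/test2 -ro,soft hostB:/tmp
"""


def parse_map(text):
    """Return [(key, information)]; skips blank lines and comments, joins \\-continuations."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("map line has no location: %r" % raw)
        # everything after the key (options plus location) is the information value
        entries.append((parts[0], " ".join(parts[1].split())))
    return entries


def ldif_attr(name, value):
    """Render one attribute line, base64-encoding values RFC 2849 cannot carry literally."""
    unsafe_init = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\0\r\n" for c in value)
    if not value or unsafe_init or unsafe_chars:
        return "%s:: %s" % (name, base64.b64encode(value.encode()).decode())
    return "%s: %s" % (name, value)


def dn_escape(value):
    """Escape an RDN value per RFC 4514 so a map key cannot break or alter the DN."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in ',+"\\<>;=' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        elif ord(c) < 32:
            out.append("\\%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)


def map_to_ldif(map_name, text, base_dn=None):
    """Build the LDIF for one map: a container entry plus one entry per key."""
    base_dn = base_dn or os.environ.get("LDAP_BASEDN")
    if not base_dn:
        raise ValueError("set LDAP_BASEDN or pass base_dn")
    map_dn = "automountMapName=%s,%s" % (dn_escape(map_name), base_dn)
    blocks = [[
        ldif_attr("dn", map_dn),
        "objectClass: top",
        "objectClass: automountMap",
        ldif_attr("automountMapName", map_name),
    ]]
    for key, info in parse_map(text):
        blocks.append([
            ldif_attr("dn", "automountKey=%s,%s" % (dn_escape(key), map_dn)),
            "objectClass: top",
            "objectClass: automount",
            ldif_attr("automountKey", key),
            ldif_attr("automountInformation", info),
        ])
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


if __name__ == "__main__":
    os.environ.setdefault("LDAP_BASEDN", "dc=nishpind")
    print(map_to_ldif("auto_direct", SAMPLE_AUTO_DIRECT))
```

Running the block prints LDIF that can be fed to ldapmodify -a exactly like the /tmp/auto_direct.ldif file in the preceding example; to convert a real map, read the file's contents and pass them as the text argument.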
NOTE: For information about patches that need to be installed to support offline credential caching, see the LDAP-UX Integration B.05.00 Release Notes. 2.5.4.1 How the offline cache works To support this feature, you can configure LDAP-UX to maintain a secondary (offline) long-term cache that stores previously-discovered user account and group information, including authentication passwords that are hashed using the salted Secure Hash Algorithm (SHA-512).
# value should be at least twice as large as the combined size of all those
# groups.
#longterm_cache_size=50000000
#
# Should long term caching support enumeration of users and groups. If
# getpwent() and getgrent() are not required, this can be disabled.
#longterm_enum_enable=no
#
# How frequently should the HP-UX client go to the directory server to refresh
# the enumeration cache. 86400 = once per day.
#longterm_enum_search_interval=86400
As shown, offline credential caching is disabled by default.
2.5.5.2 Netgroups in LDAP
With LDAP, the ability to use netgroups to control which groups of users are visible on a host, or which fields are masked, is still available. System administrators can enable NIS compat mode by defining the following sequence in the /etc/nsswitch.conf file:
...
passwd: compat
passwd_compat: files ldap
...
The first line indicates that the passwd name service should operate in the traditional “compatibility mode,” allowing netgroups to be specified in the /etc/passwd file.
b. /etc/opt/ldapux/ldapux_client.conf
Search for "enable_compat_mode". To enable internal compat-mode processing in ldapclientd, set this value to 1.
NOTE: If LDAP-UX has been configured previously on your host, you must examine the newly delivered configuration files found under /opt/ldapux/newconfig/etc/opt/ldapux. Compare and merge the existing configuration files with those delivered in the newconfig subdirectory.
3. Restart ldapclientd.
#
# You can disable specific users so that they are unable to log in
# through the LDAP server by uncommenting the "disable_uid_range"
# flag and adding the UID numbers you want to disable. For example:
#
# disable_uid_range=0-100,120,300-400
#
# Note: The list of UID numbers must be on one line and the maximum
# number of ranges is 20. The system ignores typos and white space.
#
#disable_uid_range=0
To enable and configure the flag, first save a copy of the /etc/opt/ldapux/ldapux_client.
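The flag syntax described above, implemented as an added example (this is not ldapclientd's own parser): the function parses the "0-100,120,300-400" form, drops whitespace, enforces the documented limit of 20 ranges, and answers whether a UID is blocked from logging in through the LDAP server. The product text only says that typos are ignored; how ldapclientd treats them internally is not documented here, so this version skips malformed tokens and reports them, which lets an administrator see what was silently dropped. The configuration excerpt is constructed.

```python
"""Evaluate the disable_uid_range flag from ldapux_client.conf.

Added example; not LDAP-UX code. The 20-range maximum and the
"ignore whitespace and typos" behaviour follow the comment block above;
raising on more than 20 ranges (rather than truncating) is an assumption.
"""
import re

MAX_RANGES = 20  # documented maximum number of ranges on the single line

# Constructed excerpt of /etc/opt/ldapux/ldapux_client.conf with the flag enabled.
SAMPLE_CONF = """\
# disable_uid_range=0-100,120,300-400
#disable_uid_range=0
disable_uid_range=0-100, 120 ,300-400,abc
"""

_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")  # a single UID or lo-hi range


def parse_uid_ranges(spec):
    """Return ([(lo, hi), ...], [ignored_tokens]) for a disable_uid_range value."""
    ranges, ignored = [], []
    for token in "".join(spec.split()).split(","):  # drop all whitespace, split on commas
        if not token:
            continue
        m = _TOKEN.match(token)
        if not m:
            ignored.append(token)
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:  # reversed range: treat like any other typo
            ignored.append(token)
            continue
        ranges.append((lo, hi))
    if len(ranges) > MAX_RANGES:
        raise ValueError("disable_uid_range has %d ranges; the maximum is %d"
                         % (len(ranges), MAX_RANGES))
    return ranges, ignored


def active_disable_spec(conf_text):
    """Return the value of the first uncommented disable_uid_range line, or None if the flag is off."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue  # still commented out: the flag is not enabled
        if line.startswith("disable_uid_range="):
            return line.split("=", 1)[1].strip()
    return None


def is_uid_disabled(spec, uid):
    """True if uid falls inside any range of the flag value."""
    ranges, _ = parse_uid_ranges(spec)
    return any(lo <= uid <= hi for lo, hi in ranges)


if __name__ == "__main__":
    spec = active_disable_spec(SAMPLE_CONF)
    ranges, ignored = parse_uid_ranges(spec)
    print("ranges:", ranges, "ignored tokens:", ignored)
    for uid in (0, 50, 101, 120, 350, 401):
        print(uid, "disabled" if is_uid_disabled(spec, uid) else "allowed")
```

Note that the lookup is against the UID, so an LDAP account whose uidNumber was changed to escape a disabled range is no longer blocked; keep the ranges aligned with the UID allocation policy in the directory.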
deny_local Specifies the deny_local option The following example shows the portion of the /etc/pam.conf file that configures the authentication and account services. As a result, for any attempt to use these services to log in or establish a session on the HP-UX client system, if PAM_LDAP detects an equivalent account name or UID in the /etc/passwd file, it returns PAM_IGNORE (PAM_LDAP does not authenticate the user).
OTHER auth required
OTHER auth sufficient
OTHER auth required
#
# Account management
#
login account required
login account sufficient
login account required
su account required
su account sufficient
su account required
dtlogin account required
dtlogin account sufficient
dtlogin account required
dtaction account required
dtaction account sufficient
dtaction account required
ftp account required
ftp account sufficient
ftp account required
rcomds account required
rcomds account sufficient
rcomds account requi
module_type
Specifies the service module type: authentication (auth), account management (account), session management (session), or password management (password).
libpam_ldap.so.1
Specifies the pathname to the PAM_LDAP library object that implements the service functionality. If the pathname is not absolute, it is assumed to be relative to /usr/lib/security/$ISA/.
ignore
Specifies the ignore option.
The following is an example of a pam_user.
module_type
Specifies the service module type: authentication (auth), account management (account), session management (session), or password management (password).
required
Specifies the control flag as required (mandatory).
libpam_updbe.so.1
Specifies the pathname to the PAM_UPDBE shared library object that implements the service functionality. If the pathname is not absolute, it is assumed to be relative to /usr/lib/security/$ISA/.
For more details, see the pam_updbe(5) and pam_user.
2.5.7 Configuring subsequent client systems Once you have configured your directory and one client system, you can configure subsequent client systems using the following steps. If you used autosetup to create your LDAP-UX domain, you should continue to use autosetup to configure subsequent clients, since it provisions the HP-UX host information in the directory server. To do this, you can run autosetup in silent mode, as described in Section 2.3.8.2 (page 56). 1.
2.5.8 Downloading the profile periodically
The setup program allows you to define a time interval after which the current profile is automatically refreshed. The start time for this periodic refresh is the time the setup program was run, and the interval is the value defined for ProfileTTL. Therefore, you cannot define a specific time of day at which the profile should be downloaded (refreshed). For more detailed information, see the ldapclientd(1) manpage.
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.
su account required
dtlogin account required
dtlogin account sufficient
dtlogin account required
dtaction account required
dtaction account sufficient
dtaction account required
ftp account required
ftp account sufficient
ftp account required
rcomds account required
rcomds account sufficient
rcomds account required
sshd account required
sshd account sufficient
sshd account required
OTHER account required
OTHER account sufficient
3 LDAP Printer configurator support
This chapter contains information describing how LDAP-UX supports the printer configurator, how to set up the printer schema, and how to configure the printer configurator to control its behavior.
3.1 Overview
Management of network printing is complex, and printers themselves are becoming more complex. Instead of having printer configuration and information scattered over client systems and printer servers, they can be stored and managed from a single repository.
• Updates the master printer record file
When ldapclientd is initialized, it enables the printer configurator services at the same time. Once the printer configurator is up, it periodically searches for existing printer entries in the LDAP Directory Server based on predefined search filters. If there are printer entries in the LDAP Directory Server, the printer configurator extracts the LP printer configuration from each printer entry.
NOTE: The system administrator manually adds or removes printers to the HP-UX system. The LDAP Printer Configurator will only add or remove printers that it has discovered in the LDAP directory according to the search filter defined for the printer.
Figure 3-1 Printer configurator architecture
[Figure: the Directory Server holds the new printer schema and the printer entries, for example:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: lpd://hostA.corp.hp.
http://www.ietf.org For the detailed structure information of the new printer schema, see Appendix C. You must import the new printer schema into the LDAP Directory Server to create new printer objects. NOTE: The LDAP printer configurator supports any Directory Servers that support the LDAP printer schema based on RFC 3712. 3.4.
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: lpd://hostA.cup.hp.com/lj2004
printer-location: Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
Since the local printer name, remote host name, remote printer name, and printing protocol are unchanged, the LDAP Printer Configurator does not change the current remote LP printer configuration for laser2.
Example 3: The system hostA.hp.com is retired.
3.6 Limitations of the printer configurator
• The new LDAP printer schema based on RFC 3712 must be imported into the LDAP Directory Server before printer objects can be created.
• LDAP-UX Client Services only supports the HP-UX LP spooler system, network printers, and printer servers that support the Line Printer Daemon (LPD) protocol. The printer configurator does not support local printers.
• In a global management environment, it is hard to determine a default printer for the individual client system.
4 Dynamic group support This chapter contains information about how LDAP-UX Client Services supports dynamic groups, how to set up dynamic groups, and how to enable or disable dynamic group caches. 4.1 Overview A system administrator can associate some users with a group, and apply security policies (e.g. access control, password policies) to the group. As a result, all users belonging to the group inherit the specific policies, such as being able to access a file.
The following shows an example of a dynamic group entry created using the Directory Server Console:
dn: cn=dyngroup,ou=groups,dc=example,dc=hp,dc=com
cn: dyngroup
objectClass: top
objectClass: groupofuniquenames
objectClass: groupofnames
objectClass: groupofurls
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(l=California)
The memberURL attribute in the above example specifies a subtree search (scope sub) starting at dc=example,dc=hp,dc=com, which finds all entries at any depth under that base that match the filter (l=California).
objectClass: groupofuniquenames
objectClass: groupofnames
objectClass: groupofurls
objectClass: posixgroup
objectClass: top
cn: dyngroup
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(l=California)
gidNumber: 500
4.
4.2.2 Changing an HP-UX POSIX static group to a dynamic group
To change an HP-UX POSIX static group to an HP-UX POSIX dynamic group, use the Directory Server Console to add the following objectclass and attribute information to the HP-UX POSIX static group:
• groupofurls objectclass
• memberURL attribute
For detailed information on how to use the Directory Server Console to modify a group, see the HP-UX Directory Server administrator guide available at the following website: http://www.hp.
name: cn
gid: gidnumber
members: memberuid memberURL member uniquemember
LDAP-UX retrieves group members, and determines the groups a specific user belongs to, by looking into all of the configured attributes. If needed, you can create a group that includes both static and dynamic members. When returning group members, LDAP-UX returns both the static and the dynamic members that belong to the group.
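The lookup described above, as an added example that is not LDAP-UX code: it parses a memberURL of the RFC 4516 form used in the dyngroup entry (ldap:///base??scope?filter), evaluates the filter against a small in-memory directory, and unions the result with the static membership attributes LDAP-UX consults (memberuid for user names, member and uniquemember for DNs, from which the uid in the RDN is taken). The filter language is limited to equality, presence and the &, |, ! operators, and the directory and group are constructed for the example. A real evaluation also depends on the URL's scope: the example deliberately places one user under a different base DN to show that a matching filter alone does not make someone a member.

```python
"""Resolve the members of a group that mixes static and dynamic membership.

Added example, not LDAP-UX code. It parses a memberURL of the RFC 4516 form
shown above (ldap:///base??scope?filter), runs the filter over an in-memory
directory and unions the result with the static attributes LDAP-UX consults:
memberuid (names) and member/uniquemember (DNs, reduced to the uid in their
RDN). Filters support equality, presence and &, |, !. All data is constructed.
"""
from urllib.parse import unquote

# Constructed directory: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=hp,dc=com": {"uid": ["alice"], "l": ["California"]},
    "uid=bob,ou=people,dc=example,dc=hp,dc=com": {"uid": ["bob"], "l": ["Texas"]},
    "uid=carol,ou=people,dc=example,dc=hp,dc=com": {"uid": ["carol"], "l": ["California"], "title": ["intern"]},
    "uid=dave,ou=people,dc=other,dc=com": {"uid": ["dave"], "l": ["California"]},  # outside the URL's base DN
}

# Constructed group: static members plus a dynamic membership URL.
DYNGROUP = {
    "cn": ["dyngroup"], "gidNumber": ["500"],
    "memberUid": ["bob"],
    "uniqueMember": ["uid=dave,ou=people,dc=other,dc=com"],
    "memberURL": ["ldap:///dc=example,dc=hp,dc=com??sub?(&(l=California)(!(title=intern)))"],
}

def parse_member_url(url):
    """Return (base_dn, scope, filter) from an LDAP URL; attrs and extensions are ignored."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: " + url)
    _host, _, path = url[len("ldap://"):].partition("/")
    parts = path.split("?")
    base = unquote(parts[0])
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else "base"  # RFC 4516 default scope
    flt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return base, scope, flt

def parse_filter(text):
    """Parse an RFC 4515 subset into ('&'|'|'|'!', [children]) or ('=', attr, value) tuples."""
    pos = 0
    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d in %r" % (pos, text))
        pos += 1
        if text[pos] in "&|!":
            op, kids = text[pos], []
            pos += 1
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            pos += 1  # consume the closing ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter: " + text[pos:])
    return tree

def matches(entry, tree):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if tree[0] == "&":
        return all(matches(entry, k) for k in tree[1])
    if tree[0] == "|":
        return any(matches(entry, k) for k in tree[1])
    if tree[0] == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(vals) if value == "*" else value.lower() in vals

def in_scope(dn, base, scope):
    """Apply the URL scope: base = the entry itself, one = direct children, sub = whole subtree."""
    norm = lambda d: ",".join(p.strip() for p in d.lower().split(","))
    dn, base = norm(dn), norm(base)
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]

def group_members(group, directory):
    """Sorted union of static (memberuid, member, uniquemember) and dynamic (memberURL) members."""
    attrs = {k.lower(): v for k, v in group.items()}
    names = set(attrs.get("memberuid", []))
    for attr in ("member", "uniquemember"):  # DN-valued: take the uid from the RDN
        names.update(dn.split(",", 1)[0].partition("=")[2].strip()
                     for dn in attrs.get(attr, []) if dn.lower().startswith("uid="))
    for url in attrs.get("memberurl", []):
        base, scope, flt = parse_member_url(url)
        tree = parse_filter(flt)
        for dn, entry in directory.items():
            if in_scope(dn, base, scope) and matches(entry, tree):
                names.update(entry.get("uid", []))
    return sorted(names)
```

Calling group_members(DYNGROUP, DIRECTORY) returns ['alice', 'bob', 'dave']: alice through the URL, bob and dave through the static attributes, and carol excluded by the (!(title=intern)) clause even though she matches (l=California). Against a real directory the dynamic part is one LDAP search per memberURL, which is the cost discussed under performance later in this chapter.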
Table 4-1 Attribute mappings
Default Group Attribute: memberuid
Dynamic Group Attribute: memberURL
Static X.500 Group Attribute: member
If you want to perform group attribute mappings by using the Custom Configuration, ensure that you do not accept the remaining default configuration parameters in step 4 of the Custom Configuration.
4.4 Number of group members returned
With dynamic membership support, as with regular (static) group membership support, the number of group members for a specific group returned by getgrnam()/getgrgid()/getgrent() on an HP-UX system is limited by internal buffer sizes. On HP-UX 11i v2 and v3 systems, the buffer size is 7296 bytes for 32-bit applications and 10496 bytes for 64-bit applications. How many members fit within that limit depends mainly on the length of each member name.
4.6 Performance impact for dynamic groups The dynamic group is specified by either an LDAP URL or a search filter. Depending on how you configure dynamic groups, potentially, there could be a lot of LDAP searches involved. In that case, the performance of those applications calling getgrnam(), getgrgid() or getgrent()(3C) (e.g. the command "id", "groups", etc) will be affected.
5 Administering LDAP-UX Client Services
This chapter describes how to keep your clients running smoothly and expand your computing environment.
5.1 Using the LDAP-UX client daemon
This section describes the following:
• Overview of ldapclientd daemon operation.
• Configurable parameters and syntax in the ldapclientd configuration file, ldapclientd.conf.
• Command line syntax and options for the ldapclientd command.
5.1.
/opt/ldapux/bin/ldapclientd <[-D ]|-E |-S [cache]>
/opt/ldapux/bin/ldapclientd <-f| -k| -L| -h| -r>
5.1.2.3 Client daemon performance
Performance (client response time) is improved by the use of two techniques:
1. Reuse of connections to the LDAP Directory Server: This feature improves performance by reducing the overhead associated with opening and closing connections to the directory server, and significantly reduces network traffic and server load.
2.
Meaning: The /etc/opt/ldapux/ldapclientd.conf file is missing or has a syntax error. If the problem is with its syntax, the error message is accompanied by a line showing exactly where the syntax could not be recognized, or where a setting was found to be out of range.
5.1.2.6 Warnings
Whenever the system is rebooted, ldapclientd launches if the [StartOnBoot] section has the parameter enable=yes in the file /etc/opt/ldapux/ldapclientd.conf (the ldapclientd configuration file).
- [automountMap]
- [printers]
setting
This will be different for each section.
value
Depending on the setting, this can be .
5.1.3.2.1 Section details
Within a section, the following syntax applies:
[StartOnBoot]
Determines if ldapclientd starts automatically when the system boots.
enable=
By default, this is enabled after LDAP-UX has been configured by the LDAP-UX setup program /opt/ldapux/config/setup.
except dynamic_group. If this limit is reached, new entries are not cached until enough expired entries are freed to allow it. The default value is 10000000.
state_dump_time=<0-2147483647>
A state, which acts as a virtual enumeration context between the client and the LDAP server, is created for a setXXent() request and kept for the subsequent getXXent() requests. If no get requests are received within the specified time interval (in seconds), the state is removed. The default value is 300 (in seconds).
accessible through ldapclientd's API. However, the default delivered ldapclientd.conf file sets this parameter to allow access to the sshPublicKey attribute for the passwd and hosts services. This parameter can be specified more than once.
allowed_attribute example:
allowed_attribute=hosts:sshPublicKey
[passwd]
Cache settings for the passwd cache (which caches name, UID, and shadow information).
enable=
ldapclientd only caches entries for this section when it is enabled.
The time, in seconds, before a cache entry expires from the positive cache. If group caching is enabled, this value must be greater than poscache_ttl of [group]. The default value is 43200 (12 hours). negcache_ttl=<1-2147483647> The time, in seconds, before a cache entry expires from the negative cache. If group caching is enabled, this value must be greater than negcache_ttl of [group] The default value is 43200 (12 hours).
[domain_pwd] This cache maps user names and UIDs to the domain holding its entry. enable= ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled. poscache_ttl=<0-2147483647> The time, in seconds, before a cache entry expires from the positive cache. Since new domains are rarely added to or removed from the forest, the cache is typically valid for a long time.
The default value is 1800 (30 minutes). [automountMap] Cache settings for the automount map cache. enable= ldapclientd only caches entries for this section, when it is enabled. By default, caching is enabled. poscache_ttl=<0-2147483647> The time, in seconds, before a cache entry expires from the positive cache. The default value is 1800 (30 minutes). negcache_ttl=<1-2147483647> The time, in seconds, before a cache entry expires from the negative cache. The default value is 7200 (2 hours).
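The ranges and cross-section rules given in this reference are easy to get wrong by hand, and a passwd entry that expires before the group entry it depends on produces stale group membership that ldapclientd will serve until the group TTL runs out. The following added example (not LDAP-UX code) reads the [section]/key=value layout of ldapclientd.conf, keeps repeated keys such as allowed_attribute, and reports the violations described above: enable must be yes or no, poscache_ttl must lie in 0-2147483647, negcache_ttl in 1-2147483647, and when [group] caching is enabled the [passwd] poscache_ttl and negcache_ttl must be greater than the corresponding [group] values. The sample file is constructed and intentionally violates both TTL rules.

```python
"""Check ldapclientd.conf cache sections against the documented constraints.

Added example; not LDAP-UX code. The value ranges and the passwd-versus-group
TTL rules are the ones stated in the configuration reference above; the file
layout assumed is [section] headers with key=value lines and '#' comments.
"""
INT_MAX = 2147483647

# Allowed ranges quoted from the reference: negcache_ttl may not be 0.
TTL_RULES = {"poscache_ttl": (0, INT_MAX), "negcache_ttl": (1, INT_MAX)}

# Constructed sample: passwd TTLs are not greater than the group TTLs.
SAMPLE_CONF = """\
[StartOnBoot]
enable=yes

[passwd]
enable=yes
poscache_ttl=1800
negcache_ttl=43200

[group]
enable=yes
poscache_ttl=3600
negcache_ttl=43200
"""


def parse_conf(text):
    """Return {section: [(key, value), ...]}, preserving duplicate keys and their order."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
        else:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    return sections


def first(items, key, default=None):
    """Value of the first occurrence of key in a section's (key, value) list."""
    for k, v in items:
        if k == key:
            return v
    return default


def check_conf(sections):
    """Return a list of human-readable findings; an empty list means the file passes."""
    findings = []
    for name, items in sections.items():
        enable = first(items, "enable")
        if enable is not None and enable.lower() not in ("yes", "no"):
            findings.append("[%s] enable=%s is not yes/no" % (name, enable))
        for key, (lo, hi) in TTL_RULES.items():
            val = first(items, key)
            if val is not None and (not val.isdigit() or not lo <= int(val) <= hi):
                findings.append("[%s] %s=%s outside %d-%d" % (name, key, val, lo, hi))
    group = sections.get("group", [])
    if first(group, "enable", "no").lower() == "yes":  # cross-section rule applies only then
        for key in TTL_RULES:
            p, g = first(sections.get("passwd", []), key), first(group, key)
            if p and g and p.isdigit() and g.isdigit() and int(p) <= int(g):
                findings.append("[passwd] %s=%s must be greater than [group] %s=%s"
                                % (key, p, key, g))
    return findings


if __name__ == "__main__":
    for finding in check_conf(parse_conf(SAMPLE_CONF)) or ["no problems found"]:
        print(finding)
```

To check the live file, read /etc/opt/ldapux/ldapclientd.conf and pass its contents to parse_conf; run it again against the copy under /opt/ldapux/newconfig before merging after an upgrade.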
If you update LDAP-UX Client Services from an older version, such as B.03.00 or B.03.10, the new configuration file will be /opt/ldapux/newconfig/etc/opt/ldapux/ldapclientd.conf.
5.2 Integrating with Trusted Mode
This section describes features and limitations, PAM configuration changes and configuration parameters for integrating LDAP-UX with Trusted Mode.
5.2.1 Overview
LDAP-UX Client Services B.03.30 or later supports coexistence with Trusted Mode.
5.2.2.2 Password and account policies The primary goal of integrating Trusted Mode policies and those policies enforced by an LDAP server is coexistence. This means that Trusted Mode policies are not enforced on LDAP-based accounts, and LDAP server policies are not enforced on local-based accounts.
5.3 PAM_AUTHZ login authorization The Pluggable Authentication Module (PAM) is an industry standard authentication framework that is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The PAM framework also allows new authentication service modules to be plugged in and made available without modifying the PAM enabled applications.
Figure 5-1 PAM_AUTHZ environment
[Figure: a PAM-enabled application calls pam_authz, which reads the policy configuration file and consults the authentication modules (for example pam_kerberos and pam_ldap), the LDAP-UX client daemon ldapclientd, /etc/group, /etc/netgroup and the LDAP directory server; the interactions are numbered 1 to 7.]
The following describes the policy validation processed by PAM_AUTHZ for the user login authorization shown in “PAM_AUTHZ environment” (page 141):
1.
5.3.3 PAM_AUTHZ supports security policy enforcement
PAM_AUTHZ supports enforcement of account and password policies stored in an LDAP directory server. This feature is intended for secure shell (ssh) and for r-commands with rhost authentication enabled, where authentication is not performed by the PAM (Pluggable Authentication Module) subsystem but by the command itself, so that PAM_LDAP never handles the login and cannot apply those policies.
5.3.4 Policy file The system administrator can define a local access policy that can be stored in an access policy file. The default access policy file is /etc/opt/ldapux/pam_authz.policy, but it can be stored in an alternate location by setting the policy option in pam.conf. The PAM_AUTHZ service module uses this local policy file to process the access rules and to control the login authorization. Any service that loads the libpam_authz.1 library will also load this file.
5.3.5 Policy validator PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the access rules defined in pam_authz.policy. It validates and determines the user's login authorization based on the user's login name and the information it retrieves from various name services. The result is then returned to the PAM framework. PAM_AUTHZ processes access rules in the order they are defined in the access policy file.
5.3.6 Dynamic variable support Dynamic variable support is a method by which an access rule can be defined where part or all of the policy criteria will be determined at the time the rule is evaluated. For example, the name of the computer from which the user attempts to logon can be substituted into the access rule to be evaluated. See Section 5.3.9 (page 151) for more information on how to define an access rule using dynamic variable support. 5.
5.3.7 Constructing an access rule in the access policy file In the access policy file, an access rule consists of three fields as follows: ::
Table 5-1 Field syntax in an access rule (continued)
deny, allow, required, other: No value is required.
status: The second field can be rhds or ads; the third field specifies the function name in that library that is called to evaluate certain policy settings of the login user. Example: status:rhds:check_rhds_policy. See the “Account and Password Security Policy Enforcement” section for details.
The value in this field represents the type of access rule. It defines what kinds of user information that PAM_AUTHZ needs to look for. The value also helps to determine the correct syntax in the following field. The following describes the valid values for this field: unix_user, unix_local_user, unix_group, netgroup, ldap_group Rules that have one of these specified as the field are defining a static list access rule.
When status is specified in the type field, the rule is evaluated to perform account and password policy enforcement. Such a rule names, in the second field, a library to be loaded and, in the third field, a function in that library to be invoked to perform policy evaluation for a particular directory server. See Section 5.3.10.1 (page 153) for detailed information on the supported values and usage of this access rule.
5.3.8 Static list access rule When the value in the type field is one of unix_user, unix_group, netgroup or ldap_group, the rule is evaluated using the list of predefined values in the third field. Based on the value in the type field, PAM_AUTHZ calls the appropriate name service to determine whether the requested item is present. If the requested information is found, the rule evaluates to true.
NOTE: Beginning with version 5.0 of the product, LDAP-UX Client Services supports integrated compat mode to control which users are visible on a host, where the user accounts are referenced by netgroups specified in the /etc/passwd file. For more information, see "Enabling integrated Compat Mode to control name services and user logins" (page 104). ldap_group This option specifies that the access rule is based on membership in an LDAP group that is not a posixGroup.
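The static-list evaluation described above, as an added example that is not part of LDAP-UX: a small POSIX sh evaluator that reads rules in the action:type:object_list form, consults constructed stand-ins for the passwd and group name services (the real module queries the configured name services), and returns the first matching allow or deny. It models only allow and deny with unix_user and unix_group; required and other, netgroup, ldap_group and status rules are left out, and the fail-closed result when no rule matches is this example's choice, not a statement of PAM_AUTHZ's behaviour.

```shell
#!/bin/sh
# Added example: minimal evaluator for static-list access rules of the form
#   action:type:object_list
# This is NOT the PAM_AUTHZ implementation. It models allow/deny with
# unix_user and unix_group rules only, against constructed data.

# Constructed stand-ins for the passwd and group name services.
# passwd: login:primary_gid      group: name:gid:member,member,...
SAMPLE_PASSWD="alice:100
bob:100
carol:200
dave:300"
SAMPLE_GROUP="staff:100:alice,bob
dba:200:carol
wheel:10:alice"

# Constructed policy file. Rule order matters: bob is denied by the first
# rule even though the third rule would allow every member of staff.
SAMPLE_POLICY="# action:type:object_list
deny:unix_user:bob
allow:unix_group:wheel,dba
allow:unix_group:staff"

# in_list NAME CSV -> 0 if NAME is one of the comma-separated values in CSV
in_list() {
  case ",$2," in *",$1,"*) return 0 ;; esac
  return 1
}

# user_in_group USER GROUP -> 0 if GROUP is USER's primary group or lists USER
user_in_group() {
  _pgid=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '$1==u{print $2; exit}')
  printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v u="$1" -v g="$2" -v pg="$_pgid" '
    $1==g { if (pg != "" && $2 == pg) found = 1
            n = split($3, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit found ? 0 : 1 }'
}

# authz_decide USER -> prints allow|deny; returns 0 for allow, 1 for deny.
# Rules are read top to bottom; the first rule whose object list matches the
# user decides. Failing closed when nothing matches is this example's choice.
authz_decide() {
  while IFS=: read -r _action _type _objects; do
    case $_action in ''|'#'*) continue ;; esac
    _match=1
    case $_type in
      unix_user)
        in_list "$1" "$_objects" && _match=0 ;;
      unix_group)
        for _g in $(printf '%s\n' "$_objects" | tr ',' ' '); do
          user_in_group "$1" "$_g" && _match=0
        done ;;
      *)
        printf 'rule type %s not modeled here\n' "$_type" >&2 ;;
    esac
    if [ "$_match" -eq 0 ]; then
      case $_action in
        allow) echo allow; return 0 ;;
        deny)  echo deny;  return 1 ;;
      esac
    fi
  done <<EOF
$SAMPLE_POLICY
EOF
  echo deny
  return 1
}

# One decision per constructed user.
for u in alice bob carol dave; do
  printf '%-6s %s\n' "$u" "$(authz_decide "$u")"
done
```

Run it with sh. The loop at the end shows that bob is denied by the first rule although the third rule admits every member of staff, which is the ordering behaviour to keep in mind when a real pam_authz.policy mixes allow and deny rules.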
TERMINAL Returns the terminal device from which the user attempts to log on, for example /dev/pts/0. Some applications (such as ssh or remsh) do not pass the terminal dynamic variable value to PAM_AUTHZ, so a rule that depends on TERMINAL cannot be relied on for those services.
TIMEOFTHEDAY Returns the current time of the computer system on which the user attempts to log on. For example, 20061015125535Z represents October 15, 2006 at 12:55 and 35 seconds GMT. TIMEOFTHEDAY follows the Generalized Time syntax described in RFC 4517.
5.3.10 Security policy enforcement with secure shell (ssh) or r-commands PAM_AUTHZ has a limited ability to perform account and password security policy enforcement without requiring LDAP-based authentication.
function_name This field defines the function name, in the specified library, that PAM_AUTHZ uses to evaluate certain security policy settings for the login user. The following are the valid entries for this field:
• check_rhds_policy: If this option is specified, PAM_AUTHZ evaluates all the necessary account and password policy settings, stored in the HP-UX Directory Server or Red Hat Directory Server, for the login user.
allow (read,search) (userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com");) For more information about a list of security policy attributes supported by LDAP-UX, see Section 5.3.10.6 (page 156). 5.3.10.3 Configuring the PAM configuration file If you want to use PAM_AUTHZ to support enforcement of account and password policies stored in your directory server, you must define the PAM_AUTHZ library and the rcommand option in the /etc/pam.
5.3.10.6 Directory server security policies Global security attributes In the HP-UX Directory Server or Red Hat Directory Server, numerous attributes are used to define the security policies. To support account and password security policy enforcement, PAM_AUTHZ is enhanced to support the global administrative security attributes listed in Table 5-2. These attributes define the policy rules and are all stored under cn=config. Only authorized users can read them.
Table 5-3 Security policy status attributes (continued) passwordExpirationTime This string attribute defines the date and time at which a password is considered expired. The date and time are specified using the Generalized Time syntax referenced in RFC 2252 and specified by the ISO X.208 standard. It uses the format YYYYMMDDHHMMSSTZ, where YYYY = 4-digit year, MM = 2-digit month, DD = 2-digit day, HH = 2-digit hour, MM = 2-digit minute, SS = 2-digit second and TZ = time zone (Z for GMT).
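An added example, not code from the guide: a POSIX sh check that reads passwordExpirationTime from ldapsearch output in LDIF form and compares it with a Generalized Time value in the same YYYYMMDDHHMMSSZ syntax (the syntax the TIMEOFTHEDAY dynamic variable also uses). The LDIF is constructed; on a real system it would come from an ldapsearch bound as an account that is permitted to read the status attribute, which the proxy user generally is not.

```shell
#!/bin/sh
# Added example: decide whether a directory account's password has expired
# from its passwordExpirationTime value. Not part of LDAP-UX; the LDIF
# below is constructed to look like ldapsearch output for one user.

SAMPLE_LDIF="dn: uid=tscott,ou=People,dc=example,dc=com
uid: tscott
passwordExpirationTime: 20061015125535Z"

# is_gentime STR -> 0 if STR is a Generalized Time in the YYYYMMDDHHMMSSZ form
is_gentime() {
  case $1 in
    [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
  esac
  return 1
}

# gentime_expired WHEN NOW -> 0 if WHEN is at or before NOW (both in Z form).
# With a fixed-width, most-significant-first layout and a common zone, the
# 14-digit values order correctly as integers.
gentime_expired() {
  is_gentime "$1" && is_gentime "$2" || return 2
  [ "${1%Z}" -le "${2%Z}" ]
}

# ldif_value LDIF ATTR -> first value of ATTR (attribute names are case-insensitive)
ldif_value() {
  printf '%s\n' "$1" | awk -F': ' -v a="$2" 'tolower($1)==tolower(a){print $2; exit}'
}

# password_status LDIF [NOW] -> expired | valid | missing | malformed
# NOW defaults to the current UTC time written in the same syntax.
password_status() {
  _now=${2:-$(date -u +%Y%m%d%H%M%SZ)}
  _exp=$(ldif_value "$1" passwordExpirationTime)
  [ -n "$_exp" ] || { echo missing; return 0; }
  is_gentime "$_exp" || { echo malformed; return 0; }
  if gentime_expired "$_exp" "$_now"; then echo expired; else echo valid; fi
}

printf '%s: password %s\n' "$(ldif_value "$SAMPLE_LDIF" uid)" "$(password_status "$SAMPLE_LDIF")"
```

A value without a trailing Z, or with a time-zone offset, is reported as malformed rather than compared, because the integer comparison is only valid when both values are in the same zone.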
5.4 Adding a directory replica Your LDAP directory contains the configuration profiles downloaded by each client system and the name service data accessed by each client system. As your environment grows, you may need to add a directory replica. LDAP-UX can use replica directory servers and fails over to an alternate if one of them fails. Follow these steps to inform LDAP-UX about multiple directory servers: 1. Create and configure your LDAP directory replica.
5.5 Managing users and groups LDAP-UX Integration supports the new set of non-interactive LDAP command-line tools that allow you to list, add, modify or delete user accounts and groups in an LDAP directory server. These new tools provide capabilities to perform those operations without needing to discover the LDAP server information.
in an LDAP directory server, without requiring extensive knowledge of in-use data models or the methods used to retrieve and evaluate that information in the LDAP directory server. The ldapuglist tool uses the LDAP-UX profile configuration, requiring minimal command line options to discover where to search for user or group information, such as the LDAP directory server host and proper search filters for finding users and groups.
— Discover the recommended list of attributes that an interactive management tool can consider making available for modification for the specified entry. The following subsequent sections provide examples on how to use ldapuglist, ldapugadd, ldapugmod, ldapugdel and ldapcfinfo to display, enumerate, add, modify or delete user accounts and groups in an LDAP directory server. 5.5.2 Listing users You can use ldapuglist to list and enumerate POSIX-like account entries in an LDAP directory server.
uidNumber: 750 gidNumber: 2000 loginShell: /usr/bin/sh homeDirectory: /home/pfong gecos: pfong,Building-10,555-552-5000 ... ... The following command displays the account entry that contains uid=tscott: ./ldapuglist -t passwd -m -f "(uid=tscott)" The output is as follows. In this example, the uidNumber attribute has been mapped to employeeNumber and the gecos attribute has been mapped to cn, l and telephoneNumber. With the -m option, the ldapuglist tool displays the mapped attribute names as well.
The output is as follows: dn: cn=groupB,ou=groups,dc=example,dc=com cn: groupB gidNumber: 620 memberUid: user1 memberUid: user3 memberUid: user5 Command arguments The following describes the ldapuglist options/arguments used in the above examples: -t type Specifies the type of entry the ldapuglist tool discovers and processes. type can be passwd or group. The passwd type indicates posixAccount-type entries. The group type indicates posixGroup-type entries.
5.5.4.1 Adding users You can add users to your system as follows: 1. Add the user's posixAccount entry to your LDAP directory. You can use your directory's administration tools, the ldapugadd command, or the ldapentry tool to add a new user entry to your directory. If you are adding a large number of users, you could create a passwd file with those users and use the migration tools to add them to your directory.
The output of the commands is as follows: Surname The following commands add an account entry for the user, mtam, with the user's primary login group ID, 200. ldapugadd creates the password for the new user, mtam, using the user password specified in the LDAP_UGCRED environment variable. After creating the user entry, ldapugadd attempts to add this user as a member of group number 200. Run the following command to create the new account entry for the user, mtam: .
loginShell[loginshell]: /usr/bin/sh gecos[cn]: Tom Sheu gecos[l]: Building-1A gecos[telephone]: 555-555-5555 Command arguments applicable to -t passwd The following are the options and arguments used in the above examples of the ldapugadd -t passwd commands: -t type Specifies the type of entry the ldapugadd tool operates on. type can be passwd or group. The passwd type represents LDAP user entries that contain POSIX account-related information.
Command arguments applicable to -t group The following are the command arguments and options used in the above examples of the ldapugadd -t group commands: -M Defines initial group membership by adding the specified user accounts as members. -g Specifies the group ID number for the new group. Required argument. The final argument specifies the POSIX-style group name for the new group entry. 5.5.4.4 Modifying defaults in /etc/opt/ldapux/ldapug.
-s Specifies the default login shell that ldapugadd uses when creating a new user entry. -s Specifies the default parent home directory that ldapugadd uses when creating a new user home directory. 5.5.5 Modifying a user You can use the ldapugmod tool to modify existing POSIX accounts or groups in an LDAP directory server. This section provides examples of using ldapugmod to modify a user's information.
-I Replaces the GECOS fields for the user. Typically the GECOS argument contains the following four fields, which represent (in order): • The user's full name • The user's work location • The user's work telephone number • The user's home telephone number (often omitted) Each field in the argument must be separated by a comma. attribute=value Allows modification of arbitrary LDAP attributes and values. 5.5.
./ldapugmod -t group -a atam,mlou,mscott GroupA The following command removes one member, atam, from the group entry, GroupA: ./ldapugmod -t group -r atam GroupA Command arguments The following describes the arguments/options used in the above examples for the ldapugmod -t group commands: -A Specifies an attribute and value to be added to an entry.
export LDAP_BINDDN="cn=Jane Admin,ou=admins,dc=example,dc=com"
export LDAP_BINDCRED="Jane's password"
Note that a password placed in the environment this way is visible to every process that can read this shell's environment and is recorded in the shell history if typed on the command line; unset LDAP_BINDCRED when you are done. Run the following commands to delete the entire user account entry, skeith: cd /opt/ldapux/bin ./ldapugdel -t passwd skeith Run the following command to delete only the posixAccount object class and its associated attributes, uidNumber, gidNumber, homeDirectory, loginShell and gecos, without deleting the entire user entry, msmith: .
Assuming that the automount service is not configured for LDAP-UX support, the output of the above command is: WARNING: CFI_CONFIG_FAILURE: "automount" service not configured for LDAP-UX support 5.5.8.2 Listing available templates Use the ldapcfinfo -t type -L command to display a list of available templates. The valid value for type can be passwd or group.
uidNumber_range=100:20000 default_gidNumber=20 default_homeDirectory=/home default_loginShell=/usr/bin/sh Run the following command to display the LDAP default configuration values in the /etc/ opt/ldapux/ldapug.conf file for the group name service: ./ldapcfinfo -t group -D Below is the output of the above command: gidNumber_range=100:2000 5.5.8.5 Displaying the LDAP-UX profile's DN Run the following command to display the location of the LDAP-UX configuration profile: .
gecos description 5.5.8.8 Displaying attribute mapping for a specific name service Use the ldapcfinfo -t type -m command to display the attribute mapping information defined in the LDAP-UX configuration profile. The valid value for type can be passwd or group. The following command displays the attribute mapping for the gecos attribute, which has been mapped to the cn, l and telephone attributes: .
tree or base of the Windows domain. If you have an existing configuration profile that was not set up using guided installation, the location where your hosts will be stored might be defined to a different location, or might not be defined at all (using defaults). You can use the ldapcfinfo tool to determine where LDAP-UX believes host information should be located.
5.6.2 Modifying a host Use the -m option of ldaphostmgr to modify existing host entries. If neither -a, -m, nor -g is specified, -m is assumed. In the -a and -m modes, ldaphostmgr can be used to add, change, or remove arbitrary attributes. You can manage some attributes using ldaphostmgr command-line options; for example, use -k to manage the host’s ssh public key, and -i to manage the host’s IP address.
ipHostNumber: 16.92.96.116 dn: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com cn: baker ipHostNumber: 16.89.146.146 CAUTION: If you used guided installation to configure LDAP-UX on a host, removing that host entry also removes the proxy user defined for that host. Removing the host’s proxy user entry disables the ability of the OS to use LDAP as an OS management repository.
ipHostNumber: 16.92.96.113 ipHostNumber: 192.168.10.10 To remove an IP address from a host, use the -i option with the ! flag in front of the IP address to be removed. In shells that perform history expansion on !, such as csh or an interactive bash, quote the argument ('!192.168.10.10') so that the shell passes it through unchanged. For example, to remove the address added in the previous example: # ldaphostmgr -i !192.168.10.10 brewer bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]: Password: # ldaphostlist -n brewer dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com cn: brewer ipHostNumber: 16.92.96.
dn: cn=dbhosts,ou=groups,dc=mydomain,dc=example,dc=com cn: dbhosts uniqueMember: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com # ldaphostmgr -G dbhosts chef bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]: Password: # ldapuglist -t group -P -F "(cn=dbhosts)" uniqueMember bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]: Password: dn: cn=dbhosts,ou=groups,dc=mydomain,dc=example,dc=com cn: dbhosts uniqueMember: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com uniqueMember: cn=chef,ou=H
objectClass: ipHost objectClass: ldapPublicKey objectClass: domainEntity owner: uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvrJ... entityRole: DBSERVER dn: cn=raptor,ou=Hosts,dc=mydomain,dc=example,dc=com cn: raptor ipHostNumber: 16.92.96.
adding any special privileges, the guided installation sets a special flag (proxy_is_restricted) inside the /etc/opt/ldapux/ldapclientd.conf file to indicate that the proxy user has been created without any additional special privileges. This flag is also used by ldaphostlist, to determine if it is safe to request arbitrary attributes from the directory server.
5.7 Displaying the proxy user's DN You can display the proxy user's distinguished name by running /opt/ldapux/config/ldap_proxy_config -p. The following command displays the current proxy user: ldap_proxy_config -p PROXY DN: uid=proxy,ou=people,o=hp.com 5.8 Verifying the proxy user The proxy user information is stored in the file /etc/opt/ldapux/pcred. You can check if the proxy user can authenticate to the directory by running /opt/ldapux/config/ldap_proxy_config -v as follows: cd /opt/ldapux/config .
cd /opt/ldapux/config ./display_profile_cache You can also find out from where in the directory the client downloaded the profile by displaying the file /etc/opt/ldapux/ldapux_client.conf and looking for the line beginning with PROFILE_ENTRY_DN, for example: grep ^PROFILE_ENTRY_DN /etc/opt/ldapux/ldapux_client.conf PROFILE_ENTRY_DN="cn=profile1,ou=hpuxprofiles,o=hp.com" 5.11 Creating a new configuration profile To create a new profile, run /opt/ldapux/config/setup.
3. Download the profile to the client. If you have an automated process to download the profile, you can wait until it executes. Or you can download the profile manually by running the following command: cd /opt/ldapux/config ./get_profile_entry -s nss You can verify that the proxy user is configured with display_profile_cache and ldap_proxy_config.
5.16 Performance considerations This section lists some performance considerations for LDAP-UX Client Services. For additional performance information, see the white paper LDAP-UX Integration Performance and Tuning Guidelines at: http://www.hp.com/go/hpux-security-docs Click HP-UX LDAP-UX Integration Software. 5.16.1 Minimizing enumeration requests Enumeration requests are directory queries that request all of a database, for example all users or all groups.
unnecessary. However, applications exist that may perform these operations frequently, either on purpose or because they are malfunctioning. For example, if a file is created with a group ID that does not exist, every time a user displays information about this file using the ls command, a request to the directory server is generated. The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount map information.
Table 5-4 Benefits and side-effects for caching (continued)
Map Name: netgroup
Benefits: netgroups can be heavily used for determining network file system access rights or user login rights. Caching this information greatly reduces this impact.
Example Side-Effect: Similar to groups, since netgroups are used to control access to resources, a modification of these rights may not take effect on the client until the cached information has expired.
5.17.2 ldapclientd persistent connections Since an HP-UX system can generate many requests to an LDAP server, the overhead of establishing a new connection for every request can create excessive network traffic and slow response times for name service requests. Depending on network latency, connection establishment and tear-down can cause relatively severe delays in client response. A persistent connection to the directory server eliminates this delay.
5.18 Troubleshooting This section describes troubleshooting techniques as well as problems you may encounter. 5.18.1 Enabling and disabling LDAP-UX logging When something is behaving incorrectly, enabling logging is one way to examine the events that occur and determine where the problem is. Enable LDAP-UX Client Services logging on a particular client as follows: 1. Edit the local start-up file /etc/opt/ldapux/ldapux_client.
WARNING! Enabling the debug option in pam.conf might allow attackers to gain additional information that would help them defeat password security. For example, they could attempt to log in as a superuser (su) and discover that a password has expired (by observing the superuser's behavior, they could determine when he or she is likely to log in next).
2. Edit the file /etc/syslog.conf and add a new line at the bottom like the following: *.debug /var/adm/syslog/debug.
3.
because, for example, the user's password has expired or the login retry limit has been exceeded. To check this, try an ldapsearch command and bind as the user, for example: cd /opt/ldapux/bin ./ldapsearch -h servername -b "baseDN" uid=username (get the user's DN) ./ldapsearch -h servername -b "baseDN" -D "userDN" -w passwd \ uid=username where userDN is the DN of the user who cannot log in and username is the login of the user. The password given with -w is visible in the process list while the command runs and is recorded in the shell history; run this check only from a terminal you control and remove the command from the history afterwards.
If you are using anonymous access, (determined by the value of the credentialLevel attribute in the configuration profile), try searching for one of your user's information in the directory with a command like the following: ./ldapsearch -h servername -b "o=hp.com" uid=username using the name of your directory server (from display_profile_cache), search base DN (from display_profile_cache), and a user name from the directory. You should get output similar to the previous example.
6 Managing ssh host keys with LDAP-UX LDAP-UX B.05.00 introduces management of host attributes in the directory server. One of the features integrated with host management is using an LDAP directory server as a trusted repository for a host’s ssh public key. ssh is a great protocol for both protecting data in transit (using encryption), and for validating trust between two parties. However, establishing that trust relationship is a weak aspect of the default ssh toolset.
Figure 6-1 ssh host key management infrastructure (diagram: an LDAP Server holding an sshKey entry for Host A and for Host B; Host A running LDAP-UX, ldaphostmgr and ssh; Host B running sshd with its ssh key). The LDAP directory server includes an SSL certificate. The LDAP-UX library of Host A has a copy of that certificate. When ssh attempts to validate the public key of the remote host Host B, it connects through a library in LDAP-UX. LDAP-UX is configured to securely communicate with the LDAP directory server and to discover keys for the requested hosts.
With the LDAP-UX guided installation, and the HP-UX Directory Server, setting up this trust framework is nearly automatic (for more information about this trust framework, see Section 2.3.2.3 (page 33)). When using the guided installation, LDAP-UX generates a server certificate software depot file. This depot file can be installed on each host being managed, and once installed, will establish trust with that central directory server.
6.1.3 Permissions The LDAP-UX host management tool (ldaphostmgr), which is used to manage ssh public keys in the directory server, manipulates the aforementioned object classes and attributes. This tool relies on the directory server to provide proper access control. To assure that only authorized modifications to the host and public key information are performed, only a restricted set of privileged users should be allowed to modify host information, including the sshPublicKey attribute.
• Define authentication and access control, such that a limited set of privileged users will have the ability to manage host and ssh key data in the directory server.
• Install a CA or server certificate in the /etc/opt/ldapux/cert8.db file. This can be done using /opt/ldapux/bin/certutil, or by installing the auto-generated LDAP-UX domain CA depot (created with the guided installation).
• Configure LDAP-UX on all host clients.
data transmitted between the client and the directory server is protected. The following three sections describe how to establish this trust. 6.2.
the sshPublicKey attribute. This ACI is automatically created if you create a new directory server instance using the guided installation.
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALL]: Allow changes by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber") (version 3.
Example 6-2 Extending administrator accounts with posixAttributes 1. Identify the account to extend: # /opt/ldapux/bin/ldapuglist -F "(cn=bob alison)" \* dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com cn: Bob Alison gecos: Bob Alison,+1-303-555-5432 2.
6.3.1 Configuring ssh and sshd to use LDAP-managed keys On each HP-UX client that is to use LDAP-based ssh public keys, you must install version A.05.50 or higher of the HP Secure Shell product and LDAP-UX version B.05.00 or later. HP Secure Shell A.05.50 or higher is enabled to use the LDAP directory server for public key validation and is dependent on APIs provided in LDAP-UX B.05.00. You must configure the ssh toolset to use LDAP.
If you did not configure LDAP-UX on the current host using the guided installation, you might not have an entry in the directory server that represents the current host.
fingerprint: b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c. The SSH key for the remote host is unknown and is not trusted. If you remotely log in to the host, and can positively identify the host, you can add the host using ldaphostmgr as originally demonstrated. Or, if you have the ssh public key of the remote host in a local known_hosts file, the above message will not be displayed. If you can positively identify the fingerprint of the remote host, you can answer yes (y) to the WARNING message.
NOTE: Because this script runs in batch mode, you need to specify the LDAP host administrator’s credentials in the LDAP_BINDDN and LDAP_BINDCRED environment variables before running the script (or, alternatively, use the -E option to specify those values in a file.
Your public key has been saved in /opt/ssh/etc/ssh_host_rsa_key.pub. The key fingerprint is: ab:92:ec:71:8e:24:b9:5e:b9:1e:26:60:50:84:b9:bb root@chef The key's randomart image is: +--[ RSA 4096]----+ | +o | |o. | |.. | |o | |.o S | |o. . . . | | .+.B.. . | |E B+B . | | .oo=.o | +-----------------+ # ldaphostmgr -k /opt/ssh/etc/ssh_host_rsa_key.
In this example, you must verify the fingerprint of the key before adding it to the directory server. An alternative way to change a remote key is to securely obtain the public key file for the remote host and upload it using the file option as shown in the first example of Section 6.3.2 (page 201), but without specifying the -a option. 6.3.8 Revoking or removing keys If a key has been compromised and you want to revoke it and reissue a new key, use the previously described process for changing keys.
NOTE: Key expiration data is merely advisory. It is provided to allow the ldaphostlist tool to display hosts with keys that are considered expired. HP Secure Shell tools do not reject or take other actions when a key’s state is considered expired. 6.4.1 Setting advisory key expiration dates To set key expiration information, use the -e option on ldaphostmgr, and specify the number of days (from the current date) when the key is considered expired.
To do this, you must create a global configuration policy. Do this by first specifying the location of a global configuration policy in the LDAP-UX configuration profile. Then create a configuration policy entry using the configurableService objectclass and the serviceConfigParam attributes. The above schema for the Central Configuration service is defined in the /etc/opt/ ldapux/schema/ldapux5.0.xml file delivered with LDAP-UX B.05.00.
# buffer size for hpn to non-hpn connections
# HPNBufferSize 2048
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# Turn on/off Visual Fingerprint Display mode
# VisualHostKey no
checkhostip yes
### CCD NOTE: The following keyword-argument pairs are configured in LDAP server.
### If you want to add local configurations to this file, add above the "CCD NOTE" line.
The commented Ciphers line above is the stock default of that ssh release; a centrally distributed configuration is a convenient place to pin an explicit, modern cipher list instead of inheriting it.
Then once in the editor established by ldapentry, simply add the networkService object class and the serviceConfigParam as shown in the preceding example. 6.6 Distributing Keys to Non-HP-UX hosts The integrated ability to automatically use LDAP as an ssh key repository is available in HP Secure Shell A.05.50 or higher.
7 Command and tool reference This chapter describes the commands and tools associated with the LDAP-UX Client Services. 7.1 The LDAP-UX Client Services components The LDAP-UX Client Services product, comprising the components listed in Table 7-1, can be found under /opt/ldapux and /etc/opt/ldapux, except where noted. LDAP-UX Client Services libraries are listed in Table 7-2 (page 213) and Table 7-3 (page 213).
Table 7-1 LDAP-UX Client Services components (continued)
Component: /opt/ldapux/bin/ldapuglist, /opt/ldapux/bin/ldapugadd, /opt/ldapux/bin/ldapugmod, /opt/ldapux/bin/ldapugdel
Description: Tools to display, add, modify and delete user and group entries in an LDAP directory server. See Section 7.3 (page 219) for details.
Component: /opt/ldapux/bin/ldaphostmgr, /opt/ldapux/bin/ldaphostlist
Component: /etc/opt/ldapux/ug_templates/ug_passwd_std.tmpl, /etc/opt/ldapux/ug_templates/ug_group_std.
NOTE: For LDAP C SDK libraries information, see "Mozilla LDAP C SDK" (page 337) for details. Table 7-2 shows the LDAP-UX Client Services libraries on HP-UX 11i v2 and v3 PA-RISC machines:
Table 7-2 LDAP-UX Client Services libraries on the HP-UX 11i v2 or v3 PA-RISC machine
Files: /usr/lib/libldap_send.1 (32-bit), /usr/lib/libldap_util.1 (32-bit), /usr/lib/libnss_ldap.1 (32-bit), /usr/lib/libldapci.1 (32-bit), /usr/lib/libldap.
Description: LDAP-UX Client Services libraries.
7.2 Client management tools This section describes the following programs for managing client systems. display_profile_cache Displays the currently active profile. create_profile_entry Creates a new profile in the directory. get_profile_entry Downloads a profile from the directory to LDIF, and creates the profile cache. ldap_proxy_config Configures a proxy user.
7.2.3 create_profile_schema tool This tool, found in /opt/ldapux/config, extends the schema of an HP-UX Directory Server with the DUAConfigProfile object class using the information you provide interactively. Typically you run the setup program instead of running this program directly. 7.2.3.1 Syntax create_profile_schema 7.2.4 display_profile_cache tool This tool, found in /opt/ldapux/config, displays information from a binary profile (cache) file.
7.2.6 ldap_proxy_config tool This tool, found in /opt/ldapux/config, configures a proxy user or an Admin Proxy user for the client accessing the directory. It stores the proxy user information in the user proxy credential file /etc/opt/ldapux/pcred. The Admin Proxy user information is stored in the administrator proxy credential file /etc/opt/ldapux/acred. If you are using only anonymous access, you do not need to use this tool. You must run this tool logged in as root.
When you use the ldap_proxy_config -A -i command to configure an Admin Proxy user interactively from stdin, the procedure is similar to the one used by the ldap_proxy_config -i command for a proxy user. When configuring an Admin Proxy user, if you enter only the Admin Proxy user's DN without a password, root's password is used instead. -f file configures the proxy user from the specified file (file).
prox3pw proxyusr3 The following example configures the Admin Proxy user as uid=adminproxy,ou=special users,o=hp.com with the password adminproxpw, and creates or updates the file /etc/opt/ldapux/acred with this information. The Admin Proxy user uses simple authentication. ldap_proxy_config -A -i uid=adminproxy,ou=special users,o=hp.com adminproxpw The following example configures the Admin Proxy user as uid=adminproxy2,ou=special users,o=hp.
7.3 LDAP user and group management tools The LDAP-UX Integration product supports the following new LDAP command-line tools which enable you to manage user accounts and groups in an LDAP directory server. These new tools exist in the /opt/ldapux/bin directory and perform their operations based on the LDAP-UX profile's configuration. Each tool provides command options that enable you to alter these configuration parameters.
current command. If attribute mapping for the userPassword attribute has not been defined or set to “*NULL*” in the LDAP-UX configuration profile, ldapugadd or ldapugmod creates new passwords using the userPassword attribute. See the -PW option of Section 7.3.5 (page 232) or Section 7.3.6 (page 250) for additional information.
Table 7-4 Common return codes (continued) GETENV_FAILED The LDAP_BINDDN environment variable is set, but LDAP_BINDCRED is not set. BIND_PASSWORD_EXPIRED The bind Password has expired. BIND_INVALID_CRED The specified bind credential is invalid. BIND_ERR LDAP-UX failed to bind to the LDAP directory server. GET_PROXY_DECRYPT_FAILED Failed to decrypt proxy and credential information. MOD_LIMIT_REACHED There are too many modifications to perform. SSL_INIT_FAILED SSL initialization failed.
Table 7-4 Common return codes (continued) GROUP_DOESNOT_EXIST The specified group does not exist in the LDAP directory server. LOGIN_SHELL_DOESNOT_EXIST The specified login shell does not exist. HOMEDIR_DOESNOT_EXIST The specified home directory does not exist. LOGIN_SHELL_NOT_EXECUTE The specified login shell is not executable. ADD_GR_MEMBER_FAILED MemberUid is mapped to only dynamic group attributes, the add operation fails. ENTRY_NOT_FOUND The LDAP search returns no entries.
7.3.4 ldapuglist tool You can use the ldapuglist tool to display and enumerate POSIX-like account and group entries stored in an LDAP directory server, without requiring extensive knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server.
As another example, if the RFC 2307 attribute uidNumber has been mapped to the employeeNumber attribute, then without the -m option the output of the uidNumber field is: uidNumber: 520 When the -m option is specified, the output representing the uidNumber field is as follows: uidNumber[employeeNumber]: 520 The ldapuglist tool ignores the -m option if the -L option is specified. -L Displays output following the /etc/passwd or /etc/group format.
type indicates posixAccount-type entries. The group type indicates posixGroup-type entries. Specification of the type parameter tells ldapuglist how to handle processing of search filters and attribute mappings. If you do not specify the -t option, ldapuglist assumes the passwd type. For example, -t group. -h hostname[:port] Specifies the host name and optional port number of the LDAP directory server. This option overrides the server list configured in the LDAP-UX configuration profile.
In the following example, the gecos attribute has been mapped to cn, l and telephoneNumber. If the argument to -f is “(gecos=Jane Smith,BLD-5D,555-1212)”, then the resulting search filter presented to the LDAP directory server is as follows:
(&(objectclass=posixAccount)(&(cn=Jane Smith)(l=BLD-5D)(telephoneNumber=555-1212)))
As another example using memberUid, if memberUid has been mapped to member and memberUid.
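The following is an added example, not code from the LDAP-UX product, that models the filter rewriting just described: RFC 2307 names in a -f filter are replaced by their mapped directory attributes, and a value for an attribute mapped to several attributes (gecos to cn, l and telephoneNumber) is split on commas into an AND of one term per attribute. It also builds the by-name lookup filter of the form (&(objectclass=posixAccount)(uid=name)) that the ldapugdel description shows, with the name escaped per RFC 4515 so that a name taken from user input cannot alter the filter. The function names, the mapping dictionary format and the error raised for a wrong field count are this example's own.

```python
"""Rewrite an ldapuglist-style search filter through an attribute map.

Added example, not code from the LDAP-UX product.  It models the behaviour
the text describes for the -f option: RFC 2307 attribute names are rewritten
to their mapped directory attributes, and a value for an attribute mapped to
several directory attributes (gecos -> cn, l, telephoneNumber) is split on
commas into an AND of one term per attribute.  Function names, the mapping
dictionary format and the error for a wrong field count are this example's own.
"""
import re

OBJECTCLASS = {"passwd": "posixAccount", "group": "posixGroup"}
NAME_ATTR = {"passwd": "uid", "group": "cn"}

# A simple assertion term "(attr=value)"; values containing parentheses are
# not matched, so nested operators such as (&...) and (|...) stay untouched.
TERM = re.compile(r"\(([A-Za-z][A-Za-z0-9;-]*)=([^()]*)\)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value, so that an untrusted name
    cannot close the term or add operators (the classic LDAP-injection case)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def translate_filter(user_filter: str, mapping: dict, entry_type: str = "passwd") -> str:
    """Return the filter sent to the server for '-t entry_type -f user_filter'.

    mapping maps an RFC 2307 attribute name (case-insensitive) to the list of
    directory attributes it is mapped to.  The user's filter is assumed to be
    already RFC 4515 escaped, as the tool receives it on the command line.
    """
    lower_map = {k.lower(): list(v) for k, v in mapping.items()}

    def rewrite(match):
        attr, value = match.group(1), match.group(2)
        targets = lower_map.get(attr.lower(), [attr])
        if len(targets) == 1:
            return "(%s=%s)" % (targets[0], value)
        parts = value.split(",")
        if len(parts) != len(targets):
            raise ValueError(
                "%s maps to %d attributes but the value has %d comma-separated fields"
                % (attr, len(targets), len(parts)))
        return "(&" + "".join("(%s=%s)" % pair for pair in zip(targets, parts)) + ")"

    return "(&(objectclass=%s)%s)" % (OBJECTCLASS[entry_type], TERM.sub(rewrite, user_filter))


def build_name_filter(entry_type: str, name: str, mapping: dict = None) -> str:
    """Filter used to look up one account or group by name, e.g. the
    (&(objectclass=posixAccount)(uid=name)) form the text shows for ldapugdel.
    The name is escaped here because it is raw user input, not a filter."""
    attr = NAME_ATTR[entry_type]
    if mapping:
        attr = {k.lower(): v for k, v in mapping.items()}.get(attr, [attr])[0]
    return "(&(objectclass=%s)(%s=%s))" % (OBJECTCLASS[entry_type], attr,
                                          escape_filter_value(name))


if __name__ == "__main__":
    gecos_map = {"gecos": ["cn", "l", "telephoneNumber"]}
    print(translate_filter("(gecos=Jane Smith,BLD-5D,555-1212)", gecos_map))
    print(build_name_filter("passwd", "mfreise"))
    print(build_name_filter("group", "admins)(cn=*"))   # special characters are neutralised
```

The two entry points differ deliberately: a -f filter is taken as already escaped because it is a filter, whereas a bare name is escaped before it is placed into a filter.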
• sub: Perform a sub-tree search starting at the point identified in the -b option. -N Specifies the maximum number of entries to be returned. If you do not specify this option, the maximum number of entries to be returned is 200 by default. Some LDAP directory servers will limit the number of entries returned for a particular search request, regardless of how many entries are requested.
When you specify the -t passwd option, ldapuglist displays the following fields for a user entry:
• cn
• uid
• userPassword
• uidNumber
• gidNumber
• homeDirectory
• loginShell
• gecos
When you specify the -t group option, ldapuglist displays the following fields for a group entry:
• cn
• userPassword
• gidNumber
• memberUid
When you specify the -m option, the output format for both users and groups is changed to the following:
dn: dn1
field1[attribute1]: value1
field2[attribute2]: value2
field3[attribu
7.3.4.5.3 Encoding of the DN
ldapuglist displays DN strings according to the encoding rules defined in RFC 4514. The escape character “\” precedes each special character, which is written either as the character itself or as a two-digit hexadecimal representation of the character.
7.3.4.5.4 Passwords
In some cases, ldapuglist cannot access the user or group password fields. This can occur in the following cases:
• The ldapuglist tool has insufficient privilege to access the password field.
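The following is an added example, not LDAP-UX code, of the RFC 4514 encoding described above: it escapes the characters that must be escaped in an RDN value (either as a backslash followed by the character or as a two-digit hex code), reverses that encoding, and splits a dn: line from ldapuglist output back into its RDNs without breaking on an escaped comma. The function names and the sample DN are this example's own.

```python
"""Escape, unescape and split distinguished names per RFC 4514.

Added example, not LDAP-UX code.  It shows the encoding the text describes
for the dn: line of ldapuglist output: a backslash precedes each special
character, written either as the character itself or as a two-digit hex
code, and it lets a script split such a DN back into RDNs without breaking
on escaped commas.  Function names and sample DNs are this example's own.
"""

# Characters that must be escaped anywhere in a value (RFC 4514 section 2.4).
MUST_ESCAPE = set('",+\\<>;')
HEX = "0123456789abcdefABCDEF"


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in MUST_ESCAPE:
            out.append("\\" + ch)                 # \c form
        elif ch == "#" and i == 0:
            out.append("\\#")                     # leading '#' would read as hex-string form
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                     # leading/trailing space is significant
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))        # control characters: two-digit hex form
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse escape_rdn_value; hex pairs are collected as bytes so that an
    escaped multi-byte UTF-8 character (e.g. caf\\c3\\a9) decodes correctly."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += ch.encode("utf-8")
            i += 1
    return out.decode("utf-8")


def split_dn(dn: str) -> list:
    """Split a DN string into [(attribute, unescaped value), ...], honouring
    escaped commas.  Multi-valued RDNs (a=b+c=d) are not handled."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])           # keep the escape intact for now
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    result = []
    for rdn in rdns:
        attr, _, raw = rdn.partition("=")
        result.append((attr.strip(), unescape_rdn_value(raw)))
    return result


def build_dn(rdns: list) -> str:
    """Assemble a DN from [(attribute, plain value), ...]."""
    return ",".join("%s=%s" % (attr, escape_rdn_value(val)) for attr, val in rdns)


if __name__ == "__main__":
    dn = build_dn([("cn", "Smith, John"), ("ou", "people"), ("dc", "example"), ("dc", "com")])
    print(dn)          # cn=Smith\, John,ou=people,dc=example,dc=com
    print(split_dn(dn))
```

Splitting on every comma would cut the cn value above in two; tracking the escape is what makes the dn: line safe to parse in a script.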
7.3.4.7 Limitations
The ldapuglist tool has the following limitations:
• The ldapuglist tool does not support enumeration of members of a dynamic group, such as those defined by the dynamic group attributes memberURL or msDS-AzLDAPQuery.
• The ldapuglist tool does not perform conversion of the locale character set to and from the UTF-8 character set.
7.3.4.
gecos[telephoneNumber]: 555-555-9999
Run the following command to list an account entry with the account name mfreise that does not contain POSIX attributes:
./ldapuglist -t passwd -m -F "(uid=mfreise)"
The output is as follows:
dn: cn=Michael Freise,ou=people,dc=example,dc=com
cn[cn]: Michael Freise
uid[uid]: mlee
gecos[cn]: Michael Freise
gecos[l]: San Jose
gecos[telephoneNumber]: 555-555-5555
Use the following command to list all posixGroup entries that Mike Lou belongs to:
.
7.3.5 ldapugadd tool You can use the ldapugadd tool to add new POSIX accounts and groups to an LDAP directory server (as noted by the first and second syntaxes in Section 7.3.5.2 (page 233)). You can use ldapugadd to modify the /etc/opt/ldapux/ldapug.conf file to set defaults for creation of new users or groups (as noted by the third syntax, Section 7.3.5.2 (page 233)).
by a comma for each mapped attribute in the ldapugadd command, the comma-separated list is parsed and each comma-separated component is placed in the cn, l and telephoneNumber attributes. If the memberUid attribute has been mapped to the member attribute (where the member ID syntax is defined using a distinguished name [DN]), then ldapugadd translates the memberUid account name to a DN before placing the member attribute.
-ZZZ Requires a TLS connection to the LDAP directory server, even if the LDAP-UX configuration profile does not specify the use of TLS. Using the -ZZZ option requires that you define either a valid directory server or CA certificate in the /etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be established.
-F Forces creation of new user or group entries even if the following error conditions occur:
• The user name or group name already exists in the directory server.
entries in an LDAP directory server. Configuration changes using the -D options change the default values in the LDAP UG tool configuration file, /etc/opt/ldapux/ldapug.conf.
-u : Sets new default minimum and maximum ranges that ldapugadd uses when provisioning a UID number for newly created user entries. The UID range is inclusive of the specified end values.
-g Specifies the default group ID number used when creating new user entries.
to 90% of the range of available uidNumbers (specified with -D -u :). -g Optional. Specifies the user's primary login group name or ID number. After creating the user entry, ldapugadd attempts to add the user as a member of the specified group using the ldapugmod -t group command. To support numeric group names, ldapugadd always attempts to resolve the specified argument as a group name (even if it is a numeric string).
you want to create the home directory on this system, you must specify the -m option.
-I Optional. Specifies GECOS fields for the user. Typically the GECOS argument contains the following four fields, which represent (in order):
• The user’s full name
• The user’s work location
• The user’s work telephone number
• The user’s home telephone number (often omitted)
You must separate each field in the argument by a comma.
If you do not specify the -I option, ldapugadd does not add the attribute to the user entry. WARNING! If you specify the -I option and you have defined attribute mapping for the gecos attribute, be careful not to specify the same attributes in the command line that are also used in the gecos map. In the following example, if the gecos attribute has been mapped to cn, l, and telephoneNumber.
ug_templates directory. A full or relative path name must begin with a slash (/) or a period (.) character. If you do not specify this argument, ldapugadd uses the default template file /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl.
-x Optional. Specifies the user’s domain name. Use this option to specify the ${domain} value that can be used in the template file.
7.3.5.4.3 Arguments applicable to -t group The following is a list of valid arguments for -t group: Required argument. Specifies the POSIX textual style group name for the new group entry. is a required argument. It must follow all command line options and must precede the = parameters if provided. This group name must conform to HP-UX group name requirements. For more information about group name requirements, see the group(4) manpage. -g Optional.
NOTE: The ldapugadd tool can only add members that follow a static membership syntax (such as memberUid, member and uniqueMember) to a group. The ldapugadd tool will fail if the only mapping defined by the LDAP-UX configuration profile uses a dynamic group membership syntax (such as memberURL).
-c Optional. Specifies a comment that is stored in the description attribute as defined by RFC 2307. LDAP-UX does not support attribute mappings for the description attribute.
# This file can not be modified directly, but instead through
# the ldapugadd -D command.
#
uidNumber_range=100:20000
gidNumber_range=100:2000
default_gidNumber=20
default_homeDirectory=/home
default_loginShell=/usr/bin/sh
NOTE: You cannot modify the ldapug.conf file directly. To change the local host default values defined in /etc/opt/ldapux/ldapug.conf, you must use the ldapugadd -D command with the applicable command options. See Section 7.3.5.4.1 (page 234) for details.
7.3.5.
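The following is an added example, not ldapugadd code, that reads defaults in the ldapug.conf format shown above and picks the next free uidNumber from the configured inclusive range. The allocation rule (lowest unused number), the 90% near-exhaustion warning, and the validation of the default shell and home directory against the LOGIN_SHELL_DOESNOT_EXIST, LOGIN_SHELL_NOT_EXECUTE and HOMEDIR_DOESNOT_EXIST codes of Table 7-4 are this example's own assumptions about the tool's behaviour, not documented rules.

```python
"""Read ldapug.conf defaults and provision the next uidNumber from the range.

Added example, not ldapugadd code.  The file format follows the sample the
text shows (key=value lines, '#' comments, min:max ranges with inclusive
ends).  The selection rule, the 90% warning threshold and the validation of
the default shell and home directory are this example's own assumptions,
chosen to match the warning codes listed in Table 7-4.
"""
import os

# Constructed copy of the sample file from the text (not read from disk).
SAMPLE_CONF = """\
# This file can not be modified directly, but instead through
# the ldapugadd -D command.
#
uidNumber_range=100:20000
gidNumber_range=100:2000
default_gidNumber=20
default_homeDirectory=/home
default_loginShell=/usr/bin/sh
"""

WARN_FRACTION = 0.9   # assumption: flag the range once it is 90% allocated


def parse_ldapug_conf(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, line))
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def parse_range(spec: str) -> tuple:
    """'100:20000' -> (100, 20000); both ends are part of the range."""
    lo_s, hi_s = spec.split(":")
    lo, hi = int(lo_s), int(hi_s)
    if lo < 0 or lo > hi:
        raise ValueError("invalid range %r" % spec)
    return lo, hi


def next_free_id(id_range: tuple, in_use) -> int:
    """Lowest number in the range that is not already assigned."""
    lo, hi = id_range
    used = set(in_use)
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("no free number left in %d:%d" % (lo, hi))


def range_usage(id_range: tuple, in_use) -> float:
    """Fraction of the range that is assigned (numbers outside it are ignored)."""
    lo, hi = id_range
    assigned = sum(1 for n in set(in_use) if lo <= n <= hi)
    return assigned / (hi - lo + 1)


def provision_uid(conf: dict, in_use) -> tuple:
    """Return (uidNumber, near_exhaustion) for a new user entry."""
    id_range = parse_range(conf["uidNumber_range"])
    uid = next_free_id(id_range, in_use)
    near = range_usage(id_range, list(in_use) + [uid]) >= WARN_FRACTION
    return uid, near


def validate_defaults(conf: dict) -> list:
    """Warnings an 'ldapugadd -D' style change should raise on this host."""
    warnings = []
    shell = conf.get("default_loginShell")
    if shell is not None:
        if not os.path.isfile(shell):
            warnings.append("LOGIN_SHELL_DOESNOT_EXIST")
        elif not os.access(shell, os.X_OK):
            warnings.append("LOGIN_SHELL_NOT_EXECUTE")
    home = conf.get("default_homeDirectory")
    if home is not None and not os.path.isdir(home):
        warnings.append("HOMEDIR_DOESNOT_EXIST")
    return warnings


if __name__ == "__main__":
    conf = parse_ldapug_conf(SAMPLE_CONF)
    print(provision_uid(conf, [100, 101, 102]))                        # (103, False)
    print(validate_defaults({"default_loginShell": "/usr/bin/jsh"}))  # shell missing
```

The in_use list stands for the uidNumber values already present in the directory; a real tool would obtain them with a search rather than from a list.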
7.3.5.6.2 Default template files
The LDAP-UX Integration product provides two default template files for a standard directory server, one for a passwd and one for a group service entry.
Default template files for a standard directory server
Below is a default template file for the passwd name service:
NOTE: The template file used by the guided installation (autosetup) differs from this one: its template file excludes ou=people from the first line because that subtree is directly registered in the configuration profile.
that points to /etc/opt/ldapux/ug_templates/ug_group_std.tmpl for a standard LDAP directory server. For detailed information on how to use the correct format to define template files, see Section 7.3.5.6.3 (page 244). 7.3.5.6.3 Defining template files Pre-defined substitution constructs Each template file must follow the LDIF data format and also permit substitution of values from the ldapugadd command. Each template file can be built using custom RFC 2307–type attributes and values.
cn Represents the user’s full name when you define it in a passwd template file. Represents the group name when you define it in a group template file.
gidNumber Represents the group ID number when you specify it in a group template file for the new group entry.
In addition, comments are allowed. Comments are on a separate line and the first character is the # (hash) character.
7.3.5.7 Security considerations
The following are security considerations when using ldapugadd:
• Use of ldapugadd requires the permissions of an LDAP administrator when it performs its operations on the directory server.
• The rights to create new LDAP directory entries under the requested subtree, along with the rights to create the required attributes in that entry, must be granted to the LDAP administrator identity when executing ldapugadd.
Table 7-6 Return codes for ldapugadd (continued)
ADD_INVALID_KEYWORD    The specified keyword value is invalid; ldapugadd ignored the keyword. For example, if /usr/bin/jsh does not exist on the system, the ldapugadd -D -s /usr/bin/jsh command displays the following warnings:
WARNING: LOGIN_SHELL_DOESNOT_EXIST: Login shell /usr/bin/jsh' does not exist.
WARNING: ADD_INVALID_KEY Invalid keyword (default_loginShell), ignored.
Run the following commands to discover which non-POSIX attributes defined in the default template file are required to create the new user entry:
cd /opt/ldapux/bin
./ldapcfinfo -t passwd -R
The output of the commands is as follows:
Surname
The following commands add an account entry for the user alam, with the user's primary login group ID 300 and the surname Lam. The ldapugadd tool creates the password for the new user alam using the user password specified in the LDAP_UGCRED environment variable.
./ldapugadd -t passwd -PW -f "Mike Wang" -g 350 \
   -m -d "/home/wang" mwang surname="Wang"
Use the following command to display the new user entry, mwang:
./ldapuglist -t passwd -n mwang sn
The output of the user entry is as follows:
dn: cn=Mike Wang,ou=people,dc=example,dc=com
cn: Mike Wang
uid: mwang
uidNumber: 2255
gidNumber: 350
homeDirectory: /home/wang
loginShell: /usr/bin/sh
sn: Wang
The following command adds a new group entry for the group name, groupA.
7.3.6 ldapugmod tool The ldapugmod tool enables HP-UX administrators to modify existing POSIX accounts or groups in an LDAP directory server. When using extended options, you can use ldapugmod to modify arbitrary attributes for user or group entries or you can extend existing user or group entries with the POSIX data model. To use ldapugmod, you must provide LDAP administrator credentials that have sufficient privilege to perform the user or group modification operations in the LDAP directory server. 7.3.
-ZZ Attempts a TLS connection to the directory server, even if the LDAP-UX configuration does not require the use of TLS. If a TLS connection cannot be established, a non-TLS and non-SSL connection will be established. Do not use -ZZ unless alternative methods are used to protect against network eavesdropping. Use of -ZZ requires that you define a valid server or a CA certificate in the /etc/opt/ldapux/cert8.db file.
account-related information. The group type represents LDAP group entries that contain POSIX group-related information. -h Specifies the host name and optional port number (hostname:port) of the LDAP directory server. This option overrides the server list specified by the LDAP-UX configuration profile. This field supports specification of IPv4 and IPv6 addresses. If you specify a port for an IPv6 address, you must specify the IPv6 address in square-bracketed form.
interacts with the optional = parameters. See the = option below for details. You can specify the -R option more than once per command line. -n Specifies the new name of the user or group. This option replaces the uid attribute for user entries or the cn attribute for group entries with the new name, or the mapped attribute if attribute mapping has been specified for that attribute. The argument specifies the new name of the user or group.
NOTE: The ldapugmod tool does not modify the user’s group membership when changing the primary group ID. Adding the user as a member of the new group and possibly removing the member from the previous group must be done with separate ldapugmod operations.
-s Replaces the full path name to the executable that is used to handle login sessions for this user. If the argument is an empty string (a pair of double quotes: ""), ldapugmod removes the loginShell or mapped attribute.
WARNING! If you specify the -I option and you have defined attribute mapping for the gecos attribute, be careful not to specify the same attributes in the command line that are also used in the gecos map. In the following example, the gecos attribute has been mapped to cn, l, and telephoneNumber attributes.
type, ldapugmod uses the first attribute defined by the mapping. If the specified does not exist in the LDAP directory, you must use -F to define the member, and only use the memberUid attribute syntax.
NOTE: The ldapugmod tool can add members only to groups that follow a static membership syntax (such as memberUid, member and uniqueMember).
NOTE: The ldapugmod tool does not allow you to use the same attribute and value pair more than once, either as part of =, -R or -A, or with other command line options. The ldapugmod tool exits with error status before sending any conflict modification request to the LDAP directory server.
loginShell: /usr/bin/ksh
gecos: Smith Lou,San Jose,+1 555-510-5000
Perform the following ldapugmod command for the user entry, slou:
./ldapugmod -t passwd -R "cn=Smitta Lou" slou "cn=Smitty Lou"
The above command removes the cn value Smitta Lou and replaces it with the value Smitty Lou.
Table 7-7 Return codes for ldapugmod (continued)
MOD_COMMANDLINE_ERR    Member(s) need to be specified for the specified option. For example:
ldapugmod -t group -r ""
The output of the command is as follows:
ERROR: MOD_COMMANDLINE_ERR: member(s) need to be specified for -r option.
ldapugmod -t group -a ""
The output of the command is as follows:
ERROR: MOD_COMMANDLINE_ERR: member(s) need to be specified for -a option.
MOD_MEMBER_SKIPPED    Cannot remove the user account from the specified group; it will be skipped.
• As it may occur in any identity repository, modification of this repository will likely have impacts as defined by the organization security policy. When using ldapugmod, you are expected to have full knowledge of the organization security policy and the impact of modifying identity information in that identity repository. 7.3.6.
7.3.7 ldapugdel tool
Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory server. If you use ldapugdel with the -O option, ldapugdel removes the POSIX-related attributes and object classes from user or group entries without removing the entire entry itself.
7.3.7.1 Removing attributes only
You can use ldapugdel to remove entire POSIX user and group entries from an LDAP directory server.
warning message. With the -x option, LDAP-UX tries to remove as many attributes as the directory server allows.
-y Use this option only with the -O and -t passwd options. This option forces ldapugdel to remove the userPassword attribute from the user entry. HP does not recommend using the -y option when removing posixAccount-related attributes.
-Z Requires an SSL connection to the LDAP directory server, even if the LDAP-UX configuration does not require the use of SSL.
Specifies the name of the user entry that you want to delete. ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as (&(objectclass=posixAccount)(uid=name)). If more than one entry matches this search filter, only the first discovered entry is removed. You can specify only one of -D, or parameter on the command line. Specifies the name of the group entry that you want to delete.
NOTE: Keep the following considerations in mind when using the -O option: • The ldapugdel tool does not support attribute mappings. For example, if the uidNumber attribute has been mapped to the employeeNumber attribute, ldapugdel will attempt to remove uidNumber attribute and not employeeNumber.
Table 7-8 Return codes for ldapugdel
Return Codes    Message
DEL_COMMANDLINE_ERR    Invalid POSIX attributes.
DEL_MULTIPLE_ENTRY_FOUND    Multiple entries found that match the same name. Please use a DN to specify a specific entry.
DEL_DELETE_FAILED    The LDAP deletion operation failed.
DEL_SEARCH_FAILED    The LDAP search for subSchemaSubEntry, attributeTypes or objectClasses failed.
DEL_PARSE_ERROR    Unable to analyze the LDAP directory server’s schema.
Run the following command to delete the entire user account entry, astein, on the LDAP directory server, ldapsrvA. The -h option overrides the server list defined by the LDAP-UX configuration profile.
./ldapugdel -t passwd -h ldapsrvA:389 astein
Run the following command to delete the entire user account entry, msmart:
./ldapugdel -t passwd msmart
Run the following command to delete the entire group entry with the distinguished name, “cn=group1,ou=groups,dc=example,dc=com”:
.
7.3.8.2 Options and Arguments The ldaphostmgr tool supports the following options and arguments: -a Adds a new host to the directory server. The host is added to the base specified by the host service search descriptor in the LDAP-UX configuration profile entry (unless the -D option is used to specify the fully qualified DN). When an entry is created, the device and ipHost object classes are used. Optionally, additional object classes can be used to describe the host entry. See Section 7.3.8.
using that identity. Specifying -I on a remote host will fail if LDAP-UX (version > B.05.00) is not installed on that host.
-X Does not prompt for information, including the host’s password or other interactive confirmation prompts. If required information cannot be discovered, the command exits with an error. The -F option can be used to force an override for most confirmation prompts.
host_name is added to the entry. ldaphostmgr uses the /etc/resolv.conf file to determine the domain. If the -D option is specified, the value of the RDN (relative distinguished name) is used to determine the host_name. -S Displays the DN of the created, modified, or deleted host entry, at the end of the output. -v Displays additional information used to analyze and troubleshoot usage issues.
To replace an owner of the host, you can specify the -O option twice to remove the existing user and add a new one. For example:
ldaphostmgr -O !user:olduser -O user:newuser hostname
If the user is adding a new host entry (-a option) and the -O option is not specified, the owner attribute is assigned the DN of the current user (as authenticated by ldaphostmgr). Refer to Security Considerations for additional information. On ADS, the owner information is stored in the managedBy attribute.
If you specify the ! option, the specified key(s) is(are) removed from the host entry in the directory server. The actual keys on the host are not removed. If you specify the ? option, the key(s) on the host are validated against those found in the representative directory entry for the specified host. This option is usually used on the local host, so that the owner can verify that host key integrity as represented by the directory server.
by ldaphostmgr to modify the remote keys. This means that when the LDAP credentials are specified (through the prompt or LDAP_BINDDN), they must also represent a POSIX account, such that a remote login to that host can be performed by ldaphostmgr using that identity. The -k option is not supported with ADS. -e days-to-expire To keep track of when keys were originally generated, ldaphostmgr adds a unique management-string to the comment field of the public key.
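The following is an added example, not ldaphostmgr code, of the check the ? form of -k performs: the public keys present on a host are compared with the sshPublicKey values recorded for that host in the directory. Keys are matched by the SHA-256 fingerprint of the decoded key blob (the OpenSSH presentation), so a differing comment, such as the management string described for -e, does not affect the comparison. All key material in the block is constructed placeholder data, not real keys, and the report layout is this example's own.

```python
"""Check a host's SSH public keys against the keys recorded for it in the
directory.

Added example, not ldaphostmgr code.  It models the '?' form of -k the text
describes: each key found on the host is compared with the sshPublicKey
values of the host's directory entry.  Keys are compared by the SHA-256
fingerprint of the decoded key blob (the OpenSSH presentation), so comments
such as a key-management string do not affect the match.  All key material
below is constructed placeholder data, not real keys.
"""
import base64
import hashlib


def _blob(text: str) -> str:
    """Base64 'key blob' for the constructed sample lines below."""
    return base64.b64encode(text.encode()).decode()


# Constructed: what /etc/ssh/ssh_host_*_key.pub lines might look like on the host.
LOCAL_KEYS = [
    "ssh-rsa " + _blob("constructed-rsa-blob") + " root@hostA",
    "ssh-ed25519 " + _blob("constructed-ed25519-blob") + " root@hostA",
]

# Constructed: sshPublicKey values read from the directory entry for hostA.
DIRECTORY_KEYS = [
    "ssh-rsa " + _blob("constructed-rsa-blob") + " ldapux-managed",   # same key, other comment
    "ssh-dss " + _blob("constructed-old-dsa-blob") + " stale",        # no longer on the host
]


def parse_pubkey(line: str) -> tuple:
    """Split an OpenSSH public key line into (type, raw_blob_bytes, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    raw = base64.b64decode(parts[1], validate=True)
    return parts[0], raw, (parts[2] if len(parts) == 3 else "")


def fingerprint(raw: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 without padding."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def validate_host_keys(local_keys: list, directory_keys: list) -> dict:
    """Return fingerprints grouped as matched / missing_in_directory /
    stale_in_directory.  A host whose keys are all matched and that has no
    stale directory keys is consistent with its directory entry."""
    local = {fingerprint(parse_pubkey(k)[1]) for k in local_keys}
    remote = {fingerprint(parse_pubkey(k)[1]) for k in directory_keys}
    return {
        "matched": sorted(local & remote),
        "missing_in_directory": sorted(local - remote),
        "stale_in_directory": sorted(remote - local),
    }


def keys_consistent(local_keys: list, directory_keys: list) -> bool:
    """True when host and directory agree on the complete key set."""
    report = validate_host_keys(local_keys, directory_keys)
    return not report["missing_in_directory"] and not report["stale_in_directory"]


if __name__ == "__main__":
    for kind, fps in validate_host_keys(LOCAL_KEYS, DIRECTORY_KEYS).items():
        print(kind, fps)
```

A stale directory key is worth reporting as loudly as a missing one: clients that trust the directory entry would still accept a key the host no longer uses.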
ldapschema(1M) manpage and the /etc/opt/ldapux/schema/ldapux50.xml file provided.
-x domain Short, conventional name of the domain. This option specifies the value for the entityDomain attribute. Only one domain can be specified. If ! alone is specified, or ! is specified at the beginning of the domain, the domain is removed. On ADS, this value is not used because the location of the host is implied by its location in the directory tree.
-D DN, or host_name Specifies the host DN or POSIX host name to which to apply the operation. Specifying either -D DN or host_name is required, even if the intent is to manage data for the local host. Specify the host's true full or short name when using host_name. Do not specify localhost when attempting to modify the local host. If host_name is specified, it is position-dependent on the ldaphostmgr command line and should be placed after all the command options.
configured LDAP-UX authentication method. If neither of the above-mentioned environment variables is specified, ldaphostmgr determines whether the configured credential type is “proxy” and, if so, attempts to bind to the directory server using the configured LDAP-UX proxy credential. If configured, the acred proxy credential is used for administrative users (that is, if the user running ldaphostmgr has sufficient privilege to read the /etc/opt/ldapux/acred file).
When the attr=value parameter is used to modify an existing attribute, the ldaphostmgr command also uses the LDAP replace operation. The replace operation will remove all occurrences of the specified attribute for an entry and replace it with the value specified. If there are multiple values for a single attribute in an entry, the use of a single attr=value parameter will replace all values with the single value specified on the command line.
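The following is an added example, not ldapugmod or ldaphostmgr code, that models the three LDAP modify operations on an in-memory entry to make the point above concrete: a replace installs the given value and discards every other value of that attribute, whereas the -R "attr=old" ... "attr=new" edit shown for the slou entry is a delete of one value followed by an add, which leaves the attribute's other values alone. The sample entry (with a second cn value assumed so that the two styles differ), the function names and the conflict check for a repeated attribute/value pair are constructed for this example.

```python
"""Model LDAP modify operations on an in-memory entry.

Added example, not ldapugmod code.  It shows the point the text makes about
attr=value: an LDAP replace installs the given value(s) and discards every
other value of that attribute, while the -R "attr=old" ... "attr=new" edit
shown for the slou entry is a delete of one value followed by an add.  The
sample entry and function names are constructed for this example.
"""
from copy import deepcopy

# Constructed entry modelled on the slou example in the text; the second cn
# value is assumed so that the two edit styles behave differently.
SLOU = {
    "cn": ["Smith Lou", "Smitta Lou"],
    "uid": ["slou"],
    "loginShell": ["/usr/bin/ksh"],
    "gecos": ["Smith Lou,San Jose,+1 555-510-5000"],
}


def apply_mods(entry: dict, mods: list) -> dict:
    """Apply [(op, attr, [values]), ...] with RFC 4511 modify semantics and
    return the new entry; the input entry is left unchanged.
    op is 'add', 'delete' or 'replace'."""
    new = deepcopy(entry)
    for op, attr, values in mods:
        current = new.get(attr, [])
        if op == "replace":
            # A replace with no values removes the attribute entirely.
            if values:
                new[attr] = list(values)
            else:
                new.pop(attr, None)
        elif op == "add":
            for v in values:
                if v in current:
                    raise ValueError("attributeOrValueExists: %s=%s" % (attr, v))
            new[attr] = current + list(values)
        elif op == "delete":
            if not values:                      # delete the whole attribute
                if attr not in new:
                    raise ValueError("noSuchAttribute: %s" % attr)
                del new[attr]
            else:
                for v in values:
                    if v not in current:
                        raise ValueError("noSuchAttribute: %s=%s" % (attr, v))
                left = [v for v in current if v not in values]
                if left:
                    new[attr] = left
                else:
                    del new[attr]
        else:
            raise ValueError("unknown modify operation %r" % op)
    return new


def replace_single_value(attr: str, old: str, new_value: str) -> list:
    """Modifications for the -R style edit: swap one value, keep the others."""
    return [("delete", attr, [old]), ("add", attr, [new_value])]


def set_attribute(attr: str, value: str) -> list:
    """Modifications for an attr=value parameter (replace); an empty string
    removes the attribute, as the text describes for -s ""."""
    return [("replace", attr, [value] if value != "" else [])]


def conflicting_pairs(mods: list) -> list:
    """Attribute/value pairs used more than once across the modifications;
    ldapugmod refuses to send such a request at all."""
    seen, conflicts = set(), []
    for _op, attr, values in mods:
        for v in values:
            key = (attr.lower(), v)
            if key in seen and key not in conflicts:
                conflicts.append(key)
            seen.add(key)
    return conflicts


if __name__ == "__main__":
    print(apply_mods(SLOU, set_attribute("cn", "Smitty Lou"))["cn"])                     # ['Smitty Lou']
    print(apply_mods(SLOU, replace_single_value("cn", "Smitta Lou", "Smitty Lou"))["cn"])  # both values kept
```

Running the two edits on the same entry shows the difference directly: the replace leaves a single cn value, the delete-then-add leaves two.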
7.3.8.8 External Influences
7.3.8.8.1 Environment Variables
The ldaphostmgr tool supports the following environment variables:
LDAP_HOSTCRED When used in combination with the -PW option, LDAP_HOSTCRED specifies the proxy password of the newly created host. Also, if the ldapux(5) attribute mapping for the userPassword attribute has not been defined or is set to “*NULL*”, ldaphostmgr creates new passwords in the userPassword attribute.
• Uses the existing ldapux(5) configuration, requiring only a minimal number of command-line options to discover where to search for host information, such as which directory server(s) to contact and the proper search filters for finding accounts and groups. Provides command options to let you change these configuration parameters.
• Uses the existing ldapux(5) authentication configuration to determine how to bind to the LDAP directory server.
• Supports attribute mapping as configured by ldapux(5).
-P Prompts for the user’s bind DN and password. Without -P, ldaphostlist attempts to bind to the directory server using the environment variables LDAP_BINDDN and LDAP_BINDCRED. If those are not specified, the bind is anonymous or as the LDAP-UX proxy user, if configured.
-Z Requires an SSL connection to the directory server, even if the ldapux(5) configuration does not require the use of SSL. Use of -Z requires that either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.
profile or specified using -b) that are of the groupOfNames or groupOfUniqueNames object class and have the specified groupname. ldaphostlist enumerates the members of the specified group, searching for members that are hosts, and then displays those entries. The -f or -F option can be used to further narrow the list of returned host entries. Note that the -n and -m options are mutually exclusive.
-b base Overrides the search base as defined in the ldapux(5) configuration.
Then the actual search filter used by ldaphostlist would be:
(&(objectclass=ipHost)(hostName=myhost))
Notes:
• When -f is used and any of the attributes specified in the search filter have been mapped to “*NULL*”, ldaphostlist returns an error.
• Attributes that are not part of the LDAP-UX configuration profile mapping for the host service are not modified.
• Refer to RFC 2307, An Approach for Using LDAP as a Network Information Service, for the list of attributes that may be mapped.
-F filter
expiration. Use of -k is recommended only if the user performing the search request is not subject to directory server search-size limits, since ldaphostmgr must retrieve each entry to determine whether its keyage meets the specified criteria. If -k is specified, but none of the -n, -g, -f, or -F options is specified, then only hosts that have sshPublicKey attributes are displayed. keyage is optional.
Note that when the -m option is specified, the output format changes to the following:
dn: dn1
field1[attribute1]: value1
field2[attribute2]: value2
field3[attribute3]:: base64-encoded-value3
…
7.3.9.4 Special Considerations for Output Format
UTF8
Since LDAP directories require data to be stored according to the UTF-8 (RFC 3629) character encoding, all characters displayed by ldaphostlist are UTF-8 and are assumed to be part of the ISO 10646 character set.
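The following is an added example, not LDAP-UX code, that renders entry fields in the -m output format shown above (and earlier for ldapuglist) and decides between ": value" and ":: base64" by the LDIF rules of RFC 2849: a value is written in clear only when it is safe ASCII with no NUL, CR or LF, no leading space, colon or "<", and no trailing space; anything else, including UTF-8 text outside ASCII, is base64 encoded, which is what the field3[attribute3]:: line stands for. The field tuples, the sample entry (modelled on the mfreise example, with a non-ASCII value added to exercise the base64 branch) and the function names are constructed for this example.

```python
"""Render entry fields the way ldaphostlist/ldapuglist -m output shows them.

Added example, not LDAP-UX code.  The ':' versus '::' choice follows the
LDIF rules of RFC 2849: a value is written in clear after ': ' only when it is
safe ASCII (no NUL, CR or LF, no leading space, ':' or '<', no trailing
space); anything else, including UTF-8 text outside ASCII, is base64 encoded
after ':: '.  Field tuples and the sample entry are constructed.
"""
import base64


def ldif_safe(data: bytes) -> bool:
    """True if data may appear unencoded after ': ' (RFC 2849 SAFE-STRING)."""
    if not data:
        return True
    if data[0] in b" :<" or data[-1] == 0x20:
        return False
    return all(b < 0x80 and b not in (0x00, 0x0A, 0x0D) for b in data)


def format_value(value) -> str:
    """Return ': value' or ':: base64' for a str or bytes value."""
    data = value if isinstance(value, bytes) else value.encode("utf-8")
    if ldif_safe(data):
        return ": " + data.decode("ascii")
    return ":: " + base64.b64encode(data).decode("ascii")


def format_entry(dn: str, fields: list, show_mapping: bool = False) -> str:
    """fields is [(rfc2307_field, directory_attribute, value), ...].  With
    show_mapping the label becomes field[attribute], as with the -m option;
    a field mapped to several attributes simply appears once per attribute."""
    lines = ["dn" + format_value(dn)]
    for field, attribute, value in fields:
        label = "%s[%s]" % (field, attribute) if show_mapping else field
        lines.append(label + format_value(value))
    return "\n".join(lines)


def parse_output_line(line: str) -> tuple:
    """Reverse of format_value for one output line: (label, decoded value)."""
    label, _, rest = line.partition(":")
    if rest.startswith(":"):                      # '::' marks a base64 value
        return label, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return label, rest[1:] if rest.startswith(" ") else rest


# Constructed entry modelled on the mfreise example; the non-ASCII location
# is added to show the base64 branch.
SAMPLE = ("cn=Michael Freise,ou=people,dc=example,dc=com", [
    ("cn", "cn", "Michael Freise"),
    ("uid", "uid", "mfreise"),
    ("gecos", "cn", "Michael Freise"),
    ("gecos", "l", "San Jos\u00e9"),
    ("gecos", "telephoneNumber", "555-555-5555"),
])

if __name__ == "__main__":
    print(format_entry(*SAMPLE, show_mapping=True))
```

Scripts that post-process this output should go through parse_output_line (or an LDIF library) rather than splitting on ": ", otherwise any base64-encoded value is silently misread.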
NOTE: To prevent discovery of the LDAP administrator’s credentials, the LDAP user DN and password cannot be specified as command-line options to the ldaphostlist utility.
7.3.9.6 Errors and Warnings
Upon exit, ldaphostlist returns a 0 (zero) exit status if no errors or warnings were encountered. If ldaphostlist encounters an error or warning, a nonzero exit status is returned, and one or more messages are logged to stderr.
of the user’s credentials, and therefore eliminates the need to specify the LDAP_BINDDN and LDAP_BINDCRED environment variables. ldaphostlist only displays attributes for hosts for which the user has sufficient privilege to view. By default, (if neither the -P option nor the environment variables have been specified), ldaphostlist binds to the directory server anonymously, or uses the proxy user’s credentials if configured.
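The following is an added example, not ldaphostmgr or ldaphostlist code, of the bind-identity selection described for these tools: credentials prompted for with -P win; otherwise LDAP_BINDDN and LDAP_BINDCRED are used together (a DN without a credential is the GETENV_FAILED case of Table 7-4); otherwise a configured proxy credential is used, the administrative one only if the caller can read /etc/opt/ldapux/acred; otherwise the bind is anonymous. The tuple returned, the parameter names and the credential_type values are this example's own.

```python
"""Decide how an LDAP-UX command-line tool binds to the directory.

Added example, not ldaphostmgr/ldaphostlist code.  It follows the order the
text gives: prompted credentials (-P) first, then the LDAP_BINDDN and
LDAP_BINDCRED environment variables together, then a configured proxy
credential (the administrative acred only if readable by the caller), and
finally an anonymous bind.  The return tuple, the parameter names and the
credential_type values are this example's own.
"""
import os

ACRED_PATH = "/etc/opt/ldapux/acred"


def resolve_bind(env: dict, prompted=None, credential_type: str = "anonymous",
                 acred_path: str = ACRED_PATH) -> tuple:
    """Return (method, bind_dn): method is 'simple', 'proxy-admin', 'proxy',
    'anonymous' or 'GETENV_FAILED'.  prompted is (dn, password) from -P."""
    if prompted is not None:
        return "simple", prompted[0]
    dn = env.get("LDAP_BINDDN")
    cred = env.get("LDAP_BINDCRED")
    if dn and not cred:
        # Table 7-4: LDAP_BINDDN is set but LDAP_BINDCRED is not.
        return "GETENV_FAILED", None
    if dn:
        return "simple", dn
    if credential_type == "proxy":
        # Only a caller allowed to read acred gets the administrative proxy.
        if os.access(acred_path, os.R_OK):
            return "proxy-admin", acred_path
        return "proxy", None
    return "anonymous", None


def credentials_from_environ(environ=os.environ) -> dict:
    """Copy only the two bind variables, so the rest of the process
    environment is never logged or handed to a child process by mistake."""
    return {k: environ[k] for k in ("LDAP_BINDDN", "LDAP_BINDCRED") if k in environ}


if __name__ == "__main__":
    print(resolve_bind(credentials_from_environ(), credential_type="proxy"))
```

Keeping the password in an environment variable rather than an argument is what the NOTE above relies on: arguments are visible to every local user through the process table, the environment of a running process is not.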
7.3.10 ldapcfinfo tool
Use the ldapcfinfo tool to discover configuration information about the LDAP-UX product. The ldapcfinfo tool can also be used to discover the list of attributes required when creating new users or groups in an LDAP directory server. Non-interactive LDAP applications can use this tool to find LDAP-UX configuration details when adding new users or groups. The ldapcfinfo tool can also report whether LDAP-UX is properly configured and active for the specified service.
7.3.10.
are a static known list and are required, only non-POSIX attributes are displayed. -T Specifies the LDIF template file to be used to create new user or group entries. The parameter can be either a full or relative path name or a short name. A short name is defined as the distinguishing portion of the template file name.
on the same line, separated by white space. Attribute and objectclass names are case-insensitive. The [atobName] can be specified multiple times in a comma-separated list. No white space is allowed in the list.
-a Displays the recommended list of attributes that an interactive management tool considers making available for modification for the specified entry. In order for this operation to function properly, you must specify the -t option with the -a option.
-h Displays help text.
7.3.10.
Table 7-9 Return codes for ldapcfinfo (continued)
CFI_NOACRED    LDAP-UX administrator credential file does not exist.
CFI_NOACRED_PERM    Insufficient permissions to read the LDAP-UX administrator credential file.
CFI_ACRED_INVALID    LDAP-UX administrator credential file contains invalid credentials.
CFI_ACRED_GOOD    LDAP-UX administrator credential file is valid.
CFI_NO_CF_CONFIG    The /etc/opt/ldapux/ldapug.conf file is missing.
CFI_READCONFIG    Unable to read the /etc/opt/ldapux/ldapug.conf file.
The following command displays the LDAP-UX default search base for the group name service. In this example, “ou=Groups,” has been configured as the search base for the group name service.
./ldapcfinfo -t group -b
The output of the command is as follows:
ou=Groups,ou=org,dc=example,dc=com
The following command displays the location of the LDAP-UX configuration profile:
./ldapcfinfo -P
The output of the command is as follows:
dn: cn=ldapux-profile,ou=org,dc=example,dc=com
host: 55.2.22.
loginshell homedirectory gecos description 7.
7.4 LDAP directory tools
This section briefly describes the ldapentry, ldappasswd, ldapsearch, ldapmodify, and ldapdelete tools. For detailed information about ldapsearch, ldapmodify, and ldapdelete, see the HP-UX Directory Server administrator guide available at the following website: http://www.hp.com/go/hpux-security-docs Click HP-UX Directory Server.
7.4.1 ldapentry
ldapentry is a script tool that simplifies the task of adding, modifying and deleting entries in a Directory Server.
7.4.1.1 Syntax
ldapentry - [options]
where
-a Adds a new entry to the directory.
-m Modifies an existing entry in the directory.
-d Deletes an existing entry in the directory.
options
-f Forces command execution with warning override.
-v Displays verbose information.
-b Specifies the DN of the search/insert base which defines where ldapentry starts the search/insert for the entry. This option is optional if the LDAP_BASED variable is set.
NOTE: Although the ldapentry tool allows users to modify any information in the EDITOR window, the directory server has the final decision on accepting the modification. If the user enters invalid LDIF syntax, violates the directory's schema, or does not have the privilege to perform the modification, the ldapentry tool reports the error after the EDITOR window is closed, when it tries to update the directory server with the information.
7.4.3 ldapsearch You use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format. For detailed information, see the HP-UX Directory Server configuration, command, and file reference available at the following website: http://www.hp.
7.4.4 ldapmodify You use the ldapmodify command-line utility to add or modify entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and adds or modifies the entries based on the LDIF update statements contained in a specified file. Because ldapmodify uses LDIF update statements, ldapmodify can do everything ldapdelete can do.
7.4.5 ldapdelete You use the ldapdelete command-line utility to delete entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, and deletes the entry or entries. For details, see the HP-UX Directory Server administrator guide available at the following website: http://www.hp.com/go/hpux-security-docs Click HP-UX Directory Server. 7.4.5.
7.5 Schema extension utility 7.5.1 Overview A directory schema is a collection of attribute type definitions, object class definitions and other information supported by a directory server. Schema controls the type of data that can be stored in a directory server. Although there are some recommended schemas that came originally from the X.500 standards, mostly for representing individuals and organizations, there is no universal schema standard in place for every possible application.
with printer, public key and automount schemas. For Windows Active Directory Server, you will continue to run the setup tool to extend the directory server with the automount schema. 7.5.2.1 Operations performed by the schema extension utility The schema extension utility, ldapschema, supports the following two modes of operation: 1.
If you use the ldapschema tool with a directory server other than HP-UX Directory Server, Red Hat Directory Server, or Windows Active Directory Server, and that server does not return its supported matching rules and syntaxes in response to a schema search, you must define your own supported matching rules and syntaxes file.
7.5.3 ldapschema (schema extension) tool The ldapschema utility allows schema developers to define LDAP schemas using a universal XML syntax, greatly simplifying the ability to support different directory server variations. It can be used to query the current status of the LDAP schema on the LDAP directory server, as well as extend the LDAP directory server schema with new attribute types and object classes.
Table 7-11 Reserved LDAPv3 directory servers (continued)
Directory server                         Reserved value
Novell eDirectory Server                 eDirectory
IBM Tivoli Directory Server              ibm
Mac OS X Directory Server                mac
Sun One Directory Server                 sun
Computer Associates Directory Server     ca
iPlanet Directory Server                 iPlanet

-V ds_version  The version of the LDAP directory server. The strcasecmp() function compares the version given with this -V option against the version defined in the XML files the ldapschema utility processes.
-p   Specifies the LDAP directory server TCP port number. (Default: 389 for regular connections, 636 for SSL connections.)
-D   Specifies the distinguished name (DN) of an administrator who has permissions to read and modify the LDAP directory server schema.
-j   Reads the administrator's password from the named file (for simple authentication). Keep that file readable only by the administrator running the tool, since it holds a privileged credential in clear text.
-w-  Reads the administrator's password from a prompt (for simple authentication), so the password does not appear on the command line or in a file.
-Z   Establishes an SSL-encrypted connection.
7.5.3.3 Environment variables The ldapschema utility supports the following environment variables:
LDAP_BINDDN   The distinguished name (DN) of an administrator who has permissions to read and modify the LDAP directory server schema.
LDAP_BINCRED  The password for the privileged LDAP directory user.
LDAP_HOST     The host name of the LDAP directory server, in “hostname:port” format.
7.5.4 Schema definition file The ldapschema utility queries and extends the LDAP directory server schema based on an XML schema definition file. When using the ldapschema tool, the schema argument used with the -q or -e option must name the XML file containing the appropriate schema definition. Several predefined files (such as rfc3712.xml and rfc2256.xml) are stored in the /etc/opt/ldapux/schema directory, but a schema definition file can be stored in any directory under any file name.
7.5.4.1 Sample RFC3712.xml file A sample rfc3712.
7.5.4.2 Defining attribute types Each attribute type definition, enclosed by tags, can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification. Required. At least one attribute type name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification. Optional.
Optional, use if an attribute type requires indexing. At most one indexed flag can be specified. Optional, use to specify any directory-specific information about the attribute type. See Section 7.5.5 (page 311) for details. 7.5.4.
7.5.4.4 Defining object classes Each object class definition, enclosed by the tags, can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification. Required. At least one object class name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification. Optional.
7.5.4.5 Object class definition requirements To add the new schema to the LDAP directory server, each object class definition must meet the following requirements: • • • • • • • • • • The object class definition contains a tag with one numeric id value which adheres to RFC 2252 format specification. The object class definition has at least one tag with the object class name. Each name must adhere to RFC 2252 format specification.
7.5.5 Defining directory-specific information Attribute type and object class definitions can be extended with directory-specific information using the tag. This is useful to maintain a single schema definition file for different types and versions of LDAP directory servers. 7.5.5.
7.5.5.2 Example of defining directory-specific information in the object class definition Directory-specific information can be specified in the object class definitions as well as in optional and mandatory attributes. The following is an example of an object class definition with directory-specific information using the tag and the XML attributes not and only:
7.5.6 LDAP directory server definition file To properly install new attribute types in an LDAP directory server schema, the ldapschema utility needs to determine whether the LDAP server supports the matching rules and LDAP syntaxes used by the new attribute type definitions. The ldapschema utility performs an LDAP search for supported matching rules and syntaxes on the LDAP server. However, some types of directory servers do not provide this information as part of the search.
NOTE: Only LDAP syntaxes and matching rules fully supported by the LDAP directory server can be specified in this file. The vendor, versionGreaterOrEqual and versionLessThan attributes can be used to specify directory-specific information. See the /etc/opt/ldapux/schema/schema-ads.xml file for an example of LDAP directory server definition files. 7.5.6.2 Defining matching rules Each tag can contain the following case-sensitive tags, in the order specified: Required.
7.5.7 Mapping unsupported matching rules and LDAP syntaxes If matching rules and/or LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them to alternate matching rules and syntaxes the LDAP server does support. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.xml file, which defines a list of default substitution matching rules and syntaxes together with their alternate matching rules and syntaxes.
2.5.5.5                          Active Directory IA5 String LDAP syntax
1.3.6.1.4.1.1466.115.121.1.15    Directory String syntax
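The substitution described in this section, worked through as an added example (this is not HP's ldapschema code or the content of map-rules.xml): each RFC 2252 attribute type definition is checked against the set of syntax OIDs the server advertises, and a syntax the server lacks is spliced out in favour of a more inclusive one it has, reporting the result with ldapschema-style status names. The substitution table, the sample definitions and the sample "supported" set are constructed for the example; the RFC 2252 syntax OIDs and the RFC 2307 ipHostNumber definition are real.

```python
"""Substitute unsupported LDAP syntaxes in RFC 2252 attribute type definitions.

Added example (not HP's ldapschema): it mirrors the map-rules.xml idea of
replacing a syntax the target server lacks with a more inclusive one it has,
and reports the outcome with ldapschema-style status names.
"""
import re

# Syntax OIDs from RFC 2252 (all under the 1.3.6.1.4.1.1466.115.121.1 arc).
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
PRINTABLE_STRING = "1.3.6.1.4.1.1466.115.121.1.44"
BINARY = "1.3.6.1.4.1.1466.115.121.1.5"
OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"

# Constructed substitution table (an assumption, not the real map-rules.xml):
# IA5 and Printable strings are character subsets of Directory String, so a
# server that only knows Directory String can still store the values.
SUBSTITUTE = {
    IA5_STRING: DIRECTORY_STRING,
    PRINTABLE_STRING: DIRECTORY_STRING,
}

_SYNTAX_RE = re.compile(r"\bSYNTAX\s+'?(\d+(?:\.\d+)+)'?")
_NAME_RE = re.compile(r"\bNAME\s+\(?\s*'([^']+)'")


def attribute_name(attr_def):
    """First NAME value of an RFC 2252 attribute type definition, or '?'."""
    m = _NAME_RE.search(attr_def)
    return m.group(1) if m else "?"


def map_syntax(attr_def, supported):
    """Rewrite the SYNTAX OID of one definition if the server does not support it.

    Returns (definition, status, message) where status is SYNTAX_OK (no change),
    SYNTAX_UNRESOLVED (mapped to a supported syntax) or SYNTAX_INVALID (cannot be
    mapped, so the attribute type would not be added in extend mode).
    """
    m = _SYNTAX_RE.search(attr_def)
    name = attribute_name(attr_def)
    if not m:
        return attr_def, "SYNTAX_INVALID", f'attribute type "{name}" has no SYNTAX clause'
    oid = m.group(1)
    if oid in supported:
        return attr_def, "SYNTAX_OK", ""
    replacement = SUBSTITUTE.get(oid)
    if replacement is None or replacement not in supported:
        return attr_def, "SYNTAX_INVALID", (
            f'LDAP syntax "{oid}" used in the "{name}" attribute type definition '
            "is not supported on the LDAP server and has no mapping")
    # Splice only the OID so any {len} suffix and quoting around it survive.
    new_def = attr_def[:m.start(1)] + replacement + attr_def[m.end(1):]
    return new_def, "SYNTAX_UNRESOLVED", (
        f'LDAP syntax "{oid}" used in the "{name}" attribute type definition is '
        f'not supported on the LDAP server. LDAP syntax "{replacement}" will be used instead')


def map_schema(attr_defs, supported):
    """Apply map_syntax to every definition; returns a list of (def, status, message)."""
    return [map_syntax(d, supported) for d in attr_defs]


# Constructed input: RFC 2307 ipHostNumber (IA5 String{128}) and an attribute
# using the Binary syntax, against a server that advertises only Directory
# String and Octet String in its schema.
SAMPLE_DEFS = [
    "( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IP address' "
    "EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )",
    "( 1.2.3.4.5.6 NAME ( 'exampleBlob' 'xBlob' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )",
]
SAMPLE_SUPPORTED = {DIRECTORY_STRING, OCTET_STRING}

if __name__ == "__main__":
    for new_def, status, msg in map_schema(SAMPLE_DEFS, SAMPLE_SUPPORTED):
        print(status, msg)
        print("  ", new_def)
```

Run it as a script to see one definition mapped (SYNTAX_UNRESOLVED, with the {128} length preserved) and one rejected (SYNTAX_INVALID) because Binary has no substitute in the table. A real map-rules.xml mapping must only widen a syntax; narrowing (for example mapping Directory String to IA5 String) would silently reject existing non-ASCII values on the server.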
7.5.8 Return values from ldapschema The ldapschema tool returns the following values:
0    The operation is successful.
-1   The operation fails.
In addition, ldapschema prints to STDOUT the overall status of the schema being queried or extended. Based on the schema status, any combination of the following messages is displayed. Detailed explanations of each message are given in the square brackets following the message body text. 7.5.8.
If the SCHEMA_INVALID message is not displayed, the schema definition in the file is valid. It partially exists on the LDAP server schema, and can be extended with any remaining new valid attribute type and object class definitions.] SCHEMA_EXISTS No changes to the LDAP server schema are needed. All attribute types and object classes defined in the file are already part of the LDAP directory server schema.
elements defined in the file cannot be added to the LDAP server schema unless the force flag ("-F" option) is specified. [The SCHEMA_MISMATCH message indicates one or more attribute types or object classes defined in the file are already installed on the LDAP directory server, however, their definitions do not match.
ATTRIB_INVALID Attribute type definition is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the file.] ATTRIB_INVALID Attribute type “ ” has an invalid numericoid. Edit the schema definition file to specify an RFC 2252 compliant value for this attribute type.
attribute types, or if it is used as a mandatory or optional attribute in any object classes. Edit the file to correct this discrepancy. ATTRIB_UNRESOLVED Super-type used in "” attribute type definition is not defined in any LDAP schema. [This message indicates the super-type specified with the tag in the given attribute type definition is undefined. Edit the file to correct the name of the super- type in the attribute type definition.
numeric oid or name. If the ldapschema utility is executed in the extend mode, the given attribute type will not be added to the LDAP directory server schema. This message is displayed in verbose mode only.] ATTRIB_MISMATCH Definition of attribute type “” is incompatible with the definition already installed in the LDAP server schema. ATTRIB_REJECTED attribute type “” will not be added to the LDAP server schema because it is already part of the LDAP schema.
Edit the file to correct the name of the super-class in the object class definition. The super-class used in the object class definition must be defined either in the LDAP directory server schema or in the file before this object class can be installed.] OBJECT_UNRESOLVED Mandatory attribute used in the object class definition is not defined in any LDAP server schema.
schema/schema-ds_type.xml file, where ds_type corresponds to the same value specified with the -T option on the command line when executing the ldapschema utility.] RULE_INVALID Matching rule is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the /etc/opt/ldapux/schema/schema-ds_type.
SYNTAX_UNRESOLVED LDAP syntax “” used in the “” attribute type definition is not supported on the LDAP server. LDAP syntax “” will be used instead [This message indicates the specified syntax is not supported on the LDAP directory server. However, it was successfully mapped to a higher-level (more inclusive) syntax supported by that server, as specified in the /etc/opt/ldapux/schema/map-rules.xml file.
7.6 Name service migration scripts This section describes the shell and Perl scripts that can migrate your name service data, either from source files or from NIS maps, to your LDAP directory. These scripts are found in /opt/ldapux/migrate. The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your source files or NIS maps, while the Perl scripts migrate_passwd.pl, migrate_group.pl, migrate_hosts.pl, and so forth, migrate individual maps. The shell scripts call the Perl scripts.
NOTE: The scripts use ldapmodify to add entries to your directory. If you are starting with an empty directory, it may be faster for you to use ldif2db or ns-slapd ldif2db with the LDIF file. For details on ldif2db and ns-slapd, see the HP-UX Directory Server configuration, command, and file reference. 7.6.
7.6.3.2 Environment variables When using the perl scripts to migrate individual files, you need to set the following environment variable: LDAP_BASEDN The base distinguished name where you want to put data in the LDAP directory. For example, the following command sets the base DN to "o=hp.com": export LDAP_BASEDN="o=hp.com" 7.6.3.
objectclass: top ipHostNumber: 10.1.2.5 cn: HostA cn: HostA.hp.com 7.
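The hosts migration step in Python, as an added example rather than HP's migrate_hosts.pl: it turns /etc/hosts lines into the ipHost entries shown above (objectclass, ipHostNumber and one cn per name), reads the base DN from LDAP_BASEDN as Section 7.6.3.2 describes, and base64-encodes any value that is not LDIF-safe so ldapmodify does not misparse it. The ou=Hosts container, the cn+ipHostNumber RDN and the sample hosts data are assumptions constructed for the example; the objectclass device is added because RFC 2307 defines ipHost as auxiliary.

```python
"""Generate LDIF for /etc/hosts entries the way the migrate_hosts.pl step does.

Added example, not HP's script. It builds ipHost entries (RFC 2307) under
LDAP_BASEDN, base64-encodes values that are not LDIF-safe (RFC 2849), and is
offline: the sample hosts data below is constructed, not a real file.
"""
import base64
import os

# Assumed container RDN and structural class: ipHost is AUXILIARY in RFC 2307,
# so each entry also needs a structural class (device is the usual choice).
HOSTS_CONTAINER = "ou=Hosts"
OBJECT_CLASSES = ("top", "device", "ipHost")


def parse_hosts(text):
    """Yield (address, canonical_name, aliases) for each usable /etc/hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:          # blank, comment-only, or address without a name
            continue
        yield fields[0], fields[1], fields[2:]


def ldif_line(attr, value):
    """Format one attribute; base64 when the value is not SAFE-STRING per RFC 2849."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and "\0" not in value and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def host_entry(addr, name, aliases, base_dn):
    """LDIF for one host. The RDN pairs cn with ipHostNumber so that one name
    bound to several addresses does not collide (an assumption, not HP's choice)."""
    lines = [f"dn: cn={name}+ipHostNumber={addr},{HOSTS_CONTAINER},{base_dn}"]
    lines += [f"objectclass: {oc}" for oc in OBJECT_CLASSES]
    lines.append(ldif_line("ipHostNumber", addr))
    lines.append(ldif_line("cn", name))
    seen = {name.lower()}
    for alias in aliases:                    # cn is multi-valued; drop duplicate names
        if alias.lower() not in seen:
            seen.add(alias.lower())
            lines.append(ldif_line("cn", alias))
    return "\n".join(lines) + "\n"


def hosts_to_ldif(text, base_dn):
    """Whole file to LDIF; entries separated by a blank line as ldapmodify expects."""
    return "\n".join(host_entry(a, n, al, base_dn) for a, n, al in parse_hosts(text))


# Constructed sample, not a real /etc/hosts.
SAMPLE_HOSTS = """\
# constructed sample, not a real /etc/hosts
127.0.0.1   localhost loopback
10.1.2.5    HostA HostA.hp.com hosta
10.1.2.6    hostb            # trailing comment
10.1.2.7
"""

if __name__ == "__main__":
    base_dn = os.environ.get("LDAP_BASEDN", "o=hp.com")  # as in the export above
    print(hosts_to_ldif(SAMPLE_HOSTS, base_dn), end="")
```

With LDAP_BASEDN exported, the printed LDIF can be piped straight into ldapmodify with the add operation, or written to a file for ldif2db as the note above suggests for an empty directory. The address-only line (10.1.2.7) is skipped rather than turned into a nameless entry, and the alias hosta is dropped because cn matching is case-insensitive and HostA is already present.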
7.7 Unsupported contributed tools and scripts This section describes contributed tools and scripts which are not officially supported by HP at the present time. 7.7.1 beq (search) tool The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library.
pw_shell..........(/usr/bin/sh) pw_audid..........(0) pw_audflg.........(0) Use the following beq command if you are running 64-bit applications on an HP-UX 11i v2 or v3 Integrity server machine: ./beq -k n -s pwd -l /usr/lib/hpux64/libnss_ldap.so.1 iuser1 Use the following beq command if you are running 32-bit applications on an HP-UX 11i v2 or v3 Integrity server machine: ./beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 iuser1 2.
4. An example beq command using group name igrp1 as the search key, grp (group) as the service, and ldap as the library in 32-bit mode on an HP-UX 11i v2 or v3 PA-RISC machine is shown below: ./beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1 nss_status .............. NSS_SUCCESS gr_name...........(igrp1) gr_passwd.........(*) gr_gid............(21) pw_age............
7.7.3.1 Syntax uid2dn [UID] where UID is the user's uid (login name). 7.7.3.2 Examples The following command displays the DN for the user whose uid is john: ./uid2dn john The command produces output such as: CN=john lee,CN=Users,DC=usa,DC=example,DC=hp,DC=com 7.7.4 get_attr_map.pl (get attributemap from profile) tool This tool, found in /opt/ldapux/contrib/bin, gets the attributemap information for a given name service from the profile file /etc/opt/ldapux/ldapux_profile.
8 User tasks This chapter describes tasks pertaining to the management of users. 8.1 Modifying passwords With LDAP-UX Client Services, users change their password with the passwd command. Depending on how you have PAM configured and depending on where the user's information is, in the directory or in /etc/passwd, users may get prompted for their password twice as PAM looks in the configured locations for the user's information.
Figure 8-3 Sample passwd command wrapper
#!/usr/bin/ksh
#
# You can put a default master LDAP server host name
# here. Otherwise the local host is the default.
#
#LDAP_MASTER="masterHostName"
if [[ "$1" != "" ]]
then
    LDAP_MASTER="$1"
fi
if [[ "$LDAP_MASTER" = "" ]]
then
    eval "$(sed -e "1,/Service: NSS/d" /etc/opt/ldapux/ldapux_client.conf | \
        grep "^LDAP_HOSTPORT")"
    LDAP_MASTER="$(echo $LDAP_HOSTPORT | cut -d" " -f 1)"
fi
LDAP_BASEDN="$(grep -i "^defaultsearchbase:" \
    /etc/opt/ldapux/ldapux_profile.
9 Mozilla LDAP C SDK This chapter describes the Mozilla LDAP SDK for C and the SDK file components. 9.1 Overview The LDAP-UX Client Services provides Mozilla LDAP C SDK 6.0.5 support. The LDAP C SDK is a Software Development Kit that contains a set of LDAP Application Programming Interfaces (API) to allow you to build LDAP-enabled clients. Mozilla LDAP C SDK 6.0.5 supports IPv6 addressing. The functionality implemented in the SDK closely follows the interface outlined in RFC 2251.
Table 9-1 Mozilla LDAP C SDK file components on the PA-RISC machine (continued)
/usr/include/*                          Include files from the LDAP C SDK
/opt/ldapux/contrib/bin/certutil        Unsupported command tool that creates and modifies the certificate database files cert8.db and key3.db
/opt/ldapux/contrib/ldapsdk/examples    Unsupported LDAP C SDK examples
/opt/ldapux/contrib/ldapsdk/source.tar.
Table 9-2 Mozilla LDAP C SDK file components on an Integrity server machine
/usr/lib/hpux32/libldap.so (32-bit)              Main LDAP C SDK API libraries
/usr/lib/hpux64/libldap.so (64-bit)
/opt/ldapux/lib/hpux32/libfreebl3.so (32-bit)    LDAP C SDK dependency libraries
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit)
/opt/ldapux/lib/hpux32/libnss3.so (32-bit)
/opt/ldapux/lib/hpux32/libplc4.so (32-bit)
/opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit)
/opt/ldapux/lib/hpux32/libssl3.
Table 9-3 shows the header files that support the LDAP libraries. They reside under /usr/include, except where noted.
Table 9-3 Mozilla LDAP C SDK API header files
/usr/include/ldap.h            Main LDAP functions, structures and defines.
/usr/include/ldap-extension.h  Support for LDAP v3 extended operations, controls and other server-specific features. This file must be included in source code that uses LDAP v3 extended operations or controls.
/usr/include/ldap_ssl.
NOTE: No header files are provided for the legacy LDAP SDK because new applications should be built using the new LDAP SDK 6.0.5. Support for the legacy LDAP SDK will end with a future version of LDAP-UX. The legacy version of the LDAP C SDK does not support IPv6 addressing. If your application needs to support IPv6, be sure to use LDAP C SDK 6.0.5. 9.
10 Support and other resources 10.1 Contacting HP HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to: http://www.hp.com/bizsupport/feedback/ww/webfeedback.html Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
NOTE: This feature is not supported when using LDAP-UX Client Services with Windows ADS.
• IPv6 support: LDAP-UX OS integration and management tools can now connect to directory servers through IPv6 addressing.
• compat mode performance enhancement: For organizations that rely on the legacy netgroup /etc/passwd filtering, the compat mode performance enhancement significantly improves performance when numerous and large netgroups are used in the /etc/passwd file for controlling passwd fields.
— ldaphostlist Use the ldaphostlist tool to display and enumerate host entries that reside in an LDAP-based directory server. Although ldaphostlist provides output similar to the ldapsearch command, it satisfies a few specific feature requirements that allow applications to discover and evaluate hosts stored in an LDAP directory server without requiring intimate knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server.
The following and related documents are also available from the same site:
• LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide
• LDAP-UX Integration B.05.00 Release Notes
For more information about LDAP-UX Integration and related products and solutions, visit the following HP website: http://h71028.www7.hp.com/enterprise/us/en/os/hpux11i-security-components.html 10.
A Configuration worksheet Use the worksheet shown in Table A-1 to help you configure LDAP-UX Client Services. See “Installing and configuring LDAP-UX Client Services” (page 21) for details.
B LDAP-UX Client Services object classes This Appendix describes the object classes LDAP-UX Client Services uses for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles: 1. posixDUAProfile 2. posixNamingProfile With release B.03.00, the posixDUAProfile and posixNamingProfile object classes have been replaced by a single STRUCTURAL objectclass DUAConfigProfile. In addition, four new attributes are added.
NOTE: The userPassword attribute is mapped to *NULL* to prevent passwords from being returned (for increased security) and to prevent PAM_UNIX from authenticating users in the LDAP directory. Mapping to *NULL* or any other nonexistent attribute means do not return anything.
authenticationMethod is how the client binds to the directory.
bindTimeLimit
credentialLevel
defaultSearchBase
defaultServerList
followReferrals
preferredServerList
profileTTL
searchTimeLimit is how long, in seconds, a client should wait for directory searches before aborting. 0 (zero) means no time limit. If this attribute has no value, the default is no time limit.
serviceSearchDescriptor is one to three custom search descriptors for each service. The format is Service:BaseDN?Scope?(Filter) where Service is one of the supported services passwd, group, shadow, or pam. BaseDN is the base DN at which to start searches.
C Sample /etc/pam.ldap.trusted file configured by setup This appendix provides the sample PAM configuration file, /etc/pam.ldap.trusted generated by setup and used as the /etc/pam.conf file to support the coexistence of LDAP-UX and Trusted Mode. This /etc/pam.ldap.trusted file must be used as the /etc/pam.conf file if your directory server is the HP-UX Directory Server or Redhat Directory Server and your LDAP client is in the Trusted Mode.
rcomds auth required
rcomds auth sufficient
rcomds auth required
sshd auth required
sshd auth sufficient
sshd auth required
OTHER auth sufficient
OTHER auth required
# Account management
#
login account required
login account sufficient
login account required
su account required
su account sufficient
su account required
dtlogin account required
dtlogin account sufficient
dtlogin account required
dtaction account required
dtaction account sufficient
dtaction account required
ftp account required
ftp account sufficient
ftp account required
ftp account
dtlogin password required   libpam_hpsec.so.1
dtlogin password sufficient libpam_ldap.so.1
dtlogin password required   libpam_unix.so.1 try_first_pass
sshd    password required   libpam_hpsec.so.1
sshd    password sufficient libpam_ldap.so.1
sshd    password required   libpam_unix.so.1 try_first_pass
OTHER   password sufficient libpam_ldap.so.1
OTHER   password required   libpam_unix.so.
D Sample /etc/pam.conf file for security policy enforcement This appendix provides the sample PAM configuration file, /etc/pam.conf, configured to support account and password policy enforcement. In the /etc/pam.conf file, the PAM_AUTHZ library must be configured for the sshd and rcomds services under the account management role. The following is a sample PAM configuration file, /etc/pam.conf, used on an HP-UX 11i v2 system.
dtlogin account required
dtlogin account sufficient
dtlogin account required
dtaction account required
dtaction account sufficient
dtaction account required
ftp account required
ftp account sufficient
ftp account required
rcomds account required
rcomds account required
rcomds account sufficient
rcomds account required
sshd account required
sshd account required
sshd account sufficient
sshd account required
OTHER account sufficient
OTHER account required
# Session management
#
login session required
login se
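A check for the requirement this appendix states, written as an added example (not part of the HP guide): it parses the HP-UX pam.conf layout (service, management type, control flag, module, options), resolves each service's effective account stack including the OTHER fallback, and reports services whose account stack does not run the PAM_AUTHZ library with a control flag that can deny access, or runs it only after a sufficient module that would short-circuit the stack. The module file name libpam_authz.so.1 and the sample configuration are assumptions constructed for the example.

```python
"""Audit an HP-UX /etc/pam.conf for the policy-enforcement layout in appendix D.

Added example, not part of the HP guide. It parses the four-column pam.conf
format (service, type, control flag, module [options]) and reports services
whose account stack does not enforce the PAM_AUTHZ library. The module file
name libpam_authz.so.1 and the sample configuration are assumptions.
"""

AUTHZ_MODULE = "libpam_authz.so.1"          # assumed file name of the PAM_AUTHZ library
REQUIRED_SERVICES = ("sshd", "rcomds")      # services appendix D says must carry it


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected service type control module")
        service, mgmt_type, control, module = fields[:4]
        entries.append((service, mgmt_type.lower(), control.lower(), module, tuple(fields[4:])))
    return entries


def effective_stack(entries, service, mgmt_type):
    """Modules PAM consults for a service; falls back to OTHER when the
    service has no entry of that management type, as libpam does."""
    own = [e for e in entries if e[0] == service and e[1] == mgmt_type]
    if own:
        return own
    return [e for e in entries if e[0] == "OTHER" and e[1] == mgmt_type]


def services_missing_authz(entries, services=REQUIRED_SERVICES, module=AUTHZ_MODULE):
    """Services whose account stack does not enforce the authorization module.

    Enforced means: listed with required or requisite, and placed before the
    first sufficient entry. A sufficient module that succeeds ends the stack,
    so an authz line after it is never consulted.
    """
    missing = []
    for svc in services:
        stack = effective_stack(entries, svc, "account")
        first_sufficient = next(
            (i for i, e in enumerate(stack) if e[2] == "sufficient"), len(stack))
        enforced = any(e[3].endswith(module) and e[2] in ("required", "requisite")
                       for e in stack[:first_sufficient])
        if not enforced:
            missing.append(svc)
    return missing


# Constructed sample modelled on appendix D: sshd carries the PAM_AUTHZ line,
# rcomds was left at the plain hpsec/ldap/unix stack.
SAMPLE_PAM_CONF = """\
# Account management
sshd    account required   libpam_hpsec.so.1
sshd    account required   libpam_authz.so.1
sshd    account sufficient libpam_ldap.so.1
sshd    account required   libpam_unix.so.1
rcomds  account required   libpam_hpsec.so.1
rcomds  account sufficient libpam_ldap.so.1
rcomds  account required   libpam_unix.so.1
OTHER   account sufficient libpam_ldap.so.1
OTHER   account required   libpam_unix.so.1
"""

if __name__ == "__main__":
    missing = services_missing_authz(parse_pam_conf(SAMPLE_PAM_CONF))
    print("OK" if not missing else "PAM_AUTHZ missing for: " + ", ".join(missing))
```

Point parse_pam_conf at the contents of a real /etc/pam.conf to audit a client after setup or autosetup has rewritten it. The ordering rule matters on this page's own samples: libpam_ldap.so.1 is listed as sufficient, so an authorization module placed after it would only run for users libpam_ldap did not already accept.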
E Samples of LDAP-UX configuration files created or modified by autosetup The sections in this appendix provide samples of the configuration files modified or created by autosetup: • Section E.1: NSS configuration file /etc/nsswitch.conf • Section E.2: PAM configuration file /etc/pam.conf • Section E.3: Startup configuration file /etc/opt/ldapux/ldapux_client.conf • Section E.4: Client daemon configuration file /etc/opt/ldapux/ldapclientd.conf E.
login auth
login auth
login auth
su auth
su auth
su auth
dtlogin auth
dtlogin auth
dtlogin auth
dtaction auth
dtaction auth
dtaction auth
ftp auth
ftp auth
ftp auth
rcomds auth
rcomds auth
rcomds auth
sshd auth
sshd auth
sshd auth
OTHER auth
OTHER auth
OTHER auth
#
# Account management
#
login account
login account
login account
su account
su account
su account
dtlogin account
dtlogin account
dtlogin account
dtaction account
dtaction account
dtaction account
ftp account
ftp account
ftp account
rcomds accoun
E.3 ldapux_client.conf file after autosetup configuration The autosetup script creates the start-up file /etc/opt/ldapux/ldapux_client.conf on the LDAP-UX client system, enabled for TLS support (enable_startTLS is set to 1). The following shows the ldapux_client.conf that is configured by autosetup.
# LDAP-UX Client Services Configuration File
# file name: /etc/opt/ldapux/ldapux_client.conf
#
# This file contains two sections of information.
# Setting the user password to be returned as any string for the hidden # password could allow users with active accounts on a remote host to # rlogin to the local host on to a disabled account. # #password_as="x" # You can use the following configuration to specify initial Trusted Mode # auditing for LDAP users. "0" will tell LDAP-UX to set initial auditing # to be "off" for all LDAP users logging into this HP-UX client system, "1" # will set initial auditing to be "on".
# initializes the user's group access list. The following configuration # controls if LDAP-UX should return dynamic groups that a user belongs to. # # If "enable_dynamic_getgroupsbymember" is set to 1, which is the default, # LDAP-UX returns both static and dynamic groups that a user belongs to. # As a result, the user has the access right granted to all those groups. # # If "enable_dynamic_getgroupsbymember" is set to 0, LDAP-UX returns only # static groups that a user belongs to.
the directory server to restrict proxy user rights. The following shows the ldapclientd.conf that is configured by autosetup. #!/sbin/sh # @(#) $Revision: 1.12 $ # ldap client daemon configuration. # # Please note, the below keys are case sensitive. # # Example: # # [passwd] # enable=yes # poscache_ttl=600 # negcache_ttl=600 # # Note that "TTLs" (time to live) values are in seconds. # Note that cache sizes are in bytes.
# # Maximum number of bytes that should be cached by ldapclientd. # This value is the maximum upper limit of memory that can be # used by ldapclientd. If this limit is reached, new entries are # not cached, until enough expired entries are freed. # cache_size=10000000 # # A state, a virtual connection between the client and LDAP server, # is created for the setXXent() request, and stays for the subsequent # getXXent() requests.
# enumeration cache. 86400 = one per day. # longterm_enum_search_interval=86400 # #enable=no #longterm_expired_interval=1209600 #longterm_cache_backup_interval=900 #longterm_cache_size=50000000 #longterm_enum_enable=no #longterm_enum_search_interval=86400 [printers] # Define the status of the printer configurator when ldapclientd starts. # Option "yes" means the printer configurator service will be activated # when ldapclientd starts.
Glossary
Access Control Instruction  A specification controlling access to entries in a directory.
Access Control List  One or more ACIs.
ACI  See Access Control Instruction.
Configuration profile  An entry in an LDAP directory containing information common to many clients, that allows clients to access user, group and other information in the directory. Clients download the profile from the directory. See also Client Configuration File.
DIGEST-MD5  Message Digest version 5.
Start-up file  A text file containing information the client needs to access an LDAP directory and download a configuration profile. See also Configuration profile.
ypldapd  The NIS/LDAP Gateway daemon, part of the NIS/LDAP Gateway subproduct.