LDAP-UX Client Services B.05.00 Administrator's Guide

A sample of the ldapclientd.conf file is included in Section E.4 (page 363).
14. Starts the LDAP-UX client daemon (ldapclientd) and the central configuration service
daemon (ldapconfd).
2.3.2 Principles of the LDAP-UX domain
When used for installing LDAP-UX in a non-Windows environment for the first time, the guided
installation defines the management framework for, and actually creates, an LDAP-UX domain.
An LDAP-UX domain is a collection of users, groups and hosts that can be managed in the LDAP
directory server, using the user and host management tools described elsewhere in this document
(see Section 5.6 (page 174)).
NOTE: This section does not apply to guided installations of LDAP-UX into a Windows ADS
domain. An LDAP-UX domain is not a Windows domain. A Windows ADS domain already
defines a directory information tree, information model, and security policy. The LDAP-UX
domain defines similar elements.
An LDAP-UX domain is defined by an LDAP-UX configuration profile. All hosts configured to
point to the same LDAP-UX configuration profile are considered part of that same domain. The
configuration profile follows the standard defined by RFC 4876; as such, it can be used to define
the same domain for platforms aside from HP-UX. (For more information about configuring the
profile, see Section 5.12 (page 183).) While the guided installation defines this configuration profile
automatically, any configuration profile can be considered the basis of an LDAP-UX domain.
The guided installation uses the host management tools to automatically provision into the
directory server any relevant information about HP-UX hosts contained in the domain. Creating
host entries in the directory server serves at least two purposes:
• As part of the secured framework described in Section 2.3.2.3 (page 33), the guided
installation assures that data is protected from anonymous access (anonymous access is
defined when a new HP-UX Directory Server instance is created). Directory server data is
available only to known clients. When the OS is acting on behalf of its users, it needs a proxy
identity to represent the users of the host. The host entry is used to represent that proxy
identity.
• As part of the new ssh key management feature, when the guided installation creates the
new host entry it also uploads the host's ssh public keys. This simplifies management of ssh
keys in the directory server. With HP Secure Shell A.05.50 or higher, the host entry can be
used to assure trust between hosts managed in the domain. For more information about
managing ssh host keys, see "Managing ssh host keys with LDAP-UX" (page 193).
To assure that the LDAP directory server can be trusted as a secure repository for host users and
groups, the identity of the directory server must be validated. Being SSL-enabled (as is required),
the directory server can provide that validation with SSL certificates. In addition, through SSL
encryption, it can assure that private information such as user passwords is not intercepted
while it is in transit.
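As an added example (not code from the guide or from LDAP-UX itself), the Python below parses a constructed RFC 4876 configuration profile of the kind that defines an LDAP-UX domain and flags settings that contradict the framework described above: an authentication method that is not TLS-protected, or a credential level that permits anonymous access. Attribute names follow RFC 4876; the DNs, host names and profile name are placeholders.

```python
# Constructed sample RFC 4876 DUAConfigProfile (placeholder DNs and hosts,
# not taken from the guide or from any real deployment).
SAMPLE_PROFILE_LDIF = """\
dn: cn=ldapux-profile,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: ldapux-profile
defaultServerList: ds1.example.com:636 ds2.example.com:636
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
credentialLevel: proxy
authenticationMethod: tls:simple
serviceSearchDescriptor: passwd:ou=People,dc=example,
 dc=com?one
serviceSearchDescriptor: group:ou=Groups,dc=example,dc=com?one
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lower: [values]}; folded lines
    (continuation lines starting with a space) are joined, '#' lines skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def profile_security_findings(ldif_text):
    """Return findings for settings that weaken the domain framework. When an
    attribute is absent, RFC 4876 defaults apply: authenticationMethod 'none'
    and credentialLevel 'anonymous', both of which are flagged."""
    p = parse_ldif_entry(ldif_text)
    findings = []
    for method in p.get("authenticationmethod", ["none"]):
        if not method.lower().startswith("tls:"):
            findings.append("authenticationMethod '%s' is not TLS-protected" % method)
    # credentialLevel is a space-separated preference list, e.g. "proxy anonymous"
    levels = p.get("credentiallevel", ["anonymous"])[0].lower().split()
    if "anonymous" in levels:
        findings.append("credentialLevel allows anonymous access: %s" % " ".join(levels))
    return findings
```

Run the check against the profile entry exported from the directory server before pointing hosts at it; an empty result means every host in the domain will bind over TLS with its proxy identity rather than anonymously.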
NOTE: SSL/TLS protocols support a variety of different cryptographic algorithms (ciphers) for
use in authentication operations between server and client, certificate transmissions, and session
key establishment. If a cipher is found to be flawed and subject to attack, administrators of HP-UX
and the directory server need to know about that vulnerability. Ciphers can be disabled
in the directory server. For information about SSL/TLS ciphers and which ones are supported
by LDAP-UX, see Section 2.4.6.3 (page 82).
When a new directory server instance is created, the guided installation defines the management
framework for the LDAP-UX domain. This framework consists of the following major components:
• Directory information tree (DIT): Defines the hierarchical structure in which different
objects in the domain are stored, as described in Section 2.3.2.1 (page 28).
2.3 Guided installation (autosetup) 27