LDAP-UX Client Services B.05.00 Administrator's Guide

NOTE: If you are planning a first-time deployment in which user and group data are managed in
the directory server, HP suggests that you devise a strategy to avoid UID number and GID number
overlap. Most likely, you will need to continue managing some accounts that are local to the
hosts in the LDAP-UX domain. Often the root user, and sometimes application accounts (such
as www for the httpd process) remain managed in the local /etc/passwd file. Devise a
convention establishing a range for UID numbers and one for GID numbers such that accounts
and groups in LDAP do not conflict with those on the local hosts. For example, accounts in LDAP
could all have UID numbers greater than 1000, while accounts on local hosts would be restricted
to UID numbers less than 1000.
For information about ensuring that user and group numbers to be migrated or imported into
a new directory server do not collide with the ones created by the guided installation, see
Section 2.5.1.1 (page 90).
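The following script is an added example, not part of the LDAP-UX guide or the autosetup tool. It checks the range convention described in the note above (here taken as local UID/GID numbers up to 999 and LDAP UID/GID numbers from 1000 upward; the cut-off value is an assumption) against two passwd- or group-format files: the local /etc/passwd or /etc/group and a file of the entries you intend to migrate into LDAP. The sample files it creates are constructed for illustration; on a real host you would point check_ids at /etc/passwd and at the passwd-format export of the accounts to be migrated.

```shell
#!/bin/sh
# Added example: detect UID/GID range violations and collisions between
# locally managed entries and entries destined for LDAP.
# Assumed convention (not mandated by the guide): local IDs <= 999, LDAP IDs >= 1000.

LOCAL_MAX=999    # highest UID/GID allowed for entries kept in local files
LDAP_MIN=1000    # lowest UID/GID allowed for entries managed in LDAP

# check_ids LOCAL_FILE LDAP_FILE ID_FIELD
#   Both files use passwd/group syntax (name:x:ID:...); ID_FIELD is the
#   colon-separated field holding the numeric ID (3 for passwd and group).
#   Prints one line per problem; returns 0 only when nothing was found.
#   Note: the FNR==NR idiom assumes LOCAL_FILE is not empty.
check_ids() {
    awk -F: -v idf="$3" -v lmax="$LOCAL_MAX" -v lmin="$LDAP_MIN" '
        NF < 3 { next }                 # skip blank, comment and NIS "+" lines
        # First file (local): remember which names own each ID and flag
        # local IDs that stray into the LDAP range.
        FNR == NR {
            id = $idf + 0
            owners[id] = (id in owners) ? owners[id] "," $1 : $1
            if (id > lmax) { printf "RANGE local %s id %d exceeds %d\n", $1, id, lmax; n++ }
            next
        }
        # Second file (LDAP-bound): flag IDs below the LDAP range and IDs
        # already taken by a local entry.
        {
            id = $idf + 0
            if (id < lmin) { printf "RANGE ldap %s id %d below %d\n", $1, id, lmin; n++ }
            if (id in owners) { printf "COLLISION id %d used by local %s and ldap %s\n", id, owners[id], $1; n++ }
        }
        END { exit (n > 0) }
    ' "$1" "$2"
}

# Constructed sample data (placeholder hosts and users, not real data).
work=${TMPDIR:-/tmp}/idcheck.$$
mkdir -p "$work"

cat > "$work/local.passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
www:x:30:1::/:/sbin/sh
oracle:x:1500:20::/home/oracle:/usr/bin/sh
EOF
cat > "$work/ldap.passwd" <<'EOF'
asmith:x:1001:2000::/home/asmith:/usr/bin/sh
bkim:x:500:2000::/home/bkim:/usr/bin/sh
oracle:x:1500:2000::/home/oracle:/usr/bin/sh
EOF
cat > "$work/local.group" <<'EOF'
root:x:0:
sys:x:3:root
users:x:20:
EOF
cat > "$work/ldap.group" <<'EOF'
ldapusers:x:2000:
staff:x:20:
EOF
cat > "$work/ldap_ok.group" <<'EOF'
ldapusers:x:2000:
dev:x:2001:
EOF

local_passwd=$work/local.passwd;  ldap_passwd=$work/ldap.passwd
local_group=$work/local.group;    ldap_group=$work/ldap.group
ldap_group_ok=$work/ldap_ok.group

problems=0
echo "Checking UID numbers ..."
check_ids "$local_passwd" "$ldap_passwd" 3 || problems=1
echo "Checking GID numbers ..."
check_ids "$local_group" "$ldap_group" 3 || problems=1
if [ "$problems" -eq 0 ]; then
    echo "No UID/GID range violations or collisions found"
else
    echo "Resolve the items above before migrating these entries into LDAP"
fi
# Sample files are left under $work for inspection.
```

In the sample run the script reports that the local oracle account sits in the LDAP range, that the LDAP-bound bkim account sits in the local range, that oracle exists on both sides with the same UID, and that the LDAP staff group reuses GID 20 of the local users group; the same function run against ldap_ok.group reports nothing and returns 0.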
NOTE: When configuring and setting up LDAP-UX, you will likely be prompted for credentials
of an administrator. If you are asked to enter the credentials (password) of a user, make sure
that the connection between your client and the HP-UX system (where you are running
autosetup) is secured and not subject to network eavesdropping. One option to protect such
communication may be to use the ssh protocol when connecting to the HP-UX host being
configured.
2.3.6.1 Interactively running New Directory Server Installation mode
To interactively install LDAP-UX and create a new HP-UX Directory Server for your LDAP-UX
environment, follow these steps. Before you begin, make sure you have installed the HP-UX
Directory Server product on the local host.
1. Log in as root and run the autosetup command, as shown in the following example:
# /opt/ldapux/config/autosetup
2. The script detects whether a registered LDAP-protocol directory server instance exists in
the local DNS domain. Because you are creating a new LDAP-UX environment that needs a new
directory server, the scan finds no directory server, as the output indicates. The first prompt
gives you several options. To run the installation so that it sets up a new directory server, press
Return, as shown:
Scanning DNS domain west.acme.com for any registered LDAP directory servers
- No directory servers found.
Please enter the host name and port number of a directory server,
a Windows domain name, or press Return to create a new directory
server on this host: Return
3. The script begins creating a new directory server instance on the local host. It creates the
Directory Manager root DN as cn=Directory Manager and prompts you to create a
password and to re-enter the password to confirm (the password is hidden):
The directory server requires a "super-user" ID. This ID has all
privileges (is not subject to any access control) on the directory server
and the name is set as "cn=Directory Manager". Please enter a password
for this user.
Please enter the "cn=Directory Manager" password: [password not displayed] Return
Please re-enter the "cn=Directory Manager" password: [password not displayed] Return
As indicated, the Directory Manager has all privileges and is not subject to directory server
access control policies. The Directory Manager is a unique, powerful entry that is typically
used to repair and recover from errors in the configuration. The Directory Manager can
correct problems that affect users who do not have access control privileges for doing so.
There is no directory entry for the Directory Manager user; it is used only for authentication.
2.3 Guided installation (autosetup) 45