LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
directory server in your environment or asked if you wish to create a new directory server
instance on the local host.
2. To guarantee confidentiality and data integrity, autosetup uses the StartTLS extended
operation on a regular LDAP connection with simple authentication (bind DN and password).
3. To trust the certificate presented by the server, autosetup determines whether the local HP-UX
host has a certificate database that includes the Certificate Authority (CA) certificate that issued
the server certificate.
4. If the CA certificate has not already been pre-installed, autosetup creates the certificate and key
database files (cert8.db and key3.db): it obtains the server certificate from the Active
Directory Server, and then downloads all the trusted CA certificates from the NTAuth store in
the Active Directory Server. The autosetup script places in the cert8.db database file only the
one CA certificate that signed the SSL server certificate of the directory server. The cert8.db
file stores public keys, while the key3.db file stores private keys. A warning message is
displayed to indicate that an untrusted method is being used to obtain the CA certificate.
5. Because a configuration profile can be shared by LDAP-UX clients, autosetup checks for
an existing profile entry in the Active Directory Server, using a standard profile path
(cn=ldapuxprofile,cn=system,dc=...). If the default profile entry exists, autosetup
downloads it into an LDIF file (/etc/opt/ldapux/ldapux_profile.ldif) and creates
a binary profile file (/etc/opt/ldapux/ldapux_profile.bin) based on the LDIF file.
6. If the default profile entry does not exist, autosetup checks for any other profile entries that
might be saved. If any are found, you are prompted to select a configuration profile to
download or to create a default profile entry.
7. Before adding the profile entry, autosetup determines whether the schema defined in RFC
4876 exists in the Active Directory Server. If the schema does not exist, then the script extends
the Active Directory Server schema.
8. Creates the start-up file (/etc/opt/ldapux/ldapux_client.conf) on the LDAP-UX client
system with TLS support enabled (enable_startTLS is set to 1).
9. Creates a new computer account/host entry in the directory server that represents the current
HP-UX host. If a host entry already exists with the same name, an autosetup prompt asks
if the existing entry should be deleted and replaced. In addition, the autosetup script maps
the Kerberos principal name to the computer account, sets the host principal password, and
creates a keytab file. If necessary, the script merges the keytab file with an existing keytab
file (/etc/krb5.keytab).
10. Configures the local host as a Kerberos client of the Active Directory Server by modifying the
existing Kerberos configuration file /etc/krb5.conf or, if one does not already exist, by
creating a new one.
11. Configures the host principal as a proxy user. It stores the encrypted proxy user information
in the /etc/opt/ldapux/pcred file. The proxy file contains two lines: the proxy user DN
on the first line and the password on the second line.
12. Configures NSS and PAM for Kerberos by modifying the /etc/pam.conf and
/etc/nsswitch.conf files.
13. Modifies /etc/opt/ldapux/ldapuxclientd.conf to:
• Enable the LDAP-UX client daemon ldapclientd to launch automatically whenever the
system is rebooted ([StartOnBoot] is defined with enable=yes).
• Set iproxy_is_restricted=yes in the [general] section, which indicates that the
computer account entry created in step 9 is not privileged. This setting enables additional
capabilities provided by the ldapuglist and ldaphostlist tools.
14. Starts the LDAP-UX client daemon (ldapclientd) and the central configuration service
daemon (ldapconfd).
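The following audit script is an added example, not part of the HP-UX guide or the LDAP-UX product: it checks that a client is in the state steps 8 to 13 above describe (StartTLS enabled, daemon started on boot, restricted proxy entry, a two-line pcred file that is not readable by others, and the Kerberos configuration and keytab present). It assumes that ldapux_client.conf holds plain key=value lines and that ldapuxclientd.conf uses [section] headers; the key names are the ones the guide lists.

```shell
#!/bin/sh
# Added example, not from the HP-UX guide: audit the state that autosetup is
# described as leaving behind in steps 8 to 13. Assumed file formats: plain
# key=value lines, with [section] headers in ldapuxclientd.conf.

# ini_get FILE SECTION KEY: print KEY's value inside [SECTION]; an empty
# SECTION means "anywhere in the file". Prints nothing when KEY is absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        BEGIN { in_sec = (sec == "") }
        /^[ \t]*\[/ { in_sec = (index($0, "[" sec "]") > 0); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# check_ldapux_setup CLIENT_CONF DAEMON_CONF PCRED KRB5_CONF KEYTAB
# Prints one line per finding and returns the number of findings (0 = clean).
check_ldapux_setup() {
    n=0
    # Step 8: the client start-up file must have StartTLS enabled
    [ "$(ini_get "$1" "" enable_startTLS)" = "1" ] ||
        { echo "enable_startTLS is not 1 in $1"; n=$((n + 1)); }
    # Step 13: daemon starts on boot; proxy entry flagged as unprivileged
    # (key name as listed in the guide)
    [ "$(ini_get "$2" StartOnBoot enable)" = "yes" ] ||
        { echo "[StartOnBoot] enable is not yes in $2"; n=$((n + 1)); }
    [ "$(ini_get "$2" general iproxy_is_restricted)" = "yes" ] ||
        { echo "[general] iproxy_is_restricted is not yes in $2"; n=$((n + 1)); }
    # Step 11: pcred holds a credential: exactly two lines (DN, password)
    # and no access for group or others
    if [ -f "$3" ]; then
        [ "$(awk 'END { print NR }' "$3")" -eq 2 ] ||
            { echo "$3 does not contain exactly two lines"; n=$((n + 1)); }
        [ "$(ls -ld "$3" | cut -c5-10)" = "------" ] ||
            { echo "$3 is accessible to group or others"; n=$((n + 1)); }
    else
        echo "$3 is missing"; n=$((n + 1))
    fi
    # Steps 9 and 10: Kerberos client config and merged host keytab present
    [ -f "$4" ] || { echo "$4 is missing"; n=$((n + 1)); }
    [ -f "$5" ] || { echo "$5 is missing"; n=$((n + 1)); }
    return $n
}

# With the five paths on the command line, run the audit (for the guide's paths:
# /etc/opt/ldapux/ldapux_client.conf ... /etc/krb5.keytab); otherwise only define.
if [ $# -eq 5 ]; then check_ldapux_setup "$@"; fi
```

The exit status is the number of findings, so a zero exit means every check passed.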
2.3 Guided installation (autosetup) 17