LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
but you must write your own scripts or use other tools to merge the data into your directory.
PosixAccount attributes can be added to your users already in the directory to leverage your
existing directory data.
For information about importing information into the directory, refer to Section 2.5.1 (page 52).
For information on migration scripts, refer to the “Command and tool reference” chapter of
the LDAP-UX Client Services Administrator's Guide.
CAUTION: If you place a root login (any account with UID number 0) in the directory server,
that user, with that password, will be able to log in as root on any client that uses LDAP-UX
Client Services. Keeping the root user in /etc/passwd on each client system allows the root user
to be managed locally. This is especially useful when the network is down, because it
allows local access to the system when the directory server is unreachable.
It is not recommended that you put the same users both in /etc/passwd and in the directory.
This could lead to conflicts and unexpected behavior.
NOTE: If you are planning a first-time deployment of managing user and group data in the
directory server, HP suggests that you devise a strategy to avoid UID number and GID number
overlap. Most likely, you will need to continue managing some accounts locally on the hosts.
Often the root user, and sometimes application accounts (such as www for the httpd process),
remain managed in the local /etc/passwd file. Devise a convention establishing a range
for UID numbers and one for GID numbers such that accounts and groups in LDAP do not
conflict with those on local hosts. For example, accounts in LDAP could all have UID numbers
greater than 1000, while accounts on local hosts would be restricted to UID numbers less than
1000.
For information about ensuring that user and group numbers to be migrated or imported into
a directory server do not collide with the ones already used on the HP-UX host, see
Section 2.5.1.1 (page 53).
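As an added example (not HP's own tooling or part of this guide), the following check applies the conventions above before an import: it flags any posixAccount with uidNumber 0, any UID number or user name that already exists in the local /etc/passwd, and any UID number that is not above the agreed LDAP floor. The LDIF format assumed is minimal (one attribute per line, blank line between entries), the floor of 1000 is the convention from the NOTE, and the sample data is constructed.

```python
LDAP_ID_FLOOR = 1000  # assumed site convention from the NOTE: directory ids > 1000
# Constructed sample data (not from any real system); one attribute per line.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jsmith
uidNumber: 2001

dn: cn=admin,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: admin
uidNumber: 0

dn: cn=www,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: www
uidNumber: 30"""
SAMPLE_PASSWD = "root:x:0:3::/:/sbin/sh\nwww:x:30:1:httpd:/var/www:/sbin/sh\n"

def parse_ldif(text):
    # Minimal LDIF: entries separated by a blank line, no continuation lines.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for key, _, value in (l.partition(":") for l in block.splitlines()):
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def parse_passwd(text):
    # Map local user name -> UID number from /etc/passwd-style text.
    fields = (line.split(":") for line in text.splitlines() if line.strip())
    return {f[0]: int(f[2]) for f in fields if len(f) >= 3}

def find_conflicts(ldif_text, passwd_text, floor=LDAP_ID_FLOOR):
    """Return (user, reason) pairs for posixAccount entries breaking the conventions."""
    local = parse_passwd(passwd_text)
    problems = []
    for e in parse_ldif(ldif_text):
        if "posixAccount" not in e.get("objectClass", []):
            continue
        name, uidnum = e["uid"][0], int(e["uidNumber"][0])
        if uidnum == 0:  # CAUTION: a UID 0 entry can log in as root on every client
            problems.append((name, "uidNumber 0 in the directory"))
        if uidnum in local.values():
            problems.append((name, "uidNumber %d collides with local /etc/passwd" % uidnum))
        if name in local:
            problems.append((name, "user name also present in local /etc/passwd"))
        if uidnum <= floor:
            problems.append((name, "uidNumber %d not above LDAP floor %d" % (uidnum, floor)))
    return problems
```

Run it against the real LDIF you intend to import and the client's /etc/passwd; an empty result means the entries respect the UID convention and the CAUTION above.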
• How many profiles do you need?
If you use multiple ADS domains, refer to “Active Directory multiple domains” (page 64) for
more information about configuring remote domains.
If multiple ADS domains are not used, refer to the following information.
A configuration profile is a directory entry that contains configuration information shared by
a group of clients. The profile contains the information clients need to access user and group
data in the directory. For example, this information includes:
◦ Your directory server hosts.
◦ Where your supported name service data is in the directory.
◦ Other configuration parameters such as search time limits.
If these parameters are the same for all your clients, you need only one profile. You will need
at least one profile per Active Directory Domain Controller. In general, it is a good idea to
have as few profiles as necessary to simplify maintenance. Refer to Appendix B (page 146) to
decide how many different profiles you need.
If you are familiar with NIS, one possibility is to create a separate profile for each NIS domain.
• Where will you put your profile in your directory?
The profile contains directory access information, specifying how and where clients can find
user and group data in the directory. You can put the profile with your user data, or in a
separate configuration area. HP-UX hosts must have access to the profile, the user data, and
the group data. Figure 5 shows a configuration profile DN of CN=profile data,
30 Installing LDAP-UX Client Services