LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

Do you want to use SSL or TLS for secure communication between LDAP clients and the
Windows 2003 R2/2008 Active Directory Server?
The LDAP-UX Client Services supports SSL or TLS, with a password as the credential, using either
simple or SASL/GSSAPI authentication (SASL/GSSAPI is available for the Windows 2003
R2/2008 Active Directory Server only) to ensure confidentiality and data integrity between
the clients and servers. StartTLS is an extended operation for the TLS (Transport Layer Security)
protocol. You can use the startTLS operation to set up TLS secure communication over an
unencrypted (regular) LDAP port. The secure connection can also be established on an
encrypted LDAP port when using SSL. By default, SSL and TLS are disabled. For detailed
information, refer to Section 2.4.6 (page 48).
What authentication method will you use when you choose to enable TLS?
You have a choice between SIMPLE (the default), or SASL/GSSAPI with TLS.
LDAP-UX Client Services includes support for the SASL Generic Security Services Application
Programming Interface (GSSAPI) authentication method using Kerberos v5. Currently, Kerberos
v5 is the only security mechanism implemented to work with GSSAPI. For this release,
SASL/GSSAPI authentication is supported only for Microsoft Windows 2003 R2/2008 Active
Directory. SASL/GSSAPI authentication is used only for proxy user authentication by the name
service subsystem. Host, service or other principals may be used as the LDAP-UX proxy identity.
For detailed information on SASL/GSSAPI support, see Section 6.3 (page 96).
What authentication method will you use when you choose to enable SSL?
You have a choice between SIMPLE (the default), or SASL/GSSAPI with SSL.
What authentication method will you use when you choose to not enable SSL or TLS?
You have a choice between SIMPLE (the default), or SASL/GSSAPI.
Do you want to specify the keytab file when you use SASL/GSSAPI authentication?
LDAP-UX Client Services allows you to specify the keytab file when you use SASL/GSSAPI
authentication. You can run the setup program to specify the keytab file. If no file is specified,
LDAP-UX uses the default keytab file configured in /etc/krb5.conf by the
default_keytab_name setting. If no default keytab file is configured in /etc/krb5.conf,
the file /etc/krb5.keytab is used.
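The fallback order described above, written out as a small script so an administrator can see which keytab the proxy identity will actually use before running setup. This is an added example and not part of the guide or of LDAP-UX; the krb5.conf it creates is constructed for the demonstration, and the /var/adm/ldapux.keytab path in it is a made-up value.

```sh
#!/bin/sh
# Added example: report which keytab LDAP-UX would fall back to for SASL/GSSAPI
# when no keytab was given to the setup program, following the documented order:
#   1. default_keytab_name in the [libdefaults] section of krb5.conf
#   2. otherwise /etc/krb5.keytab
# Usage: resolve_keytab [krb5.conf]        (defaults to /etc/krb5.conf)

resolve_keytab() {
    conf=${1:-/etc/krb5.conf}
    kt=""
    if [ -r "$conf" ]; then
        # Only honour the key inside [libdefaults]; strip the optional FILE: prefix
        # and any trailing whitespace.
        kt=$(awk '
            /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults]/); next }
            insec && /^[ \t]*default_keytab_name[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/^FILE:/, ""); sub(/[ \t]*$/, "")
                print; exit
            }' "$conf")
    fi
    [ -n "$kt" ] || kt=/etc/krb5.keytab
    printf '%s\n' "$kt"
}

# The keytab holds the proxy identity's Kerberos key, so it should exist and
# not be readable by others. Prints "missing", "world-readable" or "ok".
check_keytab_perms() {
    kt=$1
    if [ ! -f "$kt" ]; then
        echo "missing"
    elif [ -n "$(find "$kt" -perm -004 2>/dev/null)" ]; then
        echo "world-readable"
    else
        echo "ok"
    fi
}

# Demonstration on a constructed krb5.conf (not a real host's configuration).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/var/adm/ldapux.keytab
[realms]
    default_keytab_name = /should/not/match
EOF
    resolve_keytab "$dir/krb5.conf"      # configured keytab wins
    resolve_keytab "$dir/absent.conf"    # no such file: /etc/krb5.keytab
    rm -rf "$dir"
}

demo
```

Run it on the real /etc/krb5.conf with no argument to see the keytab the setup program's default would resolve to, then pass that path to check_keytab_perms before relying on it.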
Do you want to store and manage automount maps in the directory server? If so, the setup
program can be used to import the new automount schema into your directory server.
LDAP-UX Client Services B.04.10 and later supports the automount service under the AutoFS
subsystem. This feature allows you to store or retrieve automount maps in or from a directory
server. LDAP-UX Client Services supports the new automount schema based on RFC 2307-bis.
The setup program will import the new automount schema into your Directory Server.
For the detailed information about AutoFS with LDAP support, see “Configuring AutoFS support”
(page 55).
What name services will you use? How will you set up /etc/nsswitch.conf? What order
do you want NSS to try services?
NSS is the Name Service Switch, providing naming services for user names, group names,
and other information. You can configure NSS to use files, LDAP, or NIS in any order and
with different parameters. Refer to /etc/nsswitch.ldap for an example nsswitch.conf
file using files and LDAP. For more information, see the nsswitch.conf(4) manpage and
"Configuring the Name Service Switch" in NFS Services Administrator's Guide at:
http://www.hp.com/go/hpux-core-docs (Click HP-UX 11i v3).
It is recommended that you use files first, followed by LDAP, for passwd, group and other supported
name services. With this configuration, NSS will first check files, then check the directory if
32 Installing LDAP-UX Client Services