LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

HP-UX machine to create /etc/krb5.keytab. Refer to Appendix D (page 156) for more
information.
This is one way to configure an HP-UX Kerberos client to communicate with multiple KDCs.
For other possibilities using cross-realm authentication, refer to the [capaths] section of the
krb5.conf manpage (that is: man krb5.conf).
The guided installation available with B.05.00 will take care of Kerberos integration between
HP-UX and Windows.
2.4.4.5 Step 5: Add POSIX attributes into the global catalog
The GCS is the domain controller that hosts the global catalog for a forest. The global catalog
contains partial information about each domain in the forest. If you want LDAP-UX Client Services to
query the GCS to determine which domain the queried data belongs to, add the following POSIX
attributes to the global catalog:
For Windows 2003 R2 and Windows 2008 RFC 2307:
    uid
    uidnumber
    gidnumber
For detailed information on how to perform this task, refer to Section 3.6.6 (page 68).
For information on how LDAP-UX Client Services retrieves data from remote domains, refer to
“Active Directory multiple domains” (page 64).
2.4.5 Configuring LDAP-UX Client Services
To configure the LDAP-UX Client Services, complete the steps in this section.
If you intend to enable SSL or TLS support with LDAP-UX, you must configure the directory server
to support SSL or TLS and install the security database (cert8.db and key3.db) on your client
before you run the setup program. For SSL or TLS setup details, refer to Section 2.4.6 (page 48).
2.4.5.1 Step 1: Install the PAM Kerberos product
LDAP-UX Client Services with Active Directory uses the Kerberos Authentication method. If not
already available on your system, you will need to install and configure PAM Kerberos. Some
instructions for doing this are shown later in this step. Additional information can be found in the
Configuration Guide for Kerberos Products on HP-UX, available at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
To support integration with Active Directory Server, a specific version of the PAM-Kerberos product
is required. For information about version support and required patches, see the section titled
“Kerberos support on HP-UX 11i v2 or v3” in the LDAP-UX Integration B.05.00 Release Notes.
If you also wish to use SASL/GSSAPI for proxied authentication, see the LDAP-UX Integration
B.05.00 Release Notes for the version of Kerberos Client and any patches that are required. You
need to add ipnodes service information in the /etc/nsswitch.conf file as follows:
    ipnodes: dns files
NOTE: For more information, see the Kerberos Client Release Notes available at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
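A pre-setup check for the prerequisites this section names (the ipnodes entry, the cert8.db and key3.db security database, and /etc/krb5.keytab), as an added example that is not part of the HP guide. The function names are this example's own, and the security database directory is passed as an argument because this page does not give its location.

```shell
#!/bin/sh
# Added example: pre-setup checks for the prerequisites named in this section.
# File locations are arguments; the function names are this example's own.

# Print the sources on the active "ipnodes:" line of an nsswitch.conf file.
# Comments are stripped first, so a commented-out entry is ignored.
ipnodes_sources() {
    awk '{ sub(/#.*/, "") }
         $1 == "ipnodes:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if the entry is exactly the one this section gives.
check_ipnodes() {
    [ "$(ipnodes_sources "$1")" = "dns files" ]
}

# Succeed only if both security database files exist and are non-empty.
check_secdb() {
    [ -s "$1/cert8.db" ] && [ -s "$1/key3.db" ]
}

# Succeed only if the Kerberos keytab exists and is non-empty.
check_keytab() {
    [ -s "$1" ]
}

# preflight NSSWITCH SECDB_DIR KEYTAB: report each check, return the failure count.
preflight() {
    failures=0
    if check_ipnodes "$1"; then echo "PASS  $1: ipnodes: dns files"
    else echo "FAIL  $1: ipnodes is '$(ipnodes_sources "$1")', want 'dns files'"
         failures=$((failures + 1)); fi
    if check_secdb "$2"; then echo "PASS  $2: cert8.db and key3.db present"
    else echo "FAIL  $2: cert8.db or key3.db missing or empty"
         failures=$((failures + 1)); fi
    if check_keytab "$3"; then echo "PASS  $3: keytab present"
    else echo "FAIL  $3: keytab missing or empty"
         failures=$((failures + 1)); fi
    return "$failures"
}

# Run only when called with all three paths, for example:
#   sh preflight.sh /etc/nsswitch.conf <security-db-dir> /etc/krb5.keytab
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The ipnodes check is an exact match, so an entry with a stray trailing character such as `files.` is reported as a failure.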
Both "PAM Kerberos" (J5849AA) and "Kerberos Client" (KRB5CLIENT) products can be downloaded
from:
http://software.hp.com
They are available at the following specific locations: