LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

12. Next, you are prompted to select the authentication method that users use to bind (authenticate)
to the server. The choices offered depend on your selection in step 11:
* For TLS: if you chose not to enable TLS, you can choose between SIMPLE (the default) and
SASL/GSSAPI. If you chose to enable TLS, you can choose between SIMPLE with TLS (the default)
and SASL/GSSAPI with TLS. Skip to step 13.
* For SSL: if you chose not to enable SSL, you can choose between SIMPLE (the default) and
SASL/GSSAPI. If you chose to enable SSL, you can choose between SIMPLE with SSL (the default)
and SASL/GSSAPI with SSL. Skip to step 13.
13. Next, enter the host name and port number of the directory where your account and group
data resides, from Appendix A (page 145). You can enter up to three hosts, which are searched in order.
14. Enter the base DN where clients should search for name service data, from Appendix A
(page 145).
15. Enter Yes when asked whether you want to accept the remaining default configuration
parameters.
IMPORTANT: If you accept the remaining defaults, the memberUid attribute is used to define
HP-UX group membership. By default, however, Windows uses the member attribute to define
group membership. If you wish to share HP-UX groups with Windows groups,
supporting attribute mapping for dynamic groups or X.500 group membership services, select
No (do not accept remaining defaults), modify the group service, and change the
memberUid mapping to the member attribute.
16. If you do not use SASL/GSSAPI authentication, skip this step and go to step 19.
Otherwise, you are prompted to set up the principals used for SASL/GSSAPI authentication,
as follows:
There are two ways to set up principals used for SASL/GSSAPI
authentication for LDAP-UX name service proxy authentication:
* Host or service principal defined in a keytab file (such as
/etc/krb5.keytab)
* Proxy principal defined in LDAP-UX proxy credential file
(/etc/opt/ldapux/pcred)
The principal defined in a keytab file can be shared among
several services, such as Kerberized Interface Service or
LDAP-UX using the host principal for authentication. The
LDAP-UX proxy principal is used solely for LDAP-UX.
You are then prompted to select the type of principal. Enter H to use a host/service
principal, or P to use a proxy principal. By default, the host or service principal
is used.
17. Next, you are prompted for the path to the Kerberos keytab file. Enter a path if you want
to specify the keytab file to be used. If no file is specified, LDAP-UX uses the
default keytab file configured in /etc/krb5.conf by "default_keytab_name". If
no default keytab file is configured in /etc/krb5.conf, the keytab file
/etc/krb5.keytab is used.
18. Next, you are prompted to specify an alternate principal name. If you do not want to use
the default principal name, enter an alternate principal name, for example
host/hpntc20.cup.hp.com@CUP.HP.COM.
LDAP-UX uses ldapux/<FQHN>@<REALM> as the default service principal. If that principal does
not exist, the host/<FQHN>@<REALM> principal in the keytab file is used. FQHN stands
for Fully Qualified Host Name.
19. For Active Directory, you must configure access to the directory through a proxy user, because
anonymous binding does not grant sufficient access rights to Active Directory. Enter the DN and
password of your proxy user from Appendix A (page 145).
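
The keytab and principal fallback order from steps 17 and 18, written as a pre-check you could run before answering those prompts. This is an added example, not part of the HP guide or of LDAP-UX: the function names, the sample path /etc/opt/krb5/demo.keytab and the keytab listing are constructed, and the listing layout ("KVNO principal" rows) is assumed to match what MIT klist -k prints.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not part of LDAP-UX.

# resolve_keytab EXPLICIT_PATH KRB5_CONF
# Step 17 order: the path typed at the prompt, else default_keytab_name
# from krb5.conf, else /etc/krb5.keytab.
resolve_keytab() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    kt=""
    if [ -r "$2" ]; then
        kt=$(awk -F= '/^[ \t]*default_keytab_name[ \t]*=/ {
                 v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$2")
    fi
    kt=${kt#FILE:}    # krb5.conf may prefix the path with the FILE: keytab type
    printf '%s\n' "${kt:-/etc/krb5.keytab}"
}

# select_principal FQHN REALM LISTING [ALTERNATE]
# Step 18 order: the alternate name if one is given, else ldapux/<FQHN>@<REALM>,
# else host/<FQHN>@<REALM>. LISTING is assumed to hold "KVNO principal" rows.
# Returns 1 when no candidate principal is present in the listing.
select_principal() {
    if [ -n "${4:-}" ]; then
        candidates=$4
    else
        candidates="ldapux/$1@$2 host/$1@$2"
    fi
    for p in $candidates; do
        if awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' "$3"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Constructed sample input: a krb5.conf fragment and a keytab listing that
# holds only the host principal used as the example in step 18.
demo=$(mktemp -d)
printf '[libdefaults]\n default_keytab_name = FILE:/etc/opt/krb5/demo.keytab\n' > "$demo/krb5.conf"
printf 'KVNO Principal\n---- ---------\n   3 host/hpntc20.cup.hp.com@CUP.HP.COM\n' > "$demo/klist.txt"
echo "keytab:    $(resolve_keytab "" "$demo/krb5.conf")"
echo "principal: $(select_principal hpntc20.cup.hp.com CUP.HP.COM "$demo/klist.txt")"
rm -rf "$demo"
```

A non-zero return from select_principal means none of the expected principals is in the keytab, which is worth resolving before choosing H at the step 16 prompt.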
40 Installing LDAP-UX Client Services