LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
The default is to allow all users stored in the directory to log in. To prevent specific users from logging in to a local system, configure the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file, as described in Section 2.5.4.1 (page 60).
2.4.6 Configuring the LDAP-UX Client Services with SSL or TLS support
The LDAP-UX Client Services supports either SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to secure communication between LDAP clients and the Active Directory Servers. With SSL, an encrypted connection is established on the dedicated encrypted port, 636. The LDAP-UX Client Services supports SSL with a password as the credential, using either simple bind or SASL/GSSAPI authentication to ensure confidentiality and data integrity between clients and servers. In addition, SSL/TLS can be used to validate the identity of the Windows Active Directory Server, provided the privacy of the server's and the CA's private keys can be assured. The domain administrator chooses the authentication mechanism.
The LDAP-UX Client Services supports SSL communication with Microsoft Windows 2003 R2 and 2008 Active Directory Server (ADS), HP-UX Directory Server 8.1 (or later), and Red Hat Directory Server 8.0. For detailed information about how to enable SSL communication over LDAP for your Windows Active Directory Server, see the Microsoft Knowledge Base Article at:
http://support.microsoft.com/kb/321051
Starting with LDAP-UX Client Services B.04.10, the product supports the startTLS extended operation, which uses the TLS protocol to secure communication between LDAP clients and the Windows Active Directory Server. With startTLS, an encrypted session is established on the unencrypted port, 389. If the encrypted port (636) is used instead, the secure connection cannot be established. startTLS gives administrators more flexibility in using TLS in their environment, because the clients and the server communicate over the standard, unencrypted LDAP port. LDAP-UX supports TLS with a password as the credential, using either simple bind or SASL/GSSAPI authentication to ensure confidentiality and data integrity between clients and servers.
The LDAP-UX Client Services supports TLS communication with Microsoft Windows 2003 R2/2008 Active Directory Server (ADS), HP-UX Directory Server 8.1 (or later), and Red Hat Directory Server 8.0.
2.4.6.1 Configuration parameters
LDAP-UX Client Services provides the following parameter in the /etc/opt/ldapux/ldapux_client.conf file to support TLS.
enable_startTLS    This integer variable controls whether the TLS feature is enabled or disabled. The valid values are 1 and 0. To enable TLS, set this parameter to 1; to disable TLS, set it to 0. By default, TLS is disabled. If the enable_startTLS parameter is undefined or absent, the TLS feature is treated as disabled.
If you want to use SSL or TLS, you must perform the following tasks before you run the setup program:
• Ensure that the certificate database files, cert8.db and key3.db, are present on your client system. See Section 2.4.6.2 (page 48) for details.
• If you choose to enable TLS, set the enable_startTLS parameter to 1 in the /etc/opt/ldapux/ldapux_client.conf file. To use SSL, set enable_startTLS to 0. By default, TLS is disabled.
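The following pre-setup check is an added example written for this guide's section; it is not part of the LDAP-UX product or its setup program. It encodes the rules stated above: enable_startTLS set to 1 selects startTLS on the unencrypted port 389, 0 or an absent parameter means TLS is disabled and SSL on port 636 applies, any other value is invalid, and both cert8.db and key3.db must exist before setup runs. The assumptions are that ldapux_client.conf carries the parameter as an enable_startTLS=<value> line (the page does not show the file syntax) and that the certificate database directory is passed as an argument; the config and files used in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not HP's code): pre-flight checks before running the
# LDAP-UX setup program with SSL or startTLS.
# Assumption: the parameter appears as "enable_startTLS=<value>" in the
# config file; the certificate database directory is given as an argument.

# Print the effective enable_startTLS value. An undefined or missing
# parameter is treated as 0 (TLS disabled), as the guide describes.
ldapux_starttls_value() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*enable_startTLS[[:space:]]*=[[:space:]]*\([0-9]*\).*$/\1/p' "$conf" 2>/dev/null | tail -n 1)
    if [ -z "$val" ]; then
        val=0
    fi
    printf '%s\n' "$val"
}

# Print the LDAP port that matches the chosen mode: startTLS runs on the
# plain port 389 (and fails on 636); SSL uses the encrypted port 636.
# Returns 2 for a value that is neither 0 nor 1.
ldapux_expected_port() {
    case "$(ldapux_starttls_value "$1")" in
        1) printf '389\n' ;;
        0) printf '636\n' ;;
        *) printf 'invalid\n'; return 2 ;;
    esac
}

# Return 0 only when both certificate database files are present.
ldapux_certdb_ok() {
    dir="$1"
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        return 0
    else
        return 1
    fi
}

# Combined check. Prints "mode=<StartTLS|SSL> port=<n>" and returns 0 when
# setup can proceed; returns 1 if cert8.db/key3.db are missing and 2 if
# enable_startTLS holds an invalid value.
ldapux_preflight() {
    conf="$1"
    certdir="$2"
    port=$(ldapux_expected_port "$conf") || return 2
    ldapux_certdb_ok "$certdir" || return 1
    if [ "$port" = 389 ]; then
        mode=StartTLS
    else
        mode=SSL
    fi
    printf 'mode=%s port=%s\n' "$mode" "$port"
    return 0
}

# Stand-alone demo on a constructed config and empty placeholder cert files.
if [ "${LDAPUX_DEMO:-1}" = 1 ]; then
    d=$(mktemp -d)
    printf 'enable_startTLS=1\n' > "$d/ldapux_client.conf"
    : > "$d/cert8.db"
    : > "$d/key3.db"
    ldapux_preflight "$d/ldapux_client.conf" "$d"
    rm -rf "$d"
fi
```

Run it against the real file with `ldapux_preflight /etc/opt/ldapux/ldapux_client.conf <certdb-dir>` before invoking setup; a non-zero status tells you which of the two prerequisites above is not met.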
2.4.6.2 Configuring the LDAP-UX Client to use SSL or TLS
You can choose to enable SSL or TLS with LDAP-UX when you run the setup program. If you want
to use SSL or TLS, you must install the Certificate Authority (CA) certificate on your LDAP-UX Client
and configure your directory server to support SSL or TLS before you run the setup program.
48 Installing LDAP-UX Client Services