LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
specified, the realm information is retrieved from /etc/krb5.conf. The credential (password)
is the same one used to create the user principal in the KDC.
6.3.2.2 Service/host principal
A Kerberos keytab file contains service or host principals and their associated keys. Users
can choose to bind using the service or host keys. The keytab file may contain multiple principals
and keys, and users may configure which service key to use. For example, the following
/etc/krb5.keytab file contains two principals:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
Principal
--------------------------------------------
1 ldapux/hpntc10.cup.hp.com@HP.COM
1 host/hpntc10.cup.hp.com@HP.COM
6.3.2.3 Configuring a principal as the proxy user
The following describes three different ways to configure a principal as the proxy user:
• Configure a user principal:
Use ldap_proxy_config -i or "-d and -c" to enter a Kerberos user principal and its credential
(i.e. password).
The following example uses the ldap_proxy_config -i command with the proxy user
proxyusr (given without realm information) and the password proxywd:
cd /opt/ldapux/config
./ldap_proxy_config -i
proxyusr
proxywd
The following example uses the ldap_proxy_config -d -c command to create the
proxy user john@CUP.HP.COM (given with realm information) with the proxy user credential
proxycrd:
cd /opt/ldapux/config
./ldap_proxy_config -d john@CUP.HP.COM -c proxycrd
• Configure a service or host principal:
Use ldap_proxy_config -i or -d to specify the service or host principal, with or without entering
a password. If a password is provided, LDAP-UX retrieves the password information from the
/etc/opt/ldapux/pcred file. When no password is specified, LDAP-UX Client Services
assumes the proxy user is a service or host principal and retrieves the credential information
from the keytab file.
The following example uses the ldap_proxy_config -i command to create a host
principal for hpntcA.cup.hp.com:
cd /opt/ldapux/config
./ldap_proxy_config -i host/hpntcA.cup.hp.com@HP.COM
• Use only the keytab file without configuring proxy:
With this method, any old pcred file must be deleted first. LDAP-UX Client Services
uses ldapux/<FQHN>@<REALM> as the default service principal. If that principal does not exist,
host/<FQHN>@<REALM> in the keytab file is the principal that is used. FQHN stands for
Fully Qualified Host Name.
A principal defined in a keytab file can be shared among several services; for example, both the
Kerberized Interface Service and LDAP-UX can use the host principal for authentication. The LDAP-UX
proxy principal, by contrast, is used solely by LDAP-UX.
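The keytab-only method above selects a principal in a fixed order (ldapux/<FQHN>@<REALM> first, then host/<FQHN>@<REALM>) and requires that no stale pcred file remain. The following shell example is added here and is not from the LDAP-UX guide; it assumes the text layout of klist -k shown in 6.3.2.2 and works on a constructed keytab listing rather than a live keytab.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): determine which keytab principal
# LDAP-UX would fall back to when no proxy user is configured, following the
# documented order: ldapux/<FQHN>@<REALM> first, then host/<FQHN>@<REALM>.
# Assumptions: the listing uses the klist -k text layout shown in the guide,
# and the FQHN and realm are supplied by the caller.

# Constructed sample of klist -k output (mirrors the guide's two-entry keytab).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   1 ldapux/hpntc10.cup.hp.com@HP.COM
   1 host/hpntc10.cup.hp.com@HP.COM'

# select_principal FQHN REALM KLIST_OUTPUT
# Prints the principal LDAP-UX would use and returns 0; returns 1 if neither
# the ldapux/ nor the host/ principal for this host is in the keytab.
select_principal() {
    fqhn=$1; realm=$2; listing=$3
    for svc in ldapux host; do
        want="$svc/$fqhn@$realm"
        # Compare the whole principal column, so a host whose name merely
        # starts with the same characters is not accepted by prefix match.
        if printf '%s\n' "$listing" | awk -v p="$want" \
            '$NF == p { found = 1 } END { if (found) exit 0; exit 1 }'; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# stale_pcred_check PCRED_PATH
# Returns 0 when the pcred file is absent (required for the keytab-only
# method) and 1 when an old pcred file is still present and must be removed.
stale_pcred_check() {
    [ ! -e "$1" ]
}

# Demo against the constructed listing; the real check would use:
#   select_principal "$(hostname)" HP.COM "$(klist -k)"
select_principal hpntc10.cup.hp.com HP.COM "$SAMPLE_KLIST"
```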
6.3 SASL/GSSAPI support 97