LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

6.3.3 Keytab file
LDAP-UX allows you to specify the keytab file when you use SASL/GSSAPI authentication. Run
the setup program to specify the keytab file, or use the kerberos_keytab_file option in
/etc/opt/ldapux/ldapux_client.conf to specify it. If you do not specify a keytab file,
LDAP-UX uses the default file specified in /etc/krb5.conf. If no default keytab file is
configured in /etc/krb5.conf, the keytab file /etc/krb5.keytab is used.
Each service principal must have a service key known by every domain controller, each of
which also acts as a KDC.
Use the ktpass tool to create the keytab file and set up an identity mapping for the host
account. The following example shows how to run ktpass to create the keytab file for the
HP-UX host myhost in the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost.cup.hp.com@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab
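The following POSIX shell script is an added example, not part of this guide or of the LDAP-UX product. It resolves which keytab LDAP-UX will use, in the search order described above, and then checks that the file grants no group or other access and holds the host principal that ktpass created. It assumes that ldapux_client.conf holds the option as a kerberos_keytab_file=/path line, that /etc/krb5.conf names its default with the MIT-style default_keytab_name setting, and that klist accepts the MIT -k option; all three are assumptions.

```sh
#!/bin/sh
# Added example (not from the guide): resolve which keytab LDAP-UX will use, in the
# order Section 6.3.3 gives, then check its file permissions and contents.
# Assumptions: ldapux_client.conf uses "kerberos_keytab_file=/path" lines, and
# krb5.conf uses the MIT-style "default_keytab_name = [FILE:]/path" setting.

# Print the effective keytab path.  Usage: resolve_keytab <ldapux_client.conf> <krb5.conf>
resolve_keytab() {
    kt=''
    if [ -r "$1" ]; then
        kt=$(sed -n 's/^[[:space:]]*kerberos_keytab_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    fi
    if [ -z "$kt" ] && [ -r "$2" ]; then
        kt=$(sed -n 's/^[[:space:]]*default_keytab_name[[:space:]]*=[[:space:]]*//p' "$2" | head -n 1)
        kt=${kt#FILE:}   # krb5.conf may prefix the path with FILE:
    fi
    [ -n "$kt" ] || kt=/etc/krb5.keytab   # LDAP-UX's last-resort default
    printf '%s\n' "$kt"
}

# Return 0 when the keytab exists, is a regular file and grants no group/other access.
# Every domain controller knows this service key, so anyone who can read the file
# can authenticate as the host; it deserves the same protection as a password.
# Usage: keytab_perms_ok <keytab>
keytab_perms_ok() {
    [ -f "$1" ] || { echo "keytab missing: $1" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *) echo "keytab $1 has mode $mode; expected owner-only access" >&2; return 1 ;;
    esac
}

# Content check: does the keytab hold the host principal that ktpass wrote?
# Usage: keytab_has_principal <keytab> <principal>; returns 2 if klist is unavailable.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -k "$1" 2>/dev/null | grep -F -q -- "$2"
}

# Stand-alone audit of the live configuration: sh thisscript.sh --audit
if [ "${1:-}" = "--audit" ]; then
    kt=$(resolve_keytab /etc/opt/ldapux/ldapux_client.conf /etc/krb5.conf)
    echo "LDAP-UX will use keytab: $kt"
    keytab_perms_ok "$kt" && echo "permissions OK"
    keytab_has_principal "$kt" "host/$(hostname)" && echo "host principal present"
fi
```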
6.3.4 SASL/GSSAPI profile download support
LDAP-UX Client Services does not support automatic downloading of the LDAP-UX profile when
it is used with SASL/GSSAPI authentication and that authentication uses a host or service
principal whose key is stored in a Kerberos keytab file. This limitation affects the ability of
the LDAP-UX product to support the "profile time to live" feature, which automatically
re-downloads a profile after its profileTTL time period has expired.
You can download profiles manually using the get_profile_entry command, as long as you
provide a principal and password on the command line. The following command shows an example
of how to download the profile manually. If your profile changes frequently, you may wish to place
this in a script that is called periodically by cron.
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"
6.3.5 Changing authentication methods
If you wish to switch from your current authentication method, for example from SIMPLE to
SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/GSSAPI, you must restart the ldapclientd daemon after
making the configuration changes. This step is required to ensure that the proper GSSAPI,
Kerberos and/or SSL initialization is completed.
6.4 PAM_AUTHZ login authorization
The Pluggable Authentication Module (PAM) is an industry-standard authentication framework that
is supplied as an integrated part of the HP-UX system. PAM gives system administrators the flexibility
of choosing any authentication service available on the system to perform authentication. The PAM
framework also allows new authentication service modules to be plugged in and made available
without modifying PAM-enabled applications. The library /usr/lib/security/libpam_authz.so.1
(and architecture-dependent library paths) provides the access control functionality described in
this section. You can add it to your existing /etc/pam.conf as shown in Section C.3 (page 154).
This section assumes you have some knowledge of how to configure PAM libraries in the
/etc/pam.conf file. For more information about configuring PAM libraries, see the Managing
Systems and Workgroups: A Guide for HP-UX System Administrators document, available at the
following location:
www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
98 Administering LDAP-UX Client Services