LDAP-UX Client Services B.05.01 Administrator Guide
Integrating with HP Directory Servers and Microsoft Windows Active Directory Servers

Abstract
This document describes how to install, configure, and manage the LDAP-UX Client Services product on HP-UX platforms in conjunction with LDAP-capable directory servers including HP-UX Directory Server, Red Hat Directory Server for HP-UX, and Microsoft Windows Active Directory Server (ADS).
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 Introduction (page 17)
1.1 Overview of LDAP-UX Client Services (page 17)
1.2 How LDAP-UX Client Services works (page 19)
1.3 Domains in LDAP-UX environments (page 22)
1.
2.4.6.2 Steps for configuring LDAP-UX Client Services with SSL or TLS support (page 80)
2.4.6.3 Adjusting the peer certificate policy (page 81)
2.4.6.3.1 Modifying preferredServerList in the LDAP-UX profile (page 82)
2.4.6.4 Creating certificate database files using the certutil utility (page 82)
2.4.6.5 SSL/TLS ciphers
3 Installing and configuring LDAP-UX Client Services for a Windows ADS environment (page 114)
3.1 Before you begin: general installation and configuration considerations for a Windows ADS environment (page 114)
3.2 Selecting the method of installation: guided or customized
3.5.3.4 AutoFS migration scripts (page 154)
3.5.3.4.1 Environment variables (page 154)
3.5.3.4.2 General syntax for migration scripts (page 155)
3.5.3.4.3 migrate_automount_ads.pl script (page 155)
3.5.3.4.4 migrate_nis_automount_ads.pl script
6 Dynamic group support (page 173)
6.1 Overview (page 173)
6.2 Creating an HP-UX dynamic group (page 173)
6.2.1 Creating an HP-UX POSIX dynamic group in an HP directory server environment (page 173)
6.2.1.1 Step 1: Creating a dynamic group
7.4.3 PAM_AUTHZ security policy enforcement (page 201)
7.4.3.1 Authentication using PAM (page 202)
7.4.3.2 Authentication with secure shell (ssh) and r-commands (page 202)
7.4.4 Policy file (page 202)
7.4.5 Policy validator
7.9.2 Verifying the proxy user (page 242)
7.9.3 Creating a new proxy user (page 242)
7.9.4 Changing from anonymous access to proxy access (page 244)
7.9.5 Changing from proxy access to anonymous access (page 244)
7.
8.5.1 Overriding central configuration (page 274)
8.6 Distributing keys to nonHP-UX hosts (page 274)
9 Command and tool reference (page 276)
9.1 The LDAP-UX Client Services components (page 276)
9.2 Client management tools
9.3.5.8 Specific return codes for ldapugadd (page 310)
9.3.5.9 Limitations (page 311)
9.3.5.10 Examples (page 311)
9.3.6 The ldapugmod tool (page 313)
9.3.6.1 Synopsis
9.3.10.3 Specific return codes for ldapcfinfo (page 350)
9.3.10.4 Examples (page 352)
9.4 LDAP directory tools (page 353)
9.4.1 The ldapentry tool (page 354)
9.4.1.
9.5.8.5 LDAP syntax status messages (page 382)
9.6 Name service migration scripts (page 383)
9.6.1 Naming context (page 383)
9.6.2 Migrating all files (page 383)
9.6.
D Sample PAM configuration (pam.conf) files (page 420)
D.1 Sample of a typical pam.conf file for an HP server environment (page 421)
D.2 Sample PAM configuration file typical for integration with Windows ADS (page 424)
D.3 Sample pam.conf file for Trusted Mode in an HP server environment (page 426)
D.4 Sample PAM configuration file for HP-UX Trusted Mode with Windows ADS
Figures
1 A simplified NIS environment (page 17)
2 A simplified LDAP-UX Client Services environment for HP directory servers (page 18)
3 A simplified LDAP-UX Client Services environment for Windows ADS (page 18)
4 The LDAP client daemon in the LDAP-UX Client Services environment
Return codes for ldapuglist (page 293)
Return codes for ldapugadd (page 310)
Return codes for ldapugmod (page 322)
Return codes for ldapugdel
1 Introduction
LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. The directory can be used as a single source repository for HP-UX authentication, authorization, and user data/account management, or the account information can be integrated into Microsoft Windows Active Directory Server.
NOTE: In this document, “HP directory server” is often used to refer to the HP-UX Directory Server or Red Hat Directory Server for HP-UX product.
1.2 How LDAP-UX Client Services works
LDAP-UX Client Services provides a backend for the authentication mechanisms of PAM and a backend database for the naming services of NSS. The PAM configuration file /etc/pam.conf defines the security mechanisms that are used for authenticating users. Its default values provide the customary operation of the system under both standard HP-UX and trusted systems. It also provides support for controls on individual users.
Figure 5 HP-UX Client login sequence with Windows 2003 R2 and 2008 (RFC 2307)
[Figure not reproduced. Labels recovered from it: PAM (login, ftp, ...) and NSS (ls, who, ...) on the LDAP-UX client send LDAP client requests through ldapclientd and the LDAP C SDK to the LDAP directory server.]
With LDAP-UX Client Services, and ldapclientd in particular, HP-UX commands and subsystems can access name service information transparently from the LDAP directory or from the Active Directory through PAM and NSS. Table 2 (page 20) shows some examples of commands and subsystems that use PAM and NSS.
After you install and configure the LDAP directory or the Active Directory, and migrate your name service data into it, HP-UX client systems locate the directory from a startup file. As shown in Figure 6, the startup file tells the client system how to download a configuration profile from the directory.
Figure 6 Local startup file and the configuration profile
[Figure not reproduced. It shows the local startup file pointing the client at the configuration profile stored in the directory.]
The shared configuration profile is stored in the directory and downloaded to all LDAP-UX clients.
For more information about PAM, see the pam(3) and pam.conf(4) manpages, and the Managing Systems and Workgroups: A Guide for HP-UX System Administrators document at the following location: http://www.hp.com/go/hpux-core-docs (click HP-UX 11i v2) Sample PAM configuration files and details about configuration are included in “Sample PAM configuration (pam.conf) files ” (page 420).
synchronized (converged) among all the DC computers by multi-master replication. Servers joined to the Active Directory that are not domain controllers are called Member Servers. LDAP-UX Client Services for Microsoft Windows Active Directory enables integration of user account information into a Microsoft Windows 2003 R2 or 2008 Active Directory Server.
directory server is configured to grant this user administrative access, thus enabling this user to perform configuration changes. Some important differences between the Configuration Administrator and the Directory Manager:
◦ The Configuration Administrator cannot create top-level entries for a new suffix through an add operation, neither by adding an entry with the Directory Server Console nor by using the ldapadd tool.
2 Installing and configuring LDAP-UX Client Services for an HP server environment
This chapter describes the decisions you must make and the steps for installing the HP directory server and for configuring LDAP-UX Client Services.
2.1 Before you begin: general installation and configuration considerations for an HP server environment
Consider the following as you plan your installation and configuration.
NOTE: This white paper was published before HP-UX Directory Server 8.1 was introduced. However, much of the information continues to be relevant and helpful.
• Most examples in this chapter are based on the HP-UX Directory Server and assume you have some knowledge of this directory and its tools, such as the Directory Server Console and ldapsearch. If you have another directory server, consult the documentation for your directory server for more information.
The customized installation (setup) is advantageous if:
• You are more experienced and familiar with the product, and you want to manually customize the software during the installation.
• You are installing into an environment that already includes an LDAP directory server, and user and group data has already been installed on that directory server. The guided installation makes assumptions about the location of user, group, and host data that is stored in the directory server.
administration domain (this directory server is also referred to as the Configuration Directory Server or configuration directory). NOTE: The directory server administration domain is the domain used for managing the directory servers themselves. In contrast, the LDAP-UX domain is the domain used for managing the data stored by the directory server. It consists of the collection of users, groups, and hosts that can be managed in the LDAP directory server.
optionally the port), and the bind DN and password of a user who has sufficient privileges to add the local HP-UX host to the LDAP-UX domain. When you specify a remote host where the existing directory server is located, the guided installation cannot validate the identity of the directory server unless a valid domain (CA certificate) or server certificate exists on the local host.
2.3.1 What autosetup does
As mentioned, the guided installation (autosetup) greatly simplifies the configuration process. The procedure performs numerous activities automatically, with minimal input required from whoever runs the script, including the following:
1. Automatically detects existing directory servers by querying the DNS server of the DNS domain for any registered directory servers, and then tries to connect to the directory server with a search request.
13. Modifies the LDAP-UX client daemon configuration file /etc/opt/ldapux/ldapclientd.conf to:
• Enable the LDAP-UX client daemon ldapclientd to launch automatically whenever the system is rebooted ([StartOnBoot] is defined with enable=yes).
• Set iproxy_is_restricted=yes in the [general] section, which indicates that the host entry created in step 10 is not privileged. This setting enables additional capabilities provided by the ldapuglist and ldaphostlist tools.
A sample of the ldapclientd.
NOTE: SSL/TLS protocols support a variety of different cryptographic algorithms (ciphers) for use in authentication operations between server and client, certificate transmissions, and session key establishment. If a cipher is found to be flawed and subject to attack, administrators of HP-UX and the directory server must be made aware of the vulnerability. Ciphers can be disabled in the directory server. For information about SSL/TLS ciphers and which ones are supported by LDAP-UX, see Section 2.4.6.
• ou=People: Stores all users managed in the LDAP-UX domain. Utilities, such as the LDAP user or group management tools (see Section 9.3 (page 283)) and ldapentry (see Section 9.4.1 (page 354)) can be used to manage users and accounts under this subtree. The ou=People subtree is populated with one user, the Domain Administrator. By default, the LDAP-UX Domain Administrator is named domadmin. The guided installation enables this name to be changed.
• ou=Groups: Stores all groups managed in the domain.
2.3.2.2 Information model
Within the various subtrees defined in the LDAP-UX domain, various types of objects can be managed, including users, groups, and hosts. Management of these objects is based primarily on existing standards (defined by RFCs 2307, 2798, and 4519) and extended schema defined for LDAP-UX. Most manageable information registered for users, groups, and hosts is defined in the RFCs. LDAP-UX includes two additional schemas named ssh_schema and ldapux50.
owner: uid=domadmin,ou=people,dc=mydomain,dc=example,dc=com
uniqueMember: uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com
cn: HostAdmins
gidNumber: 1872
When LDAP-UX creates the configuration profile, attributes from RFC 2307 define most of the information model used for users, groups, and hosts. The configuration profile is created mostly with defaults, meaning that the search filters and attributes are based on RFC 2307 recommendations.
• To use common authentication with other LDAP-enabled applications, the userPassword attribute is defined as NULL. This means that it is not visible to applications on the HP-UX host. But, applications use the standardized PAM framework to perform authentication.
2.3.2.2.2 Domain entity classification schema
The guided installation (and LDAP-UX B.05.00 or later) provides new schema that can be used to manage information about users, groups, hosts, and services in your network.
Table 4 New object classes
Object class          Description and use
networkService        Contains attributes that describe configurable service objects. It typically extends the ipService object class.
domainEntity          An object class used to classify objects being managed, such as users, hosts, etc.
configurableService   A subset of the networkService object class, it is used to indicate that at least some services provided by the object can be centrally configured.
to the directory server. This means that information managed in the directory server subtree is visible only to users who can bind and authenticate to the directory server. This policy is enforced by the following ACI:
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr!="userPassword || nisSecretKey")(version 3.
viceProtocol || sshPublicKey || oncRpcNumber || userPassword || userCertificate" )(version 3.0;acl "[HOSTADMIN:ALL:HOSTATTRS]: Allow changes to host attributes by Host Administrators";allow (all) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
◦ DomainAdmins allows its members to have complete control of data managed under the root suffix of the directory server. In other words, members can manage data used by the local host OS and stored in the LDAP-UX domain.
NOTE: A CA certificate for the "mydomain.example.com" domain has been created. This certificate can be pre-installed on HP-UX clients or included as part of an HP-UX Ignite image. Installing this CA certificate on a host pre-establishes trust with this directory server. The depot file for this CA certificate is found at: /tmp/ca-mydomain.example.com.
file. The password to protect that file is stored in /etc/opt/dirsvr/slapd-domain-master/pk12-passwd.txt. WARNING! Any user that can access the pk12-passwd.txt file and the cacert.pk12 file can create a new directory server with sufficient trust to be considered part of the LDAP-UX domain. Such a user can control what data is visible to the HP-UX hosts. Any host with a server certificate signed by the CA certificate will be considered a trusted directory server.
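The following Python script is an added example (it is not part of the LDAP-UX product or this guide) that checks whether a secret file such as pk12-passwd.txt or cacert.pk12 can be read by anyone other than its owner. The path /etc/opt/dirsvr/slapd-domain-master/pk12-passwd.txt is the one named above; the location assumed for cacert.pk12 next to it is the example's guess, and make_demo_file exists only so the check can be exercised on a constructed temporary file without touching the real directory server files.

```python
"""Verify that the CA key material for the LDAP-UX domain stays private.

Added example, not HP code. check_secret_file() reports every way a file can
become readable by someone other than the expected owner; make_demo_file()
only exists to exercise the check on a constructed temporary file.
"""
import os
import stat
import tempfile

# Files whose exposure lets someone mint a directory server the domain trusts.
CA_MATERIAL = [
    "/etc/opt/dirsvr/slapd-domain-master/pk12-passwd.txt",   # named in the guide
    "/etc/opt/dirsvr/slapd-domain-master/cacert.pk12",       # assumed to sit beside it
]


def check_secret_file(path, expected_owner_uid=0):
    """Return a list of problems; an empty list means the file is locked down.

    expected_owner_uid=None skips the ownership check (the demo below does
    not run as root, so it passes None).
    """
    problems = []
    if stat.S_ISLNK(os.lstat(path).st_mode):
        problems.append("path is a symbolic link; check the target instead")
    st = os.stat(path)
    if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_owner_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants access to group or others"
                        % stat.S_IMODE(st.st_mode))
    return problems


def audit_ca_material(paths=CA_MATERIAL, expected_owner_uid=0):
    """Check every path that exists; missing files are skipped, not reported."""
    return {p: check_secret_file(p, expected_owner_uid)
            for p in paths if os.path.lexists(p)}


def make_demo_file(mode):
    """Create a throwaway file with the given mode (constructed demo input)."""
    fd, path = tempfile.mkstemp(prefix="pk12-demo-")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Show the check on a world-readable and on a private constructed file.
    for mode in (0o644, 0o600):
        demo = make_demo_file(mode)
        print("%04o -> %s" % (mode, check_secret_file(demo, None) or ["ok"]))
        os.remove(demo)
    # Then audit the real files, if this host has them.
    for path, problems in audit_ca_material().items():
        print(path, problems or ["ok"])
```

Run it as root on the directory server host; any entry other than "ok" for the pk12 files means the CA password or key is exposed to other local users.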
privileges than the Directory Manager) — or any user given sufficient privileges by the directory server administrator. This is the bind DN that LDAP-UX clients use for accessing the HP-UX Directory Server. The default is cn=Directory Manager when creating a new LDAP-UX domain, and uid=domadmin,ou=people,domainBaseDN when joining an existing one. An example of a setting for this variable is uid=domadmin,ou=people,dc=document,dc=hp,dc=com.
-s ds_sslport_id
Specifies the number of the directory server SSL port for accessing the directory server when SSL options are used. The default is SSL port 636.
-v n
Specifies the verbose level for debugging purposes, with n specifying one of the following: 0 (turns off verbose mode), 1, 2, or 3 (the highest level of verbosity).
-x domain_name
When configuring LDAP-UX in a directory server environment, this option specifies the LDAP-UX domain name; for example, accounting.acme.com.
DS_ADMIN_PASS
Sets the password for the directory server Configuration Administrator, responsible for managing the directory servers in the directory server administration domain. Only used in New Directory Server Installation mode (installing LDAP-UX for the first time). No command option exists for passing this password on the command line.
DS_ADMIN_PORT
Sets the port number of the directory server's Administration Server, which manages the directory server administration domain.
Server. The default is cn=Directory Manager. An example of a setting for this variable is: LDAP_BINDDN=uid=domadmin,ou=people,dc=document,dc=hp,dc=com. Equivalent to using the -D option in the command line.
LDAP_BINDCRED
Sets the password for the user defined by LDAP_BINDDN. Equivalent to using the -j option in the command line (except this command-line option specifies a file containing the password).
LDAP_SSLPORT
Sets the SSL port of the directory server to be created or, if one already exists, to be configured for LDAP-UX support. The default is 636.
2.3.3.3 autosetup command examples
The following are examples showing how to run autosetup with command-line options:
Example 5 autosetup: interactive mode with verbose set at the highest level
# autosetup -v 3
This command runs autosetup interactively, with verbose set at the highest level.
NOTE: If you are planning a first-time deployment of managing user and group data in the directory server, HP suggests that you devise a strategy to avoid UID number and GID number overlap. Most likely, you will need to continue managing some accounts that are local to the hosts in the LDAP-UX domain. Often the root user, and sometimes application accounts (such as www for the httpd process) remain managed in the local /etc/passwd file.
Directory Manager DN. For more information about the Directory Manager and other administrators, see Section 1.4 (page 23). 4. The script asks whether you want to manage the new directory server in an existing HP-UX Directory Server administration domain (Admin domain) or whether you want to create a new directory server administration domain.
the LDAP-UX domain. The domain administrator has fewer privileges than the Directory Manager or Configuration Administrator. This account will be the primary account used to manage data within the directory server, or its privileges can later be distributed to other users. This account should typically be associated with an individual and may be named as such. The account name should be 8 characters or less, since this account can be used on the HP-UX OS.
LDAP-UX was successfully configured. As indicated in the guided installation log, the guided installation configures LDAP-UX and starts the LDAP-UX daemon (ldapclientd) and the central configuration service (ldapconfd). For more information about the files configured by autosetup, see “Samples of LDAP-UX configuration files created or modified by autosetup” (page 410).
created. You can use command-line options and environment variables to completely automate the rest of the procedure. In the example provided in this section, the following environment variables are defined for all the parameters needing input. Certain parameters cannot be provided by command-line options.
• LDAP_BINDDN="cn=Directory Manager"
• LDAP_BINDCRED="dmdontforget"
• LDAP_DOMAIN_ADMIN="domadmin"
• LDAP_DOMAIN="west.acme.
Setting up the LDAP-UX client using the newly created directory server.
* Loading CA certificate from directory server to local host ... done.
* Extending schemas ... done.
No LDAP-UX Configuration Profile was found. Creating a new one.
* Downloading profile from DS ... done.
* Configuring ldapux_client.conf ... done.
* Provisioning LDAP-UX Client information into the Directory Server ... done.
* Setting up proxy user ... done.
* Configuring "/etc/nsswitch.conf" and "/etc/pam.conf" to use ldap ... done.
2. The autosetup script searches for a registered LDAP-protocol directory server in the local DNS domain but does not find one, as indicated in the following example.
NOTE: The script searches for a registered server only if the directory server was not specified with the -h command-line option or the LDAP_HOSTPORT environment variable. If a registered directory server is found, autosetup uses that directory server automatically.
Enter the password for the above user: [password not displayed] Enter
The installation now begins, followed by other related tasks; autosetup displays the progress and results, as in the following example. As indicated, because no LDAP-UX configuration profile exists yet, autosetup creates a new one. The profile and the associated LDAP-UX domain will be based on the existing directory tree. In addition, autosetup provisions information about the local host into the existing directory server.
2.3.6 Guided installation steps: Existing LDAP-UX Domain Installation mode
This section explains how to install LDAP-UX in an environment that has already been configured for LDAP-UX, joining the local host into an existing LDAP-UX domain. In this mode, the guided installation simply downloads the existing domain configuration (the LDAP-UX configuration profile) and registers the host in the LDAP-UX domain. Section 2.3.6.
Scanning DNS domain "west.hp.com" for any registered LDAP directory servers...
- No directory servers found.
Please enter the host name and port number of a directory server, a Windows domain name, or press Return to create a new directory server on this host: acct1053 Enter
NOTE: Unless you preinstall a CA or server certificate for the directory server, the autosetup tool has no means of validating the identity of the remote directory server (acct1053).
* Configuring "/etc/nsswitch.conf" and "/etc/pam.conf" to use ldap ... done.
* Starting ldapclientd daemon ... done.
* Starting ldapcconfd ... done.
LDAP-UX was successfully configured.
NOTE: For more information about the configuration files created or modified by autosetup, see “Samples of LDAP-UX configuration files created or modified by autosetup” (page 410). You can display details about the LDAP-UX Client Services configuration by using the /opt/ldapux/config/display_profile_cache command.
2.4.1 Summary of customized installation and configuration steps
The following are the steps you take when custom installing and configuring an LDAP-UX Client Services environment:
1. Plan your installation (see Section 2.4.2 (page 59)).
2. Install LDAP-UX Client Services on each client system (see Section 2.4.3 (page 65)).
3. Install and configure an LDAP directory, if not already done (see Section 2.4.4 (page 65)).
• Control user access to the system, using any of several methods mentioned in Section 2.5.6 (page 104)
• Configure subsequent client systems (see the shortcuts mentioned in Section 2.5.7 (page 110))
• Download the profile periodically (see Section 2.5.8 (page 111))
• Enable the use of r-commands with PAM_LDAP (see Section 2.5.9 (page 112))
2.4.
If you prefer to merge your name service data into an existing directory structure, you can map the standard RFC 2307 attributes to alternate attributes. For more information, see “LDAP-UX Client Services object classes” (page 406).
• How will you put your user, group, and other data into your directory? LDAP supports group membership defined in the X.500 syntax (using the member or uniquemember attribute), while still supporting the RFC 2307 syntax (using the memberuid attribute).
For information about how to import your information into the directory, see Section 2.5.1 (page 89). For information about the migration scripts, see Section 9.6 (page 383).
CAUTION: If you place a root login (any account with UID number 0) in the LDAP directory, that user and password will be able to log in as root to any client using LDAP-UX Client Services. Keeping the root user in /etc/passwd on each client system enables local management of the root user.
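The earlier note about avoiding UID number and GID number overlap and the CAUTION above come down to one check before migration: compare the UID numbers of the accounts you intend to keep in local /etc/passwd files with the uidNumber values in the directory, and confirm that no directory account carries UID 0. The following Python script is an added example (not part of the product or this guide); the /etc/passwd lines and the LDIF export it reads are constructed sample data, and on a real system you would feed it the client's /etc/passwd and an ldapsearch export of the posixAccount entries.

```python
"""Find UID collisions between local /etc/passwd accounts and directory users.

Added example, not HP code. LOCAL_PASSWD and DIRECTORY_LDIF are constructed;
replace them with the client's /etc/passwd and an LDIF export of the
ou=People subtree (objectclass=posixAccount) to run the check for real.
"""
from collections import defaultdict

# Constructed: accounts a client keeps local (root and an application account).
LOCAL_PASSWD = """\
root:*:0:3::/:/sbin/sh
www:*:30:1::/:/sbin/sh
appsvc:*:1050:20::/home/appsvc:/sbin/sh
"""

# Constructed: a directory export with one UID clash and one UID-0 account.
DIRECTORY_LDIF = """\
dn: uid=jdoe,ou=People,dc=mydomain,dc=example,dc=com
uid: jdoe
uidNumber: 1050
gidNumber: 100

dn: uid=backupadm,ou=People,dc=mydomain,dc=example,dc=com
uid: backupadm
uidNumber: 0
gidNumber: 3

dn: uid=asmith,ou=People,dc=mydomain,dc=example,dc=com
uid: asmith
uidNumber: 2001
gidNumber: 100
"""


def parse_passwd(text):
    """Return {uidNumber: [login, ...]} from passwd(4)-format lines."""
    by_uid = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        by_uid[int(fields[2])].append(fields[0])
    return by_uid


def parse_ldif_users(text):
    """Return one dict per LDIF entry that carries a uidNumber attribute."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return [e for e in entries if "uidNumber" in e]


def find_conflicts(local_by_uid, directory_entries):
    """List (login, uidNumber, reason) for directory accounts that must not exist as-is."""
    findings = []
    for entry in directory_entries:
        uidn = int(entry["uidNumber"])
        if uidn == 0:
            findings.append((entry["uid"], uidn,
                             "UID 0 in the directory: root login on every LDAP-UX client"))
        elif uidn in local_by_uid:
            findings.append((entry["uid"], uidn,
                             "collides with local account(s): " + ",".join(local_by_uid[uidn])))
    return findings


if __name__ == "__main__":
    for login, uidn, reason in find_conflicts(parse_passwd(LOCAL_PASSWD),
                                              parse_ldif_users(DIRECTORY_LDIF)):
        print("%-12s uidNumber=%-6d %s" % (login, uidn, reason))
```

Running the check against every client's /etc/passwd, not just one, matters because application accounts such as www are often created with different UIDs on different hosts.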
the user and group data. Figure 9 shows a configuration profile DN of cn=profile1,ou=profiles,ou=unix,o=hp.com.
Figure 9 Example directory structure
o=hp.com
  ou=unix
    ou=people    (user data)
    ou=groups    (group data)
    ou=profiles  (profile 1)
    ou=hosts     (host data)
Write your configuration profile DN on the worksheet in “Configuration worksheet” (page 403).
• By what method will client systems bind to the directory? Clients can bind to the directory anonymously. This is the default and is simplest to administer.
authenticate to the directory if the user is not in /etc/passwd. If you have a few users in /etc/passwd, in particular the root user, and if the directory is unavailable, you can still log in to the client as a user in /etc/passwd.
• What name services will you use? How will you set up /etc/nsswitch.conf? In what order do you want NSS to try services? NSS is the Name Service Switch, providing naming services for user names, group names, and other information. You can configure NSS to use files, LDAP, or NIS in any order and with different parameters. For an example nsswitch.conf file using files and LDAP, see /etc/nsswitch.ldap.
2.4.3 Installing LDAP-UX Client Services on a client
Use swinstall to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on a client system. For more information about the command, see the swinstall(1M) manpage. In addition, see the LDAP-UX Integration Release Notes for any last-minute changes to this procedure. You do not need to reboot your system after installing the product.
NOTE: Starting with LDAP-UX Client Services B.03.
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version 3.0; acl "Allow self entry modification, except for important POSIX attributes"; allow (write) userdn = "ldap:///self";)
You might have other attributes you need to protect as well. To change an ACI with the Directory Server Console, select the Directory tab, select your directory suffix in the left-hand panel, then select the Object→Set Access Permissions menu item.
You can modify the default ACI and give appropriate access rights to change your own common attributes.
9. Index important attributes for better performance of the directory server. Since many of your directory requests will be for the following attributes, you should index them to improve performance. If you do not index them, your directory might search sequentially, causing a performance bottleneck. As a rule of thumb, databases containing more than 100 entries should be indexed by their key attributes.
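As an added example (not part of the product or this guide), the following Python script reads the aci values from an LDIF export of the suffix and reports, for each ACI that grants write access to ldap:///self, which of the POSIX identity attributes named above a user could still change on their own entry. The two ACIs in SAMPLE_LDIF are constructed: the first is the one shown above, the second a deliberately weak variant that only withholds userPassword. The regular expression covers the ACI shape used in this guide (one targetattr clause, one allow or deny with a userdn or groupdn bind rule); more complex ACIs return no result rather than a wrong one.

```python
"""Audit self-write ACIs so users cannot rewrite their own POSIX identity.

Added example, not HP code. Reads "aci:" values from an LDIF export and
reports which PROTECTED attributes a user can write on their own entry.
"""
import re

# Attributes a self-write ACI must keep out of reach (compared case-insensitively).
PROTECTED = {"uidnumber", "gidnumber", "homedirectory", "uid"}

# Constructed export: the guide's ACI, then a weak variant for contrast.
SAMPLE_LDIF = """\
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version 3.0
 ; acl "Allow self entry modification, except for important POSIX attributes"; all
 ow (write) userdn = "ldap:///self";)
aci: (targetattr != "userPassword")(version 3.0; acl "Weak self write (constructed)"
 ; allow (write) userdn = "ldap:///self";)
"""

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\s*\)'   # targetattr clause
    r'.*?acl\s*"(?P<name>[^"]*)"\s*;'                          # acl name
    r'\s*(?P<verb>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'      # rights list
    r'(?P<bind>userdn|groupdn)\s*=\s*"(?P<who>[^"]*)"',        # bind rule
    re.IGNORECASE | re.DOTALL,
)


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_aci(aci):
    """Extract the parts of one ACI that matter for this audit, or None."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "op": m.group("op"),
        "attrs": {a.strip().lower() for a in m.group("attrs").split("||")},
        "verb": m.group("verb").lower(),
        "rights": {r.strip().lower() for r in m.group("rights").split(",")},
        "bind": m.group("bind").lower(),
        "who": m.group("who").strip(),
    }


def self_writable_protected(aci):
    """Protected attributes this ACI lets a user write on their own entry."""
    p = parse_aci(aci)
    if p is None or p["verb"] != "allow" or p["bind"] != "userdn":
        return set()
    if p["who"].lower() != "ldap:///self" or not (p["rights"] & {"write", "all"}):
        return set()
    if p["op"] == "!=":
        return PROTECTED - p["attrs"]      # everything not excluded is writable
    if "*" in p["attrs"]:
        return set(PROTECTED)
    return PROTECTED & p["attrs"]


def audit_ldif(text):
    """Map each parsable ACI name to the protected attributes it exposes to self."""
    report = {}
    for line in unfold_ldif(text):
        if line.lower().startswith("aci:"):
            p = parse_aci(line)
            if p is not None:
                report[p["name"]] = self_writable_protected(line)
    return report


if __name__ == "__main__":
    for name, exposed in audit_ldif(SAMPLE_LDIF).items():
        verdict = "OK" if not exposed else "EXPOSES " + ",".join(sorted(exposed))
        print("%-72s %s" % (name, verdict))
```

A user who can set their own uidNumber to 0 or their homeDirectory to another user's home gains root or that user's files on every client, which is why the exclusion list in the ACI is the part worth auditing after every schema or ACI change.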
(page 69). For more information about performing a custom configuration, see Section 2.4.5.2 (page 72).
NOTE: The setup program has only been certified with HP-UX Directory Server version 8.1, Red Hat Directory Server 8.0, Windows Server 2003 R2 Active Directory Server, and Windows 2008 Active Directory Server. For more information, see the LDAP-UX Integration B.05.00 Release Notes.
IMPORTANT: Starting with LDAP-UX Client Services B.03.20, the client daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or previous releases, running the client daemon, ldapclientd, is optional.
NOTE: The LDAP printer configurator can support any directory servers that support the LDAP printer schema based on RFC 3712.
NOTE: To use a local-only profile, run the setup program using the -l option. Use the local-only profile for small deployments, testing purposes, and for environments where administrators lack server administrative privileges.
The setup program asks you a series of questions and usually provides default answers. Press Enter to accept the default, or change the value and press Enter. At any point during setup, enter Control-b to back up or Control-c to exit setup.
10. Next, enter either the DN of a new profile, or the DN of an existing profile you want to use, from “Configuration worksheet” (page 403). To display all the profiles in the directory, use a command like the following:
ldapsearch -b o=hp.com objectclass=DUAConfigProfile dn
If you are using an existing profile, setup configures your client, downloads the profile, and exits. In this case, continue with the next step.
11.
16. After entering all the configuration information, setup extends the schema, creates a new profile, and configures the client to use the directory.
17. Configure PAM. Save a copy of the file /etc/pam.conf and edit the original to specify LDAP authentication and other authentication methods you want to use. See /etc/pam.ldap for a sample (see also Section D.1 (page 421)). You could just copy /etc/pam.ldap to /etc/pam.conf. For more information about PAM, see the pam(3) and pam.conf(4) manpages.
• If you choose to use TLS, set the enable_startTLS parameter to 1 in the /etc/opt/ldapux/ldapux_client.conf file to enable TLS. To use SSL, set enable_startTLS to 0 to disable TLS. By default, TLS is disabled.
NOTE: When configuring and setting up LDAP-UX, you will likely be prompted for credentials of an administrator.
Using SASL/DIGEST-MD5 authentication, the password must be stored in clear text in the LDAP directory.
7. Enter the maximum time in seconds the client should wait for directory searches before aborting. Enter 0 for no time limit.
8. Enter whether or not you want directory searches to follow referrals. Referrals are a redirection mechanism supported by the LDAP protocol. See your directory manuals for more information on referrals.
NOTE: If your search filters overlap, enumeration requests will result in duplicate entries being returned. For example, if one search filter searched a subset of your organization and a second search filter searched your entire organization, an enumeration request would return duplicate entries. For more information, see Section 7.12.1 (page 247).
Attribute mappings for automount service
By default, LDAP-UX Client Services uses the RFC 2307-bis automount schema. The nisObject automount schema may also be used if configured with attribute mappings. Use the following steps if you want to remap the automount attributes to the nisObject automount attributes:
1. Enter yes for the following question:
   Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes Enter
2.
   1.automountMapName -> [nisMapname]
   2.automountKey -> [cn]
   3.automountInformation -> [nisMapEntry]
   Specify the attribute you want to map. [0]:
Enter 0 to exit this menu for the following question:
   Specify the attribute you want to map. [0]: 0 Enter
Attribute mappings for dynamic group support
If you are configuring dynamic group support, you must remap the default group member attribute, memberuid, to memberURL (for HP-UX Directory Server or Red Hat Directory Server).
1. Enter yes for the following question:
   Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes Enter
2. Select the group service by entering 3 for the following question:
   Specify the service you want to map? [0]: 3 Enter
3. Next, a screen displays the following information:
   Current Group attribute names:
   1.cn -> [cn]
   2.gidnumber -> [gidnumber]
   3.memberuid -> [memberuid]
   4.userpassword -> [userPassword]
   Specify the attribute you want to map.
server to enable SSL communication over LDAP, see the appropriate administrator guide at the following location:
http://www.hp.com/go/hpux-security-docs
For detailed information about how to enable SSL communication over LDAP for your Windows Active Directory Server, see the Microsoft Knowledge Base Article at:
http://support.microsoft.com/kb/321051
Starting with LDAP-UX Client Services B.04.
Table 7 Comparison of authentication methods (continued)
Authentication method: SASL/GSSAPI (Windows ADS only)
Strengths:
• No clear text password in the network
• Single sign-on support (a user can enter one user name and password to access multiple applications, avoiding further prompts when the user switches between applications during a session)
Weaknesses:
• Clear text or equivalent password must be stored on the KDC
NOTE: If you already have the certificate database files cert8.db and key3.db on your client for your HP-UX applications, you can simply create a symbolic link /etc/opt/ldapux/cert8.db that points to cert8.db, and /etc/opt/ldapux/key3.db that points to key3.db.
4. SSL and TLS protocols support a variety of cryptographic algorithms (known as ciphers) that are used for such operations as authenticating the server and client to each other, transmitting certificates, and establishing session keys.
2.4.6.3.1 Modifying preferredServerList in the LDAP-UX profile
Use the following steps to modify the value of the preferredServerList attribute in the LDAP-UX configuration profile:
1. Perform the following steps to find the name of the LDAP server used on the server certificate. Assuming this certificate has been installed in your local certificate database file, /etc/opt/ldapux/cert8.db:
• Run the following commands to list all server certificates used by LDAP-UX:
cd /etc/opt/ldapux
certutil -d .
1. Retrieve the certificate. The procedure for this varies, depending on several factors. If your organization is using either a certificate management system internal to the organization, or a third-party certificate authority, you will usually use a web browser to download a CA certificate. The certificate is downloaded in one of two forms: ASCII-encoded PEM form, or binary DER form.
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "CA cert" -t "CT,," -i cacert.pem -a
If the certificate is a server certificate, use the "P,," trust flag:
# /opt/ldapux/contrib/bin/certutil -d /etc/opt/ldapux -A -n "server cert" -t "P,," -i servercert.der
NOTE: The required -n parameter gives the certificate a nickname in the certificate database files. The nickname value is arbitrary.
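The two certutil commands above differ in two details that are easy to get wrong: the -a flag is needed only for PEM (ASCII) input, and the trust flags depend on the certificate's role ("CT,," for a CA certificate, "P,," for a server certificate). The following shell helper is an added example, not part of LDAP-UX; it inspects the downloaded file to decide whether -a is required, derives the trust flags from the role, and prints the resulting certutil command (or runs it when DRY_RUN=0). The CERTUTIL and DBDIR defaults are the paths used in this guide; the certificate files used in the usage notes are constructed.

```shell
#!/bin/sh
# Added example (not part of LDAP-UX): build or run the certutil import
# command for a CA or server certificate. Defaults are the paths this guide
# uses; override CERTUTIL / DBDIR in the environment if yours differ.

CERTUTIL=${CERTUTIL:-/opt/ldapux/contrib/bin/certutil}
DBDIR=${DBDIR:-/etc/opt/ldapux}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the command only, 0 = execute it

# cert_encoding FILE -> prints "pem" if the file carries a PEM header,
# otherwise "der" (binary DER has no such marker).
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# cert_trust_flags ROLE -> certutil trust string for the role:
#   ca     -> CT,,  (trusted CA for SSL client and server authentication)
#   server -> P,,   (trusted peer / server certificate)
cert_trust_flags() {
    case $1 in
        ca)     echo 'CT,,' ;;
        server) echo 'P,,' ;;
        *) echo "unknown role: $1 (expected ca or server)" >&2; return 2 ;;
    esac
}

# cert_import_cmd ROLE NICKNAME FILE -> prints the certutil command line,
# adding -a only when the file is PEM encoded.
cert_import_cmd() {
    trust=$(cert_trust_flags "$1") || return $?
    ascii=''
    [ "$(cert_encoding "$3")" = pem ] && ascii=' -a'
    echo "$CERTUTIL -d $DBDIR -A -n \"$2\" -t \"$trust\" -i $3$ascii"
}

# cert_import ROLE NICKNAME FILE -> runs certutil with the same choices
# (requires the real certutil binary and an initialised database directory).
cert_import() {
    if [ "$DRY_RUN" = 1 ]; then
        cert_import_cmd "$@"
        return $?
    fi
    trust=$(cert_trust_flags "$1") || return $?
    if [ "$(cert_encoding "$3")" = pem ]; then
        "$CERTUTIL" -d "$DBDIR" -A -n "$2" -t "$trust" -i "$3" -a
    else
        "$CERTUTIL" -d "$DBDIR" -A -n "$2" -t "$trust" -i "$3"
    fi
}
```

Usage: `cert_import ca "CA cert" cacert.pem` prints the command with -a and "CT,,"; `cert_import server "server cert" servercert.der` prints it without -a and with "P,,". After importing, list the database with `certutil -d /etc/opt/ldapux -L` (as in the steps above) to confirm the nickname and trust flags were recorded as intended.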
2.4.7 Configuring LDAP-UX Client Services with NIS publickey support
LDAP-UX Client Services supports discovery and management of NIS publickeys in an LDAP directory. Both public and secret keys used by the Secure RPC API can be stored in user and host entries in an LDAP directory server, using the nisKeyObject object class. Support for discovery of keys in an LDAP directory server is provided through the getpublickey() and getsecretkey() APIs.
a previous version, and now update the product to version B.04.00 or later, you must rerun the setup program to extend the publickey schema into your LDAP directory. You do not need to rerun the setup program for the subsequent client systems. For detailed information on how to run the setup program to extend the publickey schema into an LDAP directory, see Section 2.4.5.1 (page 69). 2.4.7.
aci: (targetattr="objectclass||nispublickey||nissecretkey")(version 3.0; acl "Allow keyadmin to change key pairs"; allow (read,write,compare) userdn="ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com";)
2.4.7.4.2 Setting ACI for a user
With the HP-UX Directory Server, you must set up an ACI that gives a user permission to change his own nissecretkey and nispublickey attributes. To set up the ACI for a user, use the Directory Server Console or ldapmodify.
2.4.7.5.2 Procedures used for configuring the serviceAuthenticationMethod attribute
Use the following steps on one of the LDAP-UX client systems to configure the serviceAuthenticationMethod attribute in the /etc/opt/ldapux/ldapux_profile.ldif file:
1. Log in as root.
2. Use the ldapentry tool to modify the profile entry in the LDAP directory server to include serviceAuthenticationMethod. To do this, ldapentry requires the profile DN.
5. Run the /opt/ldapux/config/display_profile_cache tool to examine the configuration of the serviceAuthenticationMethod attribute:
This only works if you are starting with an empty directory or creating an entirely new subtree in your directory for your data. If you are not using NIS, the migration scripts can take your user, group, and other data from files, generate LDIF, and import the LDIF into your directory. • If you integrate the name service data into your directory, the migration scripts might be helpful depending on where you put the data in your directory.
brewer (): ldapugmod -P -t group -g 1999 DomainAdmins
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
ntc9-212 (src/tools): ldapuglist -t group -n DomainAdmins
dn: cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com
cn: Domain Administrators
cn: DomainAdmins
gidNumber: 1999
memberUid: domadmin
For more information about using the ldapuglist and ldapugmod tools to list and modify users and groups, see Section 7.7 (page 218).
2.5.1.
pwget -n username
nsquery hosts host_to_find
grget -n groupname
ls -l
NOTE: While you can use the following commands to verify your configuration, these commands enumerate the entire passwd or group database, which might reduce network and directory server performance for large databases:
pwget (with no options)
grget (with no options)
listusers
logins
3.
• Log in to the directory as a user who is a member of a -@netgroup to be sure that the system will not authorize you to log in.
If the PAM_AUTHZ module is configured with the pam_authz.policy file, verify the following:
7. Log in to the client system with a user name that is covered by an allow access rule in the policy file. Make sure the user is allowed to log in.
8. Log in as a user that is covered by a deny access rule in the policy file. Make sure the user cannot log in to the client system.
c. Verify:
# grget -n xgroup1
xgroup1:*:999: xuser2
If xuser2 shows up as a member of xgroup1, then your setup is correct.
10. The following applies to Windows ADS environments only: If you have configured a multi-domain setup and you want to verify it, execute the following two steps. Otherwise, proceed to Section 3.5.5 (page 157). The following steps will verify that LDAP-UX is able to retrieve data from multiple ADS domains:
DESC 'Automount information' SUP top STRUCTURAL MUST ( automountKey $ automountInformation ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
dn: nisMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: nisMap
nisMapName: auto_direct

dn: cn=/mnt_direct/test1,nisMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: nisObject
nisMapName: auto_direct
cn: /mnt_direct/test1
nisMapEntry: hostA:/tmp

dn: cn=/mnt_direct/test2,nisMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: nisObject
nisMapName: auto_direct
cn: /mnt_direct/test2
nisMapEntry: hostB:/tmp
nisObject limitations
The nisObject automount schema contains three attri
information about configuring the nisObject search filter for the automount service to search a different location in the LDAP directory server, see Section 2.4.5.2 (page 72). If you want to perform attribute mappings or search filter changes by using the Custom Configuration, ensure that you do not accept the remaining default configuration parameters in step 4 of the Custom Configuration.
2.5.3.5.1 Environment variables
When you use the AutoFS migration scripts to migrate AutoFS maps, set the following environment variables:
LDAP_BASEDN   The base distinguished name of the LDAP directory that the AutoFS maps are to be placed in.
DOM_ENV   This only applies to the migrate_nisp_autofs.pl script. This variable defines the fully qualified name of the NIS+ domain that you want to migrate your data from. As of LDAP-UX Client Services B.05.01, NIS+ is no longer supported.
objectClass: automountMap
automountMapName: auto_direct

dn: automountKey=/mnt_direct/lab1,automountMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: automount
automountInformation: hostA:/tmp
automountKey: /mnt_direct/lab1

dn: automountKey=/mnt_direct/lab2,automountMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: automount
automountInformation: hostB:/tmp
automountKey: /mnt_direct/lab2
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF file /tmp/auto_direct.
automountInformation: hostA:/tmp
automountKey: lab1

dn: automountKey=lab2,automountMapName=auto_indirect,dc=nisserv1
objectClass: top
objectClass: automount
automountInformation: hostB:/tmp
automountKey: lab2
You can use the /opt/ldapux/bin/ldapmodify tool to import into the LDAP directory the LDIF file /tmp/auto_indirect.ldif that you just created. For example, the following command imports the /tmp/auto_indirect.
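The direct-map (auto_direct) and indirect-map (auto_indirect) LDIF above follow the same pattern: one container entry of object class automountMap, then one automount entry per map line whose RDN is the automountKey. The following shell script is an added example, not code from the LDAP-UX product or its migration scripts; it generates that RFC 2307-bis LDIF from a traditional automount map file, so an administrator can review the entries (keys, options, DNs) before importing them with ldapmodify. The map name, base DN (dc=nishpind, as in the guide's own examples) and map lines are constructed sample input.

```shell
#!/bin/sh
# Added example (not part of LDAP-UX or its migration scripts): convert a
# traditional automount map into RFC 2307-bis LDIF, i.e. one automountMap
# container entry plus one automount entry per map line.
#
# Usage: automount_to_ldif MAPNAME BASEDN < mapfile > map.ldif

automount_to_ldif() {
    map=$1
    base=$2
    # Container entry for the map itself
    printf 'dn: automountMapName=%s,%s\n' "$map" "$base"
    printf 'objectClass: top\n'
    printf 'objectClass: automountMap\n'
    printf 'automountMapName: %s\n\n' "$map"
    # One entry per map line: the first field is the key (an absolute mount
    # point in a direct map, a relative name in an indirect map); everything
    # after it, mount options included, becomes automountInformation.
    while read -r key info; do
        case $key in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        printf 'dn: automountKey=%s,automountMapName=%s,%s\n' "$key" "$map" "$base"
        printf 'objectClass: top\n'
        printf 'objectClass: automount\n'
        printf 'automountKey: %s\n' "$key"
        printf 'automountInformation: %s\n\n' "$info"
    done
}

# Constructed sample direct map (same hosts and paths as the guide's example,
# plus one entry with a mount option to show that options are carried over).
sample_direct_map() {
    printf '%s\n' \
        '# direct map (constructed sample)' \
        '/mnt_direct/test1 hostA:/tmp' \
        '/mnt_direct/test2 -ro hostB:/tmp'
}

# Produce the LDIF for the sample map. Save the output to a file and import
# it with /opt/ldapux/bin/ldapmodify -a -f FILE as described in this section.
demo_direct_ldif() {
    sample_direct_map | automount_to_ldif auto_direct dc=nishpind
}
```

For an indirect map, call `automount_to_ldif auto_indirect dc=nisserv1 < /etc/auto_indirect`; the keys are then relative names (lab1, lab2) rather than mount points, exactly as in the auto_indirect LDIF above.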
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=Directory Manager" -w -f nisp_automap.ldif
2.5.4 Enabling offline longterm credential caching for authentication when the directory server is unavailable
Supported for HP directory server environments only.
If contact with the directory server is lost because of a network problem or server crash, LDAP users cannot log in to the system. This might have a negative impact on the OS and its applications, especially for mission-critical applications.
• How much memory to allocate for the offline cache (if you have numerous groups containing a large number of members, HP recommends that the amount of offline cache memory allocated be twice the combined size of the groups)
2.5.4.2 Configuring the offline cache
The following shows the section in /etc/opt/ldapux/ldapclientd.conf that includes the offline credential cache variables that you can configure.
[longterm_cache]
#enable=no
#
# How long before data is considered stale and not usable.
+@webadmin::::::
...
While this feature was typically used to control which groups of users could log in to a particular host, it also could be used to obscure or override fields of a user’s passwd entry. For example, an administrator could force a particular group of users to use a specific login shell by inserting the desired path to the desired login shell in the 7th field of the entry (the login shell is positionally defined as the 7th field in each entry in the /etc/passwd file):
...
...
passwd: compat
passwd_compat: files ldap
...
with:
...
passwd: files ldap
...
2. Configure internal Compat Mode processing inside ldapclientd:
a. /etc/opt/ldapux/ldapclientd.conf
Search for "flush_compat_info_time". This indicates how often ldapclientd will refresh its cached copy of the netgroup structures defined in the /etc/passwd file.
• Disabling logins to the local system from specified LDAP users by configuring the disable_uid_range flag in the local client's startup file (/etc/opt/ldapux/ldapux_client.conf), as described in Section 2.5.6.1 (page 105)
• Preventing unwarranted access to the local system by users defined in the LDAP directory server that have equivalent user names or user identification numbers (UIDs) in the local system /etc/passwd file, as described in Section 2.5.6.
server administrator could create a user named “root” and then log in to the local system based on the password associated with user “root” on the directory server. To disable system access for local user accounts that are also defined in the LDAP directory server, configure the deny_local option in the PAM configuration file /etc/pam.conf, entering a line for each service, in the following format:
service module_type required libpam_ldap.so.
# PAM engine (libpam) with "hpux64" for IA 64-bit modules, or with "hpux32"
# for IA 32-bit modules, or with "pa20_64" for PA 64-bit modules, or with
# NULL for PA 32-bit modules.
#
# For PA applications, library name ending with "so.1" is a symbolic link
# that points to the corresponding PA (32 or 64-bit) backend library.
#
# see pam.conf(4) for more details
#
# Authentication management
#
login auth required   libpam_hpsec.so.1
login auth sufficient libpam_unix.so.1
login auth required   libpam_ldap.so.
2.5.6.3 Configuring PAM_LDAP authentication to ignore specific users
Supported for HP directory server environments only.
When PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a typical configuration in the Trusted Mode Environment), then if you lose access to your directory server, you might have difficulty accessing the system again unless you are included in a set of so-called “recovery users” configured in the /etc/pam_user.conf file. LDAP-UX 5.
# bit) backend library.
#
################################################################
root auth     libpam_ldap.so.1 ignore
root account  libpam_ldap.so.1 ignore
root session  libpam_ldap.so.1 ignore
root password libpam_ldap.so.1 ignore
For more information, see the pam_user.conf(4) manpage. For more information about HP-UX user authentication and PAM, see the HP-UX System Administrator's Guide: Security Management, available at the following location: www.hp.
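A recovery user is only useful if PAM_LDAP ignores it for every module type; an entry missing for, say, session would still leave that user unable to complete a login while the directory is unreachable. The following shell function is an added example, not part of LDAP-UX; it reads a pam_user.conf file and reports which of auth, account, session and password lack an "ignore" entry for a given user, so an administrator can confirm a recovery account is fully covered before relying on it. The sample file it writes is constructed.

```shell
#!/bin/sh
# Added example (not part of LDAP-UX): check that a recovery user has a
# "<user> <type> libpam_ldap.so.1 ignore" line in pam_user.conf for all
# four PAM module types.
#
# Usage: check_recovery_user /etc/pam_user.conf root
# Returns 0 when every module type is covered, 1 otherwise; missing
# entries are reported on stderr.

check_recovery_user() {
    conf=$1
    user=$2
    rc=0
    for type in auth account session password; do
        # Fields are whitespace separated; comment lines start with '#'.
        if ! awk -v u="$user" -v t="$type" '
            /^[ \t]*#/ { next }
            $1 == u && $2 == t && $3 ~ /^libpam_ldap\.so/ && $4 == "ignore" { found = 1 }
            END { exit found ? 0 : 1 }' "$conf"; then
            echo "missing in $conf: $user $type libpam_ldap.so.1 ignore" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample pam_user.conf: root is fully covered, "ops" lacks the
# session entry and should therefore be reported as incomplete.
write_sample_conf() {
    cat > "$1" <<'EOF'
# pam_user.conf sample (constructed)
root  auth      libpam_ldap.so.1  ignore
root  account   libpam_ldap.so.1  ignore
root  session   libpam_ldap.so.1  ignore
root  password  libpam_ldap.so.1  ignore
ops   auth      libpam_ldap.so.1  ignore
ops   account   libpam_ldap.so.1  ignore
ops   password  libpam_ldap.so.1  ignore
EOF
}
```

Run it against the real file with `check_recovery_user /etc/pam_user.conf root` on each client after editing pam_user.conf; a non-zero exit with the printed line tells you exactly which entry to add.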
# Authentication management
#
login auth required   libpam_hpsec.so.1
login auth required   libpam_updbe.so.1
login auth sufficient libpam_ldap.so.1
login auth required   libpam_unix.so.
# Account management
#
login account required
login account required
login account sufficient
login account required
# Session management
#
login session required
login session required
login session required
login session required
# Password management
#
login password required
login password required
login password sufficient
login password required
• /etc/pam.conf
• /etc/nsswitch.conf
• /etc/opt/ldapux/acred, if the /etc/opt/ldapux/acred file exists
• cert8.db and key3.db files, if SSL is enabled
Set all file access mode permissions to be the same as those of the first client being configured.
3. Enable the LDAP-UX configuration profile as follows:
cd /opt/ldapux/config
.
fi
rm -f /etc/opt/ldapux/ldapux_profile.sav
rm -f /tmp/profile.upd$$
3. Use the crontab command to create a crontab file (or edit your existing crontab file) and specify how frequently you want the profile to be downloaded.
OTHER account sufficient libpam_unix.so.1
OTHER account required   libpam_ldap.so.1
CAUTION: Setting the user password to be returned as any string for the hidden password, and turning on the rcommand option for PAM_LDAP account management, could allow users with active accounts on a remote host to rlogin to the local host onto a disabled account. If you have security concerns, see Section 7.4.10 (page 210) in chapter 5 and Section D.
3 Installing and configuring LDAP-UX Client Services for a Windows ADS environment This chapter describes the decisions you must make and the steps for installing and configuring LDAP-UX Client Services in a Windows ADS environment. 3.
and creation of a host principal used for proxied authentication. You can customize the software afterward. Both of these programs are available in /opt/ldapux/config. The guided installation (autosetup) is most advantageous if:
• You prefer simplicity, ease, and quickness of installation.
• You prefer an installation that enables immediate use of LDAP-UX, with minimal input required.
NOTE: SSL/TLS protocols support a variety of cryptographic algorithms (ciphers) used for authentication between server and client, certificate transmission, and session key establishment. If a cipher is found to be flawed and subject to attack, the administrators of HP-UX and of the directory server must be made aware of that vulnerability. Ciphers can be disabled in the directory server. For information about SSL/TLS ciphers and which ones are supported by LDAP-UX, see Section 2.4.6.
NOTE: You can install LDAP-UX into an existing LDAP B.04.xx environment; however, the hosts search descriptor serviceSearchDescriptor in the LDAP-UX configuration profile will likely define an incorrect location for host entries (it should be cn=Computers). Host tools expect the correct location for host entries to be defined in the configuration profile. If the location is incorrect, the ldaphostmgr tool will add hosts to an incorrect location in the directory tree. The guided installation (with LDAP-UX B.
8. 9. 10. 11. 12. 13. Creates the startup file (/etc/opt/ldapux/ldapux_client.conf) on the LDAP-UX client system, enabled for TLS support (enable_startTLS is set to 1). Creates a new computer account or host entry in the directory server that represents the current HP-UX host. If a host entry already exists with the same name, an autosetup prompt asks if the existing entry should be deleted and replaced.
autosetup [option1 option1-value [option2 option2-value] ...]
The options are described in Section 3.3.2.1 (page 119). For examples and detailed information about how to perform the guided installation and how autosetup configures the LDAP-UX environment, see the following sections:
• Section 3.3.3 (page 122)
• Section 3.3.4 (page 124)
NOTE: When configuring and setting up LDAP-UX, you will likely be prompted for credentials of an administrator.
thus, it enables you to perform the guided installation in silent mode. -N profile_name Specifies the configuration profile name that autosetup will download from the directory server, if the profile exists. If the specified profile entry does not exist in the directory server, autosetup creates it. The default profile name is ldapuxprofile. The autosetup program uses this default profile name only if you do not use this option.
already has been configured with LDAP-UX, this can be the DN of any user with sufficient privilege to add a new computer account, and set a password on that account. An example of a DN for this variable is CN=Administrator,CN=Users,DC=ldaptest,DC=west,DC=com Equivalent to using the -D option in the command line. LDAP_BINDCRED Sets the password for the user defined by LDAP_BINDDN.
Example 12 autosetup: silent mode
# autosetup -q
This command invokes silent mode. It can be used in any scenario in which user intervention is not required. It assumes required parameters have been specified in environment variables.
3.3.3 Guided installation steps: First Installation into a Windows Domain mode
This section explains how to install LDAP-UX for the first time into an existing Windows domain, to create a new LDAP-UX configuration profile. Section 3.3.3.
Scanning DNS domain "nwest.acme.com" for any registered LDAP directory servers...
- No directory servers found.
Please enter the host name and port number of a directory server [hostname:port], or a Windows domain name: hpdhcalif.nwest.acme.com:389 Enter
NOTE: Unless you have already installed a CA or server certificate for the directory server, autosetup has no means of validating the identity of Kerberos and the directory server.
The Kerberos configuration file /etc/krb5.conf has been modified.
Configured "hpdhcalif.nwest.acme.com" as LDAP-UX proxy.
* Editing the name-service switch configuration ... done.
* Editing "/etc/pam.conf" ... done.
Your LDAP-UX client has been successfully configured and is now a member of the "nwest.acme.com" domain.
3.3.3.
NOTE: If you attempt to run autosetup on a host on which LDAP-UX (ldapclientd) is already running, the procedure aborts. If the LDAP-UX is installed on the host but not running, the procedure proceeds. However, if a previous LDAP-UX configuration profile is found on the system, the procedure warns you that proceeding will overwrite the file and asks if you want to proceed. You may proceed if your intention is to reconfigure LDAP-UX on the host.
NOTE: Unless you install a CA or server certificate for the directory server before running autosetup, autosetup has no means of validating the identity of Kerberos and the directory server. The tool can download and permanently install the CA certificate for the specified Windows domain; however, to avoid connecting to an impostor host, you should validate and install the CA certificate for this domain yourself. To determine how to discover and install the domain’s CA certificate, see Section 2.4.6.
3.3.4.2 Automating Existing Windows LDAP-UX Configuration mode
You can run autosetup in silent mode and specify any required values for parameters in the command line or with environment variables. You must already have established trust with the remote directory server by installing the CA certificate before running autosetup.
1. Plan your installation (see Section 3.4.3 (page 129)).
2. Install LDAP-UX Client Services on each client system (see Section 3.4.4 (page 134)).
3. Install and configure the Active Directory, if not already done (see Section 3.4.5 (page 135)).
4. Install the PAM Kerberos product (see Section 3.4.6.1 (page 139)).
5. Run the setup program to configure LDAP-UX Client Services on a client system (see Section 3.4.6.2 (page 139)).
Table 12 Kerberos-related tasks to perform (continued)
Task: Configure your HP-UX machine to authenticate using PAM Kerberos
   Section of this manual: Section 3.4.6.3 (page 149)
Task: Create the keytab file for the HP-UX machine and set up an identity mapping the host account
   Section of this manual: Section 3.4.5.4 (page 137)
Task: If not already done, perform any tasks recommended
   Section of this manual: Section 3.4.6.
• How many directory databases are needed? Each client system binds to an Active Directory Server containing your supported name service data (such as user and group data). On Active Directory networks, each domain controller contains a copy of the Active Directory database. The specific number of domain controllers necessary in your network depends on the network size and configuration. A minimum of two Active Directory domain controllers are recommended for each domain.
For information about importing information into the directory, refer to Section 3.5.1 (page 151). For information on migration scripts, see Section 9.6 (page 383). CAUTION: If you place a root login (any account with UID number 0) in the directory server, that user and password will be able to log in as root to any client using LDAP-UX Client Services. Keeping the root user in /etc/passwd on each client system enables local management of the root user.
Figure 10 Example directory structure for a single domain
[Figure: the domain root DC=cup,DC=hp,DC=com contains CN=System (profile data) and CN=Users (user data, group data).]
Figure 11 Example directory structure for multiple domains
[Figure: the root domain DC=cup,DC=hp,DC=com and each child domain DC=<child>,DC=cup,DC=hp,DC=com contain CN=System (profile data) and CN=Users (user data, group data).]
NOTE: By default, the CN=system, DC=cup, DC=hp, DC=com
• Do you want to use SSL or TLS for secure communication between LDAP clients and the Windows 2003 R2 or 2008 Active Directory Server? The LDAP-UX Client Services supports SSL or TLS with password as the credential, using either simple or SASL/GSSAPI authentication (SASL/GSSAPI is available for the Windows 2003 R2 or 2008 Active Directory Server only) to ensure confidentiality and data integrity between the clients and servers.
file using files and LDAP. For more information, see the nsswitch.conf(4) manpage and "Configuring the Name Service Switch" in NFS Services Administrator's Guide at: http://www.hp.com/go/hpux-core-docs (Click HP-UX 11i v3). It is recommended you use files first, followed by LDAP for passwd, group and other supported name services. With this configuration, NSS will first search files, then the directory if the user or group is not in the respective files. /etc/nsswitch.
NOTE: For LDAP-UX Client Services B.03.20 or later versions, a system reboot is not required after installing the product.
2. Install the required patches. For patch information, refer to /opt/ldapux/README-LdapUxClient (available after the NativeLdapClient subproduct is installed).
NOTE: For information about required patches, see the LDAP-UX Integration Release Notes at: http://www.hp.com/go/hpux-security-docs (Click HP-UX LDAP-UX Integration Software.)
3.4.
3.4.5.2 Step 2: Create a proxy user
The use of a proxy user is mandatory for Active Directory, as anonymous binding does not grant enough access rights to retrieve user, group, or any other name service data. Use the Windows 2003 R2 or 2008 management tool, Active Directory Users and Computers, to add a proxy user as a member of the "Domain Users" group. The proxy user is used by the LDAP-UX clients to bind to the ADS for access to the name service data on the ADS.
10. A screen displays that confirms your configuration. Click finish if everything is correct; otherwise, click Back to modify your responses. 11.
For more information about ktpass parameters, standard encoding types, and the defaults, see the appropriate Microsoft documentation, including Microsoft Knowledge Base (KB) articles such as the following:
Table 13
KB and topic: KB833708: Encoding types (crypto); Windows KDC does not allow clients to specify an etype
   Windows version: Windows 2003
   Location: http://support.microsoft.com/kb/833708
KB and topic: KB919557: Bad versions of ktpass; pre-authentication errors
   Windows version: Windows 2003
   Location: http://support.microsoft.
NOTE: The setup program has only been certified with HP-UX Directory Server version 8.1, Red Hat Directory Server 8.0, Windows Server 2003 R2 Active Directory Server, and Windows 2008 Active Directory Server. For more information, see the LDAP-UX Integration B.05.00 Release Notes. 3.4.6.1 Step 1: Install the PAM Kerberos product LDAP-UX Client Services with Active Directory uses the Kerberos Authentication method. If not already available on your system, you must install and configure PAM Kerberos.
NOTE: When configuring and setting up LDAP-UX, you will likely be prompted for credentials of an administrator. If you are asked to enter the credentials (password) of a user, make sure that the connection between your client and the HP-UX system (where you are running setup) are secured and not subject to network eavesdropping. One option to protect such communication might be to use the ssh protocol when connecting to the HP-UX host being configured.
is shared with subsequently-configured client systems). For a detailed description of object classes, see “LDAP-UX Client Services object classes” (page 406). If the schema has already been extended, setup skips this step. Otherwise, to extend the schema, enter the DN and password of a directory user who can extend the directory schema (see “Configuration worksheet” (page 403)).
12. Next, it will prompt you to select the authentication method for users to bind/authenticate to the server. You must select the authentication method from one of the following prompts, based on your selection in step 11:
• If you chose not to enable TLS, you have a choice between SIMPLE (the default) and SASL/GSSAPI. If you chose to enable TLS, you have a choice between SIMPLE with TLS (the default) and SASL/GSSAPI with TLS. Skip to step 13.
19. For Active Directory, you must set access to the directory by proxy user because anonymous binding does not grant enough access rights to an Active Directory. Enter the DN and password of your proxy user from “Configuration worksheet” (page 403).
20. Enter the maximum time in seconds the client should wait for binding to the directory before aborting ("bind time"). Enter 0 for no time limit.
CAUTION: The default client binding time is 5 seconds.
NOTE: The default search base DN for all requests will be set to the previously specified default search base DN (specified in step 14), usually the domain root. For very large databases, search performance can be greatly increased by specifying custom search descriptors. For example, to search user and group information, set the search base DN for the user and group services to CN=Users, DC=cup, DC=hp, DC=com.
25. Enter yes to the question “Are you ready to create the Profile Entry?”, then press any key to continue. 26. At this point, you will choose whether to configure Multiple Domains.
3.4.6.2.1 Remapping attributes for services This section describes detailed procedures on how to perform attribute mappings for GECOS, LDAP printer configurator, dynamic group, and X.500 group membership services. Attribute mappings for GECOS In a UNIX environment, the GECOS field of a user's password entry typically contains the user's full name, telephone number, and building location. The RFC 2307 schema defines the gecos attribute to contain these values.
Attribute mappings for LDAP printer configurator support The default printer attributes, printer-name and printer-uri, are not defined in the Windows Active Directory Server. You must define the alternate printer attributes and map them to printer-name and printer-uri respectively. You must execute the following procedures to remap the default printer attributes to alternate printer attributes.
1. Enter yes for the following question, then press Enter:
Do you want to remap any of the standard RFC 2307 attributes? [yes]: yes
2. Select the group service by entering 3 for the following question:
Specify the service you want to map? [0]: 3
3. Next, a screen displays the following information:
Current Group attribute names:
1. cn -> [cn]
2. gidnumber -> [gidnumber]
3. memberuid -> [memberuid]
4. userpassword -> [userPassword]
Specify the attribute you want to map.
NOTE: LDAP-UX supports DN-based (X.500 style) membership syntax. This means that you do not need to use the memberUid attributes to define the members of a POSIX group. Instead, you may use either the member or uniqueMember attribute. LDAP-UX can convert from the DN syntax to the POSIX syntax (an account name). For ADS, the typical member attribute would be either memberUid or preferably the member attribute. 5. Follow the prompts to finish the setup. 3.4.6.
krb5_prop 754/tcp
kerberos-adm 464/udp
kerberos-cpw 464/tcp
4. Add a host key to the /etc/krb5.keytab file. The keytab file is the one created in the previous section on Windows 2003 R2 or 2008 using ktpass. Securely transfer that keytab file to your HP-UX machine and name it krb5.keytab in the /etc directory. If you already have an existing /etc/krb5.keytab file, merge the new keytab file with the existing one.
3.4.6.6 Step 6: Configure the disable login flag
Optionally, configure the disable login flag (disable_uid_range). The default is to allow all users stored in the directory to log in. To prevent specific users from logging in to a local system, configure the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file, as described in Section 3.5.4.1 (page 157).
3.4.
add the unixAccount attributes to your existing entries under CN=Users and add their HP-UX information there. • Ensure that the user and group numbers to be imported or migrated do not collide with those already on the HP-UX host (see Section 3.5.1.1 (page 152)). 3.5.1.
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'AutomountMap' SUP top STRUCTURAL MUST ( automountMapName $ cn ) MAY description X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount' SUP top STRUCTURAL MUST ( automountKey $ automountInformation $ cn ) MAY description X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automountMapName' EQUALITY caseExactIA5Match SYNTAX 2.5.5.
You can save a copy of /etc/nsswitch.conf file and modify the original to add LDAP support to the automount service. See /etc/nsswitch.ldap for a sample. The following shows the sample file, /etc/nsswitch.ldap. NOTE: Windows ADS implementations ignore the netgroup and publickey service declarations in this file.
Examples
The following command sets the base DN to "dc=example, dc=hp, dc=com":
export LDAP_BASEDN="dc=example, dc=hp, dc=com"
The following command sets the fully qualified name of the NIS domain to "example.hp.com":
export NIS_DOMAINNAME="example.hp.com"
3.5.3.4.2 General syntax for migration scripts
The migration scripts use the following general syntax:
scriptname inputfile outfile
where
scriptname Is the name of the particular script you are using.
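The following script is an added example, not one of the migration scripts shipped with LDAP-UX. It shows what a script with the "scriptname inputfile outfile" shape does for an automount map: it reads the base DN from LDAP_BASEDN and writes LDIF entries using the automountMap and automount object classes from the schema extension above. The sample map lines embedded in it are constructed; the map name is taken from the input file name, and map keys are escaped per RFC 4514 so a key containing a comma cannot break the entry's DN.

```python
"""Added example (not part of the LDAP-UX product): convert an automount map
file into LDIF entries that use the automountMap / automount object classes.
It follows the migration scripts' 'scriptname inputfile outfile' shape and,
like them, reads the base DN from the LDAP_BASEDN environment variable."""
import os
import sys

# Characters that must be backslash-escaped in a DN attribute value (RFC 4514).
_DN_SPECIALS = ',+"\\<>;'

# Constructed sample direct map, as lines of an /etc/auto_direct style file.
SAMPLE_MAP = [
    "# constructed direct map",
    "/data  fs1.example.hp.com:/export/data",
    "",
    "/tools -ro fs1.example.hp.com:/export/tools",
]


def dn_escape(value):
    """Escape an RDN value so a map key such as 'a,b' cannot break the DN."""
    return "".join("\\" + c if c in _DN_SPECIALS else c for c in value)


def automount_map_to_ldif(map_name, lines, base_dn):
    """Return LDIF text for one automountMap container plus one automount
    entry per map line of the form: key [mount-options] location."""
    map_dn = "automountMapName=%s,%s" % (dn_escape(map_name), base_dn)
    out = [
        "dn: " + map_dn,
        "objectClass: top",
        "objectClass: automountMap",
        "automountMapName: " + map_name,
        "cn: " + map_name,
        "",
    ]
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no map entry
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("map line has no location: %r" % line)
        # Mount options, if any, stay inside automountInformation together with the location.
        key, info = parts[0], " ".join(parts[1:])
        out += [
            "dn: automountKey=%s,%s" % (dn_escape(key), map_dn),
            "objectClass: top",
            "objectClass: automount",
            "automountKey: " + key,
            "automountInformation: " + info,
            "cn: " + key,
            "",
        ]
    return "\n".join(out)


def main(argv):
    """Command line entry point: scriptname inputfile outfile."""
    if len(argv) != 3:
        sys.stderr.write("usage: %s inputfile outfile\n" % argv[0])
        return 2
    base_dn = os.environ.get("LDAP_BASEDN")
    if not base_dn:
        sys.stderr.write("LDAP_BASEDN is not set\n")
        return 2
    map_name = os.path.basename(argv[1])  # e.g. auto_direct
    with open(argv[1]) as src:
        ldif = automount_map_to_ldif(map_name, src, base_dn)
    with open(argv[2], "w") as dst:
        dst.write(ldif + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The resulting file can be imported with ldapmodify -a as shown for /tmp/auto_direct.ldif below; entries for the map container come first so that the automount entries beneath it have a parent when they are added.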
You can use the /opt/ldapux/bin/ldapmodify tool to import into the directory server the LDIF file /tmp/auto_direct.ldif that you just created. For example, the following command imports the /tmp/auto_direct.ldif file to the LDAP base DN "dc=nishpind" in the directory server LDAPSERV1:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=administrator, cn=users, dc=nishpind" \
-w -f /tmp/auto_direct.
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D "cn=administrator, cn=users, dc=nishpind" \
-w -f /tmp/auto_indirect.ldif
3.5.4 Controlling user access to the system through LDAP
By default, all users stored in the directory server are allowed to log in to the local HP-UX client system.
3.5.6 Downloading the profile periodically
Using the setup program, you can define a time interval after which the current profiles are automatically refreshed. The start time for this periodic refresh is determined by the time the setup program completes and the value defined for ProfileTTL. Therefore, setup does not allow you to define a specific time of day when the profiles should be downloaded (refreshed). (For more detailed information, refer to the ldapclientd(1m) manpage.)
4 Windows Active Directory multiple domains
This chapter contains information specific to multiple domains in a Windows ADS environment. If you do not store user and group information in multiple domains in such an environment, you may skip this chapter.
4.1 Domain term definitions
The following section defines common multiple domain terms.
4.1.1 Multiple domains
Supported multiple domains refer to domains in an ADS forest. Domains from different forests are not supported.
4.1.
You also need a configuration profile that specifies which server (and port) serves as the GCS. The GCS profile is stored locally in /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.gc.
• Both Remote Domain Configuration and GCS
If you are sure that you need some specific remote domains, but don't want to exclude other domains, you may configure both, specifying remote domains and configuring usage of the GCS. When both are configured, LDAP-UX searches in this sequence:
1. 2. 3. 4.
NOTE: By default, the cn=system,DC=myorg,DC=mycom,DC=com configuration container only exists in the root domain. To create the standard profile path for LDAP-UX, manually create it in each domain using ADSI Edit before running the setup tool to configure profiles.
4.4 Understanding the ldapux_client.conf configuration file
When you set up LDAP-UX, the /etc/opt/ldapux/ldapux_client.conf file is automatically created to specify where the directory is located, the profile data path, and the logging configuration.
file will have the “local” section immediately followed by the “gc” section. Any remote domain sections in the file after the "gc" section are remote domains in the forest you configure. They are only used by LDAP-UX to download profiles from the server, and will be ignored by LDAP-UX for the multiple domain search scope. 4.5 Resolving duplicate entries In the Windows 2003 R2 or 2008 environment, a user account can exist in multiple domains.
4.6 Changing multiple domain configurations
The following sections explain how to modify your multiple domain configuration.
4.6.1 Removing a remote domain from the search scope
If you originally configured several remote domains without configuring the GCS, and you want to exclude a domain from the search scope, perform one of the following options:
• Run the setup tool, /opt/ldapux/config/setup, to reconfigure multiple domains and exclude the one you want to remove.
uidNumber   Used by getpwuid()
gidNumber   Used by getgrgid()
To add these attributes to the global catalog:
1. On your Windows 2003 R2 or 2008 GCS, click Start, then Run. In the open dialog box, enter regsvr32 schmmgmt.dll. This makes the Active Directory Schema option available in the snap-in dialog box; you will select this option in a subsequent step.
2. Click Start, then Run. In the open dialog box, enter mmc, then click OK. This enables access to the Group Policy Microsoft Management Console.
3.
5 LDAP printer configurator support This chapter contains information describing how LDAP-UX supports the printer configurator, how to set up the printer schema, and how to configure the printer configurator to control its behaviors. 5.1 Overview Management of network printing is complex, and printers themselves are more complicated. Instead of having printer configuration and information scattered over client systems and printer servers, they can be stored and managed from a single repository.
When ldapclientd is initialized, it enables the printer configurator services at the same time. Once the printer configurator is up, it periodically searches for any existing printer entries in the LDAP directory server based on predefined search filters. If there are any printer entries in the LDAP directory server, the printer configurator extracts the LP printer configuration from each printer entry.
NOTE: The system administrator manually adds or removes printers to the HP-UX system. The LDAP Printer Configurator will only add or remove printers that it has discovered in the LDAP directory according to the search filter defined for the printer.
Figure 12 Printer configurator architecture with an HP directory server (diagram: a Directory Server holding the new printer schema and the printer entries, for example:)
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: lpd://hostA.corp.hp.
5.3 Printer configuration parameters
LDAP-UX Client Services provides four printer configuration parameters, start, search_interval, max_printers and lpadmin_option, for you to customize and control the behavior of the printer configurator. These parameters are defined in the ldapclientd.conf file. For detailed information on these parameters, see “Administering LDAP-UX Client Services” (page 182).
5.
5.4.2.1 Printer attributes With the printer schema in the Windows Active Directory Server, you are able to create printer objects for the LP printer configuration. The minimum information for a printer object entry is the local printer name, remote host name, and the remote printer name. The remote host name is the system or device that the remote printer is connected to. The remote host name must be the fully qualified name. 5.4.2.1.
printer-color: lpd://hostA.hp.com/lj2006 Printer attribute mappings To enable the LDAP printer configurator support, you must run the setup program to perform the attribute mappings and search filter changes. The tasks include the following: • Remap the default group attributes, printer-name and printer-uri to the alternate printer attributes respectively. The attribute mappings are done in step 23 of Section 3.4.6.2 (page 139) in Section 3.4.6 (page 138).
printer-uri: lpd://hostA.cup.hp.com/lj2004
printer-location: Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
Windows ADS environment example
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printerbyname: laser2
printer-resource: lpd://hostA.hp.com/lj2004
printer-location: Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
Example 3: The system hostA.hp.com is retired.
printer-location: Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
Example 5: The administrator created a new printer object in the directory server as shown in the examples that follow. The printer configurator adds a new remote LP laser8 printer configuration to the client system. However, if the user removes the laser8 printer configuration manually, that printer configuration will no longer be managed by the printer configurator.
6 Dynamic group support This chapter contains information about how LDAP-UX Client Services supports dynamic groups, how to set up dynamic groups, and how to enable or disable dynamic group caches. 6.1 Overview A system administrator can associate some users with a group, and apply security policies (such as access control and password policies) to the group. As a result, all users belonging to the group inherit the specific policies, such as being able to access a file.
http://www.hp.com/go/hpux-security-docs Click HP-UX Directory Server. The following shows an example of a dynamic group entry created using the Directory Server Console. The definitions of the memberURL attribute and the groupOfURLs object class are shown in bold type.
objectClass: groupofurls
objectClass: posixgroup
objectClass: top
cn: dyngroup
memberURL: ldap:///dc=example,dc=hp,dc=com??sub?(l=California)
gidNumber: 500
6.2.2 Creating an HP-UX POSIX dynamic group in a Windows ADS environment
To create an HP-UX POSIX dynamic group in a Windows 2003 R2 or 2008 ADS environment, use Authorization Manager. Authorization Manager creates an LDAP query group, which defines group members by specifying a query (such as a search filter) using the attribute msDS-AzLDAPQuery.
6.2.2.2 Step 2: Adding POSIX attributes to a dynamic group
Use ADSI Edit to add the following attribute (including POSIX group ID information) to the dynamic group entry created in the preceding step.
• GidNumber attribute for Windows 2003 R2 or 2008 ADS
Example dynamic group entry
The following shows an example that includes the last three lines of the HP-UX POSIX dynamic group entry for a Windows 2003 R2 or 2008 ADS. The GidNumber information added to the dynamic group entry is shown in bold type.
. . .
For detailed information on how to use the Directory Server Console to modify a group, see the HP-UX Directory Server administrator guide available at: http://www.hp.com/go/hpux-security-docs Click HP-UX Directory Server.
6.3 Multiple group attribute mappings By default, LDAP-UX uses the memberUid attribute to retrieve group members. With the support of X.500 group member syntax, you can map the default group attribute memberUid to member or uniquemember (or to both), specifying group members using user DNs.
PASSWD Service Configuration
Attribute:    is mapped to:
----------    -------------
name:         uid
number:       uidnumber
.....
Search Descriptor
search[0]:    dc=example,dc=hp,dc=com?sub?(objectclass=posixaccount)
Sample group entry in HP directory server environment
In an HP directory server environment, the following is a sample group entry associated with the passwd service configuration shown in the preceding example of /opt/ldapux/config/display_profile_cache output.
DC=com
msDS-AzLDAPQuery: (cn=p*)
To return dynamic members, LDAP-UX searches the tree dc=hp,dc=com and finds the POSIX entries whose cn starts with p (that is, using the search filter "(&(objectclass=user)(uidNumber=*)(cn=p*))").
6.4 Number of group members returned
With dynamic membership support, as with regular (static) group membership support, the number of group members for a specific group returned by getgrnam()/getgrgid()/getgrent() on an HP-UX system is limited by internal buffer sizes.
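As an added example (not LDAP-UX code), the following resolves dynamic members both ways described in this chapter: from the memberURL of a groupOfURLs entry such as ldap:///dc=example,dc=hp,dc=com??sub?(l=California), and from an ADS msDS-AzLDAPQuery such as (cn=p*), which LDAP-UX wraps as (&(objectclass=user)(uidNumber=*)(cn=p*)). The directory entries are constructed in memory, the LDAP URL is split per RFC 4516 (default scope base, default filter (objectClass=*)), and the filter matcher supports only the RFC 4515 subset needed here: equality with * wildcards, presence, and the &, | and ! operators.

```python
"""Added example (not LDAP-UX code): resolve dynamic group members from a
memberURL (RFC 4516 LDAP URL) or from an msDS-AzLDAPQuery filter against a
constructed set of directory entries. Filter matching implements a small
RFC 4515 subset: (attr=value) with * wildcards, presence, &, | and !."""
import fnmatch
from urllib.parse import unquote

# Constructed sample entries; attribute names are lower-cased, values are lists.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=hp,dc=com",
     "objectclass": ["posixAccount", "user"], "uid": ["alice"],
     "uidnumber": ["1001"], "cn": ["Alice Ng"], "l": ["California"]},
    {"dn": "uid=pat,ou=people,dc=example,dc=hp,dc=com",
     "objectclass": ["posixAccount", "user"], "uid": ["pat"],
     "uidnumber": ["1002"], "cn": ["Pat Fong"], "l": ["Texas"]},
    {"dn": "uid=peter,ou=people,dc=example,dc=hp,dc=com",
     "objectclass": ["user"], "uid": ["peter"],   # no uidNumber: not a POSIX user
     "cn": ["Peter Lee"], "l": ["California"]},
]


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its parts (RFC 4516)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = url[len("ldap://"):].partition("/")
    fields = tail.split("?") + [""] * 4
    base, attrs, scope, flt = fields[:4]
    return {"host": host, "base": unquote(base),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": (scope or "base").lower(),          # RFC 4516 default scope
            "filter": unquote(flt) or "(objectClass=*)"}  # RFC 4516 default filter


def parse_filter(text):
    """Parse a filter string into ('&'|'|'|'!', [kids]) or ('=', attr, pattern)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')'
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            pos += 1  # closing ')'
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, pattern = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), pattern)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    values = entry.get(attr, [])
    if pattern == "*":                       # presence test, e.g. (uidNumber=*)
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def in_scope(dn, base, scope):
    """Scope check: base = the entry itself, one = direct children, sub = whole subtree."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    under = dn.endswith("," + base)
    if scope == "one":
        return under and "," not in dn[: -len(base) - 1]
    return dn == base or under


def members_from_url(member_url, entries=SAMPLE_ENTRIES):
    """Members of a groupOfURLs entry: entries in scope of the URL that match its filter."""
    url = parse_ldap_url(member_url)
    tree = parse_filter(url["filter"])
    return sorted(e["uid"][0] for e in entries
                  if in_scope(e["dn"], url["base"], url["scope"]) and matches(tree, e))


def members_from_azquery(domain_base, az_query, entries=SAMPLE_ENTRIES):
    """Members of an ADS LDAP query group: the msDS-AzLDAPQuery filter is
    wrapped as (&(objectclass=user)(uidNumber=*)<query>) and the domain searched."""
    tree = parse_filter("(&(objectclass=user)(uidNumber=*)%s)" % az_query)
    return sorted(e["uid"][0] for e in entries
                  if in_scope(e["dn"], domain_base, "sub") and matches(tree, e))
```

Note that the uidNumber presence test in the wrapped ADS filter is what keeps non-POSIX accounts (peter in the constructed data) out of a POSIX group even when they match the administrator's query; the memberURL form has no such guard unless the administrator writes one into the filter.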
6.6 Performance impact for dynamic groups
A dynamic group is specified by either an LDAP URL or a search filter. Depending on how you configure dynamic groups, there could be a lot of LDAP searches involved. In that case, the performance of those applications calling getgrnam(), getgrgid(), or getgrent() (for example, the commands id, groups, and so forth) will be affected. For more information about these functions, see their manpages (getgrnam(3), getgrgid(3), getgrent(3)).
7 Administering LDAP-UX Client Services
This chapter describes how to keep your clients running smoothly and how to expand your computing environment.
7.1 Managing the LDAP-UX client daemon
This section describes the following:
• Overview of ldapclientd daemon operation
• Configurable parameters and syntax in the ldapclientd configuration file, ldapclientd.conf
• Command line syntax and options for the ldapclientd command
7.1.
7.1.2.2 Controlling the client
Use the following syntax to control the client daemon:
/opt/ldapux/bin/ldapclientd <[-d ] [-o]>
/opt/ldapux/bin/ldapclientd <[-D ]|-E |-S [cache]>
/opt/ldapux/bin/ldapclientd <-f| -k| -L| -h| -r>
7.1.2.
• An attempt was made to start or control ldapclientd without superuser's privileges.
• The ldapclientd daemon process is too busy with other requests to respond at this time. Try again later.
Message: Problem reading configuration file.
Meaning: The /etc/opt/ldapux/ldapclientd.conf file is missing or has a syntax error. If syntax is the problem, the error message will be accompanied by a line showing exactly where it could not recognize the syntax or where it found a setting that is out of range.
7.
• automount
• automountMap
• printers
setting   This will be different for each section.
value   Depending on the setting, this can be .
NOTE: ldapclientd uses the default values for any settings that are not specified in the configuration file.
7.1.3.1.1 Section details
Within a section, the following syntax applies:
[StartOnBoot]
Determines if ldapclientd starts automatically when the system boots.
The default value is 600 (10 minutes).
cache_size=<102400-1073741823>
The maximum number of bytes that should be cached by ldapclientd for all services except dynamic_group. This value is the upper limit of memory that can be used by ldapclientd for all services except dynamic_group. If this limit is reached, new entries are not cached until enough expired entries are freed to allow it. The default value is 10000000.
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to access information in the directory server, such as the sshPublicKey for users and hosts. By setting this parameter, applications can access any defined attribute even if the proxy_is_restricted value is set to no (the default). There is no internal default set for this parameter.
and membership information. This cache is maintained in an independent memory space not shared with the cache for other maps.
enable=
ldapclientd only caches entries for this section when it is enabled. Since this impacts LDAP-UX client performance and response time, caching is enabled by default.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache. If group caching is enabled, this value must be greater than poscache_ttl of [group].
Determines whether the long-term cache should support enumeration. The default value is no.
longterm_enum_search_interval=<0-2147483647>
The time interval, in seconds, after which the HP-UX client has the directory server refresh the enumeration cache. The default value is 86400 seconds (1 day).
[netgroup]
Cache settings for the netgroup cache.
enable=
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
The time, in seconds, before a cache entry expires from the negative cache. The default value is 86400 (24 hours).
[domain_grp]
This cache maps group names and GUIDs to the domain holding their entries.
enable=
ldapclientd only caches entries for this section when it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from the positive cache.
The time, in seconds, before a cache entry expires from the negative cache. The default value is 7200 (2 hours).
[printers]
Any printer setting defined here will be used by the LDAP printer configurator.
start=
Determines if the printer configurator service will start when ldapclientd is initialized. If it is enabled, the printer configurator will start when ldapclientd is initialized. By default, the start parameter is enabled.
# Example:
#
# [passwd]
# enable=yes
# poscache_ttl=600
# negcache_ttl=600
#
# Note that "TTLs" (time to live) values are in seconds.
# Note that cache sizes are in bytes.
#
[StartOnBoot]
enable=yes
[general]
# If the proxy user is used and defined in /etc/opt/ldapux/pcred, this
# flag indicates if the proxy user does not hold privileged LDAP
# credentials, meaning the proxy user is restricted in its rights to
# access "private" information in the directory server.
#
# A state, a virtual connection between the client and LDAP server,
# is created for the setXXent() request, and stays for the subsequent
# getXXent() requests. If no getXXent() requests are received in the
# specified time interval (seconds), the state will be removed.
state_dump_time=300
#
# Maximum number of states ldapclientd allows. "States" are the number
# of enumerations ldapclientd will handle simultaneously. This number
# must be less than max_conn and it is configured as % of max_conn.
#longterm_enum_search_interval=86400
[printers]
# Define the status of the printer configurator when ldapclientd starts.
# Option "yes" means the printer configurator service will be activated
# when ldapclientd starts. "no" means the printer configurator will be
# disabled when ldapclientd starts. Default is "yes".
start=yes
# Define the maximum printer objects that the printer configurator service
# will handle. The value must be greater than 0.
# Default value is 50.
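The ldapclientd daemon reports an out-of-range setting only when it reads the file (see the "Problem reading configuration file" message above). The following added example, which is not LDAP-UX code, parses a file in the ldapclientd.conf syntax ([section], setting=value, # comments) and checks the limits this chapter documents before the daemon is restarted: cache_size 102400 to 1073741823, the TTL and enumeration interval settings 0 to 2147483647, max_printers greater than 0, and enable/start as yes or no. The sample file is constructed with deliberate mistakes; settings the page does not document pass through unchecked.

```python
"""Added example (not LDAP-UX code): parse an ldapclientd.conf-style file
and check the ranges documented in this chapter. Settings without a
documented range here are left unchecked."""

# Documented inclusive limits: (low, high); None means no limit on that side.
RANGE_RULES = {
    "cache_size": (102400, 1073741823),
    "poscache_ttl": (0, 2147483647),
    "negcache_ttl": (0, 2147483647),
    "longterm_enum_search_interval": (0, 2147483647),
    "max_printers": (1, None),          # "must be greater than 0"
}
YES_NO_SETTINGS = {"enable", "start"}

# Constructed sample with several deliberate mistakes (not a shipped file).
SAMPLE_CONF = """\
# constructed sample ldapclientd.conf
[StartOnBoot]
enable=yes
[general]
cache_size=1024          # below the 102400 minimum
[passwd]
enable=yes
poscache_ttl=600
negcache_ttl=-5          # negative TTL
[printers]
start=maybe              # must be yes or no
max_printers=0           # must be greater than 0
"""


def parse_conf(text):
    """Return {section: {setting: value}}; a repeated setting keeps its last value."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError("line %d: setting outside a section or missing '='" % lineno)
        key, value = (part.strip() for part in line.split("=", 1))
        conf[section][key] = value
    return conf


def validate_conf(conf):
    """Return a list of (section, setting, problem) for values outside the documented limits."""
    problems = []
    for section, settings in conf.items():
        for key, value in settings.items():
            if key in YES_NO_SETTINGS and value.lower() not in ("yes", "no"):
                problems.append((section, key, "expected yes or no, got %r" % value))
            elif key in RANGE_RULES:
                low, high = RANGE_RULES[key]
                try:
                    number = int(value)
                except ValueError:
                    problems.append((section, key, "not an integer: %r" % value))
                    continue
                if low is not None and number < low:
                    problems.append((section, key, "%d is below the minimum %d" % (number, low)))
                elif high is not None and number > high:
                    problems.append((section, key, "%d is above the maximum %d" % (number, high)))
    return problems


if __name__ == "__main__":
    for section, key, problem in validate_conf(parse_conf(SAMPLE_CONF)):
        print("[%s] %s: %s" % (section, key, problem))
```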
disabled. This flag is defined as the initial_ts_auditing parameter in the /etc/opt/ldapux/ldapux_client.conf file.
• You must manage Trusted Mode attributes for all accounts on each host. Trusted Mode attributes for LDAP-based accounts are not stored in the LDAP directory server. For example, enabling auditing for an account on host A does not enable auditing on host B.
• Audit IDs for LDAP-based accounts are unique on each system.
7.2.2.4 Limitations
• The authck -d command removes the /tcb/files/auth/... files created for LDAP-based accounts. When the LDAP-based account logs into the system again, a new /tcb/files/auth/... file with a new audit ID is recreated. Therefore, it is not recommended to run the authck -d command when you configure LDAP-UX with Trusted Mode.
• You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based accounts.
7.3.1 How SASL/GSSAPI works
Figure 14 SASL/GSSAPI environment (diagram: a KDC server with its AS and TGS, Windows Active Directory, and LDAP-UX Client Services, with the exchanges numbered 1 to 6)
The following describes how LDAP-UX binds a client using SASL/GSSAPI to the directory server shown in Figure 14:
1. The LDAP-UX Client Services sends the principal name and password to the Authentication Server (AS).
2. The AS validates the principal and sends a Ticket Granting Ticket (TGT) and associated session key to the LDAP-UX Client Services.
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------
   1 ldapux/hpntc10.cup.hp.com@HP.COM
   1 host/hpntc10.cup.hp.com@HP.COM
7.3.2.3 Configuring a principal as the proxy user
The following describes three different ways to configure a principal as the proxy user:
• Configure a user principal: Use ldap_proxy_config -i (or use the -d and -c options) to enter a Kerberos user principal and its credential (password).
krb5.conf file” (page 434)). If there is no default keytab file configured in /etc/krb5.conf, then the keytab file /etc/krb5.keytab will be used. Each service principal must have a service key known by every domain controller, which also acts as a KDC. Use the ktpass tool to create the keytab file and set up an identity mapping to the host account. The following is an example showing how to run ktpass to create the keytab file for the HP-UX host myhost with the KDC realm cup.hp.
The PAM framework, together with the PAM_AUTHZ service module (which is defined in the PAM_AUTHZ library known as libpam_authz) supplied with LDAP-UX Client Services, provides support for account management services. These services enable the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd and /etc/netgroup files.
Figure 15 PAM_AUTHZ environment (diagram: a PAM-enabled application, the policy configuration file, PAM_AUTHZ, authentication modules such as PAM_KERBEROS and PAM_LDAP, the LDAP-UX client daemon ldapclientd, /etc/group, /etc/netgroup and the LDAP directory server, with the flows numbered 1 to 7)
The following describes the PAM_AUTHZ policy validation process for the user login authorization shown in Figure 15 (page 201):
1. The administrator defines access rules and saves them in a local access policy configuration file.
2.
For more information on how to configure access rules in the access policy configuration file, set global policy access permissions, and configure the pam.conf file for security policy enforcement when using ssh key pair or r-commands, see Section 7.4.10 (page 210). 7.4.3.
For a sample pam.conf file configured to define an access policy file for security enforcement, see Section D.5 (page 430) (for an HP directory server environment) and Section D.6 (page 432) (for a Windows ADS environment). LDAP-UX Client Services provides a sample configuration file, /etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to configure the policy file to work with PAM_AUTHZ.
Now assume that the user6 user has the attribute status set to active, reports to Joeh, the user's job is related to marketing and has a hostname attribute with the returned value HostSrv in the user's entry in the LDAP directory. PAM_AUTHZ starts to validate login access for user6 by evaluating all the access rules defined in the access policy file. The second rule is evaluated to be true, but since the action assigned to this rule is required, processing continues with the next rule.
Table 18 Field syntax in an access rule (continued)
allow   This option indicates that a user is granted the login authorization.
deny   This option indicates that a user is denied the login authorization.
required   If the rule evaluates to false, this option indicates that a user is denied login authorization; if the rule evaluates to true, the option indicates processing should continue to the next rule.
Controls access permission using NIS-style escapes in /etc/passwd. This is identical to the default behavior of PAM_AUTHZ when there is no access policy file present. The passwd_compat type supports only status or required in the action field, and anything specified in the
7.4.8 Static list access rule When the value in the field is one of unix_user, unix_group, netgroup, ldap_group, the rule is evaluated using a list of predefined values in the field. Based on the value in the field, PAM_AUTHZ will call the appropriate service to determine if the item requested is present. If the requested information is found then the rule is evaluated to be true.
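The following is an added example, not the PAM_AUTHZ module itself, that evaluates an access policy file of action:type:object rules top to bottom with the allow, deny and required semantics from Table 18 and the static list types from this section (unix_user, unix_group, netgroup, ldap_group). Two points are assumptions rather than statements from this guide and are marked as such in the code: the object field of a static list rule is taken to be a comma-separated list of names, and a policy in which no rule produces a decision is treated as a denial. The host facts and the policy file are constructed.

```python
"""Added example (not the PAM_AUTHZ module): evaluate an access policy of
'action:type:object' rules top to bottom. Assumptions, labelled here: the
object field of a static-list rule is a comma-separated list of names, and a
policy where no rule decides the outcome ends in denial."""

# Constructed host facts that the static list types are checked against.
HOST_FACTS = {
    "unix_group": {"guests": {"bob"}, "wheel": {"user6"}},   # /etc/group style
    "netgroup":   {"admins": {"user6", "carol"}},            # /etc/netgroup style
    "ldap_group": {"marketing": {"user6"}},                  # nonPOSIXGroup membership
}

# Constructed access policy file: evaluated in order, first decision wins.
SAMPLE_POLICY = """\
# constructed access policy, not the shipped template
deny:unix_user:eve,baduser
required:netgroup:admins
allow:ldap_group:marketing
deny:unix_group:guests
"""

STATIC_TYPES = ("unix_user", "unix_group", "netgroup", "ldap_group")


def parse_policy(text):
    """Return a list of (action, type, [objects]) tuples; rejects malformed rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0] not in ("allow", "deny", "required"):
            raise ValueError("line %d: malformed rule %r" % (lineno, line))
        if fields[1] not in STATIC_TYPES:
            raise ValueError("line %d: type %r not handled by this example" % (lineno, fields[1]))
        # Assumption: the object field lists names separated by commas.
        rules.append((fields[0], fields[1], [x.strip() for x in fields[2].split(",")]))
    return rules


def rule_matches(rule_type, objects, user, facts):
    """True when the requested user is found in the listed items of this type."""
    if rule_type == "unix_user":
        return user in objects
    return any(user in facts[rule_type].get(name, set()) for name in objects)


def authorize(user, rules, facts=HOST_FACTS):
    """Return (decision, rule_number); rule_number is 0 when no rule decided."""
    for number, (action, rule_type, objects) in enumerate(rules, 1):
        hit = rule_matches(rule_type, objects, user, facts)
        if action == "allow" and hit:
            return ("allow", number)
        if action == "deny" and hit:
            return ("deny", number)
        if action == "required" and not hit:
            return ("deny", number)      # a required rule that is false stops processing
        # allow/deny that did not match, or a satisfied required rule: next rule
    return ("deny", 0)                   # assumption: no decision means no access


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for name in ("user6", "eve", "bob", "carol"):
        print(name, authorize(name, policy))
```

In the constructed data user6 passes the required netgroup rule and is allowed by rule 3, eve is denied by rule 1 before any later rule is consulted, and bob is denied by rule 2 because he is outside the required netgroup; carol satisfies the required rule but matches nothing afterwards, which is the case where the end-of-policy assumption decides.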
NOTE: Beginning with version 5.0 of the product, LDAP-UX Client Services supports integrated Compat Mode to control which users are visible on a host, where the user accounts are referenced by netgroups specified in the /etc/passwd file. For more information, see Section 2.5.5 (page 102). This feature is not supported when using LDAP-UX Client Services with Windows ADS. ldap_group This option specifies that an access rule is based on the nonPOSIXGroup membership.
TERMINAL   Returns the terminal type of the computer from which the user attempts to log on. For example, /dev/pts/0. Some applications (such as ssh or remsh) do not pass the terminal dynamic variable value to PAM_AUTHZ.
TIMEOFTHEDAY   Returns the current time of the computer system from which the user attempts to log on. For example, 20061015125535Z represents October 15, 2006 at 12:55 and 35 seconds GMT. TIMEOFTHEDAY follows the “UTC Time” syntax as described by RFC4517.
PAM_AUTHZ will call the in the library specified by the field. PAM_AUTHZ returns the value, which is one of the PAM return codes described in Section 7.4.10.5 (page 214). This access rule consists of the following three fields:
::
The following describes each field:
action   When the status option is specified, PAM_AUTHZ returns whatever in the returns, which is one of the PAM return codes.
NOTE: If the status:rhds:check_ads_policy access rule is configured in the access policy file, you must perform the following tasks: • Define the allow:unix_local_user access rule in the access policy file to allow the local user to log in. • Since the status:rhds:check_ads_policy access rule is guaranteed to match and return a PAM return code, HP recommends that you define the status:rhds:check_ads_policy access rule at the end of the access policy file.
You can allow access to the Group Policy Object attributes in Windows ADS using the Active Directory Users and Computers control panel. For more information, refer to your Microsoft Windows documentation or the help topics provided by the Active Directory Users and Computers control panel. Advanced administrators with intimate knowledge of Windows ADS and security policy can also view and modify the attributes by using ADSI Edit. 7.4.10.
For Windows ADS, PAM_AUTHZ performs the following:
• Determines whether an account is activated
• Determines the hours (time of day) during which the user is allowed to log on to the domain
• Determines whether an account password must be changed
• Determines whether an account is locked
• Determines whether the password has expired
7.4.10.
Table 19 Global security attributes supported for an HP directory server (continued)
Attribute   Description
passwordMustChange   This boolean attribute indicates whether users must change their passwords when they first bind to the directory server or when the password has been reset by the Directory Manager.
nsslapd-pwpolicy-local   Turns fine-grained (subtree and user level) password policy on or off.
Table 21 Security policy status attributes supported for an HP directory server
Attribute   Description
nsAccountLock   This boolean attribute indicates whether an account is locked. If this attribute does not exist, the account is considered unlocked.
passwordRetryCount   This integer attribute specifies the number of consecutive failed attempts at entering the correct user password.
passwordExpirationTime   This string attribute defines a date and time when a password is considered expired.
Table 22 Security policy status attributes supported for a Windows Active Directory Server (continued)
accountExpires   This integer attribute specifies the time when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
lockoutTime   This integer attribute specifies the date and time (UTC) that this account was locked out.
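As an added example (not LDAP-UX code), the following converts the accountExpires and lockoutTime values described in Table 22 from 100-nanosecond intervals since January 1, 1601 (UTC) into Python datetimes and applies the two decisions PAM_AUTHZ makes from them: whether the account has expired and whether it is locked. The table gives the "never expires" values 0 and 0x7FFFFFFFFFFFFFFF; two further points are assumptions and are marked as such in the code: a lockoutTime of 0 is treated as "not locked out", and the unlock interval is passed in as a number of seconds. Values too far in the future for a Python datetime are treated as "never".

```python
"""Added example (not LDAP-UX code): interpret the Windows ADS status
attributes accountExpires and lockoutTime (100-ns intervals since
1601-01-01 UTC). 0 and 0x7FFFFFFFFFFFFFFF in accountExpires mean 'never'.
Assumptions, labelled: lockoutTime 0 means not locked out, and the unlock
interval is supplied in seconds."""
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF          # 9223372036854775807
UNIX_EPOCH_TICKS = 116444736000000000        # 1970-01-01T00:00:00Z in AD intervals
TICKS_PER_SECOND = 10 ** 7


def ad_interval_to_datetime(value):
    """Convert a 100-ns count since 1601 to an aware datetime, or None for 'never'."""
    ticks = int(value)
    if ticks < 0:
        raise ValueError("negative AD interval: %d" % ticks)
    if ticks in (0, NEVER_EXPIRES):
        return None
    try:
        return AD_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None  # later than year 9999: treat as never


def account_expired(account_expires, now):
    """True once 'now' has reached the accountExpires instant."""
    when = ad_interval_to_datetime(account_expires)
    return when is not None and now >= when


def account_locked_out(lockout_time, lockout_duration_s, now):
    """Locked while the unlock interval since lockoutTime has not yet elapsed.
    Assumption: a duration of 0 or less means only an administrator can unlock."""
    since = ad_interval_to_datetime(lockout_time)   # assumption: 0 means not locked
    if since is None:
        return False
    if lockout_duration_s <= 0:
        return True
    return now < since + timedelta(seconds=lockout_duration_s)


def as_iso(value):
    """Human-readable form for log lines: ISO 8601 text or 'never'."""
    when = ad_interval_to_datetime(value)
    return "never" if when is None else when.isoformat()


if __name__ == "__main__":
    # Constructed values: 'now' is one day after the Unix epoch.
    now = ad_interval_to_datetime(UNIX_EPOCH_TICKS + 86400 * TICKS_PER_SECOND)
    print("accountExpires 0 ->", as_iso(0))
    print("expired at epoch:", account_expired(UNIX_EPOCH_TICKS, now))
    print("locked 60s ago, 30 min policy:",
          account_locked_out(UNIX_EPOCH_TICKS + 86340 * TICKS_PER_SECOND, 1800, now))
```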
3. On all clients that are to use the new controller, edit the startup file /etc/opt/ldapux/ldapux_client.conf to refer to the new domain controller and the new profile. Modify the PROFILE_ENTRY_DN line as described under Section 7.10.4 (page 246). Modify the LDAP_HOSTPORT line to specify the domain controller server.
4. Download the new profile from the new domain controller, as described in Section 3.5.6 (page 158).
7.
Use of the ldapugadd, ldapugmod and ldapugdel tools requires specification of LDAP administrator credentials with sufficient privilege to perform the requested operations in an LDAP directory server. Specification of these credentials can be done through the LDAP_BINDDN and LDAP_BINDCRED environment variables or an interactive prompt (-P) option.
The ldapcfinfo tool can provide the following information by examining LDAP UG template files, the LDAP UG configuration file, or the LDAP-UX configuration profile:
◦ Determine if LDAP-UX is properly configured and active
◦ Discover the current LDAP User and Group (UG) configuration defaults, such as home directory and login shell
◦ Discover the distinguished name (DN) of the LDAP-UX configuration profile and the directory server name that stores that profile
◦ Discover search filter, search base or s
dn: cn=Mike Lee,ou=people,dc=example,dc=com
cn: Mike Lee
uid: mlee
uidNumber: 900
gidNumber: 2000
loginShell: /usr/bin/sh
homeDirectory: /home/mlee
gecos: mlee,Building-5,555-555-5555

dn: cn=Michael Sheu,ou=people,dc=example,dc=com
cn: Michael Sheu
uid: msheu
uidNumber: 880
gidNumber: 2010
loginShell: /usr/bin/sh
homeDirectory: /home/msheu
gecos: msheu,Building-8,555-555-5000

dn: cn=Pat Fong,ou=people,dc=example,dc=com
cn: Pat Fong
uid: pfong
uidNumber: 750
gidNumber: 2000
loginShell: /usr/bin/sh
homeDirecto
memberUid: user1
memberUid: user3
memberUid: user5
Displaying group entries that include a specified member
To list all the posixGroup entries that Mike Phillips belongs to, enter the following command:
cd /opt/ldapux/bin
.
directory server, along with two default template files for Windows Active Directory Server. These template files can be found in the /etc/opt/ldapux/ug_templates directory. For detailed information on how to define template files and how to name and create template files, see Section 9.3.5.6 (page 306). NOTE: The LDAP-UX Client Services provides two default template files to work with Windows 2003 R2 or 2008 Active Directory Server.
./ldapugadd -t passwd -PW -f "Mike Tam" -g 200 mtam surname="Tam" The command adds an account entry for user mtam, with the user's primary login group id being 200. The ldapugadd tool creates the password for the new user, using the user password specified in the LDAP_UGCRED environment variable. After creating the user entry, ldapugadd attempts to add this user as a member of group number 200. To display the new user entry mtam, enter the following command: .
gecos[cn]: Tom Sheu gecos[l]: Building-1A gecos[telephone]: 555-555-5555 Command arguments The following are the options and arguments used in the preceding examples of the ldapugadd command: -t type Specifies the type of entry on which the ldapugadd tool operates; type can be passwd or group. The passwd type represents LDAP user entries that contain POSIX account-related information. The group type represents LDAP group entries that contain POSIX group-related information.
Command arguments The following describes the command arguments and options used in the preceding command example: -M Defines initial group membership by adding the specified user accounts as members. -g Specifies the group ID number for the new group. groupname Required argument. Specifies the POSIX-style group name for the new group entry. 7.7.1.3.3 Modifying defaults in /etc/opt/ldapux/ldapug.
-g Specifies the default group ID number used when creating new user entries. -g min:max Sets the new default minimum and maximum range that ldapugadd uses when provisioning a GID number for new group entries. -s Specifies the default login shell that ldapugadd uses when creating a new user entry. -d Specifies the default parent home directory that ldapugadd uses when creating a new user home directory. 7.7.1.
Command arguments The following describes arguments and options used in the preceding examples for the ldapugmod -t passwd commands: -PW Sets the user or group password attribute. If you specify -PW, you must also supply the password, either in the LDAP_UGCRED environment variable or through the -PP option. -A Specifies an attribute and value to be added to a user or group entry.
gidNumber: 350 memberUid: tlee Description: Group B Entry Description: Best group in the world Adding members to a group entry The following command adds the three members atam, mlou, and mscott to the group entry groupA: ./ldapugmod -t group -a atam,mlou,mscott groupA Removing members from a group entry The following command removes member atam from the group entry groupA: .
• gidNumber • loginShell • gecos Accessing either an HP or Windows server, the ldapugdel -t group -O command removes the posixGroup object class and the following attributes: • gidNumber • memberUid • userPassword Use LDAP_BINDDN to specify the distinguished name (DN) of a user with sufficient directory server privilege to delete users or groups in the LDAP directory server. Use LDAP_BINDCRED to specify the password for the LDAP user specified by LDAP_BINDDN.
use the -D option to specify the distinguished name (DN) of the entry being deleted. You may specify only one of -D, a user name, or a group name on the command line. 7.7.1.7 Examining the LDAP-UX configuration The ldapcfinfo tool provides several capabilities used to report LDAP-UX configuration and status.
ug_passwd_ads.tmpl files are currently available on the system, the output of the preceding command would be as follows: /etc/opt/ldapux/ug_templates/ug_passwd_ads.tmpl /etc/opt/ldapux/ug_templates/ug_passwd_std.tmpl /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl As another example, the following command displays a list of available template files that ldapugadd uses to add a group entry for the group name service: ./ldapcfinfo -t group -L If the /etc/opt/ldapux/ug_templates/ug_group_std.
./ldapcfinfo -P Example command output for an HP directory server dn: cn=ldapux-profile,ou=org,dc=example,dc=com host: 55.5.55.15:389 If SSL is required to download the profile, the output would appear as follows: dn: cn=ldapux-profile,ou=org,dc=example,dc=com hostssl: 55.5.55.15:636 Example command output for a Windows ADS dn: cn=ldapux-profile,cn=system,dc=org,dc=example,dc=com host: 55.5.55.
7.7.1.7.8 Displaying attribute mapping for a specific name service To display attribute mapping information defined in the LDAP-UX configuration profile, use the ldapcfinfo -t type -m command, where type is passwd or group. For example, the following command displays the attribute mapping for the gecos attribute that is mapped to the cn, l, and telephone attributes: .
9. To change group attributes: a. Click the container of the group for which you want to set POSIX attributes. b. Click the group and select Properties from the Action menu. 10. To create an object (rpc, services, and so on): a. Click the container of the object you want to create, click the Action menu, select New, and click Object. b. Select the object class (unixIpNetwork, unixIpProtocol, unixIpService, or unixOncRpc), provide the mandatory attribute values, and the object is created. c.
a different location, or might not be defined at all (using defaults). You can use the ldapcfinfo tool to determine where LDAP-UX believes host information should be located. For example: # /opt/ldapux/bin/ldapcfinfo -t hosts -b ou=Hosts,dc=mydomain,dc=example,dc=com Before adding any hosts to the directory server, verify that the base DN discovered in the previous example is defined to the proper location in the directory server tree.
7.8.2 Modifying a host Use the -m option of ldaphostmgr to modify existing host entries. If neither -a, -m, nor -g is specified, -m is assumed. In the -a and -m modes, ldaphostmgr can be used to add, change, or remove arbitrary attributes. You can manage some attributes using ldaphostmgr command-line options; for example, use -k to manage the host’s ssh public key, and -i to manage the host’s IP address.
ipHostNumber: 16.92.96.116 dn: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com cn: baker ipHostNumber: 16.89.146.146 CAUTION: If you used guided installation to configure LDAP-UX on a host, removing that host entry also removes the proxy user defined for that host. Removing the host’s proxy user entry disables the ability of the OS to use LDAP as an OS management repository.
To remove an IP address for a host, use the -i option with the ! flag in front of the IP address to be removed. For example, to remove the address added in the previous example: # ldaphostmgr -i !192.168.10.10 brewer bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]: Password: # ldaphostlist -n brewer dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com cn: brewer ipHostNumber: 16.92.96.113 To remove all IP addresses for a host, use the -i option with the ! flag by itself. (In shells that perform history expansion, such as csh or an interactive bash, quote or escape the ! so that the shell does not expand it, for example -i '!192.168.10.10'; the HP-UX POSIX shell does not expand it.)
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
# ldapuglist -t group -P -F "(cn=dbhosts)" uniqueMember
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
dn: cn=dbhosts,ou=groups,dc=mydomain,dc=example,dc=com
cn: dbhosts
uniqueMember: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com
uniqueMember: cn=chef,ou=Hosts,dc=mydomain,dc=example,dc=com
To remove a host from a group, use the ! flag in front of the host name:
# ldaphostmgr -G !dbhosts baker
bind-dn [uid=doma
entityRole: DBSERVER

dn: cn=raptor,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: raptor
ipHostNumber: 16.92.96.215
objectClass: top
objectClass: device
objectClass: ldapPublicKey
objectClass: iphost
objectClass: domainEntity
owner: uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxe1...
entityRole: DBSERVER
7.8.
determine if it is safe to request arbitrary attributes from the directory server. ldaphostlist assumes that the directory server has defined proper access control limits such that confidential or private information cannot be viewed by the proxy user. The [general] section of the client daemon configuration file (ldapclientd.conf) controls this behavior: ...
1. Add the new proxy user to your directory with appropriate access controls. For information about adding a new proxy user to your directory, see the steps "Create a proxy user" and "Set access permissions for the proxy user" in Section 2.4.4 (page 65). For Windows ADS, additional steps are required to set up the HP-UX host as a Kerberos service principal in the Windows domain. When you create a proxy, use either a user or service principal as the proxy user. A Kerberos keytab file contains principals.
7.9.4 Changing from anonymous access to proxy access This section does not apply to Windows ADS. Your directory administrator may decide to change the directory server security policy and disallow anonymous access to data hosted on the server. In this case, you would need to add a proxy user and change the configuration profile to require proxy access. If you have anonymous access and you want to change to using a proxy user, do the following: 1. Create the proxy user in the directory.
cd /opt/ldapux/config
./display_profile_cache
You can also find out from where in the directory the client downloaded the profile by displaying the file /etc/opt/ldapux/ldapux_client.conf and looking for the line beginning with PROFILE_ENTRY_DN, or by running /opt/ldapux/bin/ldapcfinfo -P, for example:
ldapcfinfo -P
dn: cn=example-ldapuxProfile,ou=Services,ou=Configuration,dc=example,dc=acme,dc=com
hostssl: 192.192.96.116:389
7.10.
7.10.3 Creating a new configuration profile To create a new profile, run /opt/ldapux/config/setup. When setup asks you for the distinguished name (DN) of the profile, give a DN that does not exist and setup will prompt you for the parameters to build a new profile. The setup program also configures the local client to use the new profile. Alternatively, you could use your directory administration tools to make a copy of an existing profile and modify it.
Click HP-UX LDAP-UX Integration Software. 7.12.1 Reducing the performance impact of enumeration and search requests The advantage of a directory server over flat files for naming and authentication services is its design for quick access to information in large databases. Still, with very large databases, administrators and users should be aware of the following performance impacts. 7.12.1.
6. At the ldap policies: prompt, enter the set maxpagesize to value command, where value is the maximum number of search objects that you want Active Directory to return for a search, and then press Enter. 7. At the ldap policies: prompt, enter the set maxqueryduration to
or because they are malfunctioning. For example, if a file is created with a group ID that does not exist, every time a user displays information about this file, using the ls command, a request to the directory server will be generated. The ldapclientd daemon currently supports caching of passwd, group, netgroup and automount map information. The ldapclientd daemon also maintains a cache that maps user accounts to LDAP DNs.
Table 23 Benefits and side effects of caching (continued)
Service (map) name: netgroup (not supported with Windows ADS)
Benefits: netgroups can be heavily used for determining network file system access rights or user login rights. Caching this information greatly reduces this impact.
Example side-effect: Similar to groups, since netgroups are used to control access to resources, modification of these rights might not appear until after cache information has expired.
tear-down can cause relatively severe delays for client response. However, a persistent connection to the directory server will eliminate this delay. In the ldapclientd daemon, a pool of active connections is maintained to serve requests from NSS. If the NSS needs to perform a request to the directory server, one of the free connections in this pool will be used. If there are no free connections in the pool, a new connection will be established, and added to the pool.
TIP: Enable LDAP logging only long enough to collect the data you need, because logging can significantly reduce performance and generate large log files. To start with an empty log file, move the existing one aside:
mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.save
Then restart the syslog daemon so that it reopens its log files (for more information about this command, see the syslogd(1M) manpage):
kill -HUP `cat /var/run/syslog.pid`
7.13.
TIP: Because logging can significantly reduce performance and generate large log files, enable PAM logging only long enough to collect the data you need. To start with an empty log file, move the existing one aside:
mv /var/adm/syslog/debug.log /var/adm/syslog/debug.log.save
Then restore the file when finished. Restart the syslog daemon so that it reopens its log files:
kill -HUP `cat /var/run/syslog.pid`
7.13.
In this command example, servername is the name of the directory server, baseDN is the base distinguished name of where to start searching, userDN is the DN of the user who cannot log in, and username is the login name of the user. Determining the policy management status for a Windows ADS user Similarly, for Windows ADS, enter the following commands: cd /opt/ldapux/bin ./ldapsearch -h servername -b "baseDN" \ unixName=username -D userDN -w passwd . Note that a password given with -w is visible in the process table while the command runs and is recorded in the shell history; remove it from the history afterwards.
If you do not see such output, your proxy user might not be configured properly. Make sure you have access permissions set correctly for the proxy user. For more information about configuring the proxy user, see Section 2.4.4 (page 65). You can also try binding to the directory as the directory administrator and reading the user's information.
loginShell: /bin/ksh unixHomeDirectory: /tblv006/home/biljonz unixName: biljonz syncNisDomain: cup uidNumber: 467 If you do not get similar output, your proxy user might not be configured properly. For more information about configuring the proxy user for a Windows ADS, see Section 3.4.5 (page 135).
• Enable PAM logging as described in Section 7.13.2 (page 252) then try logging in again. Examine the PAM logs for any unexpected events. • Enable LDAP-UX logging as described in Section 7.13.1 (page 251), then try logging in again. Examine the log file for any unexpected events. 7.
8 Managing ssh host keys with LDAP-UX (HP directory servers only) Managing ssh host keys with LDAP-UX is supported in HP directory server environments only. LDAP-UX B.05.00 introduces management of host attributes in the directory server. One of the features integrated with host management is using an LDAP directory server as a trusted repository for a host’s ssh public key. ssh is a great protocol for both protecting data in transit (using encryption), and for validating trust between two parties.
Figure 16 ssh host key management infrastructure (diagram: an LDAP Server holding ssh keys; Host A running LDAP-UX and the ssh client; Host B running ldaphostmgr and sshd) The LDAP directory server includes an SSL certificate. The LDAP-UX library of Host A has a copy of that certificate. When ssh attempts to validate the public key of the remote host Host B, it connects through a library in LDAP-UX. LDAP-UX is configured to securely communicate with the LDAP directory server and to discover keys for the requested hosts.
and the HP-UX Directory Server, setting up this trust framework is nearly automatic (for more information about this trust framework, see Section 2.3.2.3 (page 37)). When using the guided installation, LDAP-UX generates a server certificate software depot file. This depot file can be installed on each host being managed, and once installed, will establish trust with that central directory server.
8.1.3 Permissions The LDAP-UX host management tool (ldaphostmgr), which is used to manage ssh public keys in the directory server, manipulates the aforementioned object classes and attributes. This tool relies on the directory server to provide proper access control. To ensure that only authorized modifications to host and public key information are performed, only a restricted set of privileged users should be allowed to modify host information, including the sshPublicKey attribute.
• Define authentication and access control, such that a limited set of privileged users will have the ability to manage host and ssh key data in the directory server. • Install a CA or server certificate in the /etc/opt/ldapux/cert8.db file. This can be done using /opt/ldapux/bin/certutil, or by installing the auto-generated LDAP-UX domain CA depot (created with the guided installation). • Configure LDAP-UX on all host clients.
Trusting the ssh key repository requires that the identity of the directory server can be validated, the data in the directory server cannot be modified by unauthorized users, and the data transmitted between the client and the directory server is protected. The following three sections describe how to establish this trust. 8.2.
be used to define this policy. The following example shows how anyone listed as an owner of a host, a Domain Administrator, or host administrator is allowed to modify the sshPublicKey attribute. This ACI is automatically created if you create a new directory server instance using the guided installation. dn: dc=mydomain,dc=example,dc=com aci: (targetattr = "*")(version 3.
extend their accounts with POSIX attributes. The following example shows how to extend posixAccount attributes to an existing user: Example 14 Extending administrator accounts with posixAttributes 1. Identify the account to extend: # /opt/ldapux/bin/ldapuglist -F "(cn=bob alison)" \* dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com cn: Bob Alison gecos: Bob Alison,+1-303-555-5432 2.
8.3.1 Configuring ssh and sshd to use LDAP-managed keys On each HP-UX client that is to use LDAP-based ssh public keys, you must install version A.05.50 or later of the HP Secure Shell product and LDAP-UX version B.05.00 or later. HP Secure Shell A.05.50 or later is enabled to use the LDAP directory server for public key validation and is dependent on APIs provided in LDAP-UX B.05.00. You must configure the ssh toolset to use LDAP.
If you did not configure LDAP-UX on the current host using the guided installation, you might not have an entry in the directory server that represents the current host.
fingerprint: b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c. The SSH key for the remote host is unknown and is not trusted. If you remotely log in to the host, and can positively identify the host, you can add the host using ldaphostmgr as originally demonstrated. Or, if you have the ssh public key of the remote host in a local known_hosts file, the preceding message is not displayed. If you can positively identify the fingerprint of the remote host, you can answer yes (y) to the WARNING message.
NOTE: Because this script runs in batch mode, you must specify the LDAP host administrator's credentials in the LDAP_BINDDN and LDAP_BINDCRED environment variables before running the script (or, alternatively, use the -E option to specify those values in a file).
Your public key has been saved in /opt/ssh/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
ab:92:ec:71:8e:24:b9:5e:b9:1e:26:60:50:84:b9:bb root@chef
The key's randomart image is:
+--[ RSA 4096]----+
(randomart image not reproduced)
+-----------------+
# ldaphostmgr -k /opt/ssh/etc/ssh_host_rsa_key.
In this example, you must verify the fingerprint for the key before adding it to the directory server. An alternative way to change a remote key is to securely obtain the public key file for the remote host and upload it using the file option as shown in the first example of Section 8.3.2 (page 266), but without specifying the -a option. 8.3.8 Revoking or removing keys If a key has been compromised, and you want to revoke it and reissue a new key, use the previously described process for changing keys.
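The fingerprint check that the preceding paragraph requires can be scripted. The following Python script is an added example, not part of LDAP-UX or this guide: it reads a public key line in the form ssh-keygen writes to ssh_host_rsa_key.pub, checks that the base64 blob really carries the declared key type, and computes both the legacy MD5 colon fingerprint shown on this page and the SHA256 form that newer OpenSSH prints, so that you can compare it with the fingerprint obtained out of band (console, serial line, or ssh-keygen -l run on the host itself) before handing the file to ldaphostmgr -k. The sample key line it builds is constructed dummy data, not a real key, and the file and script names in the usage comment are assumptions.

```python
"""Verify an ssh host public key's fingerprint before publishing it with ldaphostmgr.

Added example; not part of LDAP-UX. Runs offline on a constructed key line.
"""
import base64
import hashlib
import struct
import sys


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line():
    """Build a constructed 'ssh-rsa <base64> <comment>' line for offline use.

    The blob has the real wire layout (type, e, n) but the modulus is dummy
    bytes, so this is NOT a usable key.
    """
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(b"\x01\x00\x01")          # e = 65537
            + _ssh_string(bytes(range(1, 65))))      # dummy 64-byte modulus
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " root@chef"


def parse_pubkey_line(line):
    """Split '<type> <base64> [comment]' and check the type embedded in the blob.

    ssh-keygen -l hashes the decoded blob, so a line whose textual type does
    not match the type inside the blob is rejected instead of fingerprinted.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, comment = fields[0], " ".join(fields[2:])
    blob = base64.b64decode(fields[1], validate=True)   # raises ValueError on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    tlen = struct.unpack(">I", blob[:4])[0]
    embedded = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError(f"line declares {keytype} but blob contains {embedded}")
    return keytype, blob, comment


def fingerprint_md5(blob):
    """Legacy ssh-keygen fingerprint: 16 colon-separated hex bytes, as shown on this page."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Fingerprint printed by OpenSSH 6.8 and later: 'SHA256:' plus unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_pubkey_line(line, expected):
    """True if the key on `line` hashes to `expected` (MD5 colon or SHA256 form)."""
    _, blob, _ = parse_pubkey_line(line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return expected == fingerprint_sha256(blob)
    return expected.lower().replace("md5:", "") == fingerprint_md5(blob)


if __name__ == "__main__":
    # Usage (assumed names): verify_hostkey.py <pubkey file> <expected fingerprint>
    # With no arguments the constructed sample key is fingerprinted instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            ok = verify_pubkey_line(fh.readline(), sys.argv[2])
        print("fingerprint matches" if ok else "FINGERPRINT MISMATCH: do not publish this key")
        sys.exit(0 if ok else 1)
    kt, blob, comment = parse_pubkey_line(make_sample_pubkey_line())
    print(kt, comment, fingerprint_md5(blob), fingerprint_sha256(blob))
```

Run it against /opt/ssh/etc/ssh_host_rsa_key.pub with the fingerprint you wrote down from the host's console; only on a match (exit status 0) pass the file to ldaphostmgr -k. The embedded-type check matters because a key file whose first word was edited would otherwise produce a plausible-looking fingerprint for the wrong algorithm.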
how to set a key that should be considered expired in 2 years. If the key already exists in the directory server, you are prompted to replace it with a new key, if you so choose.
chef (): /opt/ldapux/bin/ldapentry -m "$profiledn" Press Enter to accept the default Directory login: "uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com" Directory login: Default accepted. "uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com" password: You are then placed in an editor window, where you can add a central configuration policy.
checkhostip yes
### CCD NOTE: The following keyword-argument pairs are configured in LDAP server.
### If you want to add local configurations to this file, add above the "CCD NOTE" line.
### Anything added manually below this line will be gone at next LDAP update.
# Keyword-argument pairs defined in LDAP server global entry:
updatekeyfromldap no
useldaphostkey yes
The central configuration service (ldapconfd) can be used to centrally manage other ssh and sshd parameters.
is not available on all platforms. To enable a heterogeneous data center to participate in central ssh key management, you might need to distribute keys to non-HP-UX hosts. The following is a sample script that, with platform-dependent modifications, can be used to periodically retrieve an updated public key list to store in the host's ssh_known_hosts file. It could be run as a periodic cron job (see the crontab(1M) manpage). A Perl script is required to help parse the LDAP host entries.
9 Command and tool reference This chapter describes the commands and tools associated with the LDAP-UX Client Services. 9.1 The LDAP-UX Client Services components The LDAP-UX Client Services product, comprising the components listed in Table 24, can be found under /opt/ldapux and /etc/opt/ldapux, except where noted. LDAP-UX Client Services libraries are listed in Table 25 (page 278) and Table 26 (page 278). Table 24 LDAP-UX Client Services components Component Description /etc/opt/ldapux/ldapux_client.
Table 24 LDAP-UX Client Services components (continued)
Component: /opt/ldapux/bin/ldapuglist, /opt/ldapux/bin/ldapugadd, /opt/ldapux/bin/ldapugmod, /opt/ldapux/bin/ldapugdel
Description: Tools to display, add, modify and delete user and group entries in an LDAP directory server. For more information, see Section 9.3 (page 283).
Component: /opt/ldapux/bin/ldaphostmgr, /opt/ldapux/bin/ldaphostlist
Component: /etc/opt/ldapux/ug_templates/ug_passwd_std.tmpl, /etc/opt/ldapux/ug_templates/ug_group_std.
Table 24 LDAP-UX Client Services components (continued) Component Description /opt/ldapux/contrib/bin/beq Search tool that bypasses the name service switch and queries the backend directly based on the specified library. /opt/ldapux/contrib/bin/certutil Command-line tool that creates and modifies the cert8.db and key3.db database files. NOTE: For LDAP C SDK libraries information, see “Mozilla LDAP C SDK” (page 394).
get_profile_entry Downloads a profile from the directory to LDIF, and creates the profile cache. ldap_proxy_config Configures a proxy user. ldapcfinfo Displays LDAP-UX configuration and status by examining LDAP User and Group (UG) template files, the LDAP UG configuration file, or the LDAP-UX configuration profile. See Section 9.3.10 (page 348) or the ldapcfinfo manpage for detailed information about tool usage, syntax, options and arguments.
9.2.3.1 Syntax create_profile_schema 9.2.4 The display_profile_cache tool This tool, found in /opt/ldapux/config, displays information from a binary profile (cache) file. By default, it displays the currently active profile in /etc/opt/ldapux/ ldapux_profile.bin. 9.2.4.1 Syntax display_profile_cache [-i infile] [-o outfile] where infile is a binary profile file, /etc/opt/ldapux/ldapux_profile.bin by default, and outfile is the output file, stdout by default.
administrator proxy credential file /etc/opt/ldapux/acred. If you are using only anonymous access, you do not need to use this tool. You must run this tool logged in as root. While the data stored in the pcred and acred files are protected for root-only access and not stored in plain text, the data is not encrypted. The /etc/opt/ldapux/pcred file is used to contain credentials that represent all users of the HP-UX OS to the directory server.
-f file configures the proxy user from the specified file (file). The file specification must contain two lines: the first line must be the proxy user DN, and the second line must be the proxy user credential or password. CAUTION: After using this option you should delete or protect the file as it could be a security risk. -d DN sets the proxy user distinguished name to be DN. To use this option, the /etc/ opt/ldapux/pcred file must exist.
The following example configures the Admin Proxy user as uid=adminproxy2,ou=special users,o=hp.com with password admin2pw, and creates or updates the file /etc/opt/ldapux/acred with this information. The Admin Proxy user uses the SASL/DIGEST-MD5 authentication and uses the DN to generate the DIGEST-MD5 hash.
ldap_proxy_config -A -i uid=adminproxy2,ou=special users,o=hp.com
admin2pw<CR>
The following example configures the Admin Proxy as uid=adminproxy3,ou=special users,o=hp.
ldapugdel Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory server. Use the -O option to remove POSIX-related attributes and object classes from a user or group entry without removing the entry itself. ldapcfinfo Use the ldapcfinfo tool to retrieve LDAP-UX configuration information, including details about the attributes required when creating new users or groups.
NOTE: To support noninteractive use of the ldapuglist, ldapugadd, ldapugmod and ldapugdel commands, you can use the LDAP_BINDDN and LDAP_BINDCRED environment variables to specify the LDAP administrator's identity and password. Use LDAP_UGCRED to specify the user or group password being created or modified. To prevent exposure of these environment variables, unset them after use. The shell's command history may contain copies of the executed commands that show the setting of these variables, so clear or disable history for that session; for interactive use, prefer the -P prompt so that no credential is typed on a command line at all.
Table 27 Common return codes (continued) MOD_LIMIT_REACHED There are too many modifications to perform. SSL_INIT_FAILED SSL initialization failed. LOAD_LIB_FAILED Failed to load the specific library. LOAD_FUNCTION_FAILED Failed to load the specific function. ACCESS_TEMPLATEFILE_FAILED Unable to access specified template file. READ_TEMPLATEFILE_FAILED Unable to read specified template file. MISSING_DIRECTIVE The specified template file is missing the required directive.
Table 27 Common return codes (continued) ADD_GR_MEMBER_FAILED memberUid is mapped only to dynamic group attributes, so the add operation fails. ENTRY_NOT_FOUND The LDAP search returns no entries. EXPLODE_DN_FAILED Cannot convert the specified distinguished name (DN) to its component parts. EXPLODE_RDN_FAILED Cannot convert the specified RDN to its component parts. MODIFY_FAILED The modification operation failed. 9.3.
In the following example, the RFC 2307 attribute gecos has been mapped to the cn, l (location) and telephoneNumber attributes.
-ZZZ Requires a TLS connection to the LDAP directory server, even if the LDAP-UX configuration profile does not specify the use of TLS. Using the -ZZZ option requires that you define a valid directory server or CA certificate in the /etc/opt/ldapux/cert8.db file. An error occurs if the TLS connection cannot be established. 9.3.4.3 Arguments The following describes command arguments: -t Specifies the type of entry the ldapuglist tool needs to discover and process.
ldapuglist -t passwd -f "(uidNumber=51552)" For the preceding example, the mapped attribute name is substituted in the search filter, and the resulting search filter used by LDAP-UX is as follows: (&(objectclass=posixAccount)(employeeNumber=51552)) The -f option also supports generation of search filters for the multi-mapped attributes, gecos and memberUid. In the case of gecos, each mapped attribute is used in the search filter using the LDAP and operation (&).
starts the search in an LDAP directory server. If unspecified, ldapuglist uses the defaultSearchBase as defined in the LDAP-UX configuration profile. -s This option overrides the search scope as defined in the LDAP-UX configuration profile. Specifies how deep in the directory tree to perform the search. The argument can be one of the following: • base: Search only the entry specified in the -b option. • one: Search only the immediate children of the entry specified in the -b option.
field2: value2 ... Each entry is preceded by a DN, followed by one or more field-value pairs. The DN and each field-value pair are on a separate line, separated by a carriage-return and line-feed character. The field and value are separated by a colon and a space character. Each entry is separated by a blank line.
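The record layout just described is also what ldaphostlist prints for host entries (Section 7.8 and Chapter 8), and the cron job that Chapter 8 suggests for distributing LDAP-managed host keys to non-HP-UX hosts needs to parse it. The following Python script is an added example, not the Perl script Chapter 8 refers to and not LDAP-UX code: it parses records in this format, turns each host's cn, ipHostNumber and sshPublicKey values into ssh_known_hosts lines, and replaces only a marker-delimited block of the existing file so that locally maintained entries survive each update, in the spirit of the "CCD NOTE" convention used in sshd_config. The sample records, host names, addresses and key strings are constructed; the key strings are placeholders, not decodable keys. The assumption that a line beginning with a space continues the previous value (LDIF folding) and the script name in the usage comment are mine.

```python
"""Build ssh_known_hosts entries from ldaphostlist-style records.

Added example, not LDAP-UX code. Reads records on stdin (or uses the
constructed sample) and rewrites only a marker-delimited block of the
known_hosts file named on the command line.
"""
import re
import sys

# Constructed sample in the record format of Section 9.3.4.5. Hosts, addresses
# and key strings are made up; the key strings are placeholders, not real keys.
SAMPLE_RECORDS = """\
dn: cn=raptor,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: raptor
ipHostNumber: 16.92.96.215
objectClass: ldapPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxe1Q
 RAPTORCONSTRUCTEDKEY== root@raptor

dn: cn=baker,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: baker
ipHostNumber: 16.89.146.146
ipHostNumber: 16.89.146.147
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAbakerCONSTRUCTED== root@baker
sshPublicKey: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTZCONSTRUCTED= root@baker

dn: cn=chef,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: chef
ipHostNumber: 16.92.96.113
"""

BEGIN_MARK = "# BEGIN LDAP-UX managed host keys: keep local entries above this line"
END_MARK = "# END LDAP-UX managed host keys"
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
_ATTR_LINE = re.compile(r"^([A-Za-z][\w;-]*): ?(.*)$")


def parse_records(text):
    """Parse 'attr: value' records separated by blank lines.

    Attribute names are lower-cased (LDAP treats them case-insensitively) and
    map to lists of values. A line starting with a space continues the previous
    value (assumed LDIF folding).
    """
    records, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                records.append(current)
            current, last = {}, None
            continue
        m = _ATTR_LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        last = m.group(1).lower()
        current.setdefault(last, []).append(m.group(2))
    if current:
        records.append(current)
    return records


def known_hosts_lines(records):
    """Return (lines, hosts_without_keys); one line 'cn,ip,... type base64' per key.

    Hosts without a key are reported rather than silently dropped, because ssh
    would otherwise fall back to prompting the user for that host.
    """
    lines, missing = [], []
    for rec in records:
        if "cn" not in rec:
            continue                                  # not a host record
        host = rec["cn"][0]
        keys = rec.get("sshpublickey", [])
        if not keys:
            missing.append(host)
            continue
        patterns = ",".join([host] + rec.get("iphostnumber", []))
        for key in keys:
            fields = key.split()
            if len(fields) < 2 or fields[0] not in KEY_TYPES:
                raise ValueError(f"{host}: malformed sshPublicKey value {key!r}")
            lines.append(f"{patterns} {fields[0]} {fields[1]}")
    return lines, missing


def merge_known_hosts(existing, managed_lines):
    """Replace the marker-delimited block in `existing`; keep everything else."""
    if BEGIN_MARK in existing and END_MARK in existing:
        head = existing[:existing.index(BEGIN_MARK)]
        tail = existing[existing.index(END_MARK) + len(END_MARK):].lstrip("\n")
    else:
        head, tail = existing, ""
    if head and not head.endswith("\n"):
        head += "\n"
    return head + "\n".join([BEGIN_MARK, *managed_lines, END_MARK]) + "\n" + tail


if __name__ == "__main__":
    # Usage (assumed name): ldaphostlist <options> | update_known_hosts.py [current_known_hosts]
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RECORDS
    lines, missing = known_hosts_lines(parse_records(text))
    for host in missing:
        print(f"warning: no sshPublicKey for {host}", file=sys.stderr)
    existing = open(sys.argv[1]).read() if len(sys.argv) == 2 else ""
    sys.stdout.write(merge_known_hosts(existing, lines))
```

Write the output to a temporary file and move it into place atomically from the cron job, and run the job over an SSL/TLS-protected connection and with the certificate checks of Section 8.2 in place; a known_hosts file built from an unauthenticated directory lookup is only as trustworthy as that lookup.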
gecos[cn]: Bill Hu gecos[l]: Building 6A gecos[telephoneNumber]: +1-555-555-4321 9.3.4.5.2 Non-POSIX accounts and groups If you use ldapuglist with the -F option, ldapuglist displays users and groups that are not posixAccounts or posixGroups. Thus, these entries might not contain the required fields that store POSIX account and group information (such as the uidNumber attribute). When displaying these entries, the specified fields are missing from the output.
Table 28 Return codes for ldapuglist (continued) LST_ATTR_MAP_NULL One or more of the attributes specified in the search filter is not mapped or is mapped to *NULL*; the search filter cannot be created. For example, ldapuglist -t passwd -f "(userpassword=userp)" The output of the preceding command displays the "LST_ATTR_MAP_NULL" error because the userpassword attribute is mapped to *NULL* in the LDAP-UX configuration profile.
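To make the mapping behaviour concrete, here is a Python function, added as an example and not part of ldapuglist, that rewrites a single POSIX-style (attribute=value) assertion the way Section 9.3.4.3 describes: the mapped attribute name is substituted, the posixAccount or posixGroup object class is ANDed in, a gecos value is split on commas and each piece is ANDed against the corresponding mapped attribute, and an attribute mapped to *NULL* is rejected with the LST_ATTR_MAP_NULL error above. The attribute map is a constructed stand-in for the one in an LDAP-UX profile; treating the comma-separated gecos pieces as positional, and restricting the input to one assertion, are simplifications of this example, and the translation of memberUid, which the page does not describe, is not modelled.

```python
"""Rewrite a POSIX-style ldapuglist -f filter using profile attribute mapping.

Added example; not ldapuglist's own code.
"""
import re

# Constructed stand-in for the attribute maps of an LDAP-UX configuration
# profile: POSIX attribute (lower-case) -> list of directory attributes.
SAMPLE_MAP = {
    "uidnumber": ["employeeNumber"],
    "gecos": ["cn", "l", "telephoneNumber"],   # multi-mapped, ANDed together
    "userpassword": ["*NULL*"],                # not searchable
}
POSIX_OBJECTCLASS = {"passwd": "posixAccount", "group": "posixGroup"}
# One assertion only. Parentheses are not allowed inside the value, so a caller
# cannot smuggle extra filter terms in through it.
_ASSERTION = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def translate_filter(user_filter, service, attr_map=SAMPLE_MAP):
    """Return the directory filter LDAP-UX would send for a single POSIX assertion."""
    if service not in POSIX_OBJECTCLASS:
        raise ValueError("service must be 'passwd' or 'group'")
    m = _ASSERTION.match(user_filter.strip())
    if not m:
        raise ValueError("only a single (attribute=value) assertion is handled here")
    attr, value = m.group(1), m.group(2)
    mapped = attr_map.get(attr.lower(), [attr])      # unmapped attributes pass through
    if mapped == ["*NULL*"]:
        raise LookupError(f"LST_ATTR_MAP_NULL: {attr} is mapped to *NULL*, "
                          "cannot create search filter")
    if attr.lower() == "gecos" and len(mapped) > 1:
        # Assumption of this example: comma-separated gecos pieces are positional,
        # in map order; pieces that are absent or empty leave that attribute unconstrained.
        parts = [p.strip() for p in value.split(",")]
        if len(parts) > len(mapped):
            raise ValueError(f"gecos has {len(mapped)} mapped fields, got {len(parts)}")
        terms = [f"({a}={v})" for a, v in zip(mapped, parts) if v]
        if not terms:
            raise ValueError("empty gecos filter")
        sub = terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"
    else:
        sub = f"({mapped[0]}={value})"
    return f"(&(objectclass={POSIX_OBJECTCLASS[service]}){sub})"


if __name__ == "__main__":
    for flt, svc in [("(uidNumber=51552)", "passwd"),
                     ("(gecos=Bill Hu,Building 6A)", "passwd"),
                     ("(cn=groupA)", "group")]:
        print(flt, "->", translate_filter(flt, svc))
```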
./ldapuglist -t passwd -m -f "(uid=jscott)" The output is as follows. Assume that the gecos attribute has been mapped to cn, l, and telephoneNumber. With the -m option, the ldapuglist tool displays the mapped attribute names as well.
dn: cn=groupA,ou=groups,dc=example,dc=com cn: groupA Run the following commands to unset the LDAP_BINDDN and LDAP_BINDCRED environment variables. unset LDAP_BINDDN unset LDAP_BINDCRED 9.3.5 The ldapugadd tool You can use the ldapugadd tool to add new POSIX accounts and groups to an LDAP directory server (as noted by the first and second syntaxes in Section 9.3.5.2 (page 297)). You can use ldapugadd to modify the /etc/opt/ldapux/ldapug.
by the templates that are not part of the standard POSIX data model. For more information, see Section 9.3.5.6 (page 306) . 9.3.5.1 Syntax translation LDAP-UX supports syntax translation for the memberUid and gecos attributes. This translation enables storage of this information in a format more interoperable with other directory-enabled applications. The LDAP user and group tools enable creation and modification of these attributes in the LDAP-native syntaxes, even when specified using POSIX syntaxes.
-Z Requires an SSL connection to the LDAP directory server, even if the LDAP-UX configuration profile does not specify the use of SSL. Using the -Z option requires that you define either a valid LDAP directory server or CA certificate in the /etc/opt/ldapux/cert8.db file. An error occurs if the SSL connection cannot be established. -ZZ Attempts a TLS connection to the directory server, even if the LDAP-UX configuration profile does not specify the use of TLS.
group-related information. If you do not specify this argument, ldapugadd defaults to passwd. The command line arguments that are applicable depend on the service specified. 9.3.5.4.1 Arguments applicable to -D Use the ldapugadd -D command to change local host default values for the UG tool configuration parameters uidNumber_range, gidNumber_range, user_gidnumber, default_homeDirectory and default_loginShell in the /etc/opt/ldapux/ldapug.conf file.
-u Optional. Specifies the user’s numeric ID number. If the specified uidNumber value already exists in the directory server, ldapugadd does not add the new entry and returns an error status, unless you specify the -F option. If this argument is not specified, ldapugadd randomly selects a new user ID number from the uidNumber range specified by the ldapugadd -D -u command.
particular group, ldapugadd issues a warning message and continues to add the user to the remaining groups specified. If you do not specify this argument, ldapugadd does not add the user to alternate groups. -s Optional. Specifies the full path name to the executable that is used to handle login sessions for this user. If this argument is not specified, the default, as configured by the ldapugadd -D -s command, is used. -d Optional.
If you do not specify the -I option, ldapugadd does not add the attribute to the user entry. WARNING! If you specify the -I option and you have defined attribute mapping for the gecos attribute, be careful not to specify the same attributes in the command line that are also used in the gecos map. In the following example, if the gecos attribute has been mapped to cn, l, and telephoneNumber.
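The gecos syntax translation of Section 9.3.5.1 and the warning above are easier to see on a small model. The following is an added example, not code from LDAP-UX or from this guide: it assumes the mapping the text states (gecos to cn, l, telephoneNumber), splits a POSIX gecos value into those attributes, rebuilds it, and rejects an attr=value parameter that names an attribute the gecos map already fills. The sample values are constructed.

```python
# Added example (not code from LDAP-UX or this guide). It models the gecos
# syntax translation of Section 9.3.5.1 under the mapping the text assumes,
# gecos -> cn, l, telephoneNumber, and the -I / gecos-map conflict check the
# warning above asks for. Attribute names come from the text; the sample
# values are constructed.
from typing import Dict, List

# Assumed gecos map: field order in the POSIX gecos string -> LDAP attribute.
GECOS_MAP: List[str] = ["cn", "l", "telephoneNumber"]


def gecos_to_attributes(gecos: str, gecos_map: List[str] = GECOS_MAP) -> Dict[str, str]:
    """Split a comma-separated POSIX gecos value into its mapped LDAP attributes.

    Empty fields produce no attribute. More fields than mapped attributes is
    rejected rather than silently dropped.
    """
    fields = [f.strip() for f in gecos.split(",")] if gecos else []
    if len(fields) > len(gecos_map):
        raise ValueError(f"gecos has {len(fields)} fields, map covers {len(gecos_map)}")
    return {attr: value for attr, value in zip(gecos_map, fields) if value}


def attributes_to_gecos(attrs: Dict[str, str], gecos_map: List[str] = GECOS_MAP) -> str:
    """Reverse translation: rebuild the POSIX-style gecos string from the mapped attributes."""
    return ",".join(attrs.get(attr, "") for attr in gecos_map).rstrip(",")


def gecos_conflicts(explicit_attrs: Dict[str, str], gecos_map: List[str] = GECOS_MAP) -> List[str]:
    """Names given as attr=value on the command line that are also targets of the gecos map.

    LDAP attribute names are case-insensitive, so 'L' collides with 'l'.
    """
    mapped = {attr.lower() for attr in gecos_map}
    return sorted(name for name in explicit_attrs if name.lower() in mapped)


def build_user_attributes(gecos: str, explicit_attrs: Dict[str, str],
                          gecos_map: List[str] = GECOS_MAP) -> Dict[str, str]:
    """Combine the -I gecos value with attr=value parameters, refusing the ambiguous case."""
    clash = gecos_conflicts(explicit_attrs, gecos_map)
    if clash:
        raise ValueError("also set through the gecos map: " + ", ".join(clash))
    attrs = gecos_to_attributes(gecos, gecos_map)
    attrs.update(explicit_attrs)
    return attrs


if __name__ == "__main__":
    # Constructed sample: the gecos value the text shows for jscott.
    print(gecos_to_attributes("John Scott,San Jose,+1 555-555-5555"))
    print(gecos_conflicts({"surname": "Scott", "l": "Cupertino"}))
```

The conflict check is the point of the warning: once gecos is mapped, `l=Cupertino` on the command line and the second gecos field both target the same attribute, and which one wins is not something the caller should have to guess.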
-x Optional. Specifies the user’s domain name. Use this option to specify the ${domain} value that can be used in the template file. If you do not specify this value, the domain name is created by using the first dc component of the new user’s distinguished name. If the distinguished name does not contain any dc components, and the ${domain} variable is specified in the template file, ldapugadd generates an error. -m Optional. Creates a new home directory for the defined user.
follow all command line options and must precede the = parameters if provided. This group name must conform to HP-UX group name requirements. For more information about group name requirements, see the group(4) manpage. -g Optional. Specifies the group ID number. If the specified gidNumber already exists in the directory server, ldapugadd does not add the new entry and returns an error status, unless the -F option is specified.
-T Optional. Specifies the LDIF template file that is used to create new group entries. If you do not specify the -T option, ldapugadd uses the default template file, either /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl or /etc/opt/ldapux/ug_templates/ug_group_default.tmpl, depending on the service type you specify (-t passwd or -t group). The parameter can be either a full or relative path name or a short name. For more information, see Section 9.3.5.6 (page 306).
NOTE: You cannot modify the ldapug.conf file directly. To change the local host default values defined in /etc/opt/ldapux/ldapug.conf, you must use the ldapugadd -D command with the applicable command options. For more information about this command option, see Section 9.3.5.4.1 (page 299). 9.3.5.6 Template files Template files define user and group entries that enable ldapugadd to discover the required data models for new user and group entries.
NOTE: The template file used by the guided installation (autosetup) differs from this one: its template file excludes ou=people from the first line because that subtree is directly registered in the configuration profile.
9.3.5.6.3 Defining template files Defined substitution constructs Each template file must follow the LDIF data format and also permit substitution of values from the ldapugadd command. Each template file can be built using custom RFC 2307–type attributes and values. Customized attribute values are defined using the ${} construct.
In addition, comments are allowed. Comments are on a separate line and the first character is the # (hash) character. Guidelines for template files Use the following guidelines when creating template files: • Use the first line of the template file to define the distinguished name (DN) of the new entry. Because each DN is unique, the first component of the DN (the relative distinguished name or RDN) must be able to construct a unique value for each new entry. Define the RDN using a ${} construct.
the requested subtree, along with creation of the required attributes in that entry must be granted to the LDAP administrator identity when executing ldapugadd. • As with any POSIX-type identity, the HP-UX operating system uses the specified user and group ID number to determine rights and capabilities in the OS and in the file system. For example, the root user ID 0, typically has unlimited OS administration and file access rights.
Table 29 Return codes for ldapugadd (continued) ADD_RENAME_FAILED Failed to rename the internal temporary file to /etc/opt/ldapux/ldapug.conf. ADD_UPDATE_OK A specific operation has been updated successfully. For example, “uidnumber_range” defined in ldapug.conf has been updated successfully. ADD_K_IGNORED Option -m is not specified, therefore, -k ignored when adding a new account. ADD_TWO_DN_ERR DN has been specified more than once.
the user entry, ldapugadd attempts to add this user as a member of the group number 300. The uidNumber value is assigned dynamically from the preconfigured range. cd /opt/ldapux/bin ./ldapugadd -t passwd -PW -f "Adrian Lam" -g 300 alam surname="Lam" Run the following command to display the new user entry, alam: .
homeDirectory: /home/wang loginShell: /usr/bin/sh sn: Wang The following command adds a new group entry for the group name, groupA. In this example, ldapugadd creates the new group, groupA, and defines the initial group membership by adding the user account, mwang, as a member. ./ldapugadd -t group -M mwang groupA Use the following command to display the new group entry, groupA: .
[[-R ][...]] [-D |] [[=][...]] ldapugmod -t group [options] [-h ] [-p ] [-n new_name>] [-g ] [-a [,...]] [-r [,...]] [-c ] [[-A ][...]][[-R ][...]] [-D |] [[=][...]] 9.3.6.2 Options The ldapugmod tool supports the following command options: -P Prompts for the administrator's bind identity (typically LDAP DN or Kerberos principal) and bind password.
in the RDN portion of the entry’s distinguished name. Changing the attribute and value that is used in the RDN requires changing the RDN. For example, an entry in the directory server is named “cn=Robert Smith,ou=IT,dc=example,dc=com”. If the cn attribute is changed to “cn=Bob Smith”, then the entry DN also needs to change to “cn=Bob Smith,ou=IT,dc=example,dc=com”. Modification of an RDN is generally discouraged because the DN is often used as a unique way to identify the entry in the directory server.
-D The ldapugmod tool searches for the named user or group using the search rules defined by the service search descriptor in the LDAP-UX configuration profile. You can use the -D option to specify the exact distinguished name (DN) of the entry being modified. If you specify the -D option, you do not need to specify the or parameter. -A Specifies an attribute and value to be added to an entry.
ldapugmod -t passwd -n newuid olduid Is the same as: ldapugmod -t passwd olduid "uid=newuid" 9.3.6.3.1 Options applicable to -t passwd The following is a list of valid options for -t passwd: Required. Specifies the POSIX style login name of the user entry to modify. You must specify the parameter unless you specify the -D option. This user name must conform to HP-UX login name requirements. For more information about login name requirements, see the passwd(4) manpage.
specified already exists, the user’s current home directory does not exist or the user running ldapugmod does not have sufficient permissions to move the directory, ldapugmod returns an error. -I Replaces gecos fields for the user. If is an empty string, ldapugmod removes the gecos or mapped attributes.
information about impacts when using this option, see Section 9.3.6.4 (page 320). 9.3.6.3.2 Options applicable to -t group The following is a list of valid options for -t group: Required. Specifies the POSIX style textual group name for the group entry to modify. You must specify the group name if you do not specify the -D option. This group name must conform to HP-UX group name requirements. For more information about group name requirements, see the group(4) manpage.
Instead, use the -R option to remove arbitrary attributes. For information about impacts when using this option, see Section 9.3.6.4 (page 320). 9.3.6.4 Warnings Under common usage, ldapugmod uses the LDAP replace operation when changing values of an attribute in an entry. This feature might impact attributes that have multiple values, by removing all occurrences of an attribute value and replacing it with the one specified on the ldapugmod command line.
Perform the following ldapugmod command for the user entry, mlee: ./ldapugmod -t passwd -c "Mackey user entry" mlee This command replaces all instances of description with the single comment, Mackey user entry.
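The replace behaviour described in 9.3.6.4, the mlee example just above, and the RDN caveat in 9.3.6.2 can all be checked on an in-memory entry. The following is an added example, not code from LDAP-UX or from this guide: it models the three LDAP modification types (replace, add, delete) on a dict-of-lists entry, emits the RFC 2849 LDIF change record each one corresponds to, and shows how a change to the RDN value changes the DN. The entry contents are constructed sample data, and `dn_after_rdn_change` assumes a DN without escaped commas.

```python
# Added example (not code from LDAP-UX or this guide). It models the three LDAP
# modification types on an in-memory entry so the effect of the replace
# operation on a multi-valued attribute, which Section 9.3.6.4 warns about, is
# visible next to the add (-A) and delete (-R) alternatives. The LDIF produced
# follows RFC 2849; the entry contents are constructed sample data.
from typing import Dict, List

Entry = Dict[str, List[str]]  # attribute name -> list of values


def _copy(entry: Entry) -> Entry:
    return {attr: list(values) for attr, values in entry.items()}


def ldap_replace(entry: Entry, attr: str, values: List[str]) -> Entry:
    """replace: every existing value of attr is discarded, however many there were.

    Replacing with an empty value list removes the attribute entirely.
    """
    new = _copy(entry)
    if values:
        new[attr] = list(values)
    else:
        new.pop(attr, None)
    return new


def ldap_add(entry: Entry, attr: str, values: List[str]) -> Entry:
    """add: keeps existing values; a duplicate value is an error on the server."""
    new = _copy(entry)
    current = new.setdefault(attr, [])
    for value in values:
        if value in current:
            raise ValueError(f"attributeOrValueExists: {attr}={value}")
        current.append(value)
    return new


def ldap_delete(entry: Entry, attr: str, values: List[str]) -> Entry:
    """delete: removes only the named values; a missing value is an error."""
    new = _copy(entry)
    if attr not in new:
        raise ValueError(f"noSuchAttribute: {attr}")
    for value in values:
        if value not in new[attr]:
            raise ValueError(f"noSuchAttribute: {attr}={value}")
        new[attr].remove(value)
    if not new[attr]:
        del new[attr]
    return new


def modify_ldif(dn: str, op: str, attr: str, values: List[str]) -> str:
    """LDIF change record for one modification (op is add, delete or replace)."""
    lines = [f"dn: {dn}", "changetype: modify", f"{op}: {attr}"]
    lines += [f"{attr}: {value}" for value in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


def dn_after_rdn_change(dn: str, new_rdn_value: str) -> str:
    """A change to the RDN attribute value changes the entry's DN as well.

    Assumes the RDN is a single attr=value with no escaped commas.
    """
    rdn, _, parent = dn.partition(",")
    rdn_attr = rdn.split("=", 1)[0]
    return f"{rdn_attr}={new_rdn_value},{parent}"


if __name__ == "__main__":
    # Constructed sample: mlee carries two description values before the change.
    mlee: Entry = {"uid": ["mlee"], "description": ["Engineering", "On-call rotation"]}
    print(ldap_replace(mlee, "description", ["Mackey user entry"])["description"])
    print(ldap_add(mlee, "description", ["Mackey user entry"])["description"])
    print(modify_ldif("uid=mlee,ou=people,dc=example,dc=com", "replace",
                      "description", ["Mackey user entry"]), end="")
```

Run against the constructed mlee entry, `ldap_replace` leaves a single description value, which is exactly what `-c` does; `ldap_add` keeps both existing values and appends the new one, which is what `-A` sends. Before using `-c` or attr=value on an attribute that other applications also populate, read the entry first (the ldapuglist output in 9.3.4 shows all values) so the replace does not drop data nobody intended to remove.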
cn: Joesh Scott uid: jscott uidNumber: 2500 gidNumber: 120 homeDirectory: /home/jscott loginShell: /usr/bin/ksh gecos: John Scott,San Jose,+1 555-555-5555 9.3.6.5 Specific return codes for ldapugmod The ldapugmod tool returns a list of return codes shown in Table 30. Table 30 Return codes for ldapugmod Return Code Message MOD_CANNOT_GET_USER_HOMEDIR Cannot discover user's home directory information. MOD_COMMANDLINE_ERR Members need to be specified for the specified option.
• With any POSIX-type identity, the user and group ID numbers are used by the HP-UX operating system to determine rights and capabilities in the OS and in the file system. For example, a root user ID 0 has unlimited OS administration and file access rights. Before modifying an entry, you must be aware of the selected user and group ID number and any policy that may be associated with that ID.
./ldapugmod -t group -r atam GroupB The following command replaces all instances of the description attribute with value “Group C Entry” for the group entry, GroupC: ./ldapugmod -t group GroupC "description=Group C Entry" 9.3.7 The ldapugdel tool Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory server.
attributes from a group entry. Because use of -x removes common attributes typically used by other LDAP-enabled applications, HP seldom recommends using the -x option when removing posixAccount or posixGroup related attributes. If removal of the uid, cn, or description causes an object class violation, ldapugdel generates a warning message. With the -x option, LDAP-UX tries to remove as many attributes as allowed by the directory server. -y Use this option only with the -O and -t passwd options.
Specifies the name of the user entry that you want to delete. ldapugdel uses the configured LDAP search filter to discover the entry to be removed, such as (&(objectclass=posixAccount)(uid=name)). If more than one entry matches this search filter, only the first discovered entry is removed. You may specify only one of -D, or parameter on the command line. Specifies the name of the group entry that you want to delete.
NOTE: Keep the following considerations in mind when using the -O option: • The ldapugdel tool does not support attribute mappings. For example, if the uidNumber attribute has been mapped to the employeeNumber attribute, ldapugdel will attempt to remove uidNumber attribute and not employeeNumber.
Table 31 Return codes for ldapugdel Return Codes Message DEL_COMMANDLINE_ERR Invalid POSIX attributes. DEL_MULTIPLE_ENTRY_FOUND Multiple entries found that match the same name. Please use a DN to specify a specific entry. DEL_DELETE_FAILED The LDAP deletion operation failed. DEL_SEARCH_FAILED The LDAP search for subSchemaSubEntry, attributeTypes or objectClasses failed. DEL_PARSE_ERROR Unable to analyze LDAP directory server’s schema.
Run the following command to delete the entire user account entry, astein, on the LDAP directory server, ldapsrvA. The -h option overrides the server list defined by the LDAP-UX configuration profile. ./ldapugdel -t passwd -h ldapsrvA:389 astein Run the following command to delete the entire user account entry, msmart: ./ldapugdel -t passwd msmart Run the following command to delete the entire group entry with the distinguished name, “cn=group1,ou=groups,dc=example,dc=com": .
9.3.8.2 Options and arguments The ldaphostmgr tool supports the following options and arguments: -a Adds a new host to the directory server. The host is added to the base specified by the host service search descriptor in the LDAP-UX configuration profile entry (unless the -D option is used to specify the fully qualified DN). When an entry is created, the device and ipHost object classes are used. Optionally, additional object classes can be used to describe the host entry.
account, such that a remote login to that host can be performed using that identity. Specifying -I on a remote host will fail if LDAP-UX (version > B.05.00) is not installed on that host. -X Does not prompt for information, including the host’s password or other interactive confirmation prompts. If required information cannot be discovered, the command exits with an error. The -F option can be used to force an override for most confirmation prompts.
-a and -m operations. If host_name is already fully qualified (contains a domain), then the -f option has no effect. Only a host_name is added to the entry. ldaphostmgr uses the /etc/resolv.conf file to determine the domain. If the -D option is specified, the value of the RDN (relative distinguished name) is used to determine the host_name. -S Displays the DN of the created, modified, or deleted host entry, at the end of the output.
because the owner attribute may be used to grant access control rights for the defined administrators. To replace an owner of the host, you may specify the -O option twice to remove the existing user and add a new one. For example: ldaphostmgr -O !user:olduser -O user:newuser hostname If the user is adding a new host entry (-a option) and if the -O option is not specified, the owner attribute is assigned the DN of the current user (as authenticated by ldaphostmgr).
confirmation before changing an existing key on the host, unless the -X option is specified (in which case, the key is not changed unless -F is also specified.) If you specify the ! option, the specified keys are removed from the host entry in the directory server. The actual keys on the host are not removed. If you specify the ? option, the keys on the host are validated against those found in the representative directory entry for the specified host.
keys of the host found in the directory server match that specified in the /etc/opt/ssh/*.pub files. Note that if a -k option is specified and the host being managed is remote, a remote login to that host is required and performed by ldaphostmgr to modify the remote keys. This means that when the LDAP credentials are specified (through the prompt or LDAP_BINDDN), they must also represent a POSIX account, such that a remote login to that host can be performed by ldaphostmgr using that identity.
On ADS, this attribute does not exist by default and would require modifying the ADS schema to add this attribute type. Refer to the ldapschema(1M) manpage and the /etc/opt/ldapux/schema/ldapux50.xml file provided. -x domain Short, conventional name of the domain. This option specifies the value for the entityDomain attribute. Only one domain may be specified. If ! alone is specified, or is specified at the beginning of the domain, the domain is removed.
In this example, the password value will be: Rfxw-"92 -D DN, or host_name Specifies the host DN or POSIX host name for which to apply the operation. Specifying either -D DN, or host_name is required, even if the intent is to manage data for the local host. Specify the host's true full or short name when using host_name. Do not specify localhost when attempting to modify the local host.
established, remaining directory servers on the host list are not contacted. Once connected, ldaphostmgr first determines if the environment variables LDAP_BINDDN or LDAP_BINDCRED were specified. If both are specified, then ldaphostmgr attempts to bind to the directory server using the specified credentials and configured LDAP-UX authentication method.
command line. For example, if the -c argument is used to specify a new description for a host, all occurrences of the description attribute are replaced by the value specified for the -c argument. This mode of operation applies to the -I command argument as well. When the attr=value parameter is used to modify an existing attribute, the ldaphostmgr command also uses the LDAP replace operation.
management tools, see Section 9.3.3 (page 285). In addition, see specific return codes for each of the tools that manage users and groups. 9.3.8.8 External Influences 9.3.8.8.1 Environment Variables The ldaphostmgr tool supports the following environment variables: LDAP_HOSTCRED When used in combination with the -PW option, LDAP_HOSTCRED specifies the proxy password of the newly created host.
The ldaphostlist tool provides the following functions: • Uses the existing LDAP-UX configuration, requiring only a minimal number of command-line options to discover where to search for host information, such as what directory servers to contact and proper search filters for finding accounts and groups. Provides command options to let you change these configuration parameters. • Uses the existing LDAP-UX authentication configuration to determine how to bind to the LDAP directory server.
When the -L option is specified, the -m option is ignored, and the attr parameter list is invalid. -P Prompts for the user’s bind DN and password. Without -P, ldaphostlist attempts to bind to the directory server using the environment variables LDAP_BINDDN and LDAP_BINDCRED. Or if those were not specified, the bind will be anonymous or as the LDAP-UX proxy user, if configured. -Z Requires an SSL connection to the directory server, even if the LDAP-UX configuration does not require the use of SSL.
-n hostname Provides a simplified method for discovering a single host. Use of -n is the same as -f “(cn=name)”. If -n is used, the -g, -F and -f options cannot be specified on the command line. -g groupname Limits the hosts returned to those that are also members of the specified group.
And assume the LDAP-UX product has been configured as follows: • The configuration profile defines the search filter for the host service as “(objectclass=ipHost)”. • The cn attribute for the host service has been mapped to the hostName attribute. Then the actual search filter used by ldaphostlist would be: (&(objectclass=ipHost)(hostName=myhost)) Notes: -F filter • When -f is used and any of the attributes specified in the search filter have been mapped to “*NULL*”, ldaphostlist returns an error.
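The filter construction just described, including the attribute mapping and the *NULL* case the note calls an error, is worth making concrete. The following is an added example, not code from LDAP-UX or from this guide: it combines the host service search filter from the configuration profile with the -n host name, applies an attribute map the way the text describes, refuses a *NULL* mapping, and escapes the host name per RFC 4515 so that filter metacharacters in a supplied name cannot change the shape of the query. The service filter and mapping are the ones the text gives; the regular expression and helper names are assumptions.

```python
# Added example (not code from LDAP-UX or this guide). It builds the host
# search filter the way the text describes: the profile's host service filter
# ANDed with the -n name, with the cn attribute mapping applied, and with the
# *NULL* mapping rejected as the note says ldaphostlist does. Assertion values
# are escaped per RFC 4515. All values below are constructed.
import re
from typing import Dict, List, Optional

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPE = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}

# Assumed pattern: attribute name at the start of each filter item, e.g. "(cn=" or "(cn>=".
_ATTR_RE = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*[~<>]?=")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def resolve_attribute(attr: str, attr_map: Optional[Dict[str, str]]) -> str:
    """Apply the profile's attribute mapping; *NULL* means the attribute is not available."""
    mapped = (attr_map or {}).get(attr, attr)
    if mapped == "*NULL*":
        raise ValueError(f"attribute {attr} is mapped to *NULL* and cannot be searched")
    return mapped


def build_host_filter(host_name: str,
                      service_filter: str = "(objectclass=ipHost)",
                      attr_map: Optional[Dict[str, str]] = None) -> str:
    """Equivalent of 'ldaphostlist -n host_name' as the text describes it."""
    name_attr = resolve_attribute("cn", attr_map)
    return f"(&{service_filter}({name_attr}={escape_filter_value(host_name)}))"


def null_mapped_attributes(user_filter: str, attr_map: Optional[Dict[str, str]]) -> List[str]:
    """Attributes named in a -f filter that are mapped to *NULL* (the error case in the note)."""
    attr_map = attr_map or {}
    return sorted({a for a in _ATTR_RE.findall(user_filter) if attr_map.get(a) == "*NULL*"})


if __name__ == "__main__":
    print(build_host_filter("myhost", attr_map={"cn": "hostName"}))
    # A name containing filter metacharacters is searched for literally.
    print(build_host_filter("my*host"))
    print(null_mapped_attributes("(&(cn=a)(ipHostNumber=1))", {"ipHostNumber": "*NULL*"}))
```

The escaping matters whenever the host name comes from somewhere other than an administrator's keyboard (a provisioning script, an inventory export): without it a value such as `*` turns an exact-match lookup into a wildcard, and the text's rule that only the first matching entry is acted on would then apply to the wrong host.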
expire within keyage days. Host entries might not have key age or expiration information defined in the directory server, and therefore this keyage option will apply to only those host entries that do. Please see the ldaphostmgr command and the -k and -e options for additional information about key ages and expiration.
changes to two colons and a space character. See “Unencodable Characters” in Section 9.3.9.3 (page 345). By default the following fields are returned: cn ipAddress Note that when the -m option is specified, the output format changes to the following: dn: dn1 field1[attribute1]: value1 field2[attribute2]: value2 field3[attribute3]:: base64-encoded-value3 … 9.3.9.
configured credential type is “proxy” and, if so, attempts to bind to the directory server using the configured LDAP-UX proxy credential. If configured, the acred proxy credential is used for administrative users (determined if the user running ldaphostlist has enough privilege to read the /etc/opt/ldapux/acred file). Otherwise, the credential configured in /etc/opt/ldapux/pcred is used. If the proxy credential is not configured and the -P option has not been specified, ldaphostlist connects anonymously.
9.3.9.8 Security Considerations To support noninteractive use of the ldaphostlist command, specification of the LDAP user’s credentials might be required. In noninteractive mode, these credentials are specified in the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use. Note that the shell's command history log might contain copies of the executed commands that show setting of these variables.
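One way to follow the advice above from a script rather than an interactive shell. The following is an added example, not code from LDAP-UX or from this guide: it places LDAP_BINDDN and LDAP_BINDCRED in the environment of the child process only, never exports them in the calling shell (so no history entry records them and nothing lingers in the parent), and passes the command as an argument list rather than a shell string. The child run here is a stand-in that only reports which variable it received; the DN and credential values are constructed.

```python
# Added example (not code from LDAP-UX or this guide). It shows one way to
# honour the advice above: the bind credentials exist only in the child's
# environment, are never exported in the interactive shell (so the shell
# history never records them), and are not passed on a command line. The
# command run below is a stand-in that merely reports what it received; the
# DN and credential values are constructed.
import os
import subprocess
import sys
from typing import List, Tuple

BIND_VARS = ("LDAP_BINDDN", "LDAP_BINDCRED")


def run_with_bind_credentials(argv: List[str], bind_dn: str, bind_cred: str) -> Tuple[int, str]:
    """Run argv with LDAP_BINDDN/LDAP_BINDCRED set for the child process only.

    The parent's os.environ is copied, not modified, and argv is an argument
    list (no shell), so the credential appears in neither a command line nor
    the shell history.
    """
    child_env = dict(os.environ)
    child_env["LDAP_BINDDN"] = bind_dn
    child_env["LDAP_BINDCRED"] = bind_cred
    completed = subprocess.run(argv, env=child_env, capture_output=True, text=True, check=False)
    return completed.returncode, completed.stdout


def parent_holds_credentials() -> bool:
    """True if either bind variable is still set in this process's environment."""
    return any(name in os.environ for name in BIND_VARS)


def clear_bind_credentials() -> None:
    """The equivalent of 'unset LDAP_BINDDN LDAP_BINDCRED' in the shell."""
    for name in BIND_VARS:
        os.environ.pop(name, None)


def demo() -> Tuple[str, bool]:
    """Run a stand-in child that prints the DN it sees; report what the parent keeps."""
    probe = [sys.executable, "-c", "import os; print(os.environ.get('LDAP_BINDDN', ''))"]
    _, out = run_with_bind_credentials(probe, "cn=Directory Manager", "constructed-example-secret")
    clear_bind_credentials()  # no-op here; matters if a caller exported them earlier
    return out.strip(), parent_holds_credentials()


if __name__ == "__main__":
    print(demo())  # ('cn=Directory Manager', False)
```

In a real script the `probe` list would be replaced by the ldaphostlist invocation and the credential would come from a file readable only by the invoking account or from a prompt, never from a literal in the script; the structure of the call stays the same.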
9.3.10.2 Options NOTE: Because each of the -a, -D, -A, -P, -R, -L, -b, -f, -h and -m options described in this section generates arbitrary output formats, you may only use one of these options per invocation of the ldapcfinfo command. Using multiples of these options in a single command line might prevent you from distinguishing outputs applied to a specific option, and will result in an error. The -T option is ignored unless the -R option is specified.
ug_passwd_default.tmpl. With -t group, the default template file is /etc/opt/ldapux/ug_templates/ug_group_default.tmpl. For detailed information about template files, see Section 9.3.5.6 (page 306). -L Displays the list of available template files for the service specified with the -t option. The ldapcfinfo tool displays the full path name of the template files, each on a separate line. -D Displays the LDAP default configuration values in the /etc/opt/ldapux/ldapug.
Table 32 Return codes for ldapcfinfo Return Code Message CFI_COMMANDLINE_ERR Unknown option. CFI_COMMANDLINE_ERR Missing argument for the specified command option. CFI_COMMANDLINE_ERR Only one of the -D, -A, -b, -f, -h, -m, s, a, -P, -L or -R options may be specified per invocation. CFI_COMMANDLINE_ERR Specified attribute name (-m) missing or invalid. CFI_COMMANDLINE_ERR Too many attributes specified with the -m option. CFI_COMMANDLINE_ERR Unable to validate the specified template file.
Table 32 Return codes for ldapcfinfo (continued) CFI_UGCONF_INVALID Invalid configuration file. Missing required configuration parameters. CFI_CONFIG_SUCCESS The specified service appears properly configured for LDAP-UX operation. CFI_CONFIG_FAILURE The specified service not configured for LDAP-UX support. 9.3.10.4 Examples This section provides examples of using the ldapcfinfo tool: The following command verifies that the LDAP-UX is properly configured for the passwd service: cd /opt/ldapux/bin .
The following command displays the nonPOSIX attributes defined in the default template file, /etc/opt/ldapux/ug_templates/ug_passwd_std.tmpl, required by the ldapugadd command for the passwd name service: ./ldapcfinfo -t passwd -R The output of the command is as follows: surname The following command displays the list of available template files for the passwd name service: ./ldapcfinfo -t passwd -L Assume that /etc/opt/ldapux/ug_templates/ug_passwd_std.
9.4.1 The ldapentry tool The ldapentry tool is a script tool that simplifies the task of adding, modifying and deleting entries in a directory server. It supports the following name services: passwd, group, hosts, rpc, services, networks, and protocols. ldapentry accepts run-time options either on the command line, or via environment variables, which can be defined locally, in the configuration profile or are read in from the configuration profile.
-f Forces command execution with warning override. -v Displays verbose information. -b Specifies the DN of the search/insert base which defines where ldapentry starts the search/insert for the entry. This option is optional if the LDAP_BASEDN variable is set. If specified, this option overrides the LDAP_BASEDN variable setting. -h Specifies the host name of the LDAP directory. If not specified, ldapentry uses the local host. -p Specifies the TCP port number that the LDAP directory uses.
NOTE: Although the ldapentry tool will allow the users to modify any information on the EDITOR window, the directory server has the final decision on accepting the modification. If the user makes an invalid LDIF syntax, violates the directory's schema or does not have the privilege to perform the modification, the ldapentry tool will report the error after the EDITOR window is closed when it tries to update the directory server with the information.
Specifies a series of command-line options. These must be specified before the search filter, if used. optional_options optional_list_of_attributes are space-separated attributes that reduce the scope of the attributes returned in the search results. This list of attributes must appear after the search filter. For more information, see the HP-UX Directory Server administrator guide. 9.4.3.2 ldapsearch options This section lists the most commonly used ldapsearch command-line options.
9.4.4.2 ldapmodify options This section lists the most commonly used ldapmodify options. For more information, see the HP-UX Directory Server configuration, command, and file reference. -a Allows you to add LDIF entries to the directory without requiring the changetype:add LDIF update statement. This provides a simplified method of adding entries to the directory. -B Specifies the suffix under which the new entries will be added.
9.5 Schema extension utility 9.5.1 Overview A directory schema is a collection of attribute type definitions, object class definitions and other information supported by a directory server. Schema controls the type of data that can be stored in a directory server. Although there are some recommended schemas that came originally from the X.500 standards, mostly for representing individuals and organizations, there is no universal schema standard in place for every possible application.
For this release of LDAP-UX Client Services, the setup tool has not been integrated with ldapschema. You will continue to use the setup tool to extend the directory server schema with printer, public key and automount schemas. For Windows Active Directory Server, you will continue to run the setup tool to extend the directory server with the automount schema. 9.5.2.
To support Windows ADS, LDAP-UX provides the predefined LDAP directory server definition file, /etc/opt/ldapux/schema/schema-ads.xml, which contains a list of schema syntaxes that Windows Active Directory Server supports.
Table 33 Supported directory servers
Type of directory server          ds_type
HP-UX Directory Server            hpds
Windows Active Directory Server   ads
Red Hat Directory Server          rhds
The ldapschema utility might work with other types of LDAPv3 directory servers, although its behavior has not been verified.
“versionLessThan” are not used in the XML files being processed (the schema definition files, the LDAP directory server definition file, and the mapping rules file). If the XML files include any definitions with “versionGreaterOrEqual” attribute set, strcasecmp() must return zero or a positive integer to include directory-specific information in the LDAP schema definition.
9.5.3.2 Security For security reasons, the LDAP administrator's password may not be specified on the command line. It may be specified at the prompt (-w - option), in a file (-j option), or using the LDAP_BINDCRED environment variable described in Section 9.5.3.3 (page 364). 9.5.3.
used in the /etc/opt/ldapux/schema/sample.xml and /etc/opt/ldapux/schema/map-rules.xml files. 9.5.4 Schema definition file The ldapschema utility queries and extends the LDAP directory server based on the XML schema definition file. When using the ldapschema tool, the schema argument used with the -q or -e option must correspond to the XML file containing the appropriate schema definition. Several predefined files (such as rfc3712.xml, rfc2256.xml, etc.) are stored in the /etc/opt/ldapux/schema directory.
[Example schema definition listing, lines 23 to 40 (XML tags not preserved): the printer-aliases attribute type, description “Names in addition to the printer-name”, equality matching rule caseIgnoreMatch, substring matching rule caseIgnoreSubstringsMatch, syntax 1.3.6.1.4.1.1466.115.121.1.15 with maximum length 127, and an object identifier beginning 1.3.18.0.2.6.]
1.3.6.4.1.1466.0 64 At most one syntax length value may be specified. must contain a positive integer value. Optional, use if the SINGLE-VALUE flag is set. At most one singleValued flag may be specified. Optional, use if the COLLECTIVE-VALUE flag is set. At most one collective flag may be specified. Optional, use if NO-USER-MODIFICATION flag is set. At most one noUserModification flag may be specified.
9.5.4.4 Defining object classes Each object class definition, enclosed by the tags, can contain the following case-sensitive tags, in the order specified: Required. Exactly one numeric id must be specified. The value must adhere to RFC 2252 format specification. Required. At least one object class name must be specified. Do not use quotes around the name values. The value must adhere to RFC 2252 format specification. Optional.
9.5.4.5 Object class definition requirements To add the new schema to the LDAP directory server, each object class definition must meet the following requirements: • The object class definition contains a tag with one numeric id value which adheres to RFC 2252 format specification. • The object class definition has at least one tag with the object class name. Each name must adhere to RFC 2252 format specification.
[Example schema definition listing, lines 1 to 10 (XML tags not preserved): an attribute type with numeric id 1.23.456.7.89101112.1.314.1.51.6, name sampleAttribute, an additional name my-sample-attribute qualified with versionGreaterOrEqual="2003", equality matching rule caseIgnoreMatch, syntax 1.3.6.1.4.1.1466.115.121.1.15, and a flag set to TRUE.]
For the preceding example, on Windows Active Directory Server, this object class has a mandatory attribute type, serverRole, and an optional attribute type, sampleAttribute. On all other types of directory servers, this object class has a mandatory attribute type, userPassword and an optional attribute, sampleAttribute.
9.5.6.1 Example of the directory server definition file The following example defines two syntaxes with values of 2.5.5.1 and 2.5.5.2 supported on Windows ADS:
[Example directory server definition file listing (XML tags not preserved).]
9.5.7 Mapping unsupported matching rules and LDAP syntaxes If matching rules and LDAP syntaxes used in attribute type definitions in the schema definition file are not supported on the LDAP directory server, the ldapschema tool maps them to alternate matching rules and syntaxes the LDAP server supports. LDAP-UX provides the /etc/opt/ldapux/schema/map-rules.xml file which defines a list of default substitution matching rules and syntaxes, and alternate matching rules and syntaxes.
2.5.5.5 Active Directory IA5 String LDAP Syntax. 22 1.3.6.1.4.1.1466.115.121.1.15 Directory String syntax.
9.5.8.1 Schema status messages SCHEMA_NEW The file contains attribute types and object classes that are not defined in the LDAP directory server schema. [The SCHEMA_NEW message indicates all attribute types and object classes defined in the file are new to the LDAP directory server. The SCHEMA_NEW message indicates none of the specified definitions are currently installed in the LDAP server schema.
of the schema on the LDAP directory server. Only attribute types and object classes with new and unique numeric oids and names can be added to the LDAP server schema. For more information, see the messages containing ATTRIB_FOUND (Section 9.5.8.2 (page 377)) and OBJECT_FOUND (Section 9.5.8.3 (page 380)). Since the definitions specified in the file are already installed in the LDAP server schema, the ldapschema utility will make no changes to the LDAP directory server schema.
See the descriptions of the ATTRIB_MISMATCH and OBJECT_MISMATCH messages for the exact instances of attribute types and object classes, respectively, causing the schema mismatch. The mismatch is caused by any differences in element definitions, such as equality matching rule, single-valued setting, attribute syntax, object class type, attribute types an object class includes, etc.
can be separated by a period (.). Leading zeroes are not allowed. For more information, see RFC 2252. This message indicates the tag and its value need to be corrected in the definition in the file. The value must be compliant with RFC 2252. For more information, see RFC 2252. ATTRIB_INVALID Attribute type “” has an invalid name. Edit the schema definition file to specify an RFC 2252 compliant value for this attribute type.
either in the LDAP directory server schema or in the file before this attribute type can be installed.] ATTRIB_UNRESOLVED Matching Rule " " used in the attribute type definition cannot be mapped because "-m -" option is specified. This matching rule is not supported on the LDAP server.
ATTRIB_REJECTED attribute type “” is not added to the LDAP server schema because it is already part of the LDAP schema. [This message indicates the LDAP directory server schema already includes a definition of an attribute type definition with the same numeric oid or name.] ATTRIB_REJECTED attribute type “” is not added to the LDAP server schema because its definition is invalid. [This message indicates definition of the specified attribute type is invalid.
OBJECT_UNRESOLVED Mandatory attribute used in the object class definition is not defined in any LDAP server schema. [This message indicates the mandatory attribute type specified with the tag in the given object class definition is undefined. Edit the file to correct the name of the mandatory attribute in the object class definition.
RULE_INVALID Matching rule is missing a name. Edit the schema definition file to specify at least one tag and its value for every definition. [This message indicates the tag and its value need to be specified in the definition in the /etc/opt/ldapux/schema/schema-ds_type.xml file, where ds_type corresponds to the same value specified with the -T option on the command line when executing the ldapschema utility.
SYNTAX_UNRESOLVED LDAP syntax “” used in the “” attribute type definition is not supported on the LDAP server. LDAP syntax “” will be used instead [This message indicates the specified syntax is not supported on the LDAP directory server. However, it was successfully mapped with a higher level (more inclusive) syntax supported by that server, , as specified in the /etc/opt/ldapux/schema/map-rules.xml file.
shell script gets information from the appropriate source files, such as /etc/passwd, /etc/group, /etc/hosts, and so forth. The migrate_all_nis_online.sh script gets information from your NIS maps using the ypcat command (for more information about this command, see the ypcat(1) manpage). The scripts take no parameters but prompt you for needed information. They also prompt you for whether to leave the output as LDIF or to add the entries to your directory.
Table 37 Scripts for migrating individual files (continued)
Script Name: migrate_netgroup.pl
Description and notes: Migrates netgroups in /etc/netgroup. Netgroup notes:
• In LDAP-UX, netgroups are stored using the traditional netgroup-triple syntax. In contrast with NIS, byuser and byhost optimization maps are not used.
• Each triple is stored as a single string.
• Each triple must be enclosed by parentheses; for example, (machine, user, domain) is a valid triple while machine, user, domain is not.
migrate_passwd.
objectclass: posixAccount
objectclass: account
userPassword: {crypt}daCXgaxahRNkg
loginShell: /bin/ksh
uidNumber: 20
gidNumber: 20
homeDirectory: /home/jbloggs
gecos: Joe Bloggs,42U-C3,555-1212

The following commands convert /etc/group into LDIF and place the result in /tmp/group.ldif:

$ export LDAP_BASEDN="o=hp.com"
$ migrate_group.pl /etc/group /tmp/group.ldif

dn: cn=mira.hp.com,ou=Groups,o=hp.com
objectclass: posixGroup
objectclass: top
cn: mira
cn: mira.hp.
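The conversion the migration scripts perform, as an added example in Python (not the manual's migrate_passwd.pl or migrate_group.pl code): it turns constructed /etc/passwd and /etc/group lines into posixAccount and posixGroup LDIF entries of the shape shown above, and base64-encodes values that LDIF cannot carry in plain form. The ou=People and ou=Groups containers and the handling of shadowed or locked password fields are assumptions, not taken from the page.

```python
"""Added example (not the manual's migrate_*.pl scripts): build the LDIF the
migration produces from /etc/passwd and /etc/group lines, handling values that
LDIF requires to be base64-encoded."""
import base64

# Constructed sample lines, modelled on the jbloggs and mira entries shown above.
# Assumptions: users go under ou=People and groups under ou=Groups beneath the
# base DN; /etc/shadow is not consulted, so 'x', '*' and '!' yield no userPassword.
PASSWD_LINES = [
    "jbloggs:daCXgaxahRNkg:20:20:Joe Bloggs,42U-C3,555-1212:/home/jbloggs:/bin/ksh",
    "mueller:x:21:20:J\u00fcrgen M\u00fcller:/home/mueller:/bin/sh",
]
GROUP_LINE = "mira:*:22:iuser1,jbloggs"
LOCKED_OR_SHADOWED = ("", "x", "*", "!")


def ldif_attr(name, value):
    """Format one attribute line. LDIF (RFC 2849) needs 'name:: base64' when the
    value starts with space, ':' or '<', ends with space, or is not printable ASCII."""
    unsafe = (value.startswith((" ", ":", "<")) or value.endswith(" ")
              or any(ord(c) < 32 or ord(c) > 126 for c in value))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return "%s:: %s" % (name, encoded)
    return "%s: %s" % (name, value)


def passwd_to_ldif(line, base_dn):
    """Return the LDIF entry for one /etc/passwd line (posixAccount + account)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    name, pw_hash, uid, gid, gecos, home, shell = fields
    int(uid), int(gid)  # reject non-numeric ids before they reach the directory
    attrs = [("dn", "uid=%s,ou=People,%s" % (name, base_dn)),
             ("uid", name), ("cn", name),
             ("objectclass", "top"), ("objectclass", "posixAccount"),
             ("objectclass", "account")]
    if pw_hash not in LOCKED_OR_SHADOWED:
        # crypt(3) hash carried with the {crypt} prefix, as in the entry above
        attrs.append(("userPassword", "{crypt}" + pw_hash))
    if shell:
        attrs.append(("loginShell", shell))
    attrs += [("uidNumber", uid), ("gidNumber", gid), ("homeDirectory", home)]
    if gecos:
        attrs.append(("gecos", gecos))
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


def group_to_ldif(line, base_dn):
    """Return the LDIF entry for one /etc/group line (posixGroup with memberUid)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError("expected 4 colon-separated fields: %r" % line)
    name, pw_hash, gid, members = fields
    int(gid)
    attrs = [("dn", "cn=%s,ou=Groups,%s" % (name, base_dn)),
             ("objectclass", "posixGroup"), ("objectclass", "top"),
             ("cn", name), ("gidNumber", gid)]
    if pw_hash not in LOCKED_OR_SHADOWED:
        attrs.append(("userPassword", "{crypt}" + pw_hash))
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


if __name__ == "__main__":
    base = "o=hp.com"
    print("\n".join(passwd_to_ldif(l, base) for l in PASSWD_LINES))
    print(group_to_ldif(GROUP_LINE, base))
```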
shd Shadow Password
srv Service
prt Protocol
rpc RPC
hst Host
net Network
ngp Netgroup
grm Group Membership

9.7.1.2 Examples
1. The following is an example beq command using iuser1 (user name) as the search key, pwd (password) as the service, and ldap as the library in 32-bit mode on an HP-UX 11i v2 or v3 PA-RISC machine:
./beq -k n -s pwd -l /usr/lib/libnss_ldap.1 iuser1
nss_status .............. NSS_SUCCESS
pw_name...........(iuser1)
pw_passwd.........(*)
pw_uid............(101)
pw_gid...
Use the following beq command if you are running 32-bit applications on an HP-UX 11i v2 or v3 Integrity server machine:
./beq -k n -s pwd -l /usr/lib/hpux32/libnss_files.so.1 adm
3. The following is an example beq command using UID number 102 as the search key, pwd (password) as the service, and ldap as the library in 32-bit mode on an HP-UX 11i v2 or v3 PA-RISC machine:
./beq -k d -s pwd -l /usr/lib/libnss_ldap.1 102
nss_status .............. NSS_SUCCESS
pw_name...........(user2)
pw_passwd.........
pw_age............()
gr_mem (iuser1)
Use the following beq command if you are running 64-bit applications on an HP-UX 11i v2 or v3 Integrity server machine:
./beq -k d -s grp -l /usr/lib/hpux64/libnss_ldap.so.1 22
Use the following beq command if you are running 32-bit applications on an HP-UX 11i v2 or v3 Integrity server machine:
./beq -k d -s grp -l /usr/lib/hpux32/libnss_ldap.so.1 22
9.7.
The following command gets the uidnumber attribute information for the passwd service: ./get_attr_map.
10 User tasks
This chapter describes user management tasks.
10.1 Modifying passwords
With LDAP-UX Client Services, users change their password with the passwd command. Depending on the PAM configuration and the location of the user's information (in the directory or in /etc/passwd), users might be prompted for their password twice as PAM looks in the configured locations for the user's information.
Figure 19 Changing passwords on master server with ldappasswd
[Figure: LDAP-UX Clients 1-50 use passwd(1) and LDAP-UX Clients 51-100 use ldappasswd(1) to modify the master LDAP directory server, which sends updates to the replica LDAP directory server.]
For more information about the ldappasswd command, see Section 9.4.2 (page 356).
Figure 20 Sample passwd command wrapper
#!/usr/bin/ksh
#
# You can put a default master LDAP server host name
# here. Otherwise the local host is the default.
granting access control rights. For HP-UX Directory Server, you can review the default self-write rights granted to users in Section 2.3.2.3.2 (page 38). However, before you grant additional rights, be aware of the security impact. For example, if you allow a user to modify his own entityRole attribute, and that attribute is used to define access rights, then you may be inadvertently granting access rights to other users.
11 Mozilla LDAP C SDK This chapter describes the Mozilla LDAP SDK for C and the SDK file components. 11.1 Overview The LDAP-UX Client Services provides Mozilla LDAP C SDK 6.0.5 support. The LDAP C SDK is a Software Development Kit that contains a set of LDAP Application Programming Interfaces (API) to enable you to build LDAP-enabled clients. Mozilla LDAP C SDK 6.0.5 supports IPv6 addressing. The functionality implemented in the SDK closely follows the interface outlined in RFC 2251.
Table 38 Mozilla LDAP C SDK file components on the PA-RISC machine (continued)
Files | Description
/usr/include/* | Include files from LDAP C SDK
/opt/ldapux/contrib/bin/certutil | Unsupported command tool that creates and modifies the certificate database files, cert8.db and key3.db
/opt/ldapux/contrib/ldapsdk/examples | Unsupported LDAP C SDK examples
/opt/ldapux/contrib/ldapsdk/source.tar.
Table 39 Mozilla LDAP C SDK file components on an Integrity server machine
Files | Description
/usr/lib/hpux32/libldap.so (32-bit) | Main LDAP C SDK API libraries
/usr/lib/hpux64/libldap.so (64-bit) |
/opt/ldapux/lib/hpux32/libfreebl3.so (32-bit) | LDAP C SDK dependency libraries
/opt/ldapux/lib/hpux32/libnspr4.so (32-bit) |
/opt/ldapux/lib/hpux32/libnss3.so (32-bit) |
/opt/ldapux/lib/hpux32/libplc4.so (32-bit) |
/opt/ldapux/lib/hpux32/libsoftokn3.so (32-bit) |
/opt/ldapux/lib/hpux32/libssl3.
Table 40 (page 397) shows header files that support the LDAP libraries existing under /usr/include, except where noted:
Table 40 Mozilla LDAP C SDK API header files
Header Files | Description
/usr/include/ldap.h | Main LDAP functions, structures and defines.
/usr/include/ldap-extension.h | Support for LDAP v3 extended operations, controls and other server specific features. This file must be included in source code that uses LDAP v3 extended operations or controls.
/usr/include/ldap_ssl.
NOTE: No header files are provided for the legacy LDAP SDK because new applications should be built using the new LDAP SDK 6.0.5. Support for the legacy LDAP SDK will end with a future version of LDAP-UX. The legacy version of the LDAP C SDK does not support IPv6 addressing. If your application needs to support IPv6, be sure to use LDAP C SDK 6.0.5.
12 Support and other resources 12.1 Contacting HP HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to: http://www.hp.com/bizsupport/feedback/ww/webfeedback.html Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
This feature is not supported when using LDAP-UX Client Services with Windows ADS. • Local-only profile support The centrally managed LDAP-UX configuration profile uses a schema defined by RFC 4876. For environments where modification of the directory server schema is not allowed and new schema cannot be installed, the local-only profile enables LDAP-UX to manage configuration on the local hosts instead of the directory server.
For detailed information about tool usage, syntax, options, environment variables and return codes supported by these tools, see “Command and tool reference” (page 276) and the ldaphostmgr(1M) and ldaphostlist(1M) manpages. • PAM_LDAP ignore option If PAM_LDAP is configured to be the first service module in the /etc/pam.
http://www.hp.com | A website address that is a hyperlink to the site.
Emphasis | Text that is emphasized.
Bold | Text that is strongly emphasized. The defined use of an important word or phrase.
Command | Command name or qualified command phrase.
user input | Commands and other text that you type.
computer output | Text displayed by the computer.
 | Name of a daemon, parameter, or parameter option.
variable | The name of an environment variable, for example PATH or errno.
A Configuration worksheet The following sections include worksheets with explanations and examples for configuring LDAP-UX with HP directory servers (Section A.1 (page 403)) and with Windows ADS (Section A.2 (page 404)). A.1 HP directory server LDAP-UX configuration To help you configure LDAP-UX Client Services with an HP directory server, use the worksheet shown in Table 41. For explanations and examples, see Table 42.
Table 42 LDAP-UX Client Services configuration worksheet explanation (HP directory server environment) (continued)
Source of user, group data: Where you get your user and group data from to migrate into the directory. Example: /etc/passwd and /etc/group on sys001
Migration method: How you will migrate your user and group data into the directory, for example, using the migration scripts. Example: migrate_all_online.sh edited to remove all but migrate_passwd.pl, migrate_group.pl, and migrate_base.pl
A.
Table 44 LDAP-UX Client Services configuration worksheet explanation (Windows ADS) (continued)
LDAP-UX Client Services Configuration Worksheet
Proxy user DN: The DN of the proxy user, if needed. Example: CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com
Source of user, group data: Where you get your user and group data from to migrate into the directory.
Migration method: How you will migrate your user and group data into the directory, for example, using the migration scripts.
B LDAP-UX Client Services object classes
This appendix describes the object classes LDAP-UX Client Services uses for configuration profiles. In release B.02.00, LDAP-UX Client Services used two object classes for configuration profiles:
• PosixDUAProfile
• PosixNamingProfile
With release B.03.00, the PosixDUAProfile and PosixNamingProfile object classes have been replaced by a single STRUCTURAL object class DUAConfigProfile. In addition, four new attributes are added (see Section B.1 (page 406)).
entry consists of: Service:Attribute=Altattribute, where Service is one of the supported services:
Server type | Supported services
Both HP directory server and Windows ADS (in a single Windows domain1) | passwd, group, automount, rpc, networks, hosts, protocols, services, printers
HP directory servers only | netgroup, publickey, PAM
1 LDAP-UX Client Services using Windows 2003 R2/2008 Active Directory Server in multiple domains only supports the passwd and group service data.
defaultServerList is a list of one or more host IP addresses and optional port numbers where directory servers are running. Each host is searched in the order given. The LDAP-UX client searches the servers until it finds one that responds. The defaultServerList attribute is used only if the preferredServerList attribute has no value, or if none of the servers specified in preferredServerList responds to the client request.
The following are the four new attributes that have been added to the new object class DUAConfigProfile with release B.03.00:
• objectclassMap
• defaultsearchScope
• serviceCredentialLevel
• serviceAuthenticationMethod
B.
C Samples of LDAP-UX configuration files created or modified by autosetup
The sections in this appendix provide samples of the configuration files modified or created by the autosetup program:
• Section C.1: NSS configuration file /etc/nsswitch.conf
• Section C.2: PAM configuration file /etc/pam.conf
• Section C.3: Startup configuration file /etc/opt/ldapux/ldapux_client.conf
• Section C.4: Client daemon configuration file /etc/opt/ldapux/ldapux_client.
pam.conf file, the PAM_LDAP library object /usr/lib/security/libpam_ldap.so.1 after the line that defines the PAM_UNIX module libpam_unix.so.1. The following example shows the /etc/pam.conf file after it has been modified by autosetup.
sshd     account  required   libpam_hpsec.so.1
sshd     account  sufficient libpam_unix.so.1
sshd     account  required   libpam_ldap.so.1
OTHER    account  required   libpam_hpsec.so.1
OTHER    account  sufficient libpam_unix.so.1
OTHER    account  required   libpam_ldap.so.
#
# Session management
#
login    session
login    session
login    session
dtlogin  session
dtlogin  session
dtlogin  session
ftp      session
#
# Also note that the use of pam_hpsec(5) is mandatory for some of
# the services. See pam_hpsec(5).
#
# Authentication management
#
login    auth  required   libpam_hpsec.so.1
login    auth  sufficient libpam_krb5.so.1
login    auth  required   libpam_unix.so.1 try_first_pass
su       auth  sufficient libpam_krb5.so.1
su       auth  required   libpam_unix.so.1 try_first_pass
dtlogin  auth  required   libpam_hpsec.so.1
dtlogin  auth  sufficient libpam_krb5.so.1
dtlogin  auth  required   libpam_unix.so.
rcomds   session  required   libpam_hpsec.so.1 bypass_limit_login
rcomds   session  sufficient libpam_krb5.so.1
rcomds   session  required   libpam_unix.so.
sshd     session  required
sshd     session  sufficient
sshd     session  required
OTHER    session  sufficient
OTHER    session  required
#
# Password management
#
login    password
login    password
login    password
passwd   password
passwd   password
passwd   password
dtlogin  password
dtlogin  password
dtlogin  password
sshd     password
sshd     password
sshd     password
OTHER    password
OTHER    password
# options to log_facility: LOG_USER, LOG_MAIL, LOG_DAEMON, LOG_AUTH,
#                          LOG_SYSLOG, LOG_LOCAL0, LOG_LOCAL1,
#                          LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4,
#                          LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7
#
# options to log_level: LOG_DEBUG, LOG_INFO
#log_facility=LOG_LOCAL0
#log_level=LOG_INFO
#
#
# You can disable specific users so that they are unable to log in
# through the LDAP server by uncommenting the "disable_uid_range"
# flag and adding the UID numbers you want to disable.
# Setting enable_startTLS to 1 does not alone configure TLS session
# encryption. It merely specifies that TLS should be used instead of
# SSL when encryption/validation is required. Just as with SSL,
# in order to fully enable TLS, the /etc/opt/ldapux/cert8.db must
# contain a CA or LDAP server certificate and TLS/SSL must be enabled in
# the LDAP-UX configuration profile (created by the /opt/ldapux/config/setup
# tool).
# $
#
# Service:
#
# $
#
#The name service that LDAP-UX Client Services supports is "NSS".
#For example:
#
# Service:NSS
#
# More than one 'host:port' can be included in this field,
#
# delimited by ' '. For example:
# LDAP_HOSTPORT="abc.efg.hp.com def.anywhere.com"
#
# The configuration profile entry name in the Directory Server.
# Maximum number of connections ldapclientd can establish to
# the directory server (or multiple servers when in a multi-domain
# environment).
# max_conn=100
#
# Time before an inactive connection to the directory server is
# brought down and cleaned up.
# connection_ttl=300
#
# Number of threads in ldapclientd.
# num_threads=10
#
# Time to clean up socket files created by client applications that
# were terminated abnormally.
[domain_grp]
enable=yes
[automount]
enable=yes
[automountmap]
enable=yes
[dynamic_group]
# "dynamic_group" has its own default cache_size, poscache_ttl and negcache_ttl.
cache_size=10000000
enable=yes
poscache_ttl=43200
negcache_ttl=43200
[longterm_cache]
# Should the long term cache be enabled?
# enable=no
# How long before data is considered stale and not usable. 1209600 = 2 weeks.
# longterm_expired_interval=1209600
# How frequently to save long term data to permanent storage. 900 = 15 minutes.
D Sample PAM configuration (pam.conf) files This appendix provides information about configuring PAM configuration files and includes several sample PAM configuration files used on an HP-UX 11i v2 (or later) system. Sample files are included for both LDAP directory server and Windows ADS environments. These files are intended as examples only. The PAM configuration file /etc/pam.conf is the primary configuration file for the PAM architecture.
IMPORTANT: Before modifying your pam.conf file, keep a backup of the original pam.conf file that includes the simplified authentication model. In this way, you can resort to the backup if your modified file causes problems. For example, you might inadvertently enter an invalid library name or erase a library name, causing login to be impossible for everyone. If no one is logged in with root permissions, the file errors cannot be fixed.
use_first_pass option had been specified instead, and the password does not match the database or has not been entered, authentication fails. If no options are specified, each module acts independently, each requesting passwords for its own database.
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
#
# Please note that this configuration file has only been modified for the
# default services. Other services can be added or modified as
# needed or desired.
su        account  sufficient libpam_unix.so.1
su        account  required   libpam_ldap.so.
dtlogin   account  required
dtlogin   account  sufficient
dtlogin   account  required
dtaction  account  required
dtaction  account  sufficient
dtaction  account  required
ftp       account  required
ftp       account  sufficient
ftp       account  required
rcomds    account  required
rcomds    account  sufficient
rcomds    account  required
sshd      account  required
sshd      account  sufficient
sshd      account  required
OTHER     account  required
OTHER     account  sufficient
OTHER     account  required
D.2 Sample PAM configuration file typical for integration with Windows ADS This section includes a sample PAM configuration file typical for integration with Windows ADS. In the following sample pam.conf file, in the case of authentication (auth) management, each stacked service is authenticated first by the PAM_HPSEC module, then by the PAM_KERBEROS module, and finally by the PAM_UNIX module.
su        auth  sufficient libpam_krb5.so.1
su        auth  required   libpam_unix.so.1 try_first_pass
dtlogin   auth  required   libpam_hpsec.so.1
dtlogin   auth  sufficient libpam_krb5.so.1
dtlogin   auth  required   libpam_unix.so.1 try_first_pass
dtaction  auth  required   libpam_hpsec.so.1
dtaction  auth  sufficient libpam_krb5.so.1
dtaction  auth  required   libpam_unix.so.1 try_first_pass
ftp       auth  required   libpam_hpsec.so.1
ftp       auth  sufficient libpam_krb5.so.1
ftp       auth  required   libpam_unix.so.
OTHER  password  required   libpam_hpsec.so.1
OTHER  password  sufficient libpam_krb5.so.1
OTHER  password  required   libpam_unix.so.1 try_first_pass

D.3 Sample pam.conf file for Trusted Mode in an HP server environment
This section provides the sample PAM configuration file, /etc/pam.ldap.trusted. This file must be used as the /etc/pam.conf file if your directory server is the HP-UX Directory Server or Red Hat Directory Server and your LDAP client is in Trusted Mode.
ftp     auth  required   libpam_unix.so.1 try_first_pass
rcomds  auth  required   libpam_hpsec.so.1
rcomds  auth  sufficient libpam_ldap.so.1
rcomds  auth  required   libpam_unix.so.1 try_first_pass
sshd    auth  required   libpam_hpsec.so.1
sshd    auth  sufficient libpam_ldap.so.1
sshd    auth  required   libpam_unix.so.1 try_first_pass
OTHER   auth  required   libpam_hpsec.so.1
OTHER   auth  sufficient libpam_ldap.so.1
OTHER   auth  required   libpam_unix.so.1 try_first_pass
# Account management
#
login   account  required   libpam_hpsec.so.
login    password  required   libpam_unix.so.1 try_first_pass
passwd   password  required   libpam_hpsec.so.1
passwd   password  sufficient libpam_ldap.so.1
passwd   password  required   libpam_unix.so.1 try_first_pass
dtlogin  password  required   libpam_hpsec.so.1
dtlogin  password  sufficient libpam_ldap.so.1
dtlogin  password  required   libpam_unix.
sshd     password
sshd     password
sshd     password
OTHER    password
OTHER    password
OTHER    password
su        auth     sufficient
su        auth     required
dtlogin   auth     required
dtlogin   auth     sufficient
dtlogin   auth     required
dtaction  auth     required
dtaction  auth     sufficient
dtaction  auth     required
ftp       auth     required
ftp       auth     sufficient
ftp       auth     required
OTHER     auth     required
#
# Account management
#
login     account  required
login     account  sufficient
login     account  required
su        account  required
su        account  sufficient
su        account  required
dtlogin   account  required
dtlogin   account  sufficient
dtlogin   account  required
dtaction  account  required
D.5 Sample PAM configuration file for security policy enforcement in an HP server environment
This section provides the sample PAM configuration file, /etc/pam.conf, configured to support account and password policy enforcement. In the /etc/pam.conf file, the PAM_AUTHZ library must be configured for the sshd and rcomds services under the account management role. The following is a sample PAM configuration file, /etc/pam.conf, used on an HP-UX 11i v2 (or later) system. It is a variant of the /etc/pam.
login     account  required
su        account  required
su        account  required
su        account  sufficient
su        account  required
dtlogin   account  required
dtlogin   account  required
dtlogin   account  sufficient
dtlogin   account  required
dtaction  account  required
dtaction  account  required
dtaction  account  sufficient
dtaction  account  required
ftp       account  required
ftp       account  required
ftp       account  sufficient
ftp       account  required
rcomds    account  required
rcomds    account  required
rcomds    account  sufficient
rcomds    account  required
sshd      account  re
D.6 Sample PAM configuration file for security policy enforcement with Windows ADS This section provides a sample PAM configuration file to support account and password policy enforcement for secure shell (ssh) key pairs and r-commands. The PAM_AUTHZ library must be configured in the pam.conf file for the sshd and rcomds services under the account management section. The PAM_AUTHZ library must be specified as required. NOTE: The PAM_AUTHZ library should be configured in the pam.
su        account  sufficient libpam_krb5.so.1
su        account  required   libpam_unix.so.1
dtlogin   account  required   libpam_hpsec.so.1
dtlogin   account  required   libpam_authz.so.1 policy=/etc/opt/ldapux/login.policy
dtlogin   account  sufficient libpam_krb5.so.1
dtlogin   account  required   libpam_unix.so.1
dtaction  account  required   libpam_hpsec.so.1
dtaction  account  required   libpam_authz.so.1 policy=/etc/opt/ldapux/login.policy
dtaction  account  sufficient libpam_krb5.so.1
dtaction  account  required   libpam_unix.so.
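The stacking rules that appendix D relies on (required modules must all pass, a sufficient module that passes ends the stack only when no earlier required module has failed, OTHER is the fallback service) and the D.5/D.6 requirement that PAM_AUTHZ be a required account module for sshd and rcomds, as an added Python example that is not part of the manual or of LDAP-UX: it parses a pam.conf excerpt, simulates one stack for given module results, and flags services whose account stack lacks libpam_authz.so.1. The excerpt, the module outcomes and the control flags handled (required, sufficient, optional) are constructed for the example.

```python
"""Added example: parse an HP-UX style pam.conf excerpt, simulate the
required/sufficient stacking semantics and lint the account stacks that
the appendix says must carry libpam_authz.so.1 as 'required'."""
from collections import defaultdict

# Constructed excerpt modelled on the D.6 sample. The sshd account stack
# deliberately omits libpam_authz.so.1 so the lint has something to report.
PAM_CONF = """\
# Authentication management
sshd     auth     required   libpam_hpsec.so.1
sshd     auth     sufficient libpam_krb5.so.1
sshd     auth     required   libpam_unix.so.1 try_first_pass
# Account management
dtlogin  account  required   libpam_hpsec.so.1
dtlogin  account  required   libpam_authz.so.1 policy=/etc/opt/ldapux/login.policy
dtlogin  account  sufficient libpam_krb5.so.1
dtlogin  account  required   libpam_unix.so.1
sshd     account  required   libpam_hpsec.so.1
sshd     account  sufficient libpam_krb5.so.1
sshd     account  required   libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks


def lookup_stack(stacks, service, mtype):
    """The stack PAM consults: the service's own entries, else OTHER's."""
    return stacks.get((service, mtype)) or stacks.get(("OTHER", mtype), [])


def evaluate_stack(stack, outcomes):
    """Simulate one stack. outcomes maps module name -> True (success) or False.
    required: a failure is remembered but later modules still run.
    sufficient: success ends the stack with success unless a required module
    already failed; its failure is ignored. optional: never affects the result."""
    required_failed = False
    for control, module, _opts in stack:
        ok = outcomes.get(module, False)     # a module not listed is treated as failing
        if control == "required":
            if not ok:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control != "optional":
            raise ValueError("unknown control flag %r" % control)
    return not required_failed


def lint_account_stacks(stacks, services=("sshd", "rcomds")):
    """Services whose effective account stack has no 'required' libpam_authz.so.1."""
    findings = []
    for svc in services:
        stack = lookup_stack(stacks, svc, "account")
        if not any(c == "required" and m == "libpam_authz.so.1" for c, m, _ in stack):
            findings.append(svc)
    return findings


if __name__ == "__main__":
    stacks = parse_pam_conf(PAM_CONF)
    print("sshd auth, krb5 ok:", evaluate_stack(lookup_stack(stacks, "sshd", "auth"),
          {"libpam_hpsec.so.1": True, "libpam_krb5.so.1": True}))
    print("account stacks missing PAM_AUTHZ:", lint_account_stacks(stacks))
```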
E Sample /etc/krb5.conf file This appendix provides a sample krb5.conf file, which supports several domains. This krb5.
Glossary
Access Control Instruction: See ACI.
Access Control List: See ACL.
ACI: Access Control Instruction. A specification controlling access to entries in a directory.
ACL: Access Control List. One or more ACIs.
CA: Certificate Authority. An entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate.
configuration of Active Directory domain controllers to provide Kerberos with authentication services. This enables Windows ADS to authenticate Kerberos clients regardless of the platform on which they reside.
LDAP: Lightweight Directory Access Protocol. A standard, extensible set of conventions specifying communication between clients and servers across TCP/IP network connections. See also SLAPD.
LDAP Data Interchange Format: See LDIF.
See also RFC.
RHDS: Red Hat Directory Server.
SLAPD: Standalone LDAP Daemon. The University of Michigan standalone implementation of LDAP, without the need for an X.500 directory.
SRV: Service Record. A service record defined in an RFC that specifies information about available services.
SSL: Secure Socket Layer. A cryptographic protocol that provides a secure connection between a server and client over the network.