LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

NOTE: You can install LDAP-UX into an existing LDAP B.04.xx environment; however, the
hosts search descriptor serviceSearchDescriptor in the LDAP-UX configuration profile
will likely define an incorrect location for host entries (it should be cn=Computers). Host
tools expect the correct location for host entries to be defined in the configuration profile. If
the location is incorrect, the ldaphostmgr tool will add hosts to an incorrect location in the
directory tree.
The guided installation (with LDAP-UX B.05.00 or later) configures the profile with the correct
location for host entries. If you are installing LDAP-UX into an LDAP-UX environment that has
not been set up by the guided installation, ensure that the correct location is specified in the
profile (normally, this is the cn=Computers container). To determine the location configured for
hosts in the LDAP-UX configuration profile, you can use the following command:
/opt/ldapux/bin/ldapcfinfo -t hosts -b
If you need to modify the configuration profile, you can modify the
serviceSearchDescriptor attribute for the hosts service. For information about how
to modify the LDAP-UX configuration profile, see Section 7.10.2.2 (page 245).
3.3.1 What autosetup does
As mentioned, the guided installation (autosetup) greatly simplifies the configuration process.
The procedure performs numerous activities automatically, with minimal input required from whoever
runs the script, including the following:
1. Automatically detects existing Active Directory Servers by querying the DNS server of a
Windows domain for any registered Active Directory Servers, and then tries to connect to the
Active Directory Server with a search request. If multiple SRV resource records are returned,
autosetup stops searching after it makes a successful connection. If a directory server cannot
be found by DNS, you are prompted for the host name and port number for an existing
directory server in your environment or asked if you want to create a new directory server
instance on the local host.
2. To guarantee confidentiality and data integrity, autosetup uses the StartTLS extended
operation on a regular LDAP connection with simple authentication (bind DN and password).
3. To trust the certificate presented by the server, autosetup determines whether the local HP-UX
host has a certificate database that includes the CA certificate that issued the server certificate.
4. If the CA certificate has not been installed, autosetup creates the certificate and key database
files (cert8.db and key3.db): it obtains the server certificate from the Active Directory Server,
and then downloads all the trusted CA certificates from the NTAuth store in the Active Directory
Server. The autosetup script places in the cert8.db database file the one CA certificate that
signed the SSL server certificate of the directory server. The cert8.db file stores public keys,
while the key3.db file stores private keys. A warning message is displayed to indicate that an
untrusted method is being used to obtain the CA certificate (the CA certificate is taken from the
directory server itself rather than from an independent source).
5. Because a configuration profile can be shared by LDAP-UX clients, autosetup searches for
an existing profile entry in the Active Directory Server, using a standard profile path
(cn=ldapuxprofile,cn=system,dc=...). If the default profile entry exists, autosetup
downloads it into an LDIF file (/etc/opt/ldapux/ldapux_profile.ldif) and creates
a binary profile file (/etc/opt/ldapux/ldapux_profile.bin) based on the LDIF file.
6. If the default profile entry does not exist, autosetup searches for any other profile entries
that might be saved. If any are found, you are prompted to select a configuration profile to
download or to create a default profile entry.
7. Before adding the profile entry, autosetup determines whether the schema defined in RFC
4876 exists in the Active Directory Server. If the schema does not exist, then the script extends
the Active Directory Server schema.
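As an added example (not HP's autosetup code), the following Python models the server-selection rule from step 1 and adds the out-of-band CA fingerprint comparison that an administrator would use to answer the warning in step 4. The SRV records, host names, connect callback and certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]  # (priority, weight, port, target host)

def order_srv_records(records: Iterable[SrvRecord]) -> List[Tuple[str, int]]:
    """Order SRV answers as RFC 2782 prescribes: lowest priority first, then
    higher weight first within a priority level. (The RFC selects among equal
    priorities by weighted random choice; a deterministic sort is used here.)"""
    ranked = sorted(records, key=lambda r: (r[0], -r[1]))
    return [(host, port) for _, _, port, host in ranked]

def discover_server(records: Iterable[SrvRecord],
                    try_connect: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Walk the ordered candidates and stop at the first one that accepts a
    connection, which is the rule the guide describes for autosetup.
    Returns (host, port), or None when no listed server answers."""
    for host, port in order_srv_records(records):
        if try_connect(host, port):
            return host, port
    return None

def ca_fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def ca_is_trusted(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Accept a CA certificate downloaded from the directory server only if its
    fingerprint matches one obtained out of band (for example from the CA
    administrator). Colon-separated or upper-case fingerprints are accepted."""
    expected = expected_fingerprint.lower().replace(":", "")
    return hmac.compare_digest(ca_fingerprint_sha256(der_cert), expected)

# --- constructed sample data (not taken from a real domain) -------------------
SAMPLE_SRV: List[SrvRecord] = [          # answer for _ldap._tcp.<domain>
    (10, 20, 389, "dc2.example.test"),   # backup site
    (0, 100, 389, "dc1.example.test"),   # preferred, but down in this scenario
    (0, 50, 389, "dc3.example.test"),
]
REACHABLE = {"dc3.example.test", "dc2.example.test"}

def sample_connect(host: str, port: int) -> bool:
    """Stand-in for the LDAP search request autosetup uses to probe a server."""
    return host in REACHABLE and port == 389

SAMPLE_CA_DER = b"constructed stand-in for DER certificate bytes"

if __name__ == "__main__":
    print("selected:", discover_server(SAMPLE_SRV, sample_connect))
```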
3.3 Guided installation (autosetup) for a Windows ADS environment 117