LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

Table 12 Kerberos-related tasks to perform (continued)

| Task | Section of this manual |
|------|------------------------|
| Configure your HP-UX machine to authenticate using PAM Kerberos | Section 3.4.6.3 (page 149) |
| Create the keytab file for the HP-UX machine and set up an identity mapping for the host account | Section 3.4.5.4 (page 137) |
| If not already done, perform any tasks recommended prior to running the setup program, and then run the program to configure LDAP-UX Client Services; during the setup procedure (at step 17), you will be prompted for the path to the Kerberos keytab file (if you do not respond, the default is used) | Section 3.4.6.2 (page 139) |
| (Optional) If you choose to use SASL/GSSAPI, configure support for proxy user authentication | Section 7.3 (page 196) |
| (Optional) For multiple domain support, merge and store all service key files (created on each domain controller) into /etc/krb5.keytab on your HP-UX host (this enables the host to act as a KDC, storing the service key known by every domain controller) | Section 7.11 (page 246) |
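
The merge step in the last row of Table 12, as an added example that is not taken from the HP guide: it reads several service key files, drops repeated entries, and refuses to merge when two files carry different keys for the same principal, key version and encryption type. It assumes the key files use the MIT keytab layout (version 0x0502); the function names, realm names, host principal and key bytes are constructed for illustration.

```python
import struct

MAGIC = b"\x05\x02"  # keytab format version 0x0502 (MIT layout, assumed here)

def make_entry(realm, components, kvno, enctype, key):  # constructed samples only
    counted = lambda b: struct.pack(">H", len(b)) + b
    names = b"".join(counted(s.encode()) for s in [realm, *components])
    fixed = struct.pack(">IIBH", 1, 0, kvno, enctype)  # name type, time, kvno, enctype
    body = struct.pack(">H", len(components)) + names + fixed + counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Yield ((principal, kvno, enctype), key, raw_record) for each live entry."""
    if data[:2] != MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec = data[pos + 4:pos + 4 + abs(size)]
        if len(rec) < abs(size):
            raise ValueError("truncated keytab entry")
        pos += 4 + abs(size)
        if size <= 0:               # negative length marks a deleted slot
            continue
        off, names = 2, []
        for _ in range(struct.unpack_from(">H", rec, 0)[0] + 1):  # realm + components
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        kvno, enctype, klen = struct.unpack_from(">BHH", rec, off + 8)
        end = off + 13 + klen       # 8 = name type + timestamp, 5 = kvno/enctype/length
        kvno = (struct.unpack_from(">I", rec, end)[0] if size - end >= 4 else 0) or kvno
        principal = "/".join(names[1:]) + "@" + names[0]
        yield (principal, kvno, enctype), rec[end - klen:end], data[pos - size - 4:pos]

def merge_keytabs(blobs):
    """Merge keytabs; repeats are dropped, differing keys for one identity fail."""
    seen, out = {}, [MAGIC]
    for blob in blobs:
        for ident, key, raw in parse_keytab(blob):
            if ident not in seen:
                out.append(raw)
            elif seen[ident] != key:
                raise ValueError(f"conflicting key for {ident}")
            seen[ident] = key
    return b"".join(out)
# Constructed sample: one host key per domain; the first file is supplied twice.
EAST = MAGIC + make_entry("EAST.EXAMPLE.COM", ["host", "hpux1.example.com"], 3, 18, b"\x11" * 32)
WEST = MAGIC + make_entry("WEST.EXAMPLE.COM", ["host", "hpux1.example.com"], 2, 18, b"\x22" * 32)
MERGED = merge_keytabs([EAST, WEST, EAST])
```

The merged bytes would be written to /etc/krb5.keytab with owner-only permissions; the code above only builds and checks them in memory.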

For more information about Kerberos as supported by HP-UX, refer to the following:

- Configuration Guide for Kerberos Products on HP-UX available at:
  http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
- Kerberos Client Release Notes available at:
  http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)

3.4.3 Planning your customized installation
Before beginning your installation, plan how to set up and verify your Active Directory and your
LDAP-UX Client Services environment. Consider the following questions. Record your decisions and
configuration information in “Configuration worksheet” (page 403).

- Will Active Directory be set up with a single domain or multiple domains?

  Starting from the release of B.03.00, LDAP-UX enables you to store your password and group
  data in multiple domains. You must decide if you want to store data in a single domain or
  multiple domains. If multiple domains are selected, decide how to group data into different
  domains. Data could be grouped based on organization, geography, or any variable
  appropriate to your environment.

- If multiple domains are selected, how will data be stored in the forest?

  LDAP-UX Client Services treats the first domain configured as the local domain, and all other
  domains in the forest as remote domains. When retrieving data, the search always starts from
  the local domain. Frequently accessed information should be stored in the local domain.
  For remote domains, information may be stored in all remote domains or only in specific
  remote domains. Determine the appropriate structure for your environment.

- If multiple domains are selected, how will data be retrieved?

  When multiple domains are selected, LDAP-UX Client Services has search rules for remote
  domains. For information about configuring the search sequence, refer to “Windows Active
  Directory multiple domains” (page 159).