LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

Do you want to use SSL or TLS for secure communication between LDAP clients and the
Windows 2003 R2 or 2008 Active Directory Server?
LDAP-UX Client Services supports SSL or TLS with a password as the credential, using either
simple or SASL/GSSAPI authentication (SASL/GSSAPI is available for the Windows 2003
R2 or 2008 Active Directory Server only), to ensure confidentiality and data integrity between
the clients and servers. StartTLS is an extended operation based on the TLS (Transport Layer
Security) protocol. You can use the StartTLS operation to establish TLS secure communication over
an unencrypted (regular) LDAP port. With SSL, the secure connection is instead established on an
encrypted LDAP port. By default, SSL and TLS are disabled. For detailed
information, refer to Section 3.4.7 (page 151).
What authentication method will you use when you choose to enable TLS?
You have a choice between SIMPLE (the default), or SASL/GSSAPI with TLS.
LDAP-UX Client Services includes support for the SASL Generic Security Services Application
Programming Interface (GSSAPI) authentication method using Kerberos v5. Currently, Kerberos
v5 is the only security mechanism implemented to work with GSSAPI. For this release,
SASL/GSSAPI authentication is supported only for Microsoft Windows 2003
R2 or 2008 Active Directory. SASL/GSSAPI authentication is used only for proxy user authentication
for the name service subsystem. Host, service, or other principals may be used for the LDAP-UX
proxy identity. For more information about SASL/GSSAPI support, see Section 7.3 (page 196).
For an overview of these and other authentication methods you can configure with LDAP-UX
Client Services, including their strengths and weaknesses, see Section 2.4.6.1 (page 79).
What authentication method will you use when you choose to enable SSL?
You have a choice between SIMPLE (the default), or SASL/GSSAPI with SSL.
What authentication method will you use when you choose to not enable SSL or TLS?
You have a choice between SIMPLE (the default), or SASL/GSSAPI.
For an overview of these and other authentication methods you can configure with LDAP-UX
Client Services, including their strengths and weaknesses, see Section 2.4.6.1 (page 79).
Do you want to specify the keytab file when you use SASL/GSSAPI authentication?
LDAP-UX Client Services allows you to specify the keytab file when you use SASL/GSSAPI
authentication. You can run the setup program to specify the keytab file. If no file is specified,
LDAP-UX uses the default keytab file configured in /etc/krb5.conf by
default_keytab_name. If no default keytab file is configured in /etc/krb5.conf,
then the keytab file /etc/krb5.keytab is used. For information about the
/etc/krb5.conf file, see “Sample /etc/krb5.conf file” (page 434).
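The keytab precedence described above (setup-specified file, then default_keytab_name in /etc/krb5.conf, then /etc/krb5.keytab) is easy to get wrong when checking a client, so the following added example walks through it. This is illustration code written for this guide, not part of LDAP-UX; the krb5.conf parser, the function names and the sample configuration (including the keytab path it contains) are all assumptions.

```python
"""Resolve the keytab a SASL/GSSAPI client will use, following the precedence
described in the guide: an explicitly configured keytab wins, otherwise
default_keytab_name from the [libdefaults] section of /etc/krb5.conf,
otherwise /etc/krb5.keytab. Added illustration, not LDAP-UX code."""
import re
from typing import Optional

FALLBACK_KEYTAB = "/etc/krb5.keytab"

# Constructed sample /etc/krb5.conf for offline use; paths are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_keytab_name = FILE:/etc/opt/ldapux/ldapux.keytab  # constructed
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""


def parse_libdefaults(conf_text: str) -> dict:
    """Return key/value pairs from the [libdefaults] section only."""
    settings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        # Skip subsection openers such as "EXAMPLE.COM = {" in [realms].
        if section == "libdefaults" and "=" in line and not line.endswith("{"):
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def strip_keytab_prefix(name: str) -> str:
    """Remove a FILE:/WRFILE: keytab type prefix, leaving the path."""
    return re.sub(r"^(?:WR)?FILE:", "", name, count=1)


def resolve_keytab(explicit: Optional[str], conf_text: str) -> str:
    """Apply the precedence: explicit setting, then krb5.conf, then fallback."""
    if explicit:
        return explicit
    name = parse_libdefaults(conf_text).get("default_keytab_name")
    return strip_keytab_prefix(name) if name else FALLBACK_KEYTAB
```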
Do you want to store and manage automount maps in the directory server? If so, the setup
program can be used to import the new automount schema into your directory server.
LDAP-UX Client Services B.04.10 and later supports the automount service under the AutoFS
subsystem. This feature enables you to store automount maps in, or retrieve them from, a directory
server. LDAP-UX Client Services supports the new automount schema based on RFC 2307-bis.
The setup program imports the new automount schema into your directory server.
For detailed information about AutoFS with LDAP support, see Section 3.5.3 (page 152).
What name services will you use? How will you set up /etc/nsswitch.conf? What order
do you want NSS to try services?
NSS is the Name Service Switch, providing naming services for user names, group names,
and other information. You can configure NSS to use files, LDAP, or NIS in any order and
with different parameters. Refer to /etc/nsswitch.ldap for an example nsswitch.conf
3.4 Customized installation (setup) for a Windows ADS environment 133