LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
NOTE: The setup program has only been certified with HP-UX Directory Server version 8.1,
Red Hat Directory Server 8.0, Windows Server 2003 R2 Active Directory Server, and Windows
2008 Active Directory Server. For more information, see the LDAP-UX Integration B.05.00 Release
Notes.
3.4.6.1 Step 1: Install the PAM Kerberos product
LDAP-UX Client Services with Active Directory uses the Kerberos Authentication method. If not
already available on your system, you must install and configure PAM Kerberos. Some instructions
for doing this are included later in this section. Additional information can be found in the
Configuration Guide for Kerberos Client Products on HP-UX, available at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
To support integration with Active Directory Server, a specific version of the PAM-Kerberos product
is required. Do not use the default Kerberos product that is installed with your HP-UX 11i v2 or v3
OS. Install the appropriate version from the HP Software Depot at the location provided later in
this section. For information about version support and required patches, see the section titled
“Kerberos support on HP-UX 11i v2 or v3” in the LDAP-UX Integration Release Notes.
If you want to also use SASL/GSSAPI for proxied authentication, see the LDAP-UX Integration
Release Notes for the version of Kerberos Client and any patches that are required. Instructions
for configuring SASL/GSSAPI are included in Section 7.3 (page 196). You must add ipnodes
service information in the /etc/nsswitch.conf file as follows:
ipnodes: dns files
NOTE: For more information, see the Kerberos Client Release Notes available at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
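A pre-flight check for the ipnodes entry required above, as an added example that is not part of the HP guide. The function names, return codes and sample files are this example's own assumptions, and it treats anything other than the exact source list "dns files" as needing review.

```shell
#!/bin/sh
# Added example, not from the HP guide: check the ipnodes entry before setup.
# Return codes are this example's own convention:
#   0 = exactly "ipnodes: dns files"   1 = present but different or duplicated
#   2 = no active ipnodes entry        3 = file not readable
check_ipnodes() {
    file=${1:-/etc/nsswitch.conf}
    [ -r "$file" ] || return 3
    entry=$(awk '
        { sub(/#.*/, "") }                          # ignore comments
        /^[ \t]*ipnodes[ \t]*:/ {
            sub(/^[ \t]*ipnodes[ \t]*:[ \t]*/, "")  # keep only the source list
            gsub(/[ \t]+/, " "); sub(/ $/, "")      # normalise whitespace
            n++; value = $0
        }
        END { if (n == 1) print "one:" value; else if (n > 1) print "dup" }
    ' "$file")
    case $entry in
        "")              return 2 ;;
        "one:dns files") return 0 ;;
        *)               return 1 ;;   # wrong order, extra tokens, or duplicates
    esac
}

# Constructed sample files (not real system output) to exercise each result.
demo_check_ipnodes() {
    dir=$(mktemp -d) || return 1
    printf 'hosts: files dns\n# ipnodes: files\nipnodes:  dns\tfiles  # LDAP-UX\n' > "$dir/ok"
    printf 'hosts: files dns\nipnodes: files dns\n' > "$dir/reversed"
    printf 'hosts: files dns\n#ipnodes: dns files\n' > "$dir/commented"
    for f in ok reversed commented; do
        rc=0; check_ipnodes "$dir/$f" || rc=$?
        echo "$f: rc=$rc"
    done
    rm -rf "$dir"
}
demo_check_ipnodes
```

Called with no argument, check_ipnodes reads /etc/nsswitch.conf on the client being configured.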
Both "PAM Kerberos" (J5849AA) and "Kerberos Client" (KRB5CLIENT) products can be downloaded
from:
http://software.hp.com
They are available at the following specific locations:
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT
For any last-minute changes, see the Kerberos Client Release Notes.
You also must install the required patch. For patch information, see the LDAP-UX Integration Release
Notes available at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX LDAP-UX Integration Software)
For information about other steps that you might need to perform to set up Kerberos support, see
Section 3.4.2 (page 128).
3.4.6.2 Step 2: Run the setup program
This section describes in detail the steps you must take to configure LDAP-UX Client Services with
Windows 2003 R2 or 2008 Active Directory. In summary, you must run the setup program to
extend the profile schema into Active Directory and to create specific profile entries. The setup
program also creates the necessary files on your client system and configures the proxy user.
3.4 Customized installation (setup) for a Windows ADS environment 139