LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
12. Next, you are prompted to select the authentication method that users use to bind to
(authenticate with) the server. Select one of the following, depending on your choice in
step 11:
• For TLS: if you chose not to enable TLS, you can select SIMPLE (the default) or SASL/GSSAPI.
If you chose to enable TLS, you can select SIMPLE with TLS (the default) or SASL/GSSAPI
with TLS. Skip to step 13.
• For SSL: if you chose not to enable SSL, you can select SIMPLE (the default) or SASL/GSSAPI.
If you chose to enable SSL, you can select SIMPLE with SSL (the default) or SASL/GSSAPI
with SSL. Skip to step 13.
For an overview of the various authentication methods you can configure with LDAP-UX Client
Services, including their strengths and weaknesses, see Section 2.4.6.1 (page 79).
13. Next, enter the host name and port number of the directory server that holds your account
and group data, from “Configuration worksheet” (page 403). You can enter up to three hosts;
they are searched in order.
14. Enter the base DN where clients should search for name service data, from “Configuration
worksheet” (page 403).
15. Enter Yes when asked whether you want to accept the remaining default configuration
parameters.
IMPORTANT: If you accept the remaining defaults, the memberUid attribute is used to define
HP-UX group membership. By default, however, Windows uses the member attribute to define
group membership. If you want to share HP-UX groups with Windows groups (using attribute
mapping for dynamic groups or X.500 group membership services), select No (do not accept
the remaining defaults), modify the group service, and change the memberUid mapping to the
member attribute.
16. Next, if you do not use SASL/GSSAPI authentication, skip this step and go to step 19.
Otherwise, you are prompted to set up the principals used for SASL/GSSAPI authentication,
as follows:
There are two ways to set up principals used for SASL/GSSAPI
authentication for LDAP-UX name service proxy authentication:
* Host or service principal defined in a keytab file (such as
/etc/krb5.keytab)
* Proxy principal defined in LDAP-UX proxy credential file
(/etc/opt/ldapux/pcred)
The principal defined in a keytab file can be shared among
several services, such as Kerberized Interface Service or
LDAP-UX using the host principal for authentication. The
LDAP-UX proxy principal is used solely for LDAP-UX.
You are then prompted to select the type of principal. Enter H to use a host/service principal,
or P to use a proxy principal. By default, the host or service principal is used.
17. Next, you are prompted for the path to the Kerberos keytab file. Enter the path if you want
to specify the keytab file to be used. If no file is specified, LDAP-UX uses the default keytab
file configured in /etc/krb5.conf with "default_keytab_name". If no default keytab file is
configured in /etc/krb5.conf, the keytab file /etc/krb5.keytab is used.
18. Next, you are prompted for an alternate principal name. If you do not want to use the
default principal name, enter an alternate principal name, for example
host/hpntc20.cup.hp.com@CUP.HP.COM.
LDAP-UX uses ldapux/<FQHN>@<REALM> as the default service principal. If that principal does
not exist, the host/<FQHN>@<REALM> principal in the keytab file is used. FQHN stands for
Fully Qualified Host Name.
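The keytab and principal lookup order described in steps 17 and 18 can be checked before running the setup tool. The following Python script is an added example, not LDAP-UX code: it reads a krb5.conf (a constructed sample is embedded), parses a constructed listing of keytab principals in the style of MIT `klist -k` output, applies the documented rules (an explicit keytab path, else default_keytab_name from /etc/krb5.conf, else /etc/krb5.keytab; an alternate principal, else ldapux/<FQHN>@<REALM>, else host/<FQHN>@<REALM>) and reports whether the principal that would be selected is actually present in the keytab. The function names, the keytab path in the sample and the sample principals are assumptions made for the example.

```python
"""Model of the keytab and principal selection rules from steps 17 and 18.

Added example, not LDAP-UX code: it reproduces the documented lookup order so an
administrator can see, before running setup, which keytab and principal would be used.
"""
import re

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # fallback named in step 17

# Constructed sample of an /etc/krb5.conf; the keytab path is an assumption.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CUP.HP.COM
    default_keytab_name = FILE:/etc/opt/ldapux/ldapux.keytab

[realms]
    CUP.HP.COM = {
        kdc = kdc.cup.hp.com
    }
"""

# Constructed sample in the style of MIT `klist -k` output (principals are assumptions).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/opt/ldapux/ldapux.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/hpntc20.cup.hp.com@CUP.HP.COM
   3 ftp/hpntc20.cup.hp.com@CUP.HP.COM
"""


def resolve_keytab(krb5_conf_text, explicit_path=None):
    """Step 17: explicit path wins; else default_keytab_name from [libdefaults];
    else /etc/krb5.keytab. A FILE: prefix on the configured value is stripped."""
    if explicit_path:
        return explicit_path
    section = None
    for line in krb5_conf_text.splitlines():
        line = line.strip()
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_keytab_name":
                value = value.strip()
                return value[5:] if value.upper().startswith("FILE:") else value
    return DEFAULT_KEYTAB


def keytab_principals(klist_output):
    """Extract principal names from `klist -k` style output (KVNO, then principal)."""
    principals = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            principals.append(m.group(1))
    return principals


def resolve_principal(fqhn, realm, principals, alternate=None):
    """Step 18: an alternate name is used as given; otherwise ldapux/<FQHN>@<REALM>
    if it exists in the keytab, else host/<FQHN>@<REALM>.
    Returns (principal, present_in_keytab)."""
    if alternate:
        return alternate, alternate in principals
    for candidate in ("ldapux/%s@%s" % (fqhn, realm), "host/%s@%s" % (fqhn, realm)):
        if candidate in principals:
            return candidate, True
    # Neither default exists: report the final fallback so the admin knows what to create.
    return "host/%s@%s" % (fqhn, realm), False


def preflight(krb5_conf_text, klist_output, fqhn, realm, keytab=None, alternate=None):
    """Combine both rules into one report for the host being configured."""
    path = resolve_keytab(krb5_conf_text, keytab)
    principal, present = resolve_principal(fqhn, realm, keytab_principals(klist_output), alternate)
    return {"keytab": path, "principal": principal, "present": present}


if __name__ == "__main__":
    print(preflight(SAMPLE_KRB5_CONF, SAMPLE_KLIST_K, "hpntc20.cup.hp.com", "CUP.HP.COM"))
```

On a real host, replace the two embedded samples with the contents of /etc/krb5.conf and the output of `klist -k` for the keytab reported by `resolve_keytab`; a result with `present` set to False means setup would fall back to a principal the keytab does not contain, and SASL/GSSAPI proxy authentication would fail until that principal is added.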
142 Installing and configuring LDAP-UX Client Services for a Windows ADS environment