LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
3.4.6.6 Step 6: Configure the disable login flag
Optionally, configure the disable login flag (disable_uid_range).
By default, every user stored in the directory is allowed to log in. To prevent specific users from logging in to a local system, configure the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file, as described in Section 3.5.4.1 (page 157).
3.4.7 Configuring LDAP-UX Client Services with SSL or TLS support
The LDAP-UX Client Services supports either SSL (Secure Socket Layer) or TLS (Transport Layer Security) to secure communication between LDAP clients and the Active Directory Servers.
With SSL, an encrypted connection is established on the dedicated encrypted port, 636. The LDAP-UX Client Services supports SSL with a password as the credential, using either simple bind or SASL/GSSAPI authentication, to ensure confidentiality and data integrity between clients and servers. In addition, SSL/TLS can be used to validate the identity of the Windows Active Directory Server, provided the privacy of the server's and the CA's private keys can be assured. The domain administrator chooses the authentication mechanism.
The LDAP-UX Client Services supports SSL communication with Microsoft Windows 2003 R2 and
2008 Active Directory Server (ADS), and HP-UX Directory Server 8.1 (or later), and Red Hat
Directory Server 8.0. For detailed information about how to enable SSL communication over LDAP
for your Windows Active Directory Server, see the Microsoft Knowledge Base Article at:
http://support.microsoft.com/kb/321051
Starting with LDAP-UX Client Services B.04.10, the product supports the StartTLS extended operation, which uses the TLS protocol to secure communication between LDAP clients and the Windows Active Directory Server. An encrypted session is established on the unencrypted port, 389; if the encrypted port (636) is used instead, the secure connection cannot be established. TLS gives administrators more flexibility in their environment by allowing clients and the server to communicate over the unencrypted LDAP port. LDAP-UX supports TLS with a password as the credential, using either simple bind or SASL/GSSAPI authentication, to ensure confidentiality and data integrity between clients and servers.
The LDAP-UX Client Services supports TLS communication with Microsoft Windows 2003 R2 or
2008 Active Directory Server (ADS), HP-UX Directory Server 8.1 (or later), and Red Hat Directory
Server 8.0.
For more information about configuring LDAP-UX Client Services with SSL or TLS support, see
Section 2.4.6.2 (page 80) and the ensuing sections.
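As an added illustration of the StartTLS exchange described above (not LDAP-UX code and not taken from the product's configuration tools): the StartTLS extended request a client sends in clear text on port 389, and a decoder for the server's extended response. The sample responses are constructed for this example, not captured from a real server; a result code of 0 means the TLS handshake can begin on the same connection, and any other code means the session is still unencrypted.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def ber_tlv(tag: int, payload: bytes) -> bytes:
    """BER type-length-value using the shortest definite length form."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    length = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload

def build_starttls_request(message_id: int = 1) -> bytes:
    """Client: LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")   # positive INTEGER
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID.encode("ascii")))
    return ber_tlv(0x30, ber_tlv(0x02, mid) + ext_req)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long definite length form
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(msg: bytes) -> dict:
    """Server: LDAPMessage { messageID, extendedResp [APPLICATION 24]
    { resultCode, matchedDN, diagnosticMessage, responseName [10] OPTIONAL } }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, code, pos = read_tlv(resp, 0)               # resultCode ENUMERATED
    _, _matched, pos = read_tlv(resp, pos)         # matchedDN, empty for StartTLS
    _, diag, pos = read_tlv(resp, pos)             # diagnosticMessage
    name = None
    if pos < len(resp):
        tag, val, _ = read_tlv(resp, pos)
        if tag == 0x8A:                            # responseName [10], optional
            name = val.decode("ascii")
    result = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result,
            "diagnostic": diag.decode("utf-8"), "response_name": name,
            "tls_ready": result == 0}

# Constructed sample responses (not captured from a real server).
SAMPLE_SUCCESS = bytes.fromhex("300c 020101 7807 0a0100 0400 0400")
# Refusal (operationsError) a server may send when TLS is already active:
SAMPLE_REFUSED = bytes.fromhex("301f 020101 781a 0a0101 0400 0413") + b"TLS already started"
```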
3.5 Postinstallation configuration tasks
This section describes tasks you can perform after completing your guided or customized installation.
3.5.1 Importing name service data into your directory
The next step is to import your user, group, and other services data into your Active Directory.
When planning to import your data, consider the following:
• If you are using NIS, the LDAP-UX migration scripts take your NIS maps and generate LDIF
files. These scripts can then import the LDIF files into your directory, creating new entries in
the directory.
If you are not using NIS, the LDAP-UX migration scripts can take your user, group, and other
data from files, generate LDIF, and import the LDIF into your directory to work with Windows
Services for Unix.
• If you integrate the name service data into your directory, the migration scripts might be helpful
depending on where you put the data in your directory. You could use them just to generate
LDIF, edit the LDIF, then import the LDIF into your directory. For example, you could manually