LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
Keytab name: FILE:/etc/krb5.keytab
Principal
--------------------------------------------
1 ldapux/hpntc10.cup.hp.com@HP.COM
1 host/hpntc10.cup.hp.com@HP.COM
7.3.2.3 Configuring a principal as the proxy user
The following describes three different ways to configure a principal as the proxy user:
• Configure a user principal:
Use ldap_proxy_config -i (or the -d and -c options) to enter a Kerberos user
principal and its credential (password).
The following example uses the ldap_proxy_config -i command with the proxy user
proxyusr (entered without realm information) and the password proxywd.
cd /opt/ldapux/config
./ldap_proxy_config -i
proxyusr
proxywd
NOTE: This command has no prompt. You must enter the proxy user proxyusr and password
proxywd on two separate lines, as shown in this example.
The following example uses the ldap_proxy_config -d and -c options to create a
proxy user with realm information, john@CUP.HP.COM, and the proxy user credential
proxycrd:
cd /opt/ldapux/config
./ldap_proxy_config -d john@CUP.HP.COM -c proxycrd
• Configure a service or host principal:
Use ldap_proxy_config with the -i or -d option to specify the service or host principal,
with or without entering a password. If a password is provided, LDAP-UX retrieves the
credential from the /etc/opt/ldapux/pcred file. When no password is specified,
LDAP-UX Client Services assumes the proxy user is a service or host principal and retrieves
the credential from the keytab file.
The following example uses the ldap_proxy_config -i command to configure the host
principal for hpntcA.cup.hp.com as the proxy user:
cd /opt/ldapux/config
./ldap_proxy_config -i host/hpntcA.cup.hp.com@HP.COM
This command has no prompt. You must enter the host principal on a separate line, as shown.
• Use only the keytab file without configuring proxy:
With this method, any old pcred file must be deleted. LDAP-UX Client Services uses
ldapux/<FQHN>@<REALM> as the default service principal. If that principal does not exist,
the host/<FQHN>@<REALM> principal in the keytab file is used. FQHN stands for Fully
Qualified Host Name.
The principal defined in a keytab file can be shared among several services; for example, Kerberized
Interface Service and LDAP-UX can both use the host principal for authentication. The LDAP-UX proxy
principal (ldapux/<FQHN>@<REALM>) is used solely by LDAP-UX.
7.3.3 Keytab file
LDAP-UX enables you to specify the keytab file when you use SASL/GSSAPI authentication. To
specify the keytab file, run the setup program or use the kerberos_keytab_file option in
/etc/opt/ldapux/ldapux_client.conf. If you do not specify a keytab file, LDAP-UX
uses the default file specified in /etc/krb5.conf (for a sample of this file, see “Sample /etc/
198 Administering LDAP-UX Client Services