LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

krb5.conf file” (page 434)). If there is no default keytab file configured in /etc/krb5.conf,
then the keytab file /etc/krb5.keytab will be used.
Each service principal must have a service key known by every domain controller, which also acts
as a KDC.
Use the ktpass tool to create the keytab file and set up an identity mapping to the host account.
The following is an example showing how to run ktpass to create the keytab file for the HP-UX
host myhost with the KDC realm cup.hp.com:
C:> ktpass -princ host/myhost.cup.hp.com@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab
7.3.4 Downloading SASL/GSSAPI profiles
LDAP-UX Client Services does not support automatic downloading of the LDAP-UX profile when
used with SASL/GSSAPI authentication using a host or service principal, where that principal's
key is stored in a Kerberos keytab file. This limitation impacts the ability of the LDAP-UX product
to support the Profile TTL (Time To Live) feature, which automatically downloads a profile when its
profileTTL time has expired.
You can download profiles manually using the get_profile_entry command, as long as you
provide a principal and password on the command line. The following command shows an example
of how to download the profile manually. If your profile changes frequently, you may want to place
this in a script that is called periodically by cron.
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"
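The following wrapper is an added example for the cron-driven refresh suggested above; it is not part of the HP guide or the LDAP-UX product. Only the documented invocation (/opt/ldapux/config/get_profile_entry -s NSS -D <bindDN> -w <password>) comes from the page. The credential file, its path /etc/opt/ldapux/profile_refresh.cred, its two-line layout and the owner/mode check are this script's own assumptions, chosen so that the administrator password is not written into the crontab itself.

```shell
#!/bin/sh
# Added example, not from the HP guide: run the manual profile download of
# Section 7.3.4 from cron. get_profile_entry and its -s/-D/-w options are the
# documented command; the credential file and its checks are assumptions.

GET_PROFILE=${GET_PROFILE:-/opt/ldapux/config/get_profile_entry}
CRED_FILE=${CRED_FILE:-/etc/opt/ldapux/profile_refresh.cred}   # assumed path
CRED_OWNER=${CRED_OWNER:-root}
# Assumed credential file layout: line 1 = bind DN or principal, line 2 = password.

# Returns 0 only if the file exists, is owned by CRED_OWNER and carries no
# group or world permission bits (the password inside it is clear text).
cred_file_is_safe() {
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")          # "-rw------- 1 root sys 42 ..." -> $1 mode, $3 owner
    [ "$3" = "$CRED_OWNER" ] || return 1
    case $1 in
        ????------*) return 0 ;;   # group and other bits all cleared
        *)           return 1 ;;
    esac
}

# Runs the documented download with credentials read from CRED_FILE.
# Exit status: 2 if the credential file is unsafe, otherwise get_profile_entry's own.
download_profile() {
    if ! cred_file_is_safe "$CRED_FILE"; then
        echo "refusing to run: $CRED_FILE must be owned by $CRED_OWNER with mode 0600" >&2
        return 2
    fi
    bind_dn=$(sed -n 1p "$CRED_FILE")
    bind_pw=$(sed -n 2p "$CRED_FILE")
    "$GET_PROFILE" -s NSS -D "$bind_dn" -w "$bind_pw"
}

# Entry point for cron: "profile_refresh.sh run". Output goes to cron mail.
main() {
    download_profile
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') profile download succeeded"
    else
        echo "$(date '+%Y-%m-%d %H:%M:%S') profile download failed (exit $rc)" >&2
    fi
    return "$rc"
}

if [ "${1:-}" = run ]; then
    main
fi
```

A crontab entry such as `0 * * * * /usr/local/sbin/profile_refresh.sh run` (assumed path) refreshes the profile hourly. Keeping the password in a root-only file removes it from the crontab and from any shell history, but because get_profile_entry takes the password through -w, it is still visible for the duration of the download to anyone who can list processes on the host; keep the interval no shorter than the profile actually changes.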
7.3.5 Changing authentication methods
If you want to switch from your current authentication method, for example from SIMPLE to SASL/GSSAPI,
TLS:SIMPLE or TLS:SASL/GSSAPI, you must restart the ldapclientd daemon after making the
configuration changes. This ensures that the proper GSSAPI, Kerberos, or SSL initialization is
completed.
7.4 Configuring PAM_AUTHZ login authorization
PAM is an industry standard authentication framework that is supplied as an integrated part of the
HP-UX system. PAM gives system administrators the flexibility of choosing any authentication service
available on the system to perform authentication. The PAM framework also enables new
authentication service modules to be plugged in and made available without modifying the PAM
enabled applications. The library /usr/lib/security/libpam_authz.so.1 (and
architecture-dependent library paths) provides the access control functionality described in this
section. You can add it to your existing /etc/pam.conf as shown in Section D.5 (page 430) (for
an HP directory server environment) and Section D.6 (page 432) (for a Windows ADS environment).
NOTE: The PAM_AUTHZ library should be configured in the pam.conf authentication
management and account management sections only. The PAM_AUTHZ module is an authorization
module only (not authentication). It should be listed before the PAM_LDAP or PAM_KERBEROS
libraries and flagged as required.
This section assumes you have some knowledge of how to configure PAM libraries in the
/etc/pam.conf file. For more information about configuring libraries in the pam.conf file, see “Sample
PAM configuration (pam.conf) files” (page 420). In addition, see the Managing Systems and
Workgroups: A Guide for HP-UX System Administrators document, available at the following
location:
www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
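The placement rules in the note above (auth and account stacks only, flagged required, ahead of PAM_LDAP or PAM_KERBEROS) are easy to get wrong when editing pam.conf by hand. The script below is an added example, not from the HP guide, that audits a pam.conf file against those three rules. It assumes the HP-UX pam.conf line format `service module_type control_flag module_path [options]`; the library path /usr/lib/security/libpam_authz.so.1 is from the page, while the libpam_ldap, libpam_unix and libpam_hpsec paths in the constructed samples are assumed names used only to make the samples look realistic.

```shell
#!/bin/sh
# Added example, not from the HP guide: audit an HP-UX style pam.conf for the
# PAM_AUTHZ placement rules in Section 7.4. Assumes each line reads
#   service module_type control_flag module_path [options]

# Prints one finding per violation for the given file; returns 0 if none.
check_pam_authz() {
    awk '
    /^[ \t]*#/ { next }                     # comment line
    NF < 4     { next }                     # blank or malformed line
    {
        svc = $1; type = $2; flag = $3; mod = $4
        key = svc "/" type                  # one stack per service and module type
        if (mod ~ /libpam_authz/) {
            if (type != "auth" && type != "account") {
                print key ": pam_authz listed under " type " (auth and account only)"; bad = 1
            }
            if (flag != "required") {
                print key ": pam_authz control flag is " flag ", expected required"; bad = 1
            }
            if (key in backend) {
                print key ": pam_authz listed after pam_ldap/pam_kerberos"; bad = 1
            }
        }
        if (mod ~ /libpam_(ldap|kerberos)/) backend[key] = 1
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample that follows the rules (module names other than
# libpam_authz are assumed, chosen only to look like a real HP-UX file).
write_sample_good() {
    cat > "$1" <<'EOF'
# constructed sample pam.conf fragment
login    auth     required   /usr/lib/security/libpam_hpsec.so.1
login    auth     required   /usr/lib/security/libpam_authz.so.1
login    auth     sufficient /usr/lib/security/libpam_unix.so.1
login    auth     required   /usr/lib/security/libpam_ldap.so.1
login    account  required   /usr/lib/security/libpam_hpsec.so.1
login    account  required   /usr/lib/security/libpam_authz.so.1
login    account  sufficient /usr/lib/security/libpam_unix.so.1
login    account  required   /usr/lib/security/libpam_ldap.so.1
login    session  required   /usr/lib/security/libpam_unix.so.1
EOF
}

# Constructed sample with one violation of each rule.
write_sample_bad() {
    cat > "$1" <<'EOF'
login    auth     sufficient /usr/lib/security/libpam_authz.so.1
login    auth     required   /usr/lib/security/libpam_ldap.so.1
login    account  required   /usr/lib/security/libpam_ldap.so.1
login    account  required   /usr/lib/security/libpam_authz.so.1
login    session  required   /usr/lib/security/libpam_authz.so.1
EOF
}

# Audit the file named on the command line, or demonstrate on the samples.
demo() {
    if [ -n "${1:-}" ]; then
        check_pam_authz "$1" && echo "$1: no PAM_AUTHZ placement problems found"
        return
    fi
    f=$(mktemp)
    write_sample_good "$f"; check_pam_authz "$f" && echo "good sample: OK"
    write_sample_bad "$f";  check_pam_authz "$f" || echo "bad sample: violations listed above"
    rm -f "$f"
}
demo "$@"
```

Run it as `sh check_pam_authz.sh /etc/pam.conf` after editing the file and before the next login test; the check is read-only and does not modify pam.conf. It deliberately does not complain when a service uses PAM_LDAP without PAM_AUTHZ, since the guide presents the authorization module as optional.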
7.4 Configuring PAM_AUTHZ login authorization 199