LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
1. Add the new proxy user to your directory with appropriate access controls. For information
about adding a new proxy user to your directory, see the steps "Create a proxy user" and
"Set access permissions for the proxy user" in Section 2.4.4 (page 65).
For Windows ADS, additional steps are required to set up the HP-UX host as a Kerberos
service principal in the Windows domain. When you create a proxy, use either a user or
service principal as the proxy user. A Kerberos keytab file contains principals. For more
information, see Section 7.3 (page 196).
2. Configure each client to use the new proxy user by running
/opt/ldapux/config/ldap_proxy_config. For more information about this tool, see
Section 9.2.6 (page 280). Examples follow.
3. Run /opt/ldapux/config/ldap_proxy_config -p to display the proxy user you just
configured and confirm that it is correct.
4. Run /opt/ldapux/config/ldap_proxy_config -v to verify the proxy user is working.
NOTE: While the proxy user information stored in the pcred file is protected for root-only access
and not stored in plain text, it is not encrypted. Access to the pcred file must be restricted to
prevent discovery of the proxy user’s password. The same is true for the acred file.
Configuring a new proxy for an HP directory server
For example, the following command configures the local client for an HP directory server to use
a proxy user DN of uid=proxy,ou=people,o=hp.com with a password of abcd1234:
cd /opt/ldapux/config
./ldap_proxy_config -i
uid=proxy,ou=people,o=hp.com
abcd1234
NOTE: This command has no prompt. You must enter the DN and password on two separate
lines, as shown in this example.
The following command displays the current proxy user (just created by the preceding command):
./ldap_proxy_config -p
PROXY DN: uid=proxy,ou=people,o=hp.com
Configuring a new proxy for a Windows ADS
The following command configures the local client to use a proxy user DN of CN=Proxy User,
CN=Users, DC=cup, DC=hp, DC=com with a password of abcd1234:
cd /opt/ldapux/config
./ldap_proxy_config -i
CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com
abcd1234
NOTE: This command has no prompt. You must enter the DN and password on two separate
lines, as shown in this example.
The following command displays the current proxy user (just created by the preceding command):
./ldap_proxy_config -p
PROXY DN: CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com
Verifying the proxy user can bind to the HP or Windows directory
The following command determines whether the proxy user can bind to the directory:
./ldap_proxy_config -v
File Credentials verified - valid
7.9 Managing proxy users 243