LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

7.10.3 Creating a new configuration profile
To create a new profile, run /opt/ldapux/config/setup. When setup asks you for the
distinguished name (DN) of the profile, give a DN that does not exist and setup will prompt you
for the parameters to build a new profile. The setup program also configures the local client to
use the new profile.
Alternatively, you could use your directory administration tools to make a copy of an existing profile
and modify it.
You may also use the interactive tool create_profile_entry to create a new profile, as follows:
cd /opt/ldapux/config
./create_profile_entry
Once you create a new profile, configure client systems to use it, as described in Section 7.10.4
(page 246).
7.10.4 Specifying a different profile for client use
Each client uses the profile specified in its startup file /etc/opt/ldapux/ldapux_client.conf.
To make a client use a different profile in the directory, edit this file and change the DN specified
in the PROFILE_ENTRY_DN line. Then download the profile as described in Section 2.5.8
(page 111).
7.11 Creating an /etc/krb5.keytab file
In the ADS multiple domain environment, your HP-UX client machine will communicate with multiple
Windows 2003 R2 or 2008 domain controllers. To set up Kerberos authentication, your HP-UX
host needs to have a service key known by every domain controller; as such, the host acts as a
KDC. The service key is created on Windows 2003 R2 or 2008 Server using ktpass, as described
in Section 3.4.5 (page 135). After you create the service key file on each domain controller, you
must securely transfer it to your HP-UX machine. All service key files must be merged and stored
in /etc/krb5.keytab.
For example, if you integrate LDAP-UX with ADS multiple domains so that users from DomainA,
DomainB, and DomainC can log into your HP-UX client machine, you must create the service key
on each domain controller (say domainA.keytab on DomainA, domainB.keytab on DomainB
and domainC.keytab on DomainC), then transfer those files into your HP-UX machine. Finally,
merge all three service key files to create /etc/krb5.keytab. Use ktutil to merge service
key files on your HP-UX machine:
# /usr/sbin/ktutil
ktutil: rkt domainA.keytab
ktutil: rkt domainB.keytab
ktutil: rkt domainC.keytab
ktutil: wkt krb5.keytab
ktutil: quit
Use klist -k to list the entries in the keytab file /etc/krb5.keytab, which should
be readable only by the superuser (root).
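The following check is an added example, not part of the original guide or of LDAP-UX. It audits a merged keytab for the two conditions described above: every domain's realm has at least one entry, and no group or other permission bits are set. It assumes the MIT keytab file format version 0x0502; the function names and the owner_uid parameter are hypothetical.

```python
import os
import stat
import struct

def counted(data, p):
    """Read a uint16-length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def keytab_entries(data):
    """Yield (realm, principal, kvno) per entry; assumes keytab format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            part, p = counted(data, p)
            parts.append(part.decode())
        kvno = data[p + 8]            # after name type (4) and timestamp (4)
        _key, p = counted(data, p + 11)   # skip vno8 + key type; key never shown
        if pos + size - p >= 4:       # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield realm.decode(), "/".join(parts), kvno
        pos += size

def audit_keytab(path, expected_realms, owner_uid=0):
    """Return a list of findings; an empty list means the keytab passed."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set, mode %o" % stat.S_IMODE(st.st_mode))
    if st.st_uid != owner_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, owner_uid))
    with open(path, "rb") as f:
        realms = {realm for realm, _, _ in keytab_entries(f.read())}
    for missing in sorted(set(expected_realms) - realms):
        findings.append("no entry for realm " + missing)
    return findings
```

Call audit_keytab("/etc/krb5.keytab", [...]) with the Kerberos realm names of your domains; each returned string names one problem to fix before relying on the keytab.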
For a list of all steps that you might need to perform to set up Kerberos support, see Section 3.4.2
(page 128).
7.12 Performance considerations
This section describes ways to improve network and server performance. For additional performance
information, see the LDAP-UX Integration Performance and Tuning Guidelines white paper at:
http://www.hp.com/go/hpux-security-docs
246 Administering LDAP-UX Client Services