LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

13. Modifies the LDAP-UX client daemon configuration file /etc/opt/ldapux/ldapclientd.conf to:
    • Enable the LDAP-UX client daemon ldapclientd to launch automatically whenever the system is rebooted ([StartOnBoot] is defined with enable=yes).
    • Set iproxy_is_restricted=yes in the [general] section, which indicates that the host entry created in step 10 is not privileged. This setting enables additional capabilities provided by the ldapuglist and ldaphostlist tools.
    A sample of the ldapclientd.conf file is included in Section C.4 (page 417).
14. Starts the LDAP-UX client daemon (ldapclientd) and the central configuration service daemon (ldapconfd).
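As an added check (example code written for this guide, not part of the guide or of LDAP-UX itself), the following Python parses an ldapclientd.conf and reports whether the two settings that step 13 is expected to leave behind are present. It assumes the file is INI-style ([section] headers with key=value lines), as the guide's wording implies; both sample files are constructed.

```python
import re
from typing import Dict

# Constructed sample: the file as the guided installation is expected to leave it.
RESTRICTED_CONF = """\
# ldapclientd.conf (constructed sample, not taken from the guide)
[general]
iproxy_is_restricted=yes

[StartOnBoot]
enable=yes
"""

# Constructed sample: daemon starts on boot, but the host proxy is left unrestricted.
UNRESTRICTED_CONF = """\
[general]
iproxy_is_restricted=no

[StartOnBoot]
enable=yes
"""


def parse_ldapclientd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key=value lines; lines starting with '#' or ';' are comments.
    Section names are kept case-sensitive, matching [general] and [StartOnBoot] as written."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section: ignore rather than guess
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_autosetup_settings(text: str) -> Dict[str, bool]:
    """Return whether ldapclientd starts on boot and whether the host proxy is restricted."""
    conf = parse_ldapclientd_conf(text)
    on_boot = conf.get("StartOnBoot", {}).get("enable", "").lower() == "yes"
    restricted = conf.get("general", {}).get("iproxy_is_restricted", "").lower() == "yes"
    return {"start_on_boot": on_boot, "iproxy_is_restricted": restricted}


if __name__ == "__main__":
    print(check_autosetup_settings(RESTRICTED_CONF))    # both True
    print(check_autosetup_settings(UNRESTRICTED_CONF))  # iproxy_is_restricted False
```

To run it against a real host, read /etc/opt/ldapux/ldapclientd.conf and pass its contents to check_autosetup_settings.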
2.3.2 Principles of the LDAP-UX domain

When used for installing LDAP-UX in an environment (other than Windows) for the first time, the guided installation defines the management framework for, and actually creates, an LDAP-UX domain. An LDAP-UX domain is a collection of users, groups, and hosts that can be managed in the LDAP directory server, using the user and host management tools described in Section 7.8 (page 235).
NOTE: This section does not apply to guided installations of LDAP-UX into a Windows ADS domain. An LDAP-UX domain is not a Windows domain. A Windows ADS domain already defines a directory information tree, information model, and security policy. The LDAP-UX domain defines similar elements.
An LDAP-UX domain is defined by an LDAP-UX configuration profile. All hosts configured to point to the same LDAP-UX configuration profile are considered part of that same domain. The configuration profile follows the standard defined by RFC 4876. As such, it can be used to define the same domain for platforms aside from HP-UX. (For more information about configuring the profile, see Section 7.10.2 (page 245).) While the guided installation defines this configuration profile automatically, any configuration profile can be considered the basis of an LDAP-UX domain.
The guided installation uses the host management tools to automatically provision into the directory server any relevant information about HP-UX hosts contained in the domain. Creating host entries in the directory server serves the following purposes:
    • As part of the secured framework described in Section 2.3.2.3 (page 37), the guided installation assures that data is protected from anonymous access (anonymous access is defined when a new HP-UX Directory Server instance is created). Directory server data is available only to known clients. When the OS is acting on behalf of its users, it needs a proxy identity to represent the users of the host. The host entry is used to represent that proxy identity.
    • As part of the new ssh key management feature, when the guided installation creates the new host entry, it also uploads the host ssh public keys. This simplifies management of ssh keys in the directory server. With HP Secure Shell A.05.50 or later, the host entry can be used to assure trust between hosts managed in the domain. For more information about ssh key management, see “Managing ssh host keys with LDAP-UX (HP directory servers only)” (page 258).
To assure that the LDAP directory server can be trusted as a secure repository for host users and groups, the identity of the directory server must be validated. Being SSL-enabled (as is required), the directory server can provide that validation with SSL certificates. In addition, through SSL encryption, it can assure that private information such as user passwords is not intercepted while in transit.
2.3 Guided installation (autosetup) for an HP directory server environment 31