LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

For information about how to import your information into the directory, see Section 2.5.1
(page 89). For information about the migration scripts, see Section 9.6 (page 383).
CAUTION: If you place a root login (any account with UID number 0) in the LDAP directory,
anyone who knows that account's password can log in as root on every client that uses
LDAP-UX Client Services. Keeping the root user in /etc/passwd on each client system enables
local management of the root user. This is especially useful when the network is down, because
it allows local access to the system when the directory server is unreachable.
Do not put the same users both in /etc/passwd and in the directory. The two entries can
disagree (different UID numbers, home directories or passwords), which leads to conflicts
and unexpected behavior.
Note that LDAP-UX Client Services (version B.05.00 or later) offers offline, long-term credential
caching that enables LDAP-UX to authenticate users attempting to log in to the system when
credential information is unavailable from the directory server (when the server or network is
down, for example). For information about this feature and how to configure it, see
Section 2.5.4 (page 101).
NOTE: If you are planning a first-time deployment of managing user and group data in the
directory server, HP suggests that you devise a strategy to avoid UID number and GID number
overlap. Most likely, you will need to continue managing some accounts local to the hosts.
Often the root user, and sometimes application accounts (such as www for the httpd process)
remain managed in the local /etc/passwd file. Devise a convention establishing a range
for UID numbers and one for GID numbers such that accounts and groups in LDAP do not
conflict with those on local hosts. For example, accounts in LDAP could all have UID numbers
greater than 1000, while accounts on local hosts would be restricted to UID numbers less than
1000.
For information about ensuring that user and group numbers to be migrated or imported into
a new directory server do not collide with the ones created by the guided installation, see
Section 2.5.1.1 (page 90).
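The checks the caution and the note above ask for (no UID 0 in the directory, no user in both /etc/passwd and LDAP, no UID or GID number reused on both sides, and a UID/GID range convention) can be scripted before a migration. The following is an added example, not a script shipped with LDAP-UX Client Services or from the guide. It compares a client's /etc/passwd and /etc/group with an LDIF export of the directory's posixAccount and posixGroup entries. Assumptions: attribute values are plain (not base64 "::") and one entry per blank-line-separated LDIF block; local IDs stay below LDAP_MIN_ID and directory IDs at or above it (1001 by default, an assumed convention matching the "greater than 1000" example above). The sample passwd, group and LDIF data in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the LDAP-UX guide. Before migrating users and
# groups into the directory, compare a client's /etc/passwd and /etc/group with
# an LDIF export of the directory's posixAccount/posixGroup entries and report
# whatever would break the conventions described above. Assumptions: plain
# (not base64 "::") uid/cn/uidNumber/gidNumber values; local IDs stay below
# LDAP_MIN_ID and directory IDs at or above it (default 1001, assumed).

# ldif_posix FILE: emit "A <uid> <uidNumber>" per posixAccount entry and
# "G <cn> <gidNumber>" per posixGroup entry (first word of cn only).
ldif_posix() {
    awk '
        function flush() {
            if (isacct && uid != "" && uidn != "") print "A", uid, uidn
            if (isgrp  && cn  != "" && gidn != "") print "G", cn, gidn
            isacct = 0; isgrp = 0; uid = ""; cn = ""; uidn = ""; gidn = ""
        }
        /^dn:/                                       { flush() }
        tolower($0) ~ /^objectclass: *posixaccount$/ { isacct = 1 }
        tolower($0) ~ /^objectclass: *posixgroup$/   { isgrp = 1 }
        /^uid: /                                     { uid = $2 }
        /^cn: /                                      { cn = $2 }
        /^uidNumber: /                               { uidn = $2 }
        /^gidNumber: /                               { gidn = $2 }
        END                                          { flush() }
    ' "$1"
}

# check_collisions PASSWD GROUP LDIF: print one finding per line
# (ROOT-IN-LDAP, DUP-USER, UID-COLLISION, GID-COLLISION, UID-RANGE,
# GID-RANGE, LOCAL-UID-RANGE, LOCAL-GID-RANGE); exit 1 if any were found.
check_collisions() {
    {
        awk -F: 'NF >= 3 { print "LU", $1, $3 }' "$1"   # local users
        awk -F: 'NF >= 3 { print "LG", $1, $3 }' "$2"   # local groups
        ldif_posix "$3"                                 # directory entries
    } | awk -v minid="${LDAP_MIN_ID:-1001}" '
        $1 == "LU" { lu[$3] = $2; luname[$2] = 1
                     if ($3 + 0 >= minid) { print "LOCAL-UID-RANGE", $2, $3; bad++ }
                     next }
        $1 == "LG" { lg[$3] = $2
                     if ($3 + 0 >= minid) { print "LOCAL-GID-RANGE", $2, $3; bad++ }
                     next }
        $1 == "A"  { if ($3 + 0 == 0)  { print "ROOT-IN-LDAP", $2; bad++ }
                     if ($2 in luname) { print "DUP-USER", $2; bad++ }
                     if ($3 in lu)     { print "UID-COLLISION", $3, lu[$3], $2; bad++ }
                     if ($3 + 0 != 0 && $3 + 0 < minid) { print "UID-RANGE", $2, $3; bad++ }
                     next }
        $1 == "G"  { if ($3 in lg)     { print "GID-COLLISION", $3, lg[$3], $2; bad++ }
                     if ($3 + 0 < minid) { print "GID-RANGE", $2, $3; bad++ } }
        END        { exit (bad > 0) }
    '
}

# demo: constructed sample data (not from any real system) that triggers every
# kind of finding except the clean case; prints the findings, exit status 1.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'www:*:30:1::/:/sbin/sh' \
        'alice:*:1001:20::/home/alice:/usr/bin/sh' > "$dir/passwd"
    printf '%s\n' 'root::0:' 'users::20:alice' > "$dir/group"
    cat > "$dir/export.ldif" <<'EOF'
dn: uid=root,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: root
cn: root
uidNumber: 0
gidNumber: 0

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 30
gidNumber: 2000

dn: cn=users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: users
gidNumber: 20
EOF
    check_collisions "$dir/passwd" "$dir/group" "$dir/export.ldif"
    status=$?
    rm -rf "$dir"
    return $status
}

demo || echo "collisions found, fix them before migrating (exit $?)"
```

Run it against real data as `LDAP_MIN_ID=1001 sh check.sh` after replacing the demo call with `check_collisions /etc/passwd /etc/group export.ldif`, where export.ldif is an LDIF export of the directory subtree that holds your user and group entries. The sample data deliberately contains a root entry with uidNumber 0 in the directory, a directory user (bob) reusing the local www account's UID number, a local account (alice) above the LDAP range, and a group number used on both sides, so every finding type except the clean case appears once.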
How many profiles do you need?
A configuration profile is a directory entry that contains configuration information shared by
a group of clients. The profile contains the information clients need to access user and group
data in the directory, for example:
Your directory server hosts
Where user, group, and other information is in the directory
The method clients use to bind to the directory
Other configuration parameters such as search time limits
If these parameters are the same for all your clients, you need only one profile. You need at
least one profile per directory server or replica. In general, to simplify maintenance, it is a
good idea to have as few profiles as necessary. To see what is in a profile and help you
decide how many different profiles you need, look at the posixNamingProfile object class in
“LDAP-UX Client Services object classes” (page 406).
If you are familiar with NIS, one possibility is to create a separate profile for each NIS domain.
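As an added illustration of what the four kinds of information listed above look like in a single profile entry (this is example LDIF written for this page, not a profile generated by the LDAP-UX setup program or taken from the guide), the following entry would serve every client of two replicas. The host names, DNs and values are assumptions; the attribute names are those of the DUAConfigProfile schema that LDAP-UX profiles are built on, and should be verified against the posixNamingProfile object class definition referenced above before use.

```ldif
# Added example profile; hosts, DNs and values are assumptions.
dn: cn=hpux-clients,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
objectClass: posixNamingProfile
cn: hpux-clients
# Your directory server hosts: the primary first, then the replica
defaultServerList: ldap1.example.com:389 ldap2.example.com:389
# Where user, group and other information is in the directory
defaultSearchBase: dc=example,dc=com
defaultSearchScope: sub
serviceSearchDescriptor: passwd:ou=People,dc=example,dc=com?one
serviceSearchDescriptor: group:ou=Groups,dc=example,dc=com?one
# The method clients use to bind: a proxy user, not anonymous access
credentialLevel: proxy
authenticationMethod: simple
# Other configuration parameters: search and bind limits (seconds) and
# how often clients re-read the profile
searchTimeLimit: 30
bindTimeLimit: 10
profileTTL: 43200
```

Because the clients only reference the profile by its DN, the same entry can be replicated to every server in defaultServerList; a second profile is only needed when a group of clients must differ in one of these values (a different search base, bind method or server list, or a separate NIS-domain-sized population as suggested above).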
Where in your directory will you put your profile?
The profile contains directory access information. It specifies how and where clients can find
user and group data in the directory. You may put the profile anywhere you want, as long as
the client systems can read it. For example, you might put it near your user data, or you could
put it in a separate administrative area. To simplify access permission, put the profile in the
same directory as your user and group data. Clients must have access to both the profile and
2.4 Customized installation (setup) for an HP directory server environment 61