LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
• If you choose to use TLS, set the enable_startTLS parameter to 1 in the /etc/opt/ldapux/ldapux_client.conf file to enable TLS. To use SSL, set enable_startTLS to 0 to disable TLS. By default, TLS is disabled.
NOTE: When configuring and setting up LDAP-UX, you will likely be prompted for the credentials of an administrator. If you are asked to enter the credentials (password) of a user, make sure that the connection between your client and the HP-UX system (where you are running setup) is secured and not subject to network eavesdropping. One option to protect such communication is to use the ssh protocol when connecting to the HP-UX host being configured.
1. Perform the steps described in Section 2.4.5.1 (page 69).
   However, after step 11, you are asked whether you want to use SSL if the value of the enable_startTLS parameter is 0 (disabled) or undefined. Enter yes to the following question if you want to use SSL for the secure communication between LDAP clients and the HP-UX Directory Server or Red Hat Directory Server. Enter no to the following question if you don't want to use SSL. Skip to step 2.
   Do you want to use SSL (y/n)?
   Otherwise, if the value of the enable_startTLS parameter is 1 (enabled), you are asked whether you want to use TLS. Enter yes to the following question if you want to use TLS for the secure communication between LDAP clients and the HP-UX Directory Server or Red Hat Directory Server. Enter no to the following question if you don't want to use TLS. Skip to step 3.
   Do you want to use TLS (y/n)?
2. Next, setup prompts you to select the authentication method that users use to bind/authenticate to the server.
   If you choose not to enable SSL, you have a choice between SIMPLE (the default), SASL/GSSAPI, or SASL/DIGEST-MD5. If you choose to enable SSL, you have a choice between SIMPLE with SSL (the default), SASL/GSSAPI with SSL, or SASL/DIGEST-MD5 with SSL.
   LDAP-UX supports the SASL/GSSAPI and SASL/DIGEST-MD5 authentication methods. SASL/GSSAPI is only supported for LDAP-UX used with Windows ADS.
   If you select SASL/DIGEST-MD5, two additional prompts appear. The first prompts you for a user mapping (UID, DN, or Other). The second prompts you for a single realm to use when retrieving user authentication information. If no realm is specified, user information is retrieved from the first realm the directory server offers.
   For an overview of the various authentication methods you can configure with LDAP-UX Client Services, including their strengths and weaknesses, see Section 2.4.6.1 (page 79).
3. Specify the host name and optional port number where your directory is running. If you choose to use TLS, the default directory port number is 389. If you choose to use SSL, the default directory port number is 636.
   For high availability, each LDAP-UX client can look for user and group information in up to three different directory servers. You can specify up to three directory hosts, to be searched in order.
4. Reply no when asked if you want to accept the remaining default configuration parameters.
5. Select the client binding you want from “Configuration worksheet” (page 403). This determines the identity that client systems use when binding to the directory to search for user and group information.
6. If you configured a proxy user, enter the DN and password of your proxy user, from “Configuration worksheet” (page 403).
   If you want to use the SASL/DIGEST-MD5 authentication method, you must configure a proxy user with its credential level.
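As an added check that is not part of this guide or of the LDAP-UX product, the following shell script derives which prompt (SSL or TLS) setup will show from the enable_startTLS value and flags any host:port entry from step 3 whose port does not match that mode's default, so a mismatch (for example STARTTLS on the LDAPS port) is caught before the client is left without a working secure connection. It assumes the configuration file holds plain key=value lines; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the HP guide): derive the secure mode LDAP-UX setup
# will offer from enable_startTLS and sanity-check host[:port] entries for it.
# Assumes the config file holds plain "key=value" lines (constructed format).

# Print the enable_startTLS value (0/1); an absent or malformed line counts as 0,
# matching the guide's "0 (disabled) or undefined" case.
get_start_tls() {
    val=$(sed -n 's/^[[:space:]]*enable_startTLS[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '0\n'; fi
}

# Map the parameter to the prompt setup will show and that mode's default port:
# 1 -> TLS (STARTTLS) on 389, otherwise -> SSL (LDAPS) on 636.
secure_mode() {
    case "$(get_start_tls "$1")" in
        1) printf 'TLS 389\n' ;;
        *) printf 'SSL 636\n' ;;
    esac
}

# Compare each host[:port] (as typed at the "host name and optional port" step)
# with the mode's default port. Warnings go to stderr; the number of findings
# (port mismatches, plus one if more than three hosts are given) goes to stdout.
check_hosts() {
    conf=$1; shift
    mode=$(secure_mode "$conf")
    proto=${mode% *}; want=${mode#* }
    bad=0
    if [ $# -gt 3 ]; then
        echo "WARN: $# hosts given; LDAP-UX searches at most three" >&2
        bad=$((bad + 1))
    fi
    for h in "$@"; do
        port=${h##*:}
        if [ "$port" = "$h" ]; then port=$want; fi   # no explicit port: default applies
        if [ "$port" != "$want" ]; then
            echo "WARN: $h uses port $port, but $proto defaults to $want" >&2
            bad=$((bad + 1))
        fi
    done
    printf '%s\n' "$bad"
}

# Demo on a constructed config (not a real ldapux_client.conf):
demo_conf=$(mktemp)
printf 'enable_startTLS=1\n' > "$demo_conf"
secure_mode "$demo_conf"                                 # prints: TLS 389
check_hosts "$demo_conf" ldap1.example.com ldap2.example.com:636
rm -f "$demo_conf"
```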
2.4 Customized installation (setup) for an HP directory server environment 73