HP-UX LDAP-UX Integration Software manual, Appendix A: Setting a Proxy User’s Access Rights


Appendix A: Setting a Proxy User’s Access Rights

When using the LDAP-UX product to integrate HP-UX accounts into Active Directory, you need to configure a proxy user to retrieve user account information. The proxy user must be able to read the POSIX attributes of all users and groups. The following explains how to grant the proxy user the required access.

If you select “Permissions compatible with pre-Windows 2000 services” as the default permissions for users and groups when you install Active Directory, any authenticated user is granted "Read All Properties" and "Read Permissions" on user and group objects. As a result, any user can read all attributes of user and group objects, so any domain user can be configured as the proxy user. However, for security reasons, this may not be your best choice.

If you select “Permissions compatible only with Windows 2000 services” as the default permissions for users and groups when you install Active Directory, authenticated users are granted the right to read all properties of their own objects, but only limited properties of other objects. As a result, a user can read the POSIX attributes of his own user and group objects, but not other users' POSIX attributes. As a Windows 2000 server administrator, you have two options for granting the proxy user permission to read the POSIX attributes of all users and groups:

1) Configure the proxy user to be a member of the "Pre-Windows 2000 Compatible Access" group. By doing this, you allow the proxy user to read all properties of user and group objects. Here is how to configure it:

a) Start Active Directory Users and Computers.

b) From the domain tree, click Builtin.

c) Click "Pre-Windows 2000 Compatible Access" and choose "Properties" from the Action menu.

d) From the "Pre-Windows 2000 Compatible Access Properties" dialog box, choose the "Members" tab.

e) Click "Add". From the list of all users and groups, choose the user name that you want to configure as the proxy user, or type in the proxy user name, then click "Add" (see the screen below).

f) Click "OK" to save the configuration.

2) Delegate the POSIX attribute read access to the proxy user. By doing this, you allow the proxy user to read only the POSIX attributes of user and group objects:

a) Start Active Directory Users and Computers.
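The practical difference between the two options can be checked from saved search output. The following is an added example, not part of the HP manual: it takes LDIF returned by a directory search made while bound as the proxy user and reports every attribute that came back beyond the POSIX set. The allow-lists, function names and LDIF samples are constructed assumptions; adjust the attribute names to your schema.

```python
# Assumption: POSIX attribute names this appendix covers; extend for your schema.
POSIX_ATTRS = {"msSFUName", "msSFUPassword", "memberUid"}
STRUCTURAL = {"objectClass", "cn"}  # assumption: naming attributes to tolerate

def parse_ldif(text):
    """Return [(dn, {attribute names})], unfolding RFC 2849 continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded line: join to previous
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, set()
    for line in lines + [""]:                 # trailing blank flushes last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, set()
        elif not line.startswith("#"):
            name = line.partition(":")[0].split(";", 1)[0]  # drop ";binary" etc.
            if name.lower() == "dn":
                dn = line.partition(":")[2].lstrip(": ")
            else:
                attrs.add(name)
    return entries

def excess_attributes(entries, allowed=POSIX_ATTRS | STRUCTURAL):
    """Map dn -> attributes the proxy could read beyond the allow-list."""
    ok = {a.lower() for a in allowed}         # LDAP attribute names ignore case
    report = {dn: sorted(a for a in attrs if a.lower() not in ok) for dn, attrs in entries}
    return {dn: extra for dn, extra in report.items() if extra}

# Constructed sample LDIF (not real directory data).
BROAD = """dn: CN=jdoe,CN=Users,DC=example,DC=com
objectClass: user
msSFUName: jdoe
telephoneNumber: 555-0100
description: constructed
 sample entry
"""
DELEGATED = """dn: CN=jdoe,CN=Users,DC=example,DC=com
msSFUName: jdoe

dn: CN=staff,CN=Users,DC=example,DC=com
memberUid: jdoe
"""

if __name__ == "__main__":
    print(excess_attributes(parse_ldif(BROAD)), excess_attributes(parse_ldif(DELEGATED)))
```

An empty report means the proxy account returned nothing outside the allow-list; any listed attribute is read access the proxy user does not need for account lookups.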
