5. Verify that the accounts branch works by entering the following command, substituting the values you found in step 1 for searchbase, machine_dn, and machine_pass:

    /usr/local/bin/ldapsearch \
        -D "machine_dn" -w "machine_pass" \
        -b "searchbase" \
        ou=accounts

6. Use the Administration utility (or manually edit the /etc/ldapcd.conf file) to add the following entry, substituting the value you found in step 1 for searchbase:

userbranch: ou=accounts,searchbase

Note:

After you add a default user or group branch to the /etc/ldapcd.conf file, the Administration utility and the LDAP utilities in /usr/internet/ldap_tools use this branch by default. As a result, other entries that were created before you added the group or user branch might be masked.

Extended LDAP Schema for UNIX Account Information

Internet Express depends on certain object classes and attributes being present in the directory server. These items are defined by RFC 2307 and are present when you use a directory server installed by Internet Express.

If you plan to use a directory server that was not installed by Internet Express, you must verify that the required schema elements are present. The required schema elements are documented in RFC 2307, which can be found at:

http://www.faqs.org

If you want to use schema objects other than those defined in RFC 2307 and plan to use the Internet Express LDAP authentication module, you must change the default configuration to recognize your custom objects and attributes. You can make the needed changes using the Internet Express system administration user interface (see Section : Default Configuration for the LDAP Module for System Authentication).

The Internet Express kit includes LDAP utilities that work with the RFC 2307 schema objects supplied by Internet Express. See Section : Utilities for Maintaining User Information in the LDAP Directory Server for information on these utilities. Note that these LDAP tools are sensitive to the directory server's schema and cannot support a schema that differs greatly from the RFC 2307 definition. A provided tool, /usr/internet/ldap_tools/ldap_check, can be used to verify the schema once the configuration changes have been made.

The LDAP utilities require a userPassword attribute that stores, and returns unchanged, a supplied value of the form:

{crypt}crypted-string

where {crypt} is a keyword or phrase that indicates the type of password encryption used for the passwd file, and crypted-string is the encrypted password.

Directory servers provided by Internet Express handle this correctly. Other directory servers, such as Oracle's Internet Directory, interpret the supplied string as a cleartext password to be encrypted and return a value that is not compatible with the standard BSD crypt mechanism. When using such a directory server, you must create a schema object similar to the RFC 2307 unixAccount object, but with another attribute substituted for the standard userPassword attribute. This substitute attribute should be of type case-exact string. Be sure to use the substituted attribute name in the LDAP Caching Daemon Configuration File.
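The following is an added example of the round-trip check this caveat calls for; it is written for this page and is not the ldap_check tool or any Internet Express code. The LDAP add-then-search is replaced by a hypothetical in-memory simulate_server() so it runs offline, and the sample {crypt} value is constructed, not the hash of any real password.

```python
import base64
import hashlib
import re

# Traditional BSD crypt(3): 2-char salt + 11-char hash from this 64-char alphabet.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format ($1$..., $5$..., $6$...) is also passed through by crypt(3).
_MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$[^$]*\$[./0-9A-Za-z]+$")

def parse_userpassword(value):
    """Split an RFC 2307 '{scheme}data' value into (scheme, data).
    The scheme is lower-cased; a value with no prefix yields (None, value)."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    return (m.group(1).lower(), m.group(2)) if m else (None, value)

def is_bsd_crypt_compatible(value):
    """True only for '{crypt}' followed by a string crypt(3) can verify."""
    scheme, data = parse_userpassword(value)
    return scheme == "crypt" and bool(_DES_CRYPT.match(data) or _MODULAR_CRYPT.match(data))

def check_roundtrip(written, returned):
    """Classify what the directory did to the value the LDAP utilities stored."""
    if returned == written:
        return "ok"           # stored and returned unchanged: usable with crypt(3)
    if returned.lower() == written.lower():
        return "case-folded"  # attribute is not a case-exact string: crypt(3) will fail
    if parse_userpassword(returned)[0] != parse_userpassword(written)[0]:
        return "rehashed"     # server treated the value as a cleartext password
    return "modified"

def simulate_server(written, rehash_scheme=None):
    """Hypothetical in-memory stand-in for an LDAP add followed by a search.
    A compliant server returns the value unchanged; a server that treats the
    supplied string as cleartext returns its own hash instead (the SHA-1 here
    is only a constructed stand-in for that behaviour)."""
    if rehash_scheme is None:
        return written
    digest = hashlib.sha1(written.encode()).digest()
    return "{%s}%s" % (rehash_scheme, base64.b64encode(digest).decode())

# Constructed sample value; not the hash of any real password.
SAMPLE = "{crypt}abJnggxhB/yWI"
```

Against a real server, replace simulate_server() with an add of SAMPLE to a test entry followed by a search that reads the attribute back; anything other than "ok" means the attribute cannot hold crypt(3) output as the LDAP utilities require.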

Example 3 shows sample user and group object class definitions.

70 User Authentication
