Introduction | HP UX LDAP-UX Integration Software specification

	Introduction
	Overview of LDAP-UX Client Services
	directory, as shown below. LDAP adds greater scalability,
	interoperability with other applications and platforms, and less network
	trafﬁc from replica updates.
Figure 1-2	A Simpliﬁed LDAP-UX Client Services Environment

LDAP Directory Server

Updates LDAP Directory Server Replica

LDAP Requests

LDAP-UX client

LDAP-UX client

LDAP-UX Client Services supports the following name service data: passwd, groups, hosts, rpc, services, networks, protocols, publickeys, automount, netgroup. See the LDAP-UX Integration B.04.00 Release Notes for any additional supported services.

How LDAP-UX Client Services Works

LDAP-UX Client Services works by leveraging the authentication mechanism provided in the Pluggable Authentication Module, or PAM, and the naming services provided by the Name Service Switch, or NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for information on PAM. For information on NSS, see switch(4) and “Conﬁguring the Name Service Switch” in Installing and Administering NFS Services at http://docs.hp.com/hpux/communications/#NFS.

These extensible mechanisms allow new authentication methods and new name services to be installed and used without changing the underlying HP-UX commands. And, by supporting the PAM architecture, the HP-UX client becomes truly integrated in the LDAP environment. The PAM_LDAP library allows the HP-UX system to use the LDAP directory as a trusted server for authentication. This means that

Chapter 1

3

Image 17

HP UX LDAP-UX Integration Software manual How LDAP-UX Client Services Works, Introduction, Trafﬁc from replica updates

Contents

Manufacturing Part Number J4269-90071 E0207 Edition Legal Notices Contents Administering LDAP-UX Client Services Command and Tool Reference User Tasks Tables Viii Figures Figures New and Changed Documentation in This Edition Intended Audience What’s in This document Publishing History Xiii HP Encourages Your Comments Typographical Conventions Chapter Overview of LDAP-UX Client Services Simpliﬁed NIS Environment Overview of LDAP-UX Client Services Trafﬁc from replica updates How LDAP-UX Client Services WorksSimpliﬁed LDAP-UX Client Services Environment Introduction That use PAM and NSS Examples of Commands and SubsystemsCommands that use Commands that use PAM Login, ftpd Ls, who Overview of LDAP-UX Client Services Local Start-up File and the Conﬁguration Proﬁle Overview of LDAP-UX Client Services Chapter Before You Begin LDAP-UX Client Services Summary of Installing and Conﬁguring Summary of Installing and Conﬁguring Optionally modify the /etc/opt/ldapux/pamauthz.policy Plan Your Installation Plan Your Installation Still log in to the system Share user names and passwords with other applications, Example Directory Structure Plan Your Installation Plan Your Installation Section must be set to yes. If the start option is enabled, Plan Your Installation Install LDAP-UX Client Services on a Client Install LDAP-UX Client Services on a Client Step Conﬁgure Your DirectoryConﬁgure Your Directory Conﬁgure Your Directory Grant read access of all attributes of the posix schema Conﬁgure Your Directory Import Name Service Data into Your Directory Import Name Service Data into Your Directory Directory Steps to Importing Name Service Data into Your Conﬁgure the LDAP-UX Client Services Conﬁgure the LDAP-UX Client Services Conﬁgure the LDAP-UX Client Services Quick Conﬁguration Required to start the services Simple Sasl DIGEST-MD5 Conﬁguration Parameter Default Values Conﬁgure the LDAP-UX Client Services Custom Conﬁguration Specify up to three directory hosts, to be searched in order Specify the service you want to map? Specify the attribute you want to map You type 0 to exit this menu for the following question Answer Y instead of the default N For the question You want to create a custom search descriptor for Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁgure the LDAP-UX Client Serivces with SSL Support Steps to Download the CA Certiﬁcate from Mozilla Browser Conﬁguring the LDAP-UX Client to Use SSL Mail users, and Trust the CA to identify software developers Use the rm command to remove the old database ﬁles Steps to create database ﬁles using the certutil utility Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁgure LDAP-UX Client Services with Publickey Support Conﬁgure LDAP-UX Client Services with Publickey Support October Enhanced Publickey-LDAP Software for HP-UX 11i v1 orJune Conﬁguring an Admin Proxy User Using ldapproxyconﬁg Extending the Publickey Schema into Your DirectoryAdmin Proxy User Password for an Admin Proxy User Setting ACI for Key ManagementSetting ACI for an Admin Proxy User An Example Setting ACI for a User Conﬁguring serviceAuthenticationMethod Procedures Used to Conﬁgure serviceAuthenticationMethod Authentication Methods ServiceAuthenticationMethodkeyservsasl/digest-md5 Conﬁguring Name Service Switch Conﬁgure LDAP-UX Client Services with Publickey Support AutoFS Support Automount SchemasAutoFS Patch Requirement AutoFS Support Schema New Automount Schema An Example NisObject Automount Schema Limitations Obsolete Automount SchemaRemoving The Obsolete Automount Schema Attribute Mappings New Automount Attribute NisObject Automount Attribute Mappings Environment Variables AutoFS Migration ScriptsMigration Scripts Description General Syntax For Migration Scripts Examples Syntax Migrateautomount.pl Script AutoFS Support Following shows the /tmp/autoindirect.ldif ﬁle Migratenisautomount.pl Script Following shows the nispautomap.ldif ﬁle Migratenispautofs.pl Script Verify the LDAP-UX Client Services Verify the LDAP-UX Client Services Making sure the output is as expected Verify the LDAP-UX Client Services #cat /etc/nsswitch.conf Conﬁgure Subsequent Client Systems Conﬁgure Subsequent Client Systems Change the current conﬁguration Download the Proﬁle Periodically Download the Proﬁle Periodically Crontab crontab.profile #passwordas = Use r-command for PamldapUse r-command for Pamldap Password, and turning on the rcommand option for pamldap Use r-command for Pamldap Chapter Ldap Printer Conﬁgurator Overview OverviewDeﬁnitions System How the Ldap Printer Conﬁgurator works How the Ldap Printer Conﬁgurator works System administrator manually adds or removes printers to Printer Conﬁgurator Architecture Printer Conﬁguration Parameters Printer Conﬁguration Parameters An Example Printer SchemaPrinter Schema Printer Schema Example Managing the LP printer conﬁgurationManaging the LP printer conﬁguration Managing the LP printer conﬁguration Managing the LP printer conﬁguration Limitations of Printer Conﬁgurator Limitations of Printer Conﬁgurator Limitations of Printer Conﬁgurator Chapter Administering LDAP-UX Client Overview Using The LDAP-UX Client DaemonUsing The LDAP-UX Client Daemon Starting the client LdapclientdControlling the client Client Daemon performance Diagnostics Command options Conﬁguration ﬁle syntax Missing settingsLdapclientd.conf Opt/ldapux/conﬁg/setup Using The LDAP-UX Client Daemon 100 Chapter 101 102 Chapter 103 Conﬁguration File Features and Limitations Integrating with Trusted ModeIntegrating with Trusted Mode Auditing Password and Account Policies Chapter 107 PAM Conﬁguration FileOthers Conﬁguration Parameter Policy And Access Rules Pamauthz Login Authorization EnhancementPamauthz Login Authorization Enhancement Chapter 109 Pamauthz Environment How Login Authorization Works Chapter 111 Policy File Fields in an Access Rule Constructing an Access Rule in pamauthz.policyField Syntax in an Access Rule Actiontyperule Chapter 113 Action No value is required Chapter 115 116 Chapter 117 Policy Validator An Example of /etc/opt/ldapux/pamauthz.policy File Adding a Directory ReplicaAdding a Directory Replica Chapter 119 Displaying the Proxy User’s DNDisplaying the Proxy User’s DN Creating a New Proxy User Verifying the Proxy UserExample Verifying the Proxy User Creating a New Proﬁle Displaying the Current ProﬁleDisplaying the Current Proﬁle Chapter 121 Modifying a Proﬁle Changing Which Proﬁle a Client Is UsingModifying a Proﬁle Access Changing from Anonymous Access to ProxyChanging from Proxy Access to Anonymous Access Changing from Anonymous Access to Proxy Access Changing from Proxy Access to Anonymous Access Minimizing Enumeration Requests Performance ConsiderationsPerformance Considerations Chapter 125 Client Daemon Performance Client Daemon PerformanceLdapclientd Caching Chapter 127 Map Name Beneﬁts Example Side-Effect 128 Chapter 129 Ldapclientd Persistent Connections Troubleshooting TroubleshootingEnabling and Disabling LDAP-UX Logging Chapter 131 TIP Enabling and Disabling PAM Logging Chapter 133 Netscape Directory Server Log FilesUser Cannot Log on to Client System 134 Chapter 135 You should get output like the following 136 Chapter 137 Command and Tool Reference LDAP-UX Client Services Components Description LDAP-UX Client Services ComponentsLDAP-UX Client Services Components Chapter 139 LDAP-UX Client Services ComponentsComponent Description PA machine Files Description LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i Chapter 141 LDAP-UX Client Services Libraries on the HP-UX 11i v2 PAMachine Files Description LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA Createproﬁleentry Tool Client Management ToolsCreateproﬁlecache Tool Client Management Tools Displayproﬁlecache Tool Createproﬁleschema Tool Chapter 145 Getproﬁleentry Tool Getprofileentry -s NSS Ldapproxyconﬁg Tool Chapter 147 File 148 Chapter 149 Beq Search Tool Beq Search ToolSyntax Chapter 151 Examples 152 Chapter 153 Uid2dn Tool Ldap Directory Tools Ldap Directory ToolsGetattrmap.pl Tool Chapter 155 Ldapentry 156 Chapter 157 Ldapsearch Ldapmodify Ldapdelete Certutil Chapter 159 Adding One or More UsersAdding One or More Users Name Service Migration Scripts Name Service Migration ScriptsDefault Naming Context Naming Context Chapter 161 Migrating All Your FilesMigrating Individual Files Migration Scripts Script Name Description General Syntax for Perl Migration ScriptsMigration Scripts Chapter 163 Script Name Description 164 Chapter 165 Ldappasswd Command Ldappasswd Command Chapter 167 168 Chapter 169 To Change Passwords Cannot Change Passwords on Replica Servers To Change Passwords Chapter 171 172 Chapter 173 To Change Personal InformationTo Change Personal Information 174 Chapter 175 Mozilla Ldap C SDK 176 Mozilla Ldap C SDK File Components Mozilla Ldap C SDK File ComponentsMozilla Ldap C SDK File Components on the PA machine Files Description Mozilla Ldap C SDK File Components on the IA machine Chapter 179 Header Files Description Mozilla Ldap C SDK API Header Files Chapter 181 182 Appendix a 183 Table A-1 LDAP-UX Client Services Conﬁguration Worksheet Appendix a Appendix a 185 186 Appendix B 187 Classes Appendix B Proﬁle AttributesProﬁle Attributes Appendix B 189 190 Appendix C 191 ﬁle Appendix C Sample /etc/pam.ldap.trusted ﬁle Appendix C 193 194 Glossary PAM Authorization Service ModuleLdap Data Interchange Format Ldif Glossary 195 Glossary Slapd Index Symbols NIS, 2, 12, 15 Pwget, 4, 69 200