Plan Your Installation | HP UX LDAP-UX Integration Software manual

Installing And Conﬁguring LDAP-UX Client Services

Plan Your Installation

•How will you increase the security level of the product to prevent an unwanted user from logging in to the system via LDAP? What is the procedure to set up increased login security?

The default is to allow all users stored in the LDAP directory to login. To disallow speciﬁc users to login to a local system, you will have to conﬁgure the disable_uid_range ﬂag in /etc/opt/ldapux/ldapux_client.conf ﬁle. There are two sections in this ﬁle, the [proﬁle] section and the [NSS] section. HP recommends that you do not edit the [proﬁle] section. The [NSS] section contains the disable_uid_range ﬂag along with two logging ﬂags. For example, the ﬂag might look like this: disable_uid_range=0-100, 300-450, 89.

Another common example would be to disable root access This ﬂag would look like this: disable_uid_range=0.

When the disable_uid_range is turned on, the disabled uid will not be displayed when you run commands such as pwget, listusers, logins, etc.

NOTE	The passwd command may still allow you to change a password for a
	disabled user when alternative authentication methods, such as
	PAM Kerberos, are used since LDAP does not control these
	subsystems.

•What PAM authentication will you use? How will you set up /etc/pam.conf? What other authentication do you want to use & in what order?

PAM is the Pluggable Authentication Module, providing authentication services. You can conﬁgure PAM to use ldap, Kerberos, or other traditional UNIX locations (for example ﬁles, NIS, NIS+) as controlled by NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information on PAM.

It is recommended you use HP-UX ﬁle-based authentication ﬁrst, followed by LDAP or other authentication. /etc/pam.ldap is an example of this conﬁguration. With this conﬁguration, PAM uses traditional authentication ﬁrst, searching /etc/passwd when any user logs in, then attempts to authenticate to the directory if the user is

16

Chapter 2

Image 30

HP UX LDAP-UX Integration Software manual Plan Your Installation

Contents

Edition Manufacturing Part Number J4269-90071 E0207 Legal Notices Contents Administering LDAP-UX Client Services Command and Tool Reference User Tasks Tables Viii Figures Figures Intended Audience New and Changed Documentation in This Edition Publishing History What’s in This document Xiii Typographical Conventions HP Encourages Your Comments Overview of LDAP-UX Client Services Chapter Overview of LDAP-UX Client Services Simpliﬁed NIS Environment Simpliﬁed LDAP-UX Client Services Environment How LDAP-UX Client Services WorksTrafﬁc from replica updates Introduction Examples of Commands and Subsystems Commands that use Commands that use PAMThat use PAM and NSS Login, ftpd Ls, who Overview of LDAP-UX Client Services Local Start-up File and the Conﬁguration Proﬁle Overview of LDAP-UX Client Services Chapter LDAP-UX Client Services Before You Begin Summary of Installing and Conﬁguring Summary of Installing and Conﬁguring Optionally modify the /etc/opt/ldapux/pamauthz.policy Plan Your Installation Plan Your Installation Still log in to the system Share user names and passwords with other applications, Example Directory Structure Plan Your Installation Plan Your Installation Section must be set to yes. If the start option is enabled, Plan Your Installation Install LDAP-UX Client Services on a Client Install LDAP-UX Client Services on a Client Conﬁgure Your Directory Conﬁgure Your DirectoryStep Conﬁgure Your Directory Grant read access of all attributes of the posix schema Conﬁgure Your Directory Import Name Service Data into Your Directory Import Name Service Data into Your Directory Steps to Importing Name Service Data into Your Directory Conﬁgure the LDAP-UX Client Services Conﬁgure the LDAP-UX Client Services Conﬁgure the LDAP-UX Client Services Quick Conﬁguration Required to start the services Simple Sasl DIGEST-MD5 Conﬁguration Parameter Default Values Conﬁgure the LDAP-UX Client Services Custom Conﬁguration Specify up to three directory hosts, to be searched in order Specify the service you want to map? Specify the attribute you want to map You type 0 to exit this menu for the following question Answer Y instead of the default N For the question You want to create a custom search descriptor for Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁguring the LDAP-UX Client to Use SSL Steps to Download the CA Certiﬁcate from Mozilla Browser Mail users, and Trust the CA to identify software developers Steps to create database ﬁles using the certutil utility Use the rm command to remove the old database ﬁles Conﬁgure the LDAP-UX Client Serivces with SSL Support Conﬁgure LDAP-UX Client Services with Publickey Support Conﬁgure LDAP-UX Client Services with Publickey Support Enhanced Publickey-LDAP Software for HP-UX 11i v1 or JuneOctober Extending the Publickey Schema into Your Directory Admin Proxy UserConﬁguring an Admin Proxy User Using ldapproxyconﬁg Setting ACI for an Admin Proxy User Setting ACI for Key ManagementPassword for an Admin Proxy User An Example Conﬁguring serviceAuthenticationMethod Setting ACI for a User Authentication Methods Procedures Used to Conﬁgure serviceAuthenticationMethod ServiceAuthenticationMethodkeyservsasl/digest-md5 Conﬁguring Name Service Switch Conﬁgure LDAP-UX Client Services with Publickey Support AutoFS Patch Requirement Automount SchemasAutoFS Support AutoFS Support New Automount Schema Schema An Example NisObject Automount Schema Obsolete Automount Schema Removing The Obsolete Automount SchemaLimitations Attribute Mappings Attribute Mappings New Automount Attribute NisObject Automount AutoFS Migration Scripts Migration Scripts DescriptionEnvironment Variables Examples General Syntax For Migration Scripts Migrateautomount.pl Script Syntax AutoFS Support Migratenisautomount.pl Script Following shows the /tmp/autoindirect.ldif ﬁle Migratenispautofs.pl Script Following shows the nispautomap.ldif ﬁle Verify the LDAP-UX Client Services Verify the LDAP-UX Client Services Making sure the output is as expected Verify the LDAP-UX Client Services #cat /etc/nsswitch.conf Conﬁgure Subsequent Client Systems Conﬁgure Subsequent Client Systems Change the current conﬁguration Download the Proﬁle Periodically Download the Proﬁle Periodically Crontab crontab.profile Use r-command for Pamldap Use r-command for Pamldap#passwordas = Password, and turning on the rcommand option for pamldap Use r-command for Pamldap Chapter Ldap Printer Conﬁgurator Overview DeﬁnitionsOverview System How the Ldap Printer Conﬁgurator works How the Ldap Printer Conﬁgurator works System administrator manually adds or removes printers to Printer Conﬁgurator Architecture Printer Conﬁguration Parameters Printer Conﬁguration Parameters Printer Schema Printer SchemaAn Example Printer Schema Managing the LP printer conﬁguration Managing the LP printer conﬁgurationExample Managing the LP printer conﬁguration Managing the LP printer conﬁguration Limitations of Printer Conﬁgurator Limitations of Printer Conﬁgurator Limitations of Printer Conﬁgurator Chapter Administering LDAP-UX Client Using The LDAP-UX Client Daemon Using The LDAP-UX Client DaemonOverview Controlling the client LdapclientdStarting the client Client Daemon performance Command options Diagnostics Missing settings Ldapclientd.confConﬁguration ﬁle syntax Opt/ldapux/conﬁg/setup Using The LDAP-UX Client Daemon 100 Chapter 101 102 Chapter 103 Conﬁguration File Integrating with Trusted Mode Integrating with Trusted ModeFeatures and Limitations Auditing Password and Account Policies PAM Conﬁguration File OthersChapter 107 Conﬁguration Parameter Pamauthz Login Authorization Enhancement Pamauthz Login Authorization EnhancementPolicy And Access Rules Chapter 109 How Login Authorization Works Pamauthz Environment Policy File Chapter 111 Field Syntax in an Access Rule Constructing an Access Rule in pamauthz.policyFields in an Access Rule Actiontyperule Chapter 113 No value is required Action Chapter 115 116 Policy Validator Chapter 117 Adding a Directory Replica Adding a Directory ReplicaAn Example of /etc/opt/ldapux/pamauthz.policy File Displaying the Proxy User’s DN Displaying the Proxy User’s DNChapter 119 Example Verifying the Proxy UserCreating a New Proxy User Verifying the Proxy User Displaying the Current Proﬁle Displaying the Current ProﬁleCreating a New Proﬁle Chapter 121 Changing Which Proﬁle a Client Is Using Modifying a ProﬁleModifying a Proﬁle Changing from Proxy Access to Anonymous Access Changing from Anonymous Access to ProxyAccess Changing from Anonymous Access to Proxy Access Changing from Proxy Access to Anonymous Access Performance Considerations Performance ConsiderationsMinimizing Enumeration Requests Chapter 125 Client Daemon Performance Ldapclientd CachingClient Daemon Performance Map Name Beneﬁts Example Side-Effect Chapter 127 128 Chapter 129 Ldapclientd Persistent Connections Enabling and Disabling LDAP-UX Logging TroubleshootingTroubleshooting Chapter 131 Enabling and Disabling PAM Logging TIP Netscape Directory Server Log Files User Cannot Log on to Client SystemChapter 133 134 You should get output like the following Chapter 135 136 Command and Tool Reference Chapter 137 LDAP-UX Client Services Components LDAP-UX Client Services ComponentsLDAP-UX Client Services Components Description LDAP-UX Client Services Components Component DescriptionChapter 139 LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i PA machine Files Description LDAP-UX Client Services Libraries on the HP-UX 11i v2 PA Machine Files DescriptionChapter 141 LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA Createproﬁlecache Tool Client Management ToolsCreateproﬁleentry Tool Client Management Tools Createproﬁleschema Tool Displayproﬁlecache Tool Getproﬁleentry Tool Chapter 145 Ldapproxyconﬁg Tool Getprofileentry -s NSS File Chapter 147 148 Chapter 149 Beq Search Tool SyntaxBeq Search Tool Examples Chapter 151 152 Uid2dn Tool Chapter 153 Ldap Directory Tools Getattrmap.pl ToolLdap Directory Tools Ldapentry Chapter 155 156 Ldapsearch Chapter 157 Ldapmodify Ldapdelete Certutil Adding One or More Users Adding One or More UsersChapter 159 Default Naming Context Name Service Migration ScriptsName Service Migration Scripts Naming Context Migrating All Your Files Migrating Individual FilesChapter 161 General Syntax for Perl Migration Scripts Migration ScriptsMigration Scripts Script Name Description Script Name Description Chapter 163 164 Chapter 165 Ldappasswd Command Ldappasswd Command Chapter 167 168 To Change Passwords Chapter 169 To Change Passwords Cannot Change Passwords on Replica Servers Chapter 171 172 To Change Personal Information To Change Personal InformationChapter 173 174 Mozilla Ldap C SDK Chapter 175 176 Mozilla Ldap C SDK File Components on the PA machine Mozilla Ldap C SDK File ComponentsMozilla Ldap C SDK File Components Files Description Mozilla Ldap C SDK File Components on the IA machine Chapter 179 Mozilla Ldap C SDK API Header Files Header Files Description Chapter 181 182 Table A-1 LDAP-UX Client Services Conﬁguration Worksheet Appendix a 183 Appendix a Appendix a 185 186 Classes Appendix B 187 Proﬁle Attributes Proﬁle AttributesAppendix B Appendix B 189 190 ﬁle Appendix C 191 Sample /etc/pam.ldap.trusted ﬁle Appendix C Appendix C 193 194 Ldap Data Interchange Format Ldif PAM Authorization Service ModuleGlossary Glossary 195 Slapd Glossary Symbols Index NIS, 2, 12, 15 Pwget, 4, 69 200