HP UX LDAP-UX Integration Software Migration

Migration

If you choose the LDAP approach to integrate HP-UX account management and authentication with Windows 2000, the LDAP-UX Client Services product provides a set of migration tools to help you migrate your user and group information from the local /etc/passwd and group files or NIS server to Active Directory. The tools create an ldif file based on the information you enter interactively or the environment variables you set in advance. All posix data except password will be migrated. There is a technical difficulity to convert unix-encrypted password to the format of password Windows 2000 KDC expects. As a result, all user and group entries are migrated without a password. For security reasons, all user accounts are disabled when they are imported into Active Directory. Before a user can log into a Windows 2000 PC or a HP-UX machine, the Windows 2000 administrator will have to enable the account and set password first.

The migration tools can be found in /opt/ldapux/migrate/ads. Refer to Installing and Administering LDAP-UX with Microsoft Windows 2000 Active Directory for detailed information.

23

Contents

White Paper Legal Notices Introduction HP-UXand Windows 2000 Integration Products PAM: NSS: Windows Active Directory (AD): Kerberos Services: Page How HP-UXand Windows 2000 Products Integrate NIS+PAM_Kerberos: HP-UXclient Windows 2000 server LDAP Integration: Windows 2000 as LDAP server + HP-UXas LDAP Client + HP-UXPAM_Kerberos LDAP: LDAP + PAM_Kerberos: NIS vs. LDAP Integration: Benefits of Integration Configuring Windows 2000 and HP-UXUsing NIS Integration Step 1: Install Active Directory into your Windows 2000 server Step 2: Add an account for HP-UXclient machine to AD Step 3: Use ktpass to create the keytab file for HP-UXclient machine Step 4: Install SFU 2.0, including Server for NIS Step 1: Configure HP-UXas a NIS client Step 2: Change Name Service Switch (NSS) to use NIS Step 3: Start HP-UXas a NIS client Step 1: Download and install the PAM Kerberos product Step 2: Configure your HP-UXmachine to authenticate using PAM Kerberos Step 3: Change /etc/pam.conf to use PAM Kerberos Page Configuring Windows 2000 and HP-UXUsing LDAP Integration Step 2: Install Active Directory administrative tools Step 3: Install SFU 2.0 to extend the posix schema into AD Step 1: Add a proxy user to AD Step 1: Install the LDAP-UXClient Services product into your HP-UXmachine Step 2: Configure your HP-UXmachine to use AD as the directory server Step 3: Configure a proxy user Step 4: Change Name Service Switch (NSS) to use LDAP Security Administration Manage account and password policies Known problems and limitations Slow performance on object enumeration Password expiration End user Login procedure Password change Shell/finger information change Migration Appendix A: Setting a Proxy User’s Access Rights