HP HP-UX LDAP-UX Integration Administrator's Guide

LDAP-UX Client Services B.04.00
Administrator’s Guide
HP-UX 11i v1, v2 and v3
Edition 5
Manufacturing Part Number : J4269-90071
E0207
© Copyright 2007 Hewlett-Packard Company, L.P.
The information in this document is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard
shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.
U.S. Government License
Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notices
Copyright 2006 Hewlett-Packard Company L.P. All rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.
Trademark Notices
UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group. NIS is a trademark of Sun Microsystems, Inc. Netscape and Netscape Directory Server are registered trademarks of Netscape Communications Corporation in the United States and other countries. Other product and brand names are trademarks of their respective owners.
Contents
1. Introduction
Overview of LDAP-UX Client Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
How LDAP-UX Client Services Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Installing And Configuring LDAP-UX Client Services
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Summary of Installing and Configuring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Plan Your Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Install LDAP-UX Client Services on a Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configure Your Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Import Name Service Data into Your Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Steps to Importing Name Service Data into Your Directory . . . . . . . . . . . . . . . . . . . 26
Configure the LDAP-UX Client Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Quick Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Custom Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Configure the LDAP-UX Client Services with SSL Support . . . . . . . . . . . . . . . . . . . . 41
Configuring the LDAP-UX Client to Use SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configure LDAP-UX Client Services with Publickey Support . . . . . . . . . . . . . . . . . . . 46
HP-UX Enhanced Publickey-LDAP Software Requirement on HP-UX 11i v1 or v2 46
Extending the Publickey Schema into Your Directory . . . . . . . . . . . . . . . . . . . . . . . 48
Admin Proxy User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Setting ACI for Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring serviceAuthenticationMethod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring Name Service Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
AutoFS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
AutoFS Patch Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Automount Schemas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Configuring Name Service Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
AutoFS Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Verify the LDAP-UX Client Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configure Subsequent Client Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Download the Profile Periodically. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Use r-command for PAM_LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3. LDAP Printer Configurator Support
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
How the LDAP Printer Configurator works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Printer Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Printer Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
An Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Managing the LP printer configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Limitations of Printer Configurator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4. Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
ldapclientd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
ldapclientd.conf. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Integrating with Trusted Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Features and Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
PAM_AUTHZ Login Authorization Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Policy And Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
How Login Authorization Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Constructing an Access Rule in pam_authz.policy . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Policy Validator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Adding a Directory Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Displaying the Proxy User’s DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Verifying the Proxy User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Creating a New Proxy User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Displaying the Current Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Creating a New Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Modifying a Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Changing Which Profile a Client Is Using . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Changing from Anonymous Access to Proxy Access . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Changing from Proxy Access to Anonymous Access . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Performance Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Minimizing Enumeration Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Client Daemon Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
ldapclientd Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
ldapclientd Persistent Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Enabling and Disabling LDAP-UX Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Enabling and Disabling PAM Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Netscape Directory Server Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
User Cannot Log on to Client System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
5. Command and Tool Reference
The LDAP-UX Client Services Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Client Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
The create_profile_entry Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
The create_profile_cache Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
The create_profile_schema Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
The display_profile_cache Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
The get_profile_entry Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
The ldap_proxy_config Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
beq Search Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
The uid2dn Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
The get_attr_map.pl Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
LDAP Directory Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
ldapentry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ldapsearch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
ldapmodify. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
ldapdelete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
certutil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Adding One or More Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Name Service Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Naming Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Migrating All Your Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Migrating Individual Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
The ldappasswd Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
6. User Tasks
To Change Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
To Change Personal Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7. Mozilla LDAP C SDK
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
The Mozilla LDAP C SDK File Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
A. Configuration Worksheet
B. LDAP-UX Client Services Object Classes
Profile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
C. Sample /etc/pam.ldap.trusted file
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Tables
Table 1. Publishing History Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Table 1-1. Examples of Commands and Subsystems that use PAM and NSS . . . . . . 4
Table 2-1. Configuration Parameter Default Values . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 2-2. Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2 . . . . . . . . . 47
Table 2-3. Patch Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 2-4. Attribute Mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 2-5. Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 4-1. Field Syntax in an Access Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 4-2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Table 5-1. LDAP-UX Client Services Components. . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 5-2. LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i v1 PA machine . . . 140
Table 5-3. LDAP-UX Client Services Libraries on the HP-UX 11i v2 PA machine . . . 141
Table 5-4. LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA machine . . . 142
Table 5-5. Default Naming Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Table 5-6. Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Table 7-1. Mozilla LDAP C SDK File Components on the PA machine . . . . . . . . . 177
Table 7-2. Mozilla LDAP C SDK File Components on the IA machine. . . . . . . . . . 178
Table 7-3. Mozilla LDAP C SDK API Header Files . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table A-1. LDAP-UX Client Services Configuration Worksheet . . . . . . . . . . . . . . . 183
Table A-2. LDAP-UX Client Services Configuration Worksheet Explanation . . . . 184
Figures
Figure 1-1. A Simplified NIS Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Figure 1-2. A Simplified LDAP-UX Client Services Environment . . . . . . . . . . . . . . . 3
Figure 1-3. A Simplified LDAP-UX Client Services Environment . . . . . . . . . . . . . . . 5
Figure 1-4. The Local Start-up File and the Configuration Profile . . . . . . . . . . . . . . . 7
Figure 2-1. Example Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 3-1. Printer Configurator Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Figure 4-1. PAM_AUTHZ Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 6-1. Cannot Change Passwords on Replica Servers . . . . . . . . . . . . . . . . . . . 170
Figure 6-2. Changing Passwords on Master Server with ldappasswd . . . . . . . . . . 171
Figure 6-3. Sample passwd Command Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Preface: About This Document
The latest version of this document can be found on line at:
http://www.docs.hp.com
This document describes how to install and configure the LDAP-UX Client Services product on HP-UX platforms.
The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. See your HP sales representative for details.
Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing the LDAP-UX Client Services. Administrators are expected to have knowledge of the LDAP-UX Client Services Integration product.
New and Changed Documentation in This Edition
This edition documents the following new information for the LDAP-UX Client Services version B.04.00:
Support for the automount service under the AutoFS subsystem. This new feature allows you to store and manage the automount maps in the LDAP directory server.
Support for discovery and management of public keys in an LDAP directory.
The pam_authz login authorization enhancements. This new feature allows you to define access rules in the local policy file, /etc/opt/ldapux/pam_authz.policy.
NIS+ migration scripts that can be used to migrate from an NIS+ domain into an LDAP directory server.
Support for Mozilla LDAP C SDK 5.14.1, which contains a set of LDAP Application Programming Interfaces (APIs) that allow you to build LDAP-enabled clients.
Publishing History
Table 1 Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported   Supported Product Versions   Publication Date
J4269-90016                          11.0, 11i                     B.03.00                      September 2002
J4269-90030                          11.0, 11i v1 and v2           B.03.20                      October 2003
J4269-90038                          11.0, 11i v1                  B.03.30                      July 2004
J4269-90040                          11.0, 11i v1 and v2           B.03.30                      September 2004
J4269-90048                          11i v1 and v2                 B.04.00                      July 2005
J4269-90051                          11i v1 and v2                 B.04.00                      August 2005
J4269-90053                          11i v1 and v2                 B.04.00                      June 2006
J4269-90071                          11i v1, v2 and v3             B.04.00                      February 2007
What’s in This Document
This manual describes how to install, configure and administer the LDAP-UX Client Services software product.
The manual is organized as follows:
Chapter 1, Introduction: Use this chapter to learn the LDAP-UX Client Services product features, components and client administration tools.
Chapter 2, Installing And Configuring LDAP-UX Client Services: Use this chapter to learn how to install, configure, and use the LDAP-UX Client Services software.
Chapter 3, LDAP Printer Configurator Support: Use this chapter to learn how to set up, configure, and use the printer configurator.
Chapter 4, Administering LDAP-UX Client Services: Use this chapter to understand how to administer your LDAP-UX clients to keep them running smoothly and expand them as your computing environment expands.
Chapter 5, Command and Tool Reference: Use this chapter to learn about the commands and tools associated with the LDAP-UX Client Services product.
Chapter 6, User Tasks: Use this chapter to learn how to change passwords and personal information.
Chapter 7, Mozilla LDAP C SDK: Use this chapter to learn the Mozilla LDAP SDK software features and its major file components.
Typographical Conventions
This document uses the following conventions.
Book Title: The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
Emphasis: Text that is emphasized.
Bold: Text that is strongly emphasized.
Bold: The defined use of an important word or phrase.
ComputerOut: Text displayed by the computer.
UserInput: Commands and other text that you type.
Command: A command name or qualified command phrase.
Variable: The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
[]: The contents are optional in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
{}: The contents are required in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
\: The continuous line symbol.
HP Encourages Your Comments
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs.
Please send comments to: netinfo_feedback@cup.hp.com. Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.

1 Introduction

LDAP-UX Client Services simplifies HP-UX system administration by consolidating account and configuration information into a central LDAP directory. This LDAP directory could reside on an HP-UX system such as Netscape Directory Server 6.x, or the account information could be integrated in Windows 2000/2003 Active Directory.
Information provided in this manual outlines the installation and administration tasks of LDAP-UX Client Services with HP-UX based LDAP directories such as Netscape Directory Server 6.x.
For information on the integration of LDAP-UX Client Services with Windows 2000/2003 Active Directory, see LDAP-UX with Microsoft Windows 2000/2003 Active Directory Administrator’s Guide (J4269-90041) at http://docs.hp.com/hpux/internet.
This chapter introduces LDAP-UX Client Services and briefly describes how it works.

Overview of LDAP-UX Client Services

Traditionally, HP-UX account and configuration information is stored in text files, for example, /etc/passwd and /etc/group. NIS was developed to ease system administration by sharing this information across systems on the network. With NIS, account and configuration information resides on NIS servers. NIS client systems retrieve this shared configuration information across the network from NIS servers, as shown below:
Figure 1-1 A Simplified NIS Environment
(Figure: the NIS master server transfers maps to NIS slave servers; NIS clients send NIS requests to the servers.)
LDAP-UX Client Services improves on this configuration information sharing. HP-UX account and configuration information is stored in an LDAP directory, not on the local client system. Client systems retrieve this shared configuration information across the network from the LDAP directory, as shown below. LDAP adds greater scalability, interoperability with other applications and platforms, and less network traffic from replica updates.
Figure 1-2 A Simplified LDAP-UX Client Services Environment
(Figure: the LDAP Directory Server sends updates to an LDAP Directory Server Replica; LDAP-UX clients send LDAP requests to the servers.)
LDAP-UX Client Services supports the following name service data: passwd, groups, hosts, rpc, services, networks, protocols, publickeys, automount, netgroup. See the LDAP-UX Integration B.04.00 Release Notes for any additional supported services.

How LDAP-UX Client Services Works

LDAP-UX Client Services works by leveraging the authentication mechanism provided in the Pluggable Authentication Module, or PAM, and the naming services provided by the Name Service Switch, or NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for information on PAM. For information on NSS, see switch(4) and “Configuring the Name Service Switch” in Installing and Administering NFS Services at http://docs.hp.com/hpux/communications/#NFS.
These extensible mechanisms allow new authentication methods and new name services to be installed and used without changing the underlying HP-UX commands. And, by supporting the PAM architecture, the HP-UX client becomes truly integrated in the LDAP environment. The PAM_LDAP library allows the HP-UX system to use the LDAP directory as a trusted server for authentication. This means that passwords may be stored in any syntax, and also that passwords may remain hidden from view (preventing a decryption attack on the hashed passwords). Because passwords may be stored in any syntax, HP-UX can share passwords with other LDAP-enabled applications.
With LDAP-UX Client Services B.03.20 or later versions, the client daemon, ldapclientd, becomes the center of the product. It supports all NSS backend services for LDAP and data enumeration. It also supports PAM_LDAP for authentication and password change.
With LDAP-UX Client Services, HP-UX commands and subsystems can transparently access name service information from the LDAP directory through ldapclientd. The following table shows some examples of commands and subsystems that use PAM and NSS:
Table 1-1 Examples of Commands and Subsystems that use PAM and NSS

Commands that use NSS        Commands that use PAM and NSS
ls                           login
nsquery (a)                  passwd
who                          ftp
whoami                       su
finger (b)                   rlogin
id                           telnet
logname                      dtlogin
groups (b)                   remsh
newgrp (b)                   nslookup
pwget (b)
grget (b)
listusers (b)
logins (b)

a. nsquery(1) is a contributed tool included with the ONC/NFS product.
b. These commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases.
Figure 1-3 A Simplified LDAP-UX Client Services Environment
(Figure: on the LDAP-UX client, PAM (login, ftpd, etc.) and NSS (ls, who, etc.) call ldapclientd, which uses the LDAP C SDK to send LDAP requests to the LDAP Directory Server.)
In addition, the getpwent(3C) and getgrent(3C) family of system calls get user and group information from the directory.
After you install and configure an LDAP directory and migrate your name service data into it, HP-UX client systems locate the directory from a “start-up file.” The start-up file tells the client system how to download a “configuration profile” from the LDAP directory. The configuration profile is a directory entry containing configuration information common to many clients. Storing it in the directory lets you maintain it in one place and share it among many clients rather than storing it redundantly across the clients. Because the configuration information is stored in the directory, all each client needs to know is where its profile is, hence the start-up file. Each client downloads the configuration profile from the directory.
The profile is an entry in the directory containing details on how clients are to access the directory, such as:
where and how clients should search the directory for user, group and other name service information.
how clients should bind to the directory: anonymously or as a proxy user. Anonymous access is simplest. Configuring a proxy user adds some security, but at the same time it adds the overhead of managing the proxy user.
other configuration parameters such as search time limits.
Figure 1-4 The Local Start-up File and the Configuration Profile
(Figure: the start-up file on the LDAP-UX client points to the configuration profile in the LDAP directory; the shared configuration profile is stored in the directory and downloaded to all LDAP-UX clients.)
The following chapter describes in detail how to install, configure, and verify LDAP-UX Client Services.
2 Installing And Configuring LDAP-UX Client Services
This chapter describes the decisions you need to make and the steps to install Netscape and configure LDAP-UX Client Services. This chapter contains the following sections:
“Before You Begin” on page 9.
“Summary of Installing and Configuring” on page 10.
“Plan Your Installation” on page 12.
“Install LDAP-UX Client Services on a Client” on page 20.
“Configure Your Directory” on page 21.
“Import Name Service Data into Your Directory” on page 25.
“Configure the LDAP-UX Client Services” on page 27.
“Configure the LDAP-UX Client Services with SSL Support” on page 41.
“Configure LDAP-UX Client Services with Publickey Support” on page 46.
“AutoFS Support” on page 55.
“Verify the LDAP-UX Client Services” on page 68.
“Configure Subsequent Client Systems” on page 72.
“Download the Profile Periodically” on page 74.
“Use r-command for PAM_LDAP” on page 76.

Before You Begin

This section lists some things to keep in mind as you plan your installation.
Use the configuration worksheet to record your decisions and other information you’ll need later for configuration in Appendix A, “Configuration Worksheet,” on page 183.
See the LDAP-UX Integration B.04.00 Release Notes (J4269-90042) at http://docs.hp.com/hpux/internet for last-minute information.
You must have an LDAP directory. You can obtain the Netscape Directory Server for HP-UX version 6.x from your local HP sales office or www.hp.com and view the documentation at http://docs.hp.com/hpux/internet/#Netscape%20Directory%20Server.
See the white paper Preparing Your Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for advice on how to set up and configure your directory to work with HP-UX.
Most examples here use the Netscape Directory Server for HP-UX version 6.x and assume you have some knowledge of this directory and its tools, such as the Directory Console and ldapsearch. If you have another directory, consult your directory’s documentation for specific information.
For details on how to integrate LDAP-UX Client Services with Windows 2000 Active Directory, please refer to LDAP-UX Client Services with Microsoft Windows 2000/2003 Active Directory Administrator’s Guide (J4269-90041) at http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration.
The examples use a base DN of o=hp.com for illustrative purposes.
Summary of Installing and Configuring
The following summarizes the steps you take when installing and configuring an LDAP-UX Client Services environment.
See “Plan Your Installation” on page 12.
Install LDAP-UX Client Services on each client system. See “Install LDAP-UX Client Services on a Client” on page 20.
Install and configure an LDAP directory, if not already done. See “Configure Your Directory” on page 21.
Configure your LDAP server to support SSL if you attempt to enable SSL support with LDAP-UX.
Migrate your name service data to the directory. See “Import Name Service Data into Your Directory” on page 25.
Install and set up the security database files on the LDAP-UX client system if you want to enable SSL support with LDAP-UX. See “Configure the LDAP-UX Client Services with SSL Support” on page 41.
Run the setup program to configure LDAP-UX Client Services on a client system. Setup does the following for you:
— Extends your Netscape directory schema with the configuration profile schema, if not already done.
— Imports the LP printer schema into your LDAP directory server if you choose to start the LDAP printer configurator.
— Imports the publickey schema into your LDAP directory if you choose to store the public keys of users and hosts in the LDAP directory.
— Imports the automount schema into your LDAP directory server if you choose to store the AutoFS maps in the LDAP directory.
— Creates a start-up file on the client. This enables each client to download the configuration profile.
— Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients.
— Downloads the configuration profile from the directory to the client.
— Starts the product daemon, ldapclientd, if you choose to start it.
Starting with LDAP-UX Client B.03.20 or later, the client daemon must be started for LDAP-UX functions to work. With LDAP-UX Client B.03.10 or earlier, running the client daemon is optional.
See “Configure the LDAP-UX Client Services” on page 27.
Modify the files /etc/pam.conf and /etc/nsswitch.conf on the client to specify LDAP authentication and name service, respectively. See “Configure the LDAP-UX Client Services” on page 27.
Optionally modify the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file to disable logins to the local system from specific ldap users.
Optionally modify the /etc/opt/ldapux/pam_authz.policy and /etc/pam.conf files to verify the user access rights of a subset of users in a large repository needing access, if appropriate. See the pam_authz(5) man page for the command syntax.
Verify each client is working properly. See “Verify the LDAP-UX Client Services” on page 68.
See also “Configure Subsequent Client Systems” on page 72 for some shortcuts.
Plan Your Installation

Before beginning your installation, you should plan how you will set up and verify your LDAP directory and your LDAP-UX Client Services environment before putting them into production. Consider the following questions. Record your decisions and other information you’ll need later in Appendix A, “Configuration Worksheet,” on page 183.
How many LDAP directory servers and replicas will you need?
Each client system binds to an LDAP directory server containing your user, group, and other data. Multiple clients can bind to a single directory server or replica server. The answer depends on your environment, the size and configuration of your directory and how many users and clients you have. Write your directory server host and TCP port number in Appendix A, “Configuration Worksheet,” on page 183. See the white paper Preparing Your Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for more information.
See the Netscape Directory Server Deployment Guide for more information. You can add directory replicas to an existing LDAP-UX Client Services environment as described under “Adding a Directory Replica” on page 118. You may also want to review the LDAP-UX performance white paper at http://docs.hp.com/hpux/internet.
Where will you get your name service data from when migrating it to the directory?
You can get it from your files in the /etc directory or, if you are using NIS, from the same source files you create your NIS maps from, or you can get it from your NIS maps themselves. Write this information in Appendix A, “Configuration Worksheet,” on page 183.
See “Import Name Service Data into Your Directory” on page 25 for how to import your information into the directory and “Name Service Migration Scripts” on page 160 for details on the migration scripts.
To add an individual user entry or modify an existing user entry in your directory, you can use the ldapmodify command or other directory administration tools such as the Netscape Console. See also the LDAP-UX Integration B.03.20 Release Notes for additional contributed tools.
NOTE You should keep a small subset of users in /etc/passwd, particularly the root login. This allows administrative users to log in during installation and testing. Also, if the directory is unavailable you can still log in to the system.
Where in your directory will you put your name service data?
Your directory architect needs to decide where in your directory to place your name service information. LDAP-UX Client Services by default expects user and group data to use the object classes and attributes specified by RFC 2307. The migration scripts by default create and populate a new subtree that conforms to RFC 2307. Figure 2-1 on page 15 shows a base DN of ou=unix,o=hp.com. Write the base DN of your name service data in Appendix A, “Configuration Worksheet,” on page 183.
If you prefer to merge your name service data into an existing directory structure, you can map the standard RFC 2307 attributes to alternate attributes. See “LDAP-UX Client Services Object Classes” on page 187 for more information.
How will you put your user, group, and other data into your directory?
LDAP supports group membership defined in the X.500 syntax (using the member or uniquemember attribute), while still supporting the RFC 2307 syntax (using the memberuid attribute). This new group membership syntax improves LDAP-UX’s integration with other LDAP-based applications, and may reduce administration overhead by eliminating the need to manage the memberuid attribute. In addition, a new performance improvement has been made through the addition of a caching daemon which caches passwd, group and X.500 group membership information retrieved from an LDAP server. This significantly reduces LDAP-UX’s response time to applications. The daemon also re-uses connections for LDAP queries and maintains multiple connections to an LDAP server to improve performance.
The migration scripts provided with LDAP-UX Client Services can build and populate a new directory subtree for your user and group data.
If you merge your data into an existing directory, for example to share user names and passwords with other applications, the migration scripts can create LDIF files of your user data, but you will have to write your own scripts or use other tools to merge the data into your directory. You can add the posixAccount object class to your users already in the directory to leverage your existing directory data.
See “Import Name Service Data into Your Directory” on page 25 for how to import your information into the directory and “Name Service Migration Scripts” on page 160 for details on the migration scripts.
CAUTION If you place a root login in the LDAP directory, that user and password will be able to log in as root to any client using LDAP-UX Client Services. Keeping the root user in /etc/passwd on each client system allows the root user to be managed locally. This can be especially useful if the network is down because it allows local access to the system.
It is not recommended that you put the same users both in /etc/passwd and in the directory. This could lead to conflicts and unexpected behavior.
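As an added example (not HP’s migration scripts and not code from this guide), the following Python script builds RFC 2307 LDIF for a new ou=unix,o=hp.com subtree from passwd and group lines, and keeps the root login out of the directory as the CAUTION above advises. It assumes the Figure 2-1 layout (ou=people and ou=groups under the base DN) and uses constructed sample /etc/passwd and /etc/group lines with a placeholder password hash. Group membership is emitted in the RFC 2307 memberUid form only; the X.500 member/uniquemember form depends on which object classes your server’s schema allows next to posixGroup, so it is left to the directory architect.

```python
"""Generate RFC 2307 LDIF for a new ou=unix,o=hp.com subtree from passwd/group lines.

Added example for this guide; not HP's LDAP-UX migration scripts.
Assumptions: base DN ou=unix,o=hp.com with ou=people and ou=groups below it
(Figure 2-1 layout); the /etc/passwd and /etc/group lines below are constructed.
"""
import base64

BASE_DN = "ou=unix,o=hp.com"            # assumed base DN, as in the guide's examples
PEOPLE_DN = "ou=people," + BASE_DN
GROUPS_DN = "ou=groups," + BASE_DN

# Constructed sample input in /etc/passwd and /etc/group format.
# "x" means the hash lives in the shadow file; bob's hash is a placeholder, not real.
SAMPLE_PASSWD = """\
root:x:0:3::/:/sbin/sh
alice:x:501:20:Alice Example:/home/alice:/usr/bin/sh
bob:$1$abc$PLACEHOLDERHASH:502:20:Bob Example:/home/bob:/usr/bin/ksh
"""
SAMPLE_GROUP = """\
root::0:root
users::20:alice,bob
"""


def ldif_attr(name, value):
    """One LDIF attribute line; values LDIF cannot carry literally are base64-encoded."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def parse_passwd(text, keep_local=frozenset({0})):
    """Parse passwd lines; uids in keep_local (root by default) stay in /etc/passwd."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        if int(uid) in keep_local:
            continue
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def user_entry(u):
    """LDIF for one RFC 2307 posixAccount under ou=people."""
    lines = [
        f"dn: uid={u['name']},{PEOPLE_DN}",
        "objectClass: top",
        "objectClass: account",        # structural class; posixAccount is auxiliary
        "objectClass: posixAccount",
        ldif_attr("uid", u["name"]),
        ldif_attr("cn", u["name"]),
        f"uidNumber: {u['uid']}",
        f"gidNumber: {u['gid']}",
        ldif_attr("homeDirectory", u["home"]),
    ]
    if u["shell"]:
        lines.append(ldif_attr("loginShell", u["shell"]))
    if u["gecos"]:
        lines.append(ldif_attr("gecos", u["gecos"]))
    # Only a real crypt(3) hash is migrated, tagged {crypt}; "x", "*" or "!" carry none.
    if u["pw"] not in ("", "x", "*", "!"):
        lines.append(ldif_attr("userPassword", "{crypt}" + u["pw"]))
    return "\n".join(lines) + "\n"


def group_entry(name, gid, members, migrated):
    """LDIF for one posixGroup; memberUid lines refer only to users that were migrated."""
    lines = [
        f"dn: cn={name},{GROUPS_DN}",
        "objectClass: top",
        "objectClass: posixGroup",
        ldif_attr("cn", name),
        f"gidNumber: {gid}",
    ]
    lines += [f"memberUid: {m}" for m in members if m in migrated]
    return "\n".join(lines) + "\n"


def build_ldif(passwd_text, group_text, keep_local=frozenset({0})):
    """Return LDIF for every migrated user and every group, ready for ldapmodify -a."""
    users = parse_passwd(passwd_text, keep_local)
    migrated = {u["name"] for u in users}
    entries = [user_entry(u) for u in users]
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        entries.append(group_entry(name, int(gid), [m for m in members.split(",") if m], migrated))
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD, SAMPLE_GROUP), end="")
```

Because root is never migrated, the generated root group carries no memberUid for it and no uid=root entry exists under ou=people, so the directory cannot be used to log in as root on any client; the same keep_local set can be widened to every account you intend to manage only in /etc/passwd, which also avoids the duplicate-user conflicts mentioned above.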
How many profiles do you need?
A configuration profile is a directory entry that contains configuration information shared by a group of clients. The profile contains the information clients need to access user and group data in the directory, for example:
— Your directory server hosts
— Where user, group, and other information is in the directory
— The method clients use to bind to the directory
— Other configuration parameters such as search time limits
If these parameters are the same for all your clients, you would need only one profile. You will need at least one profile per directory server or replica. In general, it is a good idea to have as few profiles as necessary to simplify maintenance. Look at the posixNamingProfile object class in Appendix B, “LDAP-UX Client Services Object Classes,” on page 187 to see what is in a profile to decide how many different profiles you need.
Chapter 214
If you are familiar with NIS, one example is to create a separate profile for each NIS domain.
Where in your directory will you put your profile?
The profile contains directory access information. It specifies how and where clients can find user and group data in the directory. You can put the profile anywhere you want as long as the client systems can read it. For example, you might put it near your user data, or in a separate administrative area. You should put the profile in the same directory as your user and group data to simplify access permissions. Clients must have access to both the profile and the user and group data. The following example shows a configuration profile DN of cn=profile1,ou=profiles,ou=devices,ou=unix,o=hp.com.
Figure 2-1 Example Directory Structure
[Figure: directory tree o=hp.com > ou=unix, with ou=people (user data), ou=groups (group data), ou=profiles (profile1) and ou=hosts (host data) below ou=unix]
Write your configuration profile DN on the worksheet in Appendix A, “Configuration Worksheet,” on page 183.
By what method will client systems bind to the directory?
Clients can bind to the directory anonymously. This is the default and is simplest to administer. If you need to prevent access to your data from anonymous users or your directory does not support anonymous access, you can use a proxy user. If you configure a proxy user, you can also configure anonymous access to be attempted in the event the proxy user fails.
Write your client access method and proxy user DN, if needed, on the worksheet in Appendix A, “Configuration Worksheet,” on page 183.
How will you increase the security level of the product to prevent an unwanted user from logging in to the system via LDAP? What is the procedure to set up increased login security?
The default is to allow all users stored in the LDAP directory to log in. To disallow specific users from logging in to a local system, you will have to configure the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file. There are two sections in this file, the [profile] section and the [NSS] section. HP recommends that you do not edit the [profile] section. The [NSS] section contains the disable_uid_range flag along with two logging flags. For example, the flag might look like this: disable_uid_range=0-100, 300-450, 89.
Another common example is to disable root access. This flag would look like this: disable_uid_range=0.
When the disable_uid_range is turned on, the disabled uid will not be displayed when you run commands such as pwget, listusers, logins, etc.
NOTE The passwd command may still allow you to change a password for a disabled user when alternative authentication methods, such as PAM Kerberos, are used since LDAP does not control these subsystems.
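The following Python script is an added example, not part of LDAP-UX, that reads disable_uid_range from the [NSS] section of a constructed ldapux_client.conf, parses the guide’s example value 0-100, 300-450, 89 into inclusive ranges, and hides directory users in those ranges from a constructed list of passwd entries the way pwget and listusers would. The configuration text and the user list are constructed here; only the flag name and its example values come from the guide.

```python
"""Apply the disable_uid_range flag from /etc/opt/ldapux/ldapux_client.conf.

Added example, not LDAP-UX code: it reproduces the flag's documented effect
(directory users in the listed uid ranges cannot log in and are hidden from
pwget/listusers) on a constructed [NSS] section and constructed LDAP entries.
"""
import re

# Constructed sample of ldapux_client.conf; the flag value is the guide's own example.
SAMPLE_CONF = """\
[profile]
# written by setup; HP recommends not editing this section
[NSS]
disable_uid_range=0-100, 300-450, 89
"""

# Constructed sample of (name, uid) pairs as resolved from the directory, not /etc/passwd.
SAMPLE_ENTRIES = [
    ("root", 0), ("adm", 4), ("alice", 89), ("bob", 150),
    ("carol", 300), ("dave", 450), ("erin", 451),
]


def read_nss_flag(conf_text, flag="disable_uid_range"):
    """Return the value of a flag in the [NSS] section, or None when it is absent."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        if section == "NSS" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == flag:
                return value.strip()
    return None


def parse_uid_ranges(value):
    """Turn "0-100, 300-450, 89" into inclusive (low, high) tuples; a bare uid is a one-uid range."""
    ranges = []
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", part)
        if m is None:
            raise ValueError(f"bad disable_uid_range element: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if high < low:
            raise ValueError(f"reversed range: {part!r}")
        ranges.append((low, high))
    return ranges


def uid_disabled(uid, ranges):
    """True when uid falls inside any disabled range."""
    return any(low <= uid <= high for low, high in ranges)


def visible_entries(entries, ranges):
    """Mimic pwget/listusers: directory users in a disabled range are not shown."""
    return [(name, uid) for name, uid in entries if not uid_disabled(uid, ranges)]


def login_allowed(uid, conf_text):
    """Decision for one directory user: allowed unless its uid is disabled in [NSS]."""
    return not uid_disabled(uid, parse_uid_ranges(read_nss_flag(conf_text)))


if __name__ == "__main__":
    ranges = parse_uid_ranges(read_nss_flag(SAMPLE_CONF))
    for name, uid in SAMPLE_ENTRIES:
        print(f"{name:6} uid={uid:<4} {'hidden' if uid_disabled(uid, ranges) else 'visible'}")
```

The flag governs only users resolved from the directory, which is why disable_uid_range=0 pairs naturally with the NOTE above: a root entry kept in /etc/passwd keeps working locally while a uid 0 account in LDAP can neither log in nor appear in pwget output on that client.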
What PAM authentication will you use? How will you set up /etc/pam.conf? What other authentication do you want to use & in what order?
PAM is the Pluggable Authentication Module, providing authentication services. You can configure PAM to use ldap, Kerberos, or other traditional UNIX locations (for example files, NIS, NIS+) as controlled by NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information on PAM.
It is recommended you use HP-UX file-based authentication first, followed by LDAP or other authentication. /etc/pam.ldap is an example of this configuration. With this configuration, PAM uses traditional authentication first, searching /etc/passwd when any user logs in, then attempts to authenticate to the directory if the user is
Chapter 216
Loading...
+ 184 hidden pages