Installing and Administering LDAP-UX Client Services with Microsoft Windows 2000 Active Directory > Chapter 1 Introduction

Overview of LDAP-UX Client Services
Traditionally, HP-UX account and configuration information is stored in text files, for example /etc/passwd and /etc/group. NIS was developed to ease system administration by sharing this information across systems on the network. With NIS, account and configuration information resides on NIS servers. NIS client systems retrieve this shared configuration information across the network from NIS servers, as shown below:

LDAP-UX Client Services for Active Directory improves on this configuration information sharing. HP-UX account and configuration information is stored in Active Directory, not on the local client system. Client systems retrieve this shared configuration information across the network from the Active Directory directory, as shown below. This adds greater scalability, interoperability with other applications and platforms, and less network traffic from replica updates.

LDAP-UX Client Services for Microsoft Windows 2000 Active Directory supports the passwd and group name service data. See the LDAP-UX Client Services Release Notes for any additional supported services.

LDAP-UX Client Services works by leveraging the authentication mechanism provided in the Pluggable Authentication Module, or PAM, and the naming services provided by the Name Service Switch, or NSS. See pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for information on PAM. For information on NSS, see switch(4) and "Configuring the Name Service Switch" in Installing and Administering NFS Services at http://docs.hp.com/hpux/communications/#NFS. These extensible mechanisms allow new authentication methods and new name services to be installed and used without changing the underlying HP-UX commands. In particular, to allow integration of HP-UX account management in Windows 2000, the PAM architecture now supports Kerberos authentication.

Kerberos, an industry standard for network security, is seamlessly integrated in the Windows 2000 operating system through the automatic configuration of Active Directory domain controllers to provide Kerberos with authentication services. This enables Windows 2000 to authenticate Kerberos clients regardless of what platform they reside on. The following figure illustrates the integration between HP-UX and Windows 2000 for SFU version 2.0.

With LDAP-UX Client Services, HP-UX commands and subsystems can transparently access name service information from the Active Directory through PAM and NSS. Table 1-1 shows some examples of commands and subsystems that use PAM and NSS.

Table 1-1 Examples of Commands and Subsystems that use PAM and NSS
In addition, the getpwent(3C) and getgrent(3C) family of system calls get user and group information from the directory.

After you install and configure the Active Directory and migrate your name service data into it, HP-UX client systems locate the directory from a "start-up file." The start-up file tells the client system how to download a "configuration profile" from the Active Directory.

The configuration profile is a directory entry containing configuration information common to many clients. Storing it in the directory lets you maintain it in one place and share it among many clients rather than storing it redundantly across the clients. Because the configuration information is stored in the directory, all each client needs to know is where its profile is, hence the start-up file. Each client downloads the configuration profile from the directory.

The profile is an entry in the directory containing details on how clients are to access the directory. These details might include: where and how clients should search the directory for user, group and other name service information or other configuration parameters such as search time limits.

The following chapter describes in detail how to install, configure, and verify LDAP-UX Client Services with Microsoft Windows 2000 Active Directory.
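
Because commands reach the directory through getpwent(3C) rather than by reading /etc/passwd, an audit of the merged account view has to go through the same calls. The following is an added example, not taken from the HP manual: it enumerates entries via getpwent() and flags UIDs shared by differently named accounts and UID 0 accounts other than root. The function names and the sample records are constructed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
struct acct { char name[64]; uid_t uid; };
/* Constructed sample records (not real accounts) used to exercise the checks. */
static const struct acct SAMPLE[] = {
    {"root", 0}, {"alice", 1001}, {"bob", 1002}, {"svcadmin", 0}, {"carol", 1001} };
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Read every entry getpwent() returns; NSS, not this code, picks the source. */
size_t collect_accounts(struct acct *out, size_t max) {
    size_t n = 0;
    struct passwd *pw;
    setpwent();
    while (n < max && (pw = getpwent()) != NULL) {
        snprintf(out[n].name, sizeof out[n].name, "%s", pw->pw_name);
        out[n++].uid = pw->pw_uid;
    }
    endpwent();
    return n;
}

/* Count entries whose UID is already used by a differently named earlier entry. */
size_t count_uid_collisions(const struct acct *a, size_t n) {
    size_t hits = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (a[i].uid == a[j].uid && strcmp(a[i].name, a[j].name) != 0) {
                printf("uid %lu: %s shares it with %s\n",
                       (unsigned long)a[i].uid, a[i].name, a[j].name);
                hits++; break;
            }
    return hits;
}

/* Count UID 0 entries that are not named root. */
size_t count_extra_uid0(const struct acct *a, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (a[i].uid == 0 && strcmp(a[i].name, "root") != 0) hits++;
    return hits;
}

int main(void) {
    static struct acct live[4096];
    size_t n = collect_accounts(live, 4096);
    printf("%zu UID collisions, ", count_uid_collisions(live, n));
    printf("%zu extra UID 0 entries\n", count_extra_uid0(live, n));
}
```

The same user name returned by two sources is not counted as a collision, since only differently named entries sharing a UID are flagged.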