This section describes the requirements and steps for preparing Active Directory to work with LDAP-UX Client Services.

NOTE: If you will be configuring your system for ADS multiple domains, there are additional configuration instructions to follow. These are listed as bulleted items under the appropriate step number.
Step 1. Install Active Directory.

Even though Active Directory is an integral component of the Windows 2000 operating system, you will need to install it separately once Windows 2000 Server has been installed on your computer. After the final reboot of your Windows 2000 installation, the "Windows 2000 Configure Your Server" screen is displayed. Choose "Active Directory" (in the left column) and click on "Start" to initiate the Active Directory Installation Wizard. You can also initiate the Active Directory Installation Wizard at any future time by clicking on "Start", "Programs", "Administrative Tools", "Configure Your Server". Choose Active Directory and click on "Start".

Administrative tools are required for you to manage Active Directory. These tools are included with Windows 2000 Server to simplify directory administration. If your system is running Windows 2000 Professional, you will have to install the Windows 2000 Administrative Tools separately. Make sure you have "Active Directory Users and Computers", which is needed to manage user accounts. Another Active Directory administrative tool is the Active Directory Schema snap-in, which allows you to manage your Active Directory schema. For installation, check the Active Directory on-line help topic "Manage the schema". You may also need the ADSI (Active Directory Services Interface) editor. It is part of the Windows 2000 Support Tools and is used to create and modify Active Directory objects. The Windows 2000 Support Tools can be found on the Windows 2000 Server CD; run support/tools/setup to start the setup wizard.

- If you will be using ADS multiple domains: Set up the ADS forest. Ideally, the local domain should contain the most frequently accessed data.
Step 2. Install SFU 2.0 or 3.0, including Server for NIS.

Posix accounts have some attributes, such as user ID, login shell, and home directory, which are not used by Windows 2000. To use Active Directory as a data repository for HP-UX users, the Active Directory schema needs to be extended to include the posix schema defined in RFC 2307. Server for NIS, a tool available with the Services for Unix (SFU) add-on package, extends the Active Directory schema based on RFC 2307 to allow integration of posix attributes. For corresponding Windows objects that exist in Active Directory (such as password and group), Server for NIS adds posix attributes to the same object, creating a unique object representing both posix and Windows identities. For example, information needed for a UNIX user is stored in Active Directory as part of the Active Directory Domain Users group. To allow storing posix attributes, Server for NIS extends the Users group with msSFUPosixAccount as its auxiliary class (SFU version 2.0). This allows posix attributes to be added to newly created objects of the User class. More information on SFU can be found on the Microsoft web site at http://www.microsoft.com/windows2000/sfu/.

NOTE: By default, LDAP-UX Client Services works with SFU version 2.0. If you install SFU version 3.0 on a Windows 2000 server, you will need to perform additional steps to configure LDAP-UX on your HP-UX machine. For detailed information, refer to Appendix F, "Configuring LDAP-UX Client Services to Work With SFU 3.0".
Step 3. Create a proxy user.

The use of a proxy user is mandatory for Active Directory, as anonymous binding does not grant enough access rights to retrieve user, group or any other name service data. Use the Windows 2000 management tool Active Directory Users and Computers to add a proxy user as a member of the "Domain Users" group. For example, you might add a user with the DN:

    CN=Proxy User, DC=Users, DC=cup, DC=hp, DC=com

CAUTION: Make sure the proxy user is a member of the Domain Users group, which allows read access only, and not of the Administrator group, so that Active Directory entries are protected from malicious modifications.
A proxy user's access rights to objects in Active Directory depend on the default permissions Active Directory was configured with during installation. The two possible permission options are:

- Installation with "Permissions Compatible with Pre-Windows 2000 Servers": Using this permission option, any authenticated user is granted read access to all attributes, including posix attributes. This means that any user can be configured as a proxy user. For security reasons, this may not be your best choice.

- Installation with "Windows 2000 Compatible Access": Using this permission option, authenticated users are granted the right to read all properties of their own objects, but they have limited access to attributes of other objects. Since a proxy user needs to be able to read all users' and groups' posix attributes, the administrator will need to specifically extend the access capabilities for proxy users. You can do this through one of the following alternatives:

  - Configure the proxy user to be a member of the "Pre-Windows 2000 Compatible Access" group. By doing this, you allow the proxy user to read all properties of user and group objects. Here is how to configure it:

    a) Start Active Directory Users and Computers.
    b) From the domain tree, click Builtin.
    c) Double-click "Pre-Windows 2000 Compatible Access" and choose the "Members" tab.
    d) Click "Add"; from the list of all users and groups, choose the user name which you want to configure as a proxy user, then click "Add".
    e) Click "OK" to save the configuration.

  - Delegate posix attribute read access to the proxy user. By doing this, you allow the proxy user to read only the posix attributes of user and group objects:

    a) Start Active Directory Users and Computers.
    b) Click the container which contains the proxy user; usually it is "Users".
    c) Choose "Delegate Control" from the Action menu.
    d) The Delegation of Control Wizard starts; click "Next".
    e) On the following screen, click "Add" to get a list of users and groups. Choose the proxy user, and click "Add" and "OK".
    f) Back on the screen to select users and groups, click "Next".
    g) You are given the screen to identify the scope of the task you want to delegate. Choose "Only the following objects in folder", check "Group objects", and click "Next".
    h) You are given a screen to select the permissions. Choose "Property-specific" and the following permissions, then click "Next":
       For SFU version 2.0: Read gidNumber, Read memberUid, Read msSFUName
       For SFU version 3.0: Read msSFU30GidNumber, Read msSFU30MemberUid, Read msSFU30Password, Read msSFU30Name
    i) You are given the screen which confirms your configuration. Click "Finish" if everything is correct; otherwise, click "Back" to change it.

    Repeat the above steps to delegate user posix attributes to the proxy user by choosing "User objects" in g), and choosing the following posix user attributes in h):
       For SFU version 2.0: Read gecos, Read loginShell, Read msSFUHomeDirectory, Read gidNumber, Read uidNumber, Read msSFUName
       For SFU version 3.0: Read msSFU30Gecos, Read msSFU30LoginShell, Read msSFU30HomeDirectory, Read msSFU30GidNumber, Read msSFU30UidNumber, Read msSFU30Name
- If you will be using ADS multiple domains: If you configure LDAP-UX with ADS multiple domains, configure a proxy user as described above in any one of the domains, then configure the same proxy user in every domain which you want to include in your remote domain support with LDAP-UX. For example, first configure a proxy user proxyusr for the domain ldap.hp.com. Next, include the domain eng.hp.com in the support, and add proxyusr@ldap.hp.com to the domain eng.hp.com using the above steps. Repeat these steps for every domain you want to include. If you have multiple LDAP-UX clients, you can also configure one proxy user for each client, as long as the proxy user has the access rights to all domains that the client wants to access. The proxy user needs to have the right to read passwd and group information in multiple domains.
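Once the proxy user exists and read access has been delegated, a practical check from the HP-UX side is to search Active Directory bound as the proxy user and confirm that every delegated posix attribute is actually returned. The following Python example is added here and is not part of the LDAP-UX documentation: it parses LDIF search output (a constructed sample is embedded; no directory is contacted) and reports the user attributes the proxy user could not read, which is the symptom of an incomplete delegation.

```python
# Added example, not LDAP-UX code: check which posix user attributes a proxy
# user could actually read. Attribute names are those delegated in step h).
REQUIRED_USER = {
    "2.0": ["msSFUName", "uidNumber", "gidNumber", "gecos", "loginShell", "msSFUHomeDirectory"],
    "3.0": ["msSFU30Name", "msSFU30UidNumber", "msSFU30GidNumber", "msSFU30Gecos",
            "msSFU30LoginShell", "msSFU30HomeDirectory"],
}

def parse_ldif(text):
    """Split LDIF output into entries {attr: [values]}, attr lower-cased (LDAP names are case-insensitive)."""
    entries, entry = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():                # a blank line ends an entry
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def missing_attrs(entry, sfu_version):
    """Required posix user attributes that the search did not return."""
    return [a for a in REQUIRED_USER[sfu_version] if a.lower() not in entry]

def to_passwd_line(entry, sfu_version):
    """passwd-style line LDAP-UX could build, or None if a field is unreadable."""
    if missing_attrs(entry, sfu_version):
        return None
    name, uid, gid, gecos, shell, home = (
        entry[a.lower()][0] for a in REQUIRED_USER[sfu_version])
    return f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"

# Constructed sample of a search bound as the proxy user: "ann" is fully readable;
# "bob" lacks uidNumber/gidNumber, as when delegation was not repeated for "User objects".
SAMPLE_LDIF = """\
dn: CN=ann,CN=Users,DC=example,DC=com
msSFUName: ann
uidNumber: 1001
gidNumber: 100
gecos: Ann Example
loginShell: /bin/sh
msSFUHomeDirectory: /home/ann

dn: CN=bob,CN=Users,DC=example,DC=com
msSFUName: bob
gecos: Bob Example
loginShell: /bin/sh
msSFUHomeDirectory: /home/bob
"""
```

Run the same check against real ldapsearch output bound as the proxy user; any entry reported with missing attributes points at a container or object class the delegation did not cover.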
Step 4. Add an account for the HP-UX client machine to Active Directory.

Use the Active Directory Users and Computers tool to create a user account for your HP-UX host.

- If you will be using ADS multiple domains: Add a host account for the HP-UX client machine to every domain you want to access.
Step 5. Use ktpass to create the keytab file for the HP-UX client machine.

Use the ktpass tool to create the keytab file and set up an identity mapping for the host account. The following example shows how to run ktpass to create the keytab file for the HP-UX host myhost with the KDC realm cup.hp.com:

    C:> ktpass -princ host/myhost@CUP.HP.COM -mapuser myhost -pass mypasswd -out unix.keytab

NOTE: If your machine doesn't have ktpass, you can install it from your Windows 2000 Server compact disc, in the directory support/tool.
- If you will be using ADS multiple domains: Repeat Step 4 and Step 5 in this procedure for the HP-UX client machine in every domain that you want to access. Then, merge the keytab files on your HP-UX machine to create /etc/krb5.keytab (see Appendix D, "Creating a /etc/krb5.keytab File", for more information). This is one way to configure an HP-UX Kerberos client to communicate with multiple KDCs. For other possibilities using cross-realm authentication, refer to the [capaths] section in the manual page of krb5.conf (i.e. man krb5.conf).
Step 6. Add POSIX attributes to the global catalog (if needed).

The Global Catalog Server (GCS) is the domain controller which hosts the global catalog for a forest. The global catalog contains partial information about each domain in the forest. If you want LDAP-UX Client Services to query the GCS to decide which domain queried data belongs to, then add the following POSIX attributes to the global catalog:

For SFU version 2.0:
  1. msSFUName
  2. uidnumber
  3. gidnumber

For SFU version 3.0:
  1. msSFU30Name
  2. msSFU30UidNumber
  3. msSFU30GidNumber

Refer to Appendix G for detailed information on how to perform this task. For information on how LDAP-UX Client Services retrieves data from remote domains, see Chapter 3.