Using the Setup Program

This section describes in detail the steps you need to take to configure LDAP-UX Client Services with Windows 2000 Active Directory. In summary, you will need to run the setup program to extend the profile schema into Active Directory and to create specific profile entries. The setup program also creates the necessary files on your client system and configures the proxy user.

Kerberos Authentication. LDAP-UX Client Services with Active Directory uses the Kerberos authentication method. If it is not already available on your system, you will need to install and configure PAM Kerberos. Some instructions for doing this are given later in this section. Additional detailed information can be found in the Configuration Guide for Kerberos Products on HP-UX, available at http://docs.hp.com/hpux/internet.

Name Service Switch (NSS). The Name Service Switch (NSS) needs to be modified to retrieve your account and group information from Active Directory.

Run the Setup Program
1. Log in as root and run the setup program:

       cd /opt/ldapux/config
       ./setup

   The setup program asks you a series of questions and usually provides default answers. Press the Enter key to accept the default, or change the value and press Enter. At any point during setup, enter Control-b to return to the previous screen or Control-c to exit setup.

2. Choose Windows 2000 as your LDAP directory server (option 2).

3. Enter the host name and port number of the directory where your profile exists, or where you want to create a new profile, from Appendix A.

4. To check whether the directory schema has been extended with the LDAP-UX Client Services object classes (DUAConfigProfile), enter the DN (Distinguished Name) and password of a user. This check must be done, but only needs to be done once. See Appendix B for a detailed description of these object classes.

5. If the schema has already been extended, setup skips this step. Otherwise, to extend the schema, enter the DN and password of a user who can extend the directory schema, from Appendix A. For new profiles, the profile object must be created under the ConfigurationNamingContext container, which is usually CN=Configuration,<domain root>, or under any path whose object class is Container. These container entries must exist before any new profile entries can be created.

6. Enter either the DN of a new profile or the DN of an existing profile, from Appendix A. To display all the profiles in the directory, use a command like the following:

       ldapsearch -D <directory user> -w <credentials> -s sub \
           -b "CN=Configuration, DC=cup, DC=hp, DC=com" \
           -h <Active Directory host> -p <Active Directory port> \
           objectclass=DUAConfigProfile

   If you are using an existing profile, setup configures your client, downloads the profile, and exits. In this case, continue with the section "Install the PAM Kerberos Product" below.

7. If you are creating a new profile, enter the DN and password of a user who can create a new profile, from Appendix A.

8. Enter the host name and port number of the directory where your account and group data is, from Appendix A. You can enter up to three hosts, to be searched in order.

9. Enter the base DN where clients should search for name service data, from Appendix A.

10. Reply "No" when asked if you want to accept the remaining default configuration parameters.

11. For Active Directory, you must set access to the directory by proxy user, because anonymous binding does not grant enough access rights to an Active Directory. Enter the DN and password of your proxy user, from Appendix A.

12. Enter the maximum time in seconds the client should wait for binding to the directory before aborting (the "bind time"). Enter 0 for no time limit.

    CAUTION: The default client binding time is 5 seconds. Depending on the load on your directory, this default value may not be high enough to service all database requests.
13. Enter the maximum time in seconds the client should wait for directory searches before aborting. Enter 0 for no time limit.

14. The screen displays the question "Do you want client searches of the directory to follow referrals?" Enter "No". Referrals are currently not certified with Active Directory. Please check the release notes at http://docs.hp.com/hpux/internet for additional information.

15. Enter the Profile TTL (Time To Live) value. This value defines the time interval between automatic downloads (refreshes) of new configuration profiles from the directory. Automatic refreshing ensures that the client is always configured using the newest configuration profile. If you want to disable automatic refresh or manually control when the refresh occurs, enter a value of 0. See "Download the Profile Periodically".

16. Enter whether or not you want to remap the standard object class attributes to alternate attributes. You need to do this if your user and group data do not conform to the object classes defined in RFC 2307: posixAccount, posixGroup, and shadowAccount. You can remap the attributes for any of the supported services: passwd, shadow passwd, group, PAM, netgroup, rpc, protocols, networks, hosts, and services. Select the service you want to remap. Then select the attribute you want to remap and enter the new attribute name. For example, you might map the standard UNIX user id number attribute uidnumber to an employeeID attribute.

    NOTE: Make sure that the attribute names are typed in correctly to avoid unpredictable results later on.

    See RFC 2307 at http://www.ietf.org/rfc/rfc2307.txt for a description of the standard object classes and attributes.

    Optionally, you may set up X.500 group membership by mapping the member attribute to "memberuid member", as follows:

    - For the question "Specify the service you want to map? [0]:", answer 3.
    - For the question "Specify the attribute you want to map? [0]:", answer 3.
    - For the prompt "Type the attributes you want to map to the member attribute: [memberuid]:", enter: memberuid member
    - For ADS, the valid member attributes you can map to are memberuid, member, and posixmember.
    - Follow the prompts to finish the setup.

17. Enter whether or not you want to create custom search descriptors for any of the supported name services. Select the service you want to create a custom search descriptor for.

    NOTE: Custom search descriptors have no relevance for PAM Kerberos. PAM Kerberos is the only certified authentication method for LDAP-UX Client Services with Active Directory.

    A custom search descriptor consists of three parts: a search base DN, a scope, and a filter. Use custom search descriptors if you want clients to search different locations in the directory or to apply different search filters. For example, some clients might search for employees only in a particular department. Each service can have up to three different search descriptors. The client uses the search descriptors in order until it finds what it is looking for.

    NOTE: The default search base DN for all requests will be set to the previously specified default search base DN (in Step 9), usually the domain root. For very large databases, search performance can be greatly increased by specifying custom search descriptors. For example, to search user and group information, set the search base DN for the user and group services to CN=Users,DC=cup,DC=hp,DC=com. If your search filters overlap, enumeration requests will return duplicate entries. For example, if one search filter searched a subset of your organization and a second search filter searched your entire organization, an enumeration request would return duplicate entries. See "Enumeration Requests" in Chapter 4.
18. Answer "Yes" to the question "Are you ready to create the Profile Entry?" Then press any key to continue.

19. At this point, you choose whether or not to configure for Multiple Domains.

    - If you will not be configuring for Multiple Domains, continue with Step 20 below.

    - If you will be configuring for Multiple Domains, answer "Yes" to the question "Do you wish to configure multiple-domain support?"

    - If you will be using Remote Domain Configuration, answer "Yes" to the next question. If you answer "No", skip the remaining comments in this bullet and proceed to the next bulleted item. You will loop through a series of screens that allow you to create as many profiles as you wish (one profile is created for each pass through the loop). Read the explanation paragraph(s) in the next screen carefully before answering the question, then enter the appropriate domain name. Next, you will return to Step 3 through Step 18 of this procedure for each profile to be created. When you have added as many profiles as you wish, answer "No" to the question "Do you wish to configure another profile for remote domain?"

    - If you will be using the Global Catalog Server (GCS), answer "Yes" to the next question. If you answer "No", proceed to Step 20 below. Next, you will return to Step 3 through Step 18 of this procedure to create the profile for the Global Catalog Server.

      NOTE: When you configure the default search base for the GCS, you must make sure that the base covers everything that you want to include. For example, for a forest containing two domain trees (ca.hp.com and ny.hp.com), if you specify ca.hp.com as the GCS search base, none of the data under the ny.hp.com domain tree will be found. You must specify hp.com to cover the entire forest. The setup tool provides the root domain as the default search base. You must override it in order to cover the entire forest.
      Please read the instructions on each screen carefully, as some of the answers to these questions will be different from the last two times you went through them. When you have finished building the profile for the Global Catalog Server, configure the profiles for each domain that is used by the Global Catalog search. To do so, you again return to Step 3 through Step 18 of this procedure until you have configured each profile needed by the Global Catalog search. When this process is done, continue to Step 20 below.

20. Reply to the question "Would you like to start/restart the LDAP-UX daemon?" You need to start the LDAP-UX daemon in order to use multiple domains and X.500 features.
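Two of the notes in this procedure state containment rules: in Step 17, a custom search descriptor whose base DN lies inside another descriptor's base returns duplicate entries on enumeration, and in Step 19, a GCS search base only covers the domain trees that lie under it. The following shell script is an added example, not part of the HP document or the LDAP-UX product, that checks both rules on the document's own DNs and domain names. It assumes both search descriptors use subtree scope, and the DN normalisation (lower-casing and removing spaces around the commas) is an assumption made so that "CN=Users, DC=cup" and "cn=users,dc=cup" compare equal.

```shell
#!/bin/sh
# Added example: containment checks for search descriptor base DNs and for
# Global Catalog search bases. Not part of LDAP-UX; assumes subtree scope.

# Normalise a DN: lower-case, strip surrounding whitespace and the spaces
# around RDN separators, so "CN=Users, DC=cup" equals "cn=users,dc=cup".
dn_normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*,[[:space:]]*/,/g'
}

# True when DN $1 is equal to, or lies beneath, DN $2.
dn_within() {
    child=$(dn_normalize "$1")
    parent=$(dn_normalize "$2")
    [ "$child" = "$parent" ] && return 0
    case $child in
        *",$parent") return 0 ;;
    esac
    return 1
}

# Two subtree-scoped search descriptors overlap when either base contains the
# other; an enumeration over both then returns the shared entries twice.
descriptors_overlap() {
    dn_within "$1" "$2" || dn_within "$2" "$1"
}

# True when DNS domain $1 is equal to, or a subdomain of, $2 (case-insensitive).
domain_within() {
    child=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parent=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$child" = "$parent" ] && return 0
    case $child in
        *".$parent") return 0 ;;
    esac
    return 1
}

# Report which of the forest's domain trees a proposed GCS search base covers.
# $1 = proposed base, remaining arguments = domain trees in the forest.
gcs_base_report() {
    base=$1; shift
    for tree in "$@"; do
        if domain_within "$tree" "$base"; then
            echo "$tree: covered by $base"
        else
            echo "$tree: NOT covered by $base"
        fi
    done
}

# Demonstration with the document's own examples.
if descriptors_overlap "CN=Users, DC=cup, DC=hp, DC=com" "DC=cup, DC=hp, DC=com"; then
    echo "overlap: an enumeration would return the CN=Users entries twice"
fi
if ! descriptors_overlap "OU=Sales,DC=cup,DC=hp,DC=com" "OU=Eng,DC=cup,DC=hp,DC=com"; then
    echo "no overlap between OU=Sales and OU=Eng"
fi
gcs_base_report ca.hp.com ca.hp.com ny.hp.com   # ny.hp.com is NOT covered
gcs_base_report hp.com    ca.hp.com ny.hp.com   # both trees covered
```

Run the descriptor check against each pair of base DNs you plan to configure for the same service; the domain check reproduces the note's ca.hp.com/hp.com example and shows why the default root-domain base has to be overridden for a multi-tree forest.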
Install the PAM Kerberos Product
For HP-UX 11.00, use swinstall(1M) to install the PAM Kerberos product J5849AA. The software can be downloaded from http://software.hp.com. In order to work with LDAP-UX Client Services B.03.00, you need PAM Kerberos version v1.10 or later. If your system already has an older version of PAM Kerberos, you need to re-install it with the new version.

For HP-UX 11i, PAM Kerberos is included on the operating system CD. By default, PAM Kerberos is installed with the operating system unless you deselect it. However, you need to download and install the latest version (v1.10 or later).

See the Configuration Guide for Kerberos Products on HP-UX Release Notes, available at http://docs.hp.com/hpux/internet, for any last-minute changes. You also need to install the required patch; see /opt/ldapux/README-LdapUxClient for patch information. The /opt/ldapux/README-LdapUxClient file is available after you install the NativeLdapClient subproduct.

Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
1. Create /etc/krb5.conf. For multiple domains: for each domain you configure in LDAP-UX, you need to add its KDC entry to the /etc/krb5.conf file. For a sample file that supports two domains, refer to Appendix E, "Sample /etc/krb5.conf File".

2. Add the Kerberos services to the /etc/services file if they don't exist yet. A Kerberos client requires the following entries in the /etc/services file for the Kerberos PAM services:

       kerberos5       88/udp   kdc   # Kerberos V5 kdc
       kerberos5       88/tcp   kdc   # Kerberos V5 kdc
       kerberos-sec    88/udp   kdc   # Kerberos V5 kdc
       kerberos-sec    88/tcp   kdc   # Kerberos V5 kdc
       kerberos        750/udp  kdc   # Kerberos V5 kdc
       kerberos        750/tcp  kdc   # Kerberos V5 kdc
       klogin          543/tcp        # Kerberos rlogin -kfall
       kshell          544/tcp  cmd   # Kerberos remote shell
       kerberos-adm    749/tcp        # Kerberos 5 admin/changepw
       kerberos-adm    749/udp        # Kerberos 5 admin/changepw
       krb5_prop       754/tcp        # Kerberos slave propagation
       kerberos-adm    464/udp        # Kerberos Password Change protocol
       kerberos-cpw    464/tcp        # Kerberos Password Change protocol
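The following shell script is an added example, not part of the HP document or the LDAP-UX product. It checks a services file for the thirteen entries listed above, matching on the service name and port/protocol pair and ignoring commented-out lines, and appends only the entries that are missing, so it can be run repeatedly without duplicating lines. The demonstration works on a constructed temporary copy; run it as root against /etc/services to apply it to the real file.

```shell
#!/bin/sh
# Added example: idempotently add the Kerberos entries from the HP-UX guide
# to a services file. The entries are the ones listed in the text above.
KERBEROS_SERVICES='kerberos5 88/udp kdc # Kerberos V5 kdc
kerberos5 88/tcp kdc # Kerberos V5 kdc
kerberos-sec 88/udp kdc # Kerberos V5 kdc
kerberos-sec 88/tcp kdc # Kerberos V5 kdc
kerberos 750/udp kdc # Kerberos V5 kdc
kerberos 750/tcp kdc # Kerberos V5 kdc
klogin 543/tcp # Kerberos rlogin -kfall
kshell 544/tcp cmd # Kerberos remote shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 464/udp # Kerberos Password Change protocol
kerberos-cpw 464/tcp # Kerberos Password Change protocol'

# Print the required entries that are not yet in the services file $1.
# An entry counts as present when a non-comment line starts with the same
# service name followed by the same port/protocol pair.
services_missing() {
    printf '%s\n' "$KERBEROS_SERVICES" | while IFS= read -r entry; do
        name=${entry%% *}
        rest=${entry#* }
        portproto=${rest%% *}
        if ! grep -Eq "^[[:space:]]*$name[[:space:]]+$portproto([[:space:]]|\$)" "$1"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Number of required entries still missing from $1 (0 when complete).
count_missing() {
    services_missing "$1" | wc -l | tr -d ' '
}

# Append the missing entries to $1. Safe to run repeatedly.
add_kerberos_services() {
    missing=$(services_missing "$1")
    [ -n "$missing" ] || return 0
    # Make sure the file ends with a newline before appending.
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
    printf '%s\n' "$missing" >> "$1"
}

# Demonstration on a constructed copy (never on the live /etc/services here):
# two entries already present, one present only as a comment.
demo_file=$(mktemp)
printf 'kerberos5 88/udp kdc # already present\n# kerberos-sec 88/udp kdc (commented out, does not count)\nklogin 543/tcp\n' > "$demo_file"
echo "missing before: $(count_missing "$demo_file")"   # 11
add_kerberos_services "$demo_file"
echo "missing after:  $(count_missing "$demo_file")"   # 0
rm -f "$demo_file"
```

The match deliberately requires both the name and the port/protocol, so an existing line such as "kerberos-adm 749/tcp" does not mask the separate "kerberos-adm 464/udp" entry, and a commented-out entry is treated as absent.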
3. Add a host key to the /etc/krb5.keytab file. The keytab file is the one described in the previous section on Windows 2000 using ktpass. You need to securely transfer the keytab file you created in Step 5 on page 26 to your HP-UX machine and name it krb5.keytab in the /etc directory. If you already have an existing /etc/krb5.keytab file, you need to merge the new keytab file with the existing one. ktutil is a tool provided with the Kerberos product for maintaining the keytab file.

   NOTE: The keytab file should only be readable by the root user.
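The note above is easy to get wrong after a file transfer, because a copied keytab usually inherits the permissions of the transfer tool. The following shell script is an added example, not from the HP document or the Kerberos product, that checks a credential file for root-only access (no group or other bits, owner root) and tightens it if necessary. It parses ls -ld rather than stat so that it runs on HP-UX as well as on Linux; the same check applies to the proxy credential file /etc/opt/ldapux/pcred mentioned later in this section. The demonstration uses a constructed temporary file owned by the current user, so the expected owner is passed explicitly.

```shell
#!/bin/sh
# Added example: check that a credential file such as /etc/krb5.keytab (or
# /etc/opt/ldapux/pcred) is readable by its owner only and owned by root.

# Permission string of $1, e.g. "-rw-------" (ACL/context markers stripped).
file_mode() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$1" | sed 's/[+.@]$//'
}

# Owner name of $1 as ls reports it.
file_owner() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# True when $1 is a regular file with no group or other permission bits and
# no execute bit for the owner (0600 or 0400).
mode_is_private() {
    case $(file_mode "$1") in
        -??-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Full check: private mode and owned by $2 (default root). Prints a verdict
# and returns 0 only when both conditions hold.
check_private_file() {
    f=$1
    want_owner=${2:-root}
    ok=0
    if ! mode_is_private "$f"; then
        echo "$f: mode $(file_mode "$f") is too permissive (want 0600)"; ok=1
    fi
    if [ "$(file_owner "$f")" != "$want_owner" ]; then
        echo "$f: owned by $(file_owner "$f"), want $want_owner"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "$f: ok"
    return "$ok"
}

# Remove group/other access from $1 without touching the owner bits.
make_private() {
    chmod go-rwx "$1"
}

# Demonstration on a constructed temporary file owned by the current user.
me=$(id -un 2>/dev/null || id -u)
demo=$(mktemp)
chmod 644 "$demo"
check_private_file "$demo" "$me" || true    # reports the permissive mode
make_private "$demo"
check_private_file "$demo" "$me"            # ok
rm -f "$demo"
```

On a configured client the call is simply check_private_file /etc/krb5.keytab, which checks against root by default.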
4. Synchronize the HP-UX clock to the Windows 2000 clock. The clocks in Windows 2000 and on your HP-UX machine must be synchronized to within 2 minutes. You can run Network Time Synchronizer to synchronize both clocks. If the tool is not available, you can manually synchronize them by setting "Date/Time Properties" on Windows 2000 and running "/etc/set_parms date_time" on HP-UX.

5. Configure /etc/pam.conf to use PAM Kerberos. /etc/pam.conf is the PAM configuration file, which specifies PAM service modules for PAM applications. To use PAM Kerberos as the authentication module, you will need to edit /etc/pam.conf to include the PAM Kerberos library /usr/lib/security/libpam_krb5.1 for all four services: authentication, account management, session management, and password management. A sample PAM configuration file can be found in Appendix C.

   NOTE: The sample file reflects the recommendation to keep the root user in /etc/passwd, local on each client machine, and to allow for local account management of the root user. This guarantees local access to the system in case the network is down.
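As an added check, not from the HP document and not a substitute for the sample file in Appendix C, the following script scans a pam.conf-style file for one service and reports which of the four module types (auth, account, session, password) do not yet reference /usr/lib/security/libpam_krb5.1. It assumes the HP-UX pam.conf line layout of service name, module type, control flag and module path; the sample configuration is constructed for the demonstration and its control flags are illustrative only.

```shell
#!/bin/sh
# Added example: report which PAM module types for a service still lack the
# PAM Kerberos library. Assumes the HP-UX pam.conf line format
#   service  module_type  control_flag  module_path  [options]
KRB5_LIB='/usr/lib/security/libpam_krb5.1'

# Constructed sample: login is converted for auth, account and password,
# but the session line still references only libpam_unix.1.
SAMPLE_PAM='# constructed pam.conf fragment
login    auth      required   /usr/lib/security/libpam_krb5.1
login    auth      required   /usr/lib/security/libpam_unix.1  try_first_pass
login    account   required   /usr/lib/security/libpam_krb5.1
login    account   required   /usr/lib/security/libpam_unix.1
login    session   required   /usr/lib/security/libpam_unix.1
login    password  required   /usr/lib/security/libpam_krb5.1
login    password  required   /usr/lib/security/libpam_unix.1  try_first_pass
'

# Read pam.conf on stdin; print each of auth/account/session/password that
# has no line for service $1 whose module path is $KRB5_LIB. Comment lines
# start with "#" and never match a service name.
pam_missing_krb5() {
    awk -v svc="$1" -v lib="$KRB5_LIB" '
        $1 == svc && $4 == lib { seen[$2] = 1 }
        END {
            n = split("auth account session password", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print want[i]
        }'
}

# True when every module type for service $1 references the Kerberos library.
pam_krb5_complete() {
    [ -z "$(pam_missing_krb5 "$1")" ]
}

# Demonstration on the constructed sample; against the live file, run
#   pam_missing_krb5 login < /etc/pam.conf
missing=$(printf '%s\n' "$SAMPLE_PAM" | pam_missing_krb5 login)
if [ -n "$missing" ]; then
    echo "login: libpam_krb5.1 not configured for: $missing"   # session
else
    echo "login: PAM Kerberos configured for all four module types"
fi
```

Run the check for every PAM service you convert (login, dtlogin, and so on), not only for login; a service with no libpam_krb5.1 lines at all is reported as missing all four types.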
Configure the Name Service Switch (NSS)

Save a copy of the file /etc/nsswitch.conf and edit the original to specify the ldap name service and the other name services you want to use. See /etc/nsswitch.ldap for an example. You may be able to just copy /etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more information.

Configure the Disable Login Flag
Save a copy of the file /etc/opt/ldapux/ldapux_client.conf and edit the original to activate the disable_uid_range flag. Uncomment the flag in the [NSS] portion of the file and fill in the UID range. The format is:

    disable_uid_range=uid#,[uid#-uid#],...

For example:

    disable_uid_range=0-100,300-450,89

NOTE: White space between numbers is ignored. Only one line of the list is accepted; however, the line can be wrapped. The maximum number of ranges is 20.
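The following shell script is an added example, not part of the HP document or of LDAP-UX, showing how to read the disable_uid_range flag out of a file fragment the way the note describes (white space ignored, a commented-out line inactive), validate it against the documented limits (each item is a single UID or a low-high range, at most 20 items), and test whether a given UID falls inside one of the ranges. The configuration fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: parse and validate the disable_uid_range flag from the [NSS]
# section of ldapux_client.conf, and test whether a UID falls in the ranges.
# Constructed sample fragment of the file (white space is allowed around
# numbers; the commented-out line is inactive, as it is before editing).
SAMPLE_CONF='[NSS]
# disable_uid_range=0-100
disable_uid_range = 0-100, 300-450 ,89
'

# Print the active value of disable_uid_range with all white space removed.
get_disable_uid_range() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*disable_uid_range[[:space:]]*=//p' \
        | tr -d ' \t' | head -n 1
}

# True when $1 is a non-empty string of decimal digits.
is_number() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Validate the list: each comma-separated item is N or N-M with N <= M, and
# there are between 1 and 20 items (the documented maximum).
validate_disable_uid_range() {
    count=0
    old_ifs=$IFS; IFS=,
    for item in $1; do
        count=$((count + 1))
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        if ! is_number "$lo" || ! is_number "$hi" || [ "$lo" -gt "$hi" ]; then
            IFS=$old_ifs; return 1
        fi
    done
    IFS=$old_ifs
    [ "$count" -ge 1 ] && [ "$count" -le 20 ]
}

# True when UID $1 lies in one of the ranges of list $2 (assumed valid).
uid_is_disabled() {
    uid=$1
    old_ifs=$IFS; IFS=,
    for item in $2; do
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        if [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Demonstration on the constructed sample.
spec=$(get_disable_uid_range "$SAMPLE_CONF")
if validate_disable_uid_range "$spec"; then
    echo "disable_uid_range=$spec is well formed"
fi
for u in 0 89 101 350 451; do
    if uid_is_disabled "$u" "$spec"; then
        echo "uid $u: in a disabled range"
    else
        echo "uid $u: not in a disabled range"
    fi
done
```

To check the live file, replace the sample with the output of cat /etc/opt/ldapux/ldapux_client.conf; validating before you restart the client catches a reversed range such as 450-300 or a 21st range, both of which the product would otherwise accept or ignore silently.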
Verify the LDAP-UX Client Services

For Single Domain

This section describes some simple ways you can verify the installation and configuration of your LDAP-UX Client Services. You may need to do more elaborate and detailed testing, especially if you have a large environment.

1. Use the nsquery(1) command to test the name service:

       nsquery lookup_type lookup_query [lookup_policy]

   For example, to test the name service switch to resolve a username lookup, enter:

       nsquery passwd username ldap

   where username is the login name of a valid user whose posix account information is in the directory. You should see output something like the following, depending on how you have configured /etc/nsswitch.conf:

       Using "files ldap" for the passwd policy.
       Searching /etc/passwd for jbloggs
       jbloggs was NOTFOUND
       Switch configuration: Allows fallback
       Searching ldap for jbloggs
       User name: jbloggs
       User Id: 644
       Group Id: 20
       Gecos: John Bloggs,43L-C3,555-1212
       Home Directory: /home/jbloggs
       Shell: /usr/bin/ksh
       Switch configuration: Terminates Search

   This tests the Name Service Switch configuration in /etc/nsswitch.conf. If you do not see output like that above, check /etc/nsswitch.conf for proper configuration.

2. Use other commands to display information about users in the directory, making sure the output is as expected:

       pwget -n username
       grget -n groupname
       ls -l

   NOTE: While you can use the following commands to verify your configuration, these commands enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases:

       pwget (with no options)
       grget (with no options)
       listusers
       logins

3. Use the beq search utility to search for the following services: pwd (password), grp (group), shd (shadow password), srv (service), prt (protocol), rpc (RPC), hst (host), net (network), ngp (netgroup), and grm (group membership). An example beq command using name as the search key, grp as the service, and ldap as the library is shown below:

       ./beq -k n -s grp -l /usr/lib/libnss_ldap.1 \
           igrp1
       nss_status........NSS_SUCCESS
       pw_name...........(iuser1)
       pw_passwd.........(*)
       pw_uid............(101)
       pw_gid............(21)
       pw_age............()
       pw_comment........()
       pw_gecos..........(gecos data in files)
       pw_dir............(/home/iuser1)
       pw_shell..........(/usr/bin/sh)
       pw_audid..........(0)
       pw_audflg.........(0)

   Refer to "beq Search Tool" in Chapter 5 for command syntax and examples.

4. Log in to the client system from another system using rlogin or telnet. Log in as a user in the directory and as a user in /etc/passwd to make sure both work. Optionally, test your pam_authz authorization configuration by:

   - logging in to the client system from another system using rlogin or telnet, and from there logging in to the directory as a member of a +@netgroup, to verify that pam_authz authorizes you and is working correctly;
   - logging in to the directory as a member of a -@netgroup, to be sure that the system will not authorize you to log in.

5. Open a new hpterm(1X) window and log in to the client system as a user whose account information is in the directory. It is important that you open a new hpterm window or log in from another system, because if login doesn't work, you could be locked out of the system and would have to reboot to single-user mode.

   This tests the Pluggable Authentication Module (PAM) configuration in /etc/pam.conf. If you cannot log in, check /etc/pam.conf for proper configuration. Also check your directory to make sure the user's account information is accessible by the proxy user or anonymously, as appropriate. Check your profile to make sure it looks correct. See also "Troubleshooting" in Chapter 4 for more information.

6. Use the ls(1) or ll(1) command to examine files belonging to a user whose account information is in the directory. Make sure the owner and group of each file are accurate. If any owner or group shows up as a number instead of a user or group name, the name service switch is not functioning properly. Check the file /etc/nsswitch.conf, your directory, and your profile.

7. If you have configured a multi-domain setup and you want to verify it, execute the following two steps. Otherwise, continue below with the section titled "Configure Subsequent Client Systems". The following steps verify that LDAP-UX is able to retrieve data from ADS multiple domains:

   - Create or import a POSIX user account into an ADS remote domain (for example, the user account "smith"). This is identical to how you set it up for a single domain, except that now you put it into a remote domain.
   - If pwget -n smith returns valid data, LDAP-UX is working with ADS multiple domains. If no data is returned, the setup was not successful.
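The ownership check in step 6 above is easy to automate across a whole home directory. The following shell script is an added example, not part of the HP document or of LDAP-UX: it reads ls -l (or ll) output, flags every entry whose owner or group field is a bare number, and returns a non-zero status when any are found, which is exactly the symptom the text describes for a misconfigured name service switch. The listing it runs on is constructed for the demonstration, not output from the page.

```shell
#!/bin/sh
# Added example: scan ls -l / ll output for owners or groups that appear as
# bare numbers, which means the name service switch could not resolve them.
# Constructed sample listing (not real output from the page): two entries
# carry an unresolved id (uid 644 and gid 20).
SAMPLE_LISTING='total 24
-rw-r--r--   1 jbloggs    users       1024 Mar  3 10:22 notes.txt
-rw-------   1 644        20           512 Mar  3 10:25 .profile
drwxr-xr-x   2 root       sys           96 Feb 28 09:00 bin
-rw-r--r--   1 jbloggs    20           128 Mar  3 10:30 todo'

# Read a long listing on stdin and print one line per file whose owner or
# group field is purely numeric. Exit status 0 = all resolved, 1 = problems.
# The "total N" header line has fewer than nine fields and is skipped.
find_unresolved_ids() {
    awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) {
             bad++
             printf "unresolved: owner=%s group=%s file=%s\n", $3, $4, $NF
         }
         END { exit (bad > 0) }'
}

# Number of entries with an unresolved owner or group, printed on stdout.
count_unresolved_ids() {
    find_unresolved_ids | wc -l | tr -d ' '
}

# Convenience wrapper for a real directory, e.g. a directory user's home:
#   check_dir /home/jbloggs
check_dir() {
    ls -l "$1" | find_unresolved_ids
}

# Demonstration on the constructed sample: two entries should be flagged.
printf '%s\n' "$SAMPLE_LISTING" | find_unresolved_ids \
    || echo "NSS lookup problem: check /etc/nsswitch.conf, the directory and the profile"
```

Because the check keys on the owner and group columns only, it works equally on HP-UX ll output and on Linux ls -l output, and it can be pointed at /home or at the directory user's own files as part of a post-configuration smoke test.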
Configure Subsequent Client Systems

Once you have configured your directory and one client system, you can configure subsequent client systems using the following steps. Modify any of these files as needed.

1. Use swinstall to install LDAP-UX Client Services on the client system. This requires rebooting the client system.

2. Copy the following files from a configured client to the client being configured:

       /etc/opt/ldapux/ldapux_client.conf
       /etc/opt/ldapux/pcred   (only if you have configured a proxy user, not if you are using only anonymous access)

3. Download the profile by running get_profile_entry as follows:

       cd /opt/ldapux/config
       ./get_profile_entry -s nss -D bindDN -w password

   If you are using multiple domains, you need to download profiles for the GCS and each remote domain. Refer to Chapter 5, section "The get_profile_entry Tool", for information about downloading these profiles.

   Alternatively, you can run the setup program interactively to download the profile from the directory and respond "no" when asked if you want to change the current configuration:

       cd /opt/ldapux/config
       ./setup

4. If you are using a proxy user, configure the proxy user by calling ldap_proxy_config as follows:

       cd /opt/ldapux/config
       ./ldap_proxy_config

5. Verify the client as described in "Verify the LDAP-UX Client Services" above.