Installing and Administering LDAP-UX Client Services with Microsoft Windows 2000 Active Directory > Chapter 5 Command and Tool Reference

Client Management Tools


This section describes the following programs for managing client systems. Most of these are called by the setup program when you configure a system.

display_profile_cache

Displays the currently active profile.

create_profile_entry

Creates a new profile in the directory.

get_profile_entry

Downloads a profile from the directory to LDIF, and creates the profile cache.

ldap_proxy_config

Configures a proxy user.

The following tools are called by the setup program and are not typically used separately.

create_profile_schema

Extends the schema in the directory for profiles.

create_profile_cache

Creates a new active profile from an LDIF profile. This is also called by get_profile_entry.

The create_profile_entry Tool

This tool, found in /opt/ldapux/config, creates a new profile entry in the LDAP directory from information you provide interactively. The directory schema must have the DUAConfigProfile extension.

Syntax

create_profile_entry

The create_profile_cache Tool

This tool, found in /opt/ldapux/config, creates a binary profile file from an LDIF profile file, thus activating the profile for the client. (You can download a profile to LDIF from the directory with get_profile_entry.) Typically you run the setup program instead of running this program directly. See also “Download the Profile Periodically”.

Syntax

create_profile_cache [-i infile] [-o outfile]

where infile is the LDIF file containing a profile, by default /etc/opt/ldapux/ldapux_profile.ldif and outfile is the name of the binary output file, by default /etc/opt/ldapux/ldapux_profile.bin. The LDIF file must contain an entry for the object class PosixNamingProfile.

Examples

The following command creates the binary profile file /etc/opt/ldapux/ldapux_profile.bin from the existing LDIF file /etc/opt/ldapux/ldapux_profile.ldif:

create_profile_cache

The following command creates the binary profile file my_profile.bin from the existing LDIF file profile1.ldif:

create_profile_cache -i profile1.ldif -o my_profile.bin

Note that you must copy the file my_profile.bin to /etc/opt/ldapux/ldapux_profile.bin to activate the profile.

The create_profile_schema Tool

This tool, found in /opt/ldapux/config, extends the Active Directory schema with the posixDUAProfile and posixNamingProfile object classes using the information you provide interactively. Typically you run the setup program instead of running this program directly.

Syntax

create_profile_schema

The display_profile_cache Tool

This tool, found in /opt/ldapux/config, displays information from a binary profile (cache) file. By default, it displays the currently active profile in /etc/opt/ldapux/ldapux_profile.bin.

Syntax

display_profile_cache [-i infile] [-o outfile]

where infile is a binary profile file, /etc/opt/ldapux/ldapux_profile.bin by default, and outfile is the output file, stdout by default.

The binary profile contains mappings for all backend commands (even those that are unused or unsupported by LDAP-UX Client Services with Active Directory), all of which are displayed by display_profile_cache. The actual client configuration can be reviewed in the configuration profile LDIF file /etc/opt/ldapux/ldapux_profile.ldif.

Examples

The following command displays the profile in the binary profile file /etc/opt/ldapux/ldapux_profile.bin to stdout:

display_profile_cache

The following command displays the profile in the binary profile file my_profile.bin and writes the output to the file profile:

display_profile_cache -i my_profile.bin -o profile

The get_profile_entry Tool

This tool, found in /opt/ldapux/config, downloads a profile from an LDAP directory into an LDIF file and calls create_profile_cache to create a binary profile file, thereby activating it on the client. This tool looks in the local client configuration file /etc/opt/ldapux/ldapux_client.conf for the profile DN.

Syntax

get_profile_entry -s service [-o outfile] [-D bindDN -w passwd] [-p profile_id]

where service is the name of a supported service, typically NSS, and outfile is the name of a file to contain the LDIF output, by default /etc/opt/ldapux/ldapux_profile.ldif. The -p option applies only if you want to configure multiple domains; profile_id is <remote domain name> or gc, as given in the PROFILE_ID field in /etc/opt/ldapux/ldapux_client.conf.

Examples

The following command downloads the profile for the Name Service Switch (NSS) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/ldapux_profile.ldif. The bindDN and password need to be provided if no valid proxy user is configured:

get_profile_entry -s NSS -D bindDN -w passwd

The following command downloads the profile for the Name Service Switch (NSS) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file profile1.ldif:

get_profile_entry -s NSS -o profile1.ldif -D bindDN -w passwd

The following command downloads the profile for the Name Service Switch (NSS) and PROFILE_ID (ldap.ca.com) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.ldap.ca.com:

get_profile_entry -s NSS -D bindDN -w passwd -p ldap.ca.com

The following command downloads the profile for the Name Service Switch (NSS) and PROFILE_ID (gc) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.gc:

get_profile_entry -s NSS -D bindDN -w passwd -p gc

The ldap_proxy_config Tool

This tool, found in /opt/ldapux/config, configures a proxy user for the client accessing the directory. It stores the encrypted proxy user information in the file /etc/opt/ldapux/pcred and in kernel memory, referred to as SCS for Secure Credential Store. You must run this tool logged in as root.

Syntax

ldap_proxy_config [options]

where options can be any of the following:

-e

erases the currently configured proxy user from the file /etc/opt/ldapux/pcred and from the secure credential store in kernel memory. Has no effect on the proxy user information in the directory itself.

-i

configures the proxy user interactively from stdin. Type the command with -i then press Return. Next type the proxy user DN then press Return. Finally type the proxy user credential or password and press Return.

-f file

configures the proxy user from file. file must contain two lines: the first line must be the proxy user DN, and the second line must be the proxy user credential or password.

CAUTION: After using this option you should delete or protect the file as it could be a security risk.

-d DN

configures the proxy user distinguished name to be DN.

-c passwd

configures the proxy user credential or password to be passwd.

-p

prints the distinguished name of the current proxy user.

-v

verifies the current proxy user and credential by connecting to the server.

-h

displays help on this command.

With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred.

Examples

The following example configures the proxy user as CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com with the password prox12pw and creates or updates the file /etc/opt/ldapux/pcred with this information:

ldap_proxy_config -i
CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com
prox12pw

The following example displays the current proxy user:

ldap_proxy_config -p
PROXY_DN: CN=Proxy User,CN=users,DC=cup,DC=hp,DC=com

The following example checks the configured proxy user information and checks whether or not the client can bind to the directory as the proxy user:

ldap_proxy_config -v
File Credentials verified - valid
SCS Credentials verified - valid
File copy & SCS copy are synchronized

The following example configures the proxy user as CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com with the password prox12pw and creates or updates the file /etc/opt/ldapux/pcred with this information:

ldap_proxy_config -d "CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com" -c prox12pw

The following example configures the proxy user with the contents of the file proxyfile and creates or updates the file /etc/opt/ldapux/pcred with this information:

ldap_proxy_config -f proxyfile

The file proxyfile must contain two lines: the proxy user DN on the first line and password on the second line.
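The -f option, its CAUTION, and the -v check can be combined in one wrapper. The following is an added example, not HP code: check_proxy_file and load_proxy_file are hypothetical helper names, the LDAP_PROXY_CONFIG override exists only so the wrapper can be exercised against a stub, and a non-zero exit status from a failed -f is an assumption.

```shell
#!/bin/sh
# Added example (not HP code): load a proxy credential file safely.
# Default path is the one given on this page; override it to test with a stub.
LDAP_PROXY_CONFIG=${LDAP_PROXY_CONFIG:-/opt/ldapux/config/ldap_proxy_config}

# Accept only a regular, owner-only file holding exactly two non-empty
# lines: the proxy user DN, then the credential.
check_proxy_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        -r[-w]-------) ;;                      # 0400 or 0600 only
        *) echo "$f: mode $mode is open to group or other" >&2; return 1 ;;
    esac
    if [ "$(awk 'END { print NR }' "$f")" -ne 2 ]; then
        echo "$f: expected exactly two lines" >&2; return 1
    fi
    if [ -z "$(sed -n 1p "$f")" ] || [ -z "$(sed -n 2p "$f")" ]; then
        echo "$f: empty DN or credential" >&2; return 1
    fi
}

# Load the file with -f, delete the clear-text copy whether or not the
# load worked, then require both "verified - valid" lines from -v.
load_proxy_file() {
    f=$1
    check_proxy_file "$f" || return 1
    rc=0
    # Assumption: ldap_proxy_config exits non-zero when -f fails.
    "$LDAP_PROXY_CONFIG" -f "$f" || rc=1
    rm -f "$f"
    [ "$rc" -eq 0 ] || return 1
    [ "$("$LDAP_PROXY_CONFIG" -v 2>&1 | grep -c 'verified - valid')" -eq 2 ]
}
```

Run as root with `load_proxy_file proxyfile`. A file rejected for loose permissions is left in place, since its contents may already have been read by other users and the credential should be treated as exposed.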

beq Search Tool

The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library. The search will include the following services: pwd, grp, shd, srv, prt, rpc, hst, net, ngp, and grm.

NOTE: HP does not support the beq tool at the present time.

The syntax for this tool, along with example output, is shown below.

Syntax

beq -k [n|d] -s <service> (-l <library>) (-h | -H <#>) <idl> (<id1> (<id2> (...)))

where

-k [n|d]

Required. The search key may be either n for name string or d for digit (a numeral search).

-s <service>

Required. Indicates what backends are to be searched for information.

-l <library>

Query the backend directly. Bypass the APIs and skip the name service switch.

-h

Provides Help on this command.

-H <#>

Specifies Help level (0-5). Larger numbers provide more information. If you specify -h or -H, no other parameters are needed.

Service | Description
pwd | Password
grp | Group
shd | Shadow Password
srv | Service
prt | Protocol
rpc | RPC
hst | Host
net | Network
ngp | Netgroup
grm | Group Membership

Examples:

  1. An example beq command using iuser1 (user name) as the search key, pwd (password) as the service, and ldap as the library is shown below:

    ./beq -k n -s pwd -l /usr/lib/libnss_ldap.1 iuser1

    nss_status.............. NSS_SUCCESS
    pw_name...........(iuser1)
    pw_passwd.........(*)
    pw_uid............(101)
    pw_gid............(21)
    pw_age............()
    pw_comment........()
    pw_gecos..........(gecos data in files)
    pw_dir............(/home/iuser1)
    pw_shell..........(/usr/bin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)

  2. An example beq command using user name adm as the search key, pwd (password) as the service, and files as the library is shown below:

    ./beq -k n -s pwd -l /usr/lib/libnss_files.1 adm

    nss_status.............. NSS_SUCCESS
    pw_name...........(adm)
    pw_passwd.........(*)
    pw_uid............(4)
    pw_gid............(4)
    pw_age............()
    pw_comment........()
    pw_gecos..........()
    pw_dir............(/var/adm)
    pw_shell..........(sbin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)

  3. An example beq command using uid number 102 as the search key, pwd (password) as the service and ldap as the library is shown below:

    ./beq -k d -s pwd -l /usr/lib/libnss_ldap.1 102

    nss_status.............. NSS_SUCCESS
    pw_name...........(user2)
    pw_passwd.........(*)
    pw_uid............(102)
    pw_gid............(21)
    pw_age............()
    pw_comment........()
    pw_gecos..........(gecos data in files)
    pw_dir............(/home/iuser2)
    pw_shell..........(/usr/bin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)

  4. An example beq command using group name igrp1 as the search key, grp (group) as the service, and ldap as the library is shown below:

    ./beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1

    nss_status.............. NSS_SUCCESS
    gr_name...........(igrp1)
    gr_passwd.........(*)
    gr_gid............(21)
    pw_age............()
    gr_mem
    (iuser1)
    (iuser2)
    (iuser3)

  5. An example beq command using gid number 22 as the search key, grp (group) as the service, and ldap as the library is shown below:

    ./beq -k d -s grp -l /usr/lib/libnss_ldap.1 22

    nss_status.............. NSS_SUCCESS
    gr_name...........(igrp2)
    gr_passwd.........(*)
    gr_gid............(22)
    pw_age............()
    gr_mem
    (iuser1)


© 2002 Hewlett-Packard Development Company, L.P.