This section describes the following programs for managing client systems. Most of these programs are called by the setup program during system configuration.

- create_profile_entry: creates a new profile in the directory.
- create_profile_cache: creates a new active profile from an LDIF profile. This is also called by the get_profile_entry tool.
- create_profile_schema: extends the schema in the directory for profiles.
- display_profile_cache: displays the currently active profile.
- get_profile_entry: downloads a profile from the directory to LDIF, and creates the profile cache.
- ldap_proxy_config: configures a proxy user.

create_profile_entry

This tool, found in /opt/ldapux/config, creates a new profile entry in the LDAP directory from information you provide interactively. The directory schema must have the DUAConfigProfile extension.

create_profile_cache

This tool, found in /opt/ldapux/config, creates a binary profile file from an LDIF profile file, thus activating the profile for the client. (You can download a profile to LDIF from the directory with get_profile_entry.) Typically you run the setup program instead of running this program directly. Also refer to “Downloading the Profile Periodically”.

    create_profile_cache [-i infile] [-o outfile]

where infile is the LDIF file containing a profile, by default /etc/opt/ldapux/ldapux_profile.ldif, and outfile is the name of the binary output file, by default /etc/opt/ldapux/ldapux_profile.bin. The LDIF file must contain an entry for the object class DUAConfigProfile.

create_profile_schema

This tool, found in /opt/ldapux/config, extends the Active Directory schema with the DUAConfigProfile object class using the information you provide interactively. Typically you run the setup program instead of running this program directly.

display_profile_cache

This tool, found in /opt/ldapux/config, displays information from a binary profile (cache) file. By default, it displays the currently active profile in /etc/opt/ldapux/ldapux_profile.bin.

    display_profile_cache [-i infile] [-o outfile]

where infile is a binary profile file, /etc/opt/ldapux/ldapux_profile.bin by default, and outfile is the output file, stdout by default.

The binary profile contains mappings for all backend commands (even those that are unused or unsupported by LDAP-UX Client Services with Active Directory), all of which are displayed by display_profile_cache. The actual client configuration can be reviewed in the configuration profile LDIF file /etc/opt/ldapux/ldapux_profile.ldif.

The following command displays the profile in the binary profile file /etc/opt/ldapux/ldapux_profile.bin to stdout:

The following command displays the profile in the binary profile file my_profile.bin and writes the output to the file profile:

    display_profile_cache -i my_profile.bin -o profile

get_profile_entry

This tool, found in /opt/ldapux/config, downloads a profile from an LDAP directory into an LDIF file and calls create_profile_cache to create a binary profile file, thereby activating it on the client. This tool looks in the local client configuration file /etc/opt/ldapux/ldapux_client.conf for the profile DN.

    get_profile_entry -s service [-o outfile] [-D bindDN -w passwd] [-p profile_id]

where service is the name of a supported service, typically NSS; outfile is the name of a file to contain the LDIF output, by default /etc/opt/ldapux/ldapux_profile.ldif; and profile_id is <remote domain name> or gc for the PROFILE_ID field in /etc/opt/ldapux/ldapux_client.conf. The -p option only applies if you want to configure multiple domains.

The following command downloads the profile for the NSS specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/ldapux_profile.ldif. bindDN and password need to be provided if no valid proxy user is configured:

    get_profile_entry -s NSS -D bindDN -w passwd

The following command downloads the profile for the NSS specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file profile1.ldif:

    get_profile_entry -s NSS -o profile1.ldif -D bindDN -w passwd

The following command downloads the profile for the NSS and PROFILE_ID (ldap.ca.com) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.ldap.ca.com:

    get_profile_entry -s NSS -D bindDN -w passwd -p ldap.ca.com

The following command downloads the profile for the Name Service Switch (NSS) and PROFILE_ID (gc) specified in the client configuration file /etc/opt/ldapux/ldapux_client.conf and places the LDIF in the file /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.gc:

    get_profile_entry -s NSS -D bindDN -w passwd -p gc

ldap_proxy_config

This tool, found in /opt/ldapux/config, configures a proxy user for the client accessing the directory. It stores the encrypted proxy user information in the file /etc/opt/ldapux/pcred. You must run this tool logged in as root.

    ldap_proxy_config [options]

where options can be any of the following:

- -e
  erases the currently configured proxy user from the file /etc/opt/ldapux/pcred. Has no effect on the proxy user information in the directory itself.
- -i
  configures the proxy user interactively from stdin. Enter the command with -i, then press the Enter key. Next, enter the proxy user DN, then press the Enter key. Finally, enter the proxy user credential or password and press the Enter key.
- -f file
  configures the proxy user from file. file must contain two lines: the first line must be the proxy user DN, and the second line must be the proxy user credential or password.

  CAUTION: After using the -f file option you should delete or protect the file as it could be a security risk.
- -d DN
  configures the proxy user distinguished name to be DN.
- -c passwd
  configures the proxy user credential or password to be passwd.
- -p
  prints the DN of the current proxy user.
- -v
  verifies the current proxy user and credential by connecting to the server.
- -h
  displays help on this command.

With no options, ldap_proxy_config configures the proxy user as specified in the file /etc/opt/ldapux/pcred.

The following example configures the proxy user as CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com with the password prox12pw and creates or updates the file /etc/opt/ldapux/pcred with this information:

    ldap_proxy_config -i
    CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com
    prox12pw

The following example displays the current proxy user:

    ldap_proxy_config -p
    PROXY_DN: CN=Proxy User,CN=users,DC=cup,DC=hp,DC=com

The following example checks the configured proxy user information and checks whether or not the client can bind to the directory as the proxy user with LDAP-UX Client Services B.03.10 or earlier:

    ldap_proxy_config -v
    File Credentials verified - valid

The following example configures the proxy user as CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com with the password prox12pw and creates or updates the file /etc/opt/ldapux/pcred with this information:

    ldap_proxy_config -d "CN=Proxy User,CN=Users,DC=cup,DC=hp,DC=com" -c prox12pw

The following example configures the proxy user with the contents of the file proxyfile and updates the file /etc/opt/ldapux/pcred with this information (the pcred file must exist first):

    ldap_proxy_config -f proxyfile

The file proxyfile must contain two lines: the proxy user DN on the first line and password on the second line.
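
The -f procedure and its CAUTION, as an added shell example that is not part of the original HP documentation: it creates the two-line file with owner-only permissions, checks it, loads it, and deletes it afterwards, which also keeps the password out of a command's argument list (where -c passwd would leave it readable through ps). The function names and the PROXY_TOOL variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not HP code): stage the two-line file for "ldap_proxy_config -f".
# PROXY_TOOL is an overridable assumption so the logic can run against a stub.
PROXY_TOOL=${PROXY_TOOL:-/opt/ldapux/config/ldap_proxy_config}

# write_proxy_file FILE DN PASSWORD
# Creates FILE with owner-only permissions. noclobber (set -C) refuses to
# write through an existing file or symlink; the here-document keeps the
# password out of any external command's argument list.
write_proxy_file() {
    (
        set -C
        umask 077
        cat > "$1" <<EOF
$2
$3
EOF
    )
}

# check_proxy_file FILE
# Returns 1 if FILE is not a regular non-symlink file, 2 if its mode is
# anything other than owner read or read/write, 3 if it does not hold
# exactly two non-empty lines (DN, then password).
check_proxy_file() {
    [ -f "$1" ] && [ ! -h "$1" ] || return 1
    case $(ls -ld "$1") in
        -r[w-]-------*) ;;
        *) return 2 ;;
    esac
    [ $(( $(wc -l < "$1") )) -eq 2 ] || return 3
    if grep -q '^$' "$1"; then return 3; fi
    return 0
}

# configure_proxy FILE
# Checks FILE, loads it with -f, then deletes it whether or not the tool
# succeeded. Returns the tool's exit status (or the check's failure code).
configure_proxy() {
    check_proxy_file "$1" || return $?
    rc=0
    "$PROXY_TOOL" -f "$1" || rc=$?
    rm -f "$1"
    return "$rc"
}
```

Run it as root, as ldap_proxy_config requires, and make sure /etc/opt/ldapux/pcred already exists before loading the file with -f.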

beq Search Tool

The new beq tool expands the search capability beyond that currently offered by nsquery, which is limited to hosts, passwd, and group. This search utility bypasses the name service switch and queries the backend directly based on the specified library. The search will include the following services: pwd, grp, shd, srv, prt, rpc, hst, net, ngp, and grm.

NOTE: HP does not support the beq tool at the present time.

The syntax for this tool, along with example output, is shown below.

    beq -k [n|d] -s <service> (-l <library>) (-h | -H <#>) <id1> (<id2> (...))

where:

- -k [n|d]
  Required. The search key may be either n for name string or d for digit (a numeral search).
- -s <service>
  Required. Indicates what backends are to be searched for information.
- -l <library>
  Query the backend directly. Bypass the APIs and skip the name service switch.
- -h
  Provides Help on this command.
- -H <#>
  Specifies Help level (0-5). Larger numbers provide more information. If you specify -h or -H, no other parameters are needed.

Table C-4 (Syntax)

| Service | Description |
|---|---|
| pwd | Password |
| grp | Group |
| shd | Shadow Password |
| srv | Service |
| prt | Protocol |
| rpc | RPC |
| hst | Host |
| net | Network |
| ngp | Netgroup |
| grm | Group Membership |

An example beq command using igrp1 (group name) as the search key, grp (group) as the service, and ldap as the library is shown below:

    ./beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1
    nss_status.............. NSS_SUCCESS
    pw_name...........(iuser1)
    pw_passwd.........(*)
    pw_uid............(101)
    pw_gid............(21)
    pw_age............()
    pw_comment........()
    pw_gecos..........(gecos data in files)
    pw_dir............(/home/iuser1)
    pw_shell..........(/usr/bin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)

An example beq command using user name adm as the search key, pwd (password) as the service, and files as the library is shown below:

    ./beq -k n -s pwd -l /usr/lib/libnss_files.1 adm
    nss_status.............. NSS_SUCCESS
    pw_name...........(adm)
    pw_passwd.........(*)
    pw_uid............(4)
    pw_gid............(4)
    pw_age............()
    pw_comment........()
    pw_gecos..........()
    pw_dir............(/var/adm)
    pw_shell..........(sbin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)

An example beq command using uid number 102 as the search key, pwd (password) as the service, and ldap as the library is shown below:

    ./beq -k d -s pwd -l /usr/lib/libnss_ldap.1 102
    nss_status.............. NSS_SUCCESS
    pw_name...........(user2)
    pw_passwd.........(*)
    pw_uid............(102)
    pw_gid............(21)
    pw_age............()
    pw_comment........()
    pw_gecos..........(gecos data in files)
    pw_dir............(/home/iuser2)
    pw_shell..........(/usr/bin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)

An example beq command using group name igrp1 as the search key, grp (group) as the service, and ldap as the library is shown below:

    ./beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1
    nss_status.............. NSS_SUCCESS
    gr_name...........(igrp1)
    gr_passwd.........(*)
    gr_gid............(21)
    pw_age............()
    gr_mem (iuser1) (iuser2) (iuser3)

An example beq command using gid number 22 as the search key, grp (group) as the service, and ldap as the library is shown below:

    ./beq -k d -s grp -l /usr/lib/libnss_ldap.1 22
    nss_status.............. NSS_SUCCESS
    gr_name...........(igrp2)
    gr_passwd.........(*)
    gr_gid............(22)
    pw_age............()
    gr_mem (iuser1)