To configure the LDAP-UX Client Services, complete the steps in this section. If you intend to enable SSL support with LDAP-UX, you must configure the LDAP directory server to support SSL and install the security database (cert7.db and key3.db) on your client before you run the setup program. For SSL setup details, refer to "Configuring the LDAP-UX Client Services with SSL Support".

Step 1: Run the Setup Program
This section describes in detail the steps you need to take to configure LDAP-UX Client Services with Windows 2000 Active Directory. In summary, you will need to run the setup program to extend the profile schema into Active Directory and to create specific profile entries. The setup program also creates the necessary files on your client system and configures the proxy user. If you want to use SSL, you must have the certificate database files, cert7.db and key3.db, on your client system before you run the setup program.

1. Log in as root and run the setup program:

       cd /opt/ldapux/config
       ./setup

   The setup program asks you a series of questions and usually provides default answers. Press the Enter key to accept the default, or change the value and press the Enter key. At any point during setup, press Control-b to return to the previous screen or Control-c to exit setup.

2. Choose Windows 2000 as your LDAP directory server (option 2).

3. Enter either the host name or IP address of the directory server where your profile exists, or where you want to create a new profile.

4. Enter the port number on the directory server specified in the previous step where you want to store the profile, from Appendix A. The default port number is 389.

5. To check whether the directory schema has been extended with the LDAP-UX Client Services object class DUAConfigProfile, enter the DN (Distinguished Name) and password of a directory user. This check must be done, but it only needs to be done once. See Appendix B for a detailed description of these object classes.

6. If the schema has already been extended, setup skips this step. Otherwise, to extend the schema, enter the DN and password of a directory user who can extend the directory schema, from Appendix A.

7. Enter either the DN of a new profile or the DN of an existing profile, from Appendix A. For new profiles, the profile object must be created under the ConfigurationNamingContext container, which is usually CN=Configuration,<domain root>, or under any path whose object class is Container. These container entries must exist before any new profile entries can be created. To display all the profiles in the directory, use a command like the following:

       ldapsearch -D <directory user> -w <credentials> -s sub \
           -b "CN=Configuration, DC=cup, DC=hp, DC=com" \
           -h <Active Directory host> -p <Active Directory port> \
           objectclass=DUAConfigProfile

   A password passed with -w is visible to every user of the client in the process list while the command runs, so run this command only from a trusted session.

   If you are using an existing profile, setup configures your client, downloads the profile, and exits. In this case, continue with "Step 2: Install the PAM Kerberos Product".

8. If you are creating a new profile, enter the DN and password of a directory user who can create a new profile, from Appendix A.

9. Choose the attribute map set to be used with the directory server. You can select SFU 2.0 (option 1) or SFU 3.0 (option 2). By default, SFU 3.0 (option 2) is used as the attribute map set.

10. Next, you are asked whether you want to use SSL. Enter yes if you want to use SSL for secure communication between LDAP clients and the Windows 2000 Active Directory server; enter no if you do not. Without SSL, the proxy user's bind password and all directory data cross the network in clear text. If the certificate database files, cert7.db and key3.db, do not exist on your client system, setup skips this step.

11. Enter the host name and port number of the directory where your account and group data is, from Appendix A. You can enter up to three hosts, to be searched in order.

12. Enter the base DN where clients should search for name service data, from Appendix A.

13. Enter No when prompted whether you want to accept the remaining default configuration parameters.

14. For Active Directory, you must set access to the directory by proxy user, because anonymous binding does not grant enough access rights to an Active Directory. Enter the DN and password of your proxy user, from Appendix A. Create the proxy user as an ordinary account with read access to the name service data only; do not reuse the schema or profile administrator credentials from steps 6 and 8.

15. Enter the maximum time in seconds the client should wait for binding to the directory before aborting (the "bind time"). Enter 0 for no time limit.

    CAUTION: The default client binding time is 5 seconds. Depending on the load on your directory, this default value may not be high enough to service all database requests.

16. Enter the maximum time in seconds the client should wait for directory searches before aborting. Enter 0 for no time limit.

17. The screen displays the question: Do you want client searches of the directory to follow referrals? Enter No. Referrals are currently not certified with Active Directory. Check the release notes at http://docs.hp.com/hpux/internet for additional information.

18. Enter the Profile Time To Live (TTL) value. This value defines the time interval between automatic downloads (refreshes) of new configuration profiles from the directory. Automatic refreshing ensures that the client is always configured using the newest configuration profile. If you want to disable automatic refresh or manually control when the refresh occurs, enter a value of 0. Refer to "Downloading the Profile Periodically".

19. Enter whether or not you want to remap the standard object class attributes to alternate attributes. You need to do this if your user and group data do not conform to the object classes defined in RFC 2307: posixAccount, posixGroup, and shadowAccount. You can remap the attributes for any of the supported services: passwd, shadow passwd, group, PAM, netgroup, rpc, protocols, networks, hosts, and services. Select the service you want to remap, then select the attribute you want to remap and enter the new attribute name. For example, you might map the standard UNIX user ID number attribute uidnumber to an employeeID attribute.

    NOTE: Make sure that the attribute names are entered correctly to avoid unpredictable results later.

    Refer to RFC 2307 at http://www.ietf.org/rfc/rfc2307.txt for a description of the standard object classes and attributes.

    Optionally, you can set up X.500 group membership by mapping the memberuid attribute to member. Answer the prompts as follows (3 selects the group service and its membership attribute):

        Specify the service you want to map? [0]: 3
        Specify the attribute you want to map? [0]: 3
        Enter the attributes you want to map to the member attribute: [memberuid]: member

    Follow the prompts to finish the setup.

20. Select whether you want to create custom search descriptors for any of the supported name services, then select the service you want to create a custom search descriptor for.

    NOTE: Custom search descriptors have no relevance for PAM Kerberos. PAM Kerberos is the only certified authentication method for LDAP-UX Client Services with Active Directory.

    A custom search descriptor consists of three parts: a search base DN, a scope, and a filter. Use custom search descriptors if you want clients to search different locations in the directory or to apply different search filters. For example, some clients might search for employees only in a particular department. Each service can have up to three different search descriptors. The client uses the search descriptors in order until it finds what it is looking for.

    NOTE: The default search base DN for all requests is set to the previously specified default search base DN (specified in step 12), usually the domain root. For very large databases, search performance can be greatly increased by specifying custom search descriptors. For example, to search user and group information, set the search base DN for the user and group services to CN=Users,DC=cup,DC=hp,DC=com. If your search filters overlap, enumeration requests will return duplicate entries. For example, if one search filter searched a subset of your organization and a second search filter searched your entire organization, an enumeration request would return duplicate entries. Refer to "Enumeration Requests".

21. Enter Yes to the question Are you ready to create the Profile Entry?, then press any key to continue.

22. At this point, you choose whether or not to configure for Multiple Domains.

    - If you will not be configuring for Multiple Domains, continue with step 23.
    - If you will be configuring for Multiple Domains, enter Yes to the question Do you wish to configure multiple-domain support?
    - If you will be using Remote Domain Configuration, enter Yes to the next question. (If you enter No, skip the rest of this bullet and proceed to the next one.) You will loop through a series of screens that allow you to create as many profiles as you wish; one profile is created for each pass through the loop. Read the explanation paragraph(s) on the next screen carefully before answering the question, then enter the appropriate domain name. You then return to step 3 through step 21 of this procedure for each profile to be created. When you have added as many profiles as you wish, enter No to the question Do you wish to configure another profile for remote domain?
    - If you will be using the GCS, enter Yes to the next question. If you enter No, proceed to step 23. You then return to step 3 through step 21 of this procedure to create the profile for the GCS.

      NOTE: When you configure the default search base for the GCS, you must make sure that the base covers everything that you want to include. For example, in a forest containing two domain trees (ca.hp.com and ny.hp.com), if you specify ca.hp.com as the GCS search base, none of the data under the ny.hp.com domain tree will be found. You must specify hp.com to cover the entire forest. The setup tool offers the root domain as the default search base; you must override it in order to cover the entire forest.

      Read the instructions on each screen carefully, as some of the answers to these questions differ from the last two times you went through them. When you have finished building the profile for the GCS, configure the profiles for each domain that is used by the global catalog search: again return to step 3 through step 21 of this procedure until you have configured each profile needed by the global catalog search. When this process is complete, continue to the next step.

23. Reply to the question Would you like to start/restart the LDAP-UX daemon? Starting with LDAP-UX Client Services B.03.20, the product daemon, /opt/ldapux/bin/ldapclientd, must be running for LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or earlier, running ldapclientd is optional, but it must be started in order to use multiple domains and X.500 features.
Step 2: Install the PAM Kerberos Product
LDAP-UX Client Services with Active Directory uses the Kerberos authentication method. If PAM Kerberos is not already available on your system, you need to install and configure it. Some instructions for doing this are given in Step 3; additional information can be found in the Configuration Guide for Kerberos Products on HP-UX, available at http://docs.hp.com/hpux/internet.

For HP-UX 11.0, use swinstall(1M) to install the PAM Kerberos product J5849AA. The software can be downloaded from http://software.hp.com. To work with LDAP-UX Client Services B.03.00, you need PAM Kerberos version v1.10 or later. If your system already has an older version of PAM Kerberos, you need to re-install it with the new version.

For HP-UX 11i, PAM Kerberos is included on the operating system CD. By default, PAM Kerberos is installed with the operating system unless you deselect it. However, you still need to download and install the latest version (v1.10 or later). Refer to the Configuration Guide for Kerberos Products in the HP-UX Release Notes, available at http://docs.hp.com/hpux/internet, for any last-minute changes.

You also need to install the required patch; refer to /opt/ldapux/README-LdapUxClient for patch information. The /opt/ldapux/README-LdapUxClient file is available after you install the NativeLdapClient subproduct.

Step 3: Configure Your HP-UX Machine to Authenticate Using PAM Kerberos
1. Create /etc/krb5.conf, the Kerberos configuration file, which specifies the default realm, the location of a Key Distribution Center (KDC) server, and the logging file names. The Kerberos client depends on this configuration to locate the realm's KDC. The following is an example of /etc/krb5.conf for the realm CUP.HP.COM with the machine myhost.cup.hp.com as KDC:

       [libdefaults]
       default_realm = CUP.HP.COM
       default_tgs_enctypes = DES-CBC-CRC
       default_tkt_enctypes = DES-CBC-CRC
       ldapux_multidomain = 1          (add this line only if using Multiple Domains)
       ccache_type = 2

       [realms]
       CUP.HP.COM = {
           kdc = MYHOST.CUP.HP.COM:88
           kpasswd_server = MYHOST.CUP.HP.COM:464
       }

       [domain_realm]
       cup.hp.com = CUP.HP.COM

       [logging]
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmin.log
       default = FILE:/var/log/krb5lib.log

   DES-CBC-CRC is a weak, deprecated encryption type; it is listed here because it is what the Windows 2000 domain controller and the keytab created with ktpass support, so do not rely on it to protect tickets against a capable attacker on the network.

   NOTE: The permissions of the /etc/krb5.conf file should be set to 644 and the owner should be root.

   For Multiple Domains: for each domain you configure in LDAP-UX, you need to add its KDC entry to the /etc/krb5.conf file. For a sample file that supports two domains, refer to Appendix E "Sample /etc/krb5.conf File".

2. Add the Kerberos services to the /etc/services file if they do not exist yet. A Kerberos client requires the following entries in /etc/services for the Kerberos PAM services:

       kerberos5      88/udp   kdc   # Kerberos V5 kdc
       kerberos5      88/tcp   kdc   # Kerberos V5 kdc
       kerberos-sec   88/udp   kdc   # Kerberos V5 kdc
       kerberos-sec   88/tcp   kdc   # Kerberos V5 kdc
       kerberos       750/udp  kdc   # Kerberos V5 kdc
       kerberos       750/tcp  kdc   # Kerberos V5 kdc
       klogin         543/tcp        # Kerberos rlogin -kfall
       kshell         544/tcp  cmd   # Kerberos remote shell
       kerberos-adm   749/tcp        # Kerberos 5 admin/changepw
       kerberos-adm   749/udp        # Kerberos 5 admin/changepw
       krb5_prop      754/tcp        # Kerberos slave propagation
       kerberos-adm   464/udp        # Kerberos Password Change protocol
       kerberos-cpw   464/tcp        # Kerberos Password Change protocol

3. Add a host key to the /etc/krb5.keytab file. The keytab file is the one created with ktpass, as described in the previous section on Windows 2000. You need to securely transfer the previously created keytab file to your HP-UX machine and name it krb5.keytab in the /etc directory. If you already have an existing /etc/krb5.keytab file, merge the new keytab file with the existing one; ktutil is a tool provided with the Kerberos product for maintaining the keytab file.

   NOTE: The keytab file should only be readable by the root user. It contains the host's long-term Kerberos key, and anyone who can read it can impersonate the host to the domain.

4. Synchronize the HP-UX clock to the Windows 2000 clock. The two clocks must be synchronized within two minutes. You can run Network Time Synchronizer to synchronize both clocks. If the tool is not available, you can manually synchronize them by setting "Date/Time Properties" on Windows 2000 and running /etc/set_parms date_time on HP-UX.

5. Configure /etc/pam.conf, the PAM configuration file that specifies PAM service modules for PAM applications, to use PAM Kerberos. To use PAM Kerberos as the authentication module, edit /etc/pam.conf to include the PAM Kerberos library /usr/lib/security/libpam_krb5.1 for all four services: authentication, account management, session management, and password management. A sample PAM configuration file can be found in Appendix D "Sample PAM Configuration File".

   NOTE: The sample file reflects the recommendation to keep the root user in /etc/passwd local on each client machine and to allow for local account management of the root user. This guarantees local access to the system in case the network is down.
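The following shell script is an added example, not part of HP's documentation or the LDAP-UX product. It generates a krb5.conf in the layout shown above for one or more Active Directory domains, emitting ldapux_multidomain = 1 only when more than one domain is given, and completes a services file with the Kerberos entries listed above without duplicating lines already present. It assumes that the realm name is the domain name in upper case and that each domain's KDCs answer on the domain's own DNS name, which Active Directory registers for its domain controllers; replace that with explicit KDC host names if your DNS does not resolve the domain name. The output paths and the demonstration's temporary directory are arbitrary.

```shell
#!/bin/sh
# Added example (not HP's code): build a krb5.conf for one or more Active
# Directory domains and add the Kerberos entries to a services file.
# Assumptions: realm = domain name upper-cased; KDC host = domain name.

upper() { echo "$1" | tr '[:lower:]' '[:upper:]'; }

# gen_krb5_conf OUTFILE DOMAIN [DOMAIN ...]
# The first domain becomes default_realm. ldapux_multidomain = 1 is written
# only when more than one domain is given, as the text above requires.
gen_krb5_conf() {
    out=$1; shift
    {
        printf '[libdefaults]\n'
        printf 'default_realm = %s\n' "$(upper "$1")"
        printf 'default_tgs_enctypes = DES-CBC-CRC\n'
        printf 'default_tkt_enctypes = DES-CBC-CRC\n'
        if [ $# -gt 1 ]; then printf 'ldapux_multidomain = 1\n'; fi
        printf 'ccache_type = 2\n\n[realms]\n'
        for d in "$@"; do
            r=$(upper "$d")
            printf '%s = {\n    kdc = %s:88\n    kpasswd_server = %s:464\n}\n' "$r" "$r" "$r"
        done
        printf '\n[domain_realm]\n'
        for d in "$@"; do
            r=$(upper "$d")
            # exact host name and (leading dot) every host below the domain
            printf '%s = %s\n.%s = %s\n' "$d" "$r" "$d" "$r"
        done
        printf '\n[logging]\n'
        printf 'kdc = FILE:/var/log/krb5kdc.log\n'
        printf 'admin_server = FILE:/var/log/kadmin.log\n'
        printf 'default = FILE:/var/log/krb5lib.log\n'
    } > "$out"
    chmod 644 "$out"    # the text requires mode 644; chown root when run as root
}

# add_kerberos_services SERVICESFILE
# Appends each required entry unless the file already maps that service
# name to that port/protocol. Prints the number of entries added.
add_kerberos_services() {
    svc=$1; added=0
    while read -r name port rest; do
        [ -z "$name" ] && continue
        if ! grep -E "^${name}[[:space:]]+${port}([[:space:]]|\$)" "$svc" >/dev/null; then
            printf '%s\t%s\t%s\n' "$name" "$port" "$rest" >> "$svc"
            added=$((added + 1))
        fi
    done <<EOF
kerberos5 88/udp kdc # Kerberos V5 kdc
kerberos5 88/tcp kdc # Kerberos V5 kdc
kerberos-sec 88/udp kdc # Kerberos V5 kdc
kerberos-sec 88/tcp kdc # Kerberos V5 kdc
kerberos 750/udp kdc # Kerberos V5 kdc
kerberos 750/tcp kdc # Kerberos V5 kdc
klogin 543/tcp # Kerberos rlogin -kfall
kshell 544/tcp cmd # Kerberos remote shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 464/udp # Kerberos Password Change protocol
kerberos-cpw 464/tcp # Kerberos Password Change protocol
EOF
    echo "$added"
}

# Demonstration on a constructed services file in a temporary directory.
tmp=$(mktemp -d)
gen_krb5_conf "$tmp/krb5.conf" cup.hp.com ny.hp.com
printf 'ftp\t21/tcp\nkerberos5\t88/udp\tkdc\n' > "$tmp/services"   # constructed
echo "added $(add_kerberos_services "$tmp/services") Kerberos service entries"
cat "$tmp/krb5.conf"
rm -rf "$tmp"
```

Run it as root with the real paths (/etc/krb5.conf, /etc/services) only after reviewing the generated realm and KDC names against Appendix A; the demonstration at the bottom writes nothing outside its temporary directory.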
Step 4: Configure the Name Service Switch (NSS)

The Name Service Switch (NSS) needs to be modified to retrieve your account and group information from Active Directory. Save a copy of the file /etc/nsswitch.conf and edit the original to specify the ldap name service and the other name services you want to use. Refer to /etc/nsswitch.ldap for an example; you may be able to simply copy /etc/nsswitch.ldap to /etc/nsswitch.conf. Refer to nsswitch.conf(4) for more information.

Step 5: Configure the Disable Login Flag

Save a copy of the file /etc/opt/ldapux/ldapux_client.conf and edit the original to activate the disable_uid_range flag. Uncomment the flag in the [NSS] portion of the file and fill in the UID range. The format is

    disable_uid_range=uid#,[uid#-uid#],...

For example:

    disable_uid_range=0-100,300-450,89

UIDs in these ranges are never looked up in the directory, so the corresponding accounts (typically root and the system accounts, as in the example) are resolved from local files only.

Step 6: Verify LDAP-UX Client Services for Single Domain
This section describes some simple ways you can verify the installation and configuration of your LDAP-UX Client Services. You may need to do more elaborate and detailed testing, especially if you have a large environment.

1. Use the nsquery(1) command to test the name service:

       nsquery lookup_type lookup_query [lookup_policy]

   For example, to test the name service switch by resolving a username lookup, enter:

       nsquery passwd username ldap

   where username is the login name of a valid user whose POSIX account information is in the directory. You should see output something like the following, depending on how you have configured /etc/nsswitch.conf:

       Using "files ldap" for the passwd policy.
       Searching /etc/passwd for jbloggs
       jbloggs was NOTFOUND
       Switch configuration: Allows fallback
       Searching ldap for jbloggs
       User name: jbloggs
       User Id: 644
       Group Id: 20
       Gecos: John Bloggs,43L-C3,555-1212
       Home Directory: /home/jbloggs
       Shell: /usr/bin/ksh
       Switch configuration: Terminates Search

   This tests the NSS configuration in /etc/nsswitch.conf. If you do not see output similar to the above, check /etc/nsswitch.conf for proper configuration.

2. Use other commands to display information about users in the directory, making sure the output is as expected:

       pwget -n username
       grget -n groupname
       ls -l

   NOTE: While you can use the following commands to verify your configuration, they enumerate the entire passwd or group database, which may reduce network and directory server performance for large databases: pwget (with no options), grget (with no options), listusers, logins.

3. Use the beq search utility to search the following services: pwd (password), grp (group), shd (shadow password), srv (service), prt (protocol), rpc (RPC), hst (host), net (network), ngp (netgroup), and grm (group membership). An example beq command using name as the search key, grp as the service, and ldap as the library is shown below, followed by its output:

       ./beq -k n -s grp -l /usr/lib/libnss_ldap.1 igrp1

       nss_status........NSS_SUCCESS
       pw_name...........(iuser1)
       pw_passwd.........(*)
       pw_uid............(101)
       pw_gid............(21)
       pw_age............()
       pw_comment........()
       pw_gecos..........(gecos data in files)
       pw_dir............(/home/iuser1)
       pw_shell..........(/usr/bin/sh)
       pw_audid..........(0)
       pw_audflg.........(0)

   Refer to "beq Search Tool" in Appendix C "Command, Tool, and Migration Script Reference" for command syntax and examples.

4. Log in to the client system from another system using rlogin or telnet. Log in as a user in the directory and as a user in /etc/passwd to make sure both work. Note that rlogin and telnet send the password over the network in clear text; if a Secure Shell client is available on the client system, use it for this test instead.

5. Optionally, test your pam_authz authorization configuration by following these steps:

   - Log in to the client system from another system using rlogin or telnet. From there, log in to the directory as a member of +@netgroup to verify that pam_authz authorizes you and is working correctly.
   - Log in to the directory as a member of -@netgroup to be sure that the system will not authorize you to log in.

6. Open a new hpterm(1X) window and log in to the client system as a user whose account information is in the directory. It is important that you open a new hpterm window or log in from another system, because if login does not work you could be locked out of the system and would have to reboot to single-user mode. This tests the PAM configuration in /etc/pam.conf. If you cannot log in, check /etc/pam.conf for proper configuration. Also check your directory to make sure the user account information is accessible by the proxy user or anonymously, as appropriate, and check your profile to make sure it looks correct. Also refer to "Troubleshooting" for more information.

7. Use the ls(1) or ll(1) command to examine files belonging to a user whose account information is in the directory. Make sure the owner and group of each file are accurate:

       ll /tmp
       ls -l

   If any owner or group shows up as a number instead of a user or group name, the name service switch is not functioning properly. Check the file /etc/nsswitch.conf, your directory, and your profile.

8. If you have configured a multi-domain setup and you want to verify it, execute the following two steps. Otherwise, continue with "Step 7: Configure Subsequent Client Systems". The following steps verify that LDAP-UX is able to retrieve data from multiple ADS domains:

   - Create or import a POSIX user account into an ADS remote domain (for example, the user account smith). This is identical to how you set it up for a single domain, except that now you put it into a remote domain.
   - Run pwget -n smith. If it returns valid data, LDAP-UX is working with multiple ADS domains. If no data is returned, the setup was not successful.
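The following shell functions are an added example, not HP's code, that automate checks from Steps 3, 5 and 6 above and exercise them on constructed sample input: whether a UID falls inside a disable_uid_range specification (on the reading above that such UIDs are resolved from local files only), whether a PAM service in pam.conf has a libpam_krb5.1 line for all four module types, whether the keytab is readable by root only, and whether an ls -l listing contains numeric owners or groups that the name service switch failed to resolve. The pam.conf lines, the listing lines and the temporary keytab are constructed for the demonstration and are not taken from a real system; ownership of the keytab (field 3 of ls -ld must be root) is left for the caller to check.

```shell
#!/bin/sh
# Added example (not HP's code): post-configuration checks for an LDAP-UX
# client. Each function returns 0 on success so it can drive a script.

# uid_disabled UID RANGESPEC
# RANGESPEC uses the disable_uid_range syntax, e.g. "0-100,300-450,89".
# Returns 0 when UID lies inside one of the listed ranges or single values,
# i.e. (as assumed in the lead-in) the account is resolved locally only.
uid_disabled() {
    uid=$1 spec=$2 found=1
    oldifs=$IFS; IFS=,
    for part in $spec; do
        case $part in
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part;       hi=$part ;;
        esac
        if [ "$uid" -ge "$lo" ] && [ "$uid" -le "$hi" ]; then
            found=0; break
        fi
    done
    IFS=$oldifs
    return $found
}

# pam_krb5_complete PAMCONF SERVICE
# HP-UX pam.conf lines are: service type control module [options].
# Returns 0 when SERVICE has a libpam_krb5.1 line for each of the four
# module types (auth, account, session, password) the text requires.
pam_krb5_complete() {
    n=$(awk -v svc="$2" '
        $1 == svc && $2 ~ /^(auth|account|session|password)$/ \
            && $4 ~ /libpam_krb5\.1/ { seen[$2] = 1 }
        END { c = 0; for (t in seen) c++; print c }' "$1")
    [ "$n" -eq 4 ]
}

# file_mode PATH: permission string from ls -ld, with any trailing
# ACL or security-context marker (+ or .) some ls versions append removed.
file_mode() { ls -ld "$1" | awk '{ sub(/[.+]$/, "", $1); print $1 }'; }

# keytab_private PATH: the keytab must be readable by root only (mode 600).
keytab_private() { [ "$(file_mode "$1")" = "-rw-------" ]; }

# unresolved_owners < ls-l-output
# Prints owner|group|name for entries whose owner or group is numeric,
# the symptom of a name service switch that cannot resolve directory users.
unresolved_owners() {
    awk '$3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/ { print $3 "|" $4 "|" $NF }'
}

# Demonstration on constructed data (not from a real client).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'login    auth     required /usr/lib/security/libpam_krb5.1' \
        'login    account  required /usr/lib/security/libpam_krb5.1' \
        'login    session  required /usr/lib/security/libpam_krb5.1' \
        'login    password required /usr/lib/security/libpam_krb5.1' \
        'dtlogin  auth     required /usr/lib/security/libpam_unix.1' \
        > "$tmp/pam.conf"
    : > "$tmp/krb5.keytab"; chmod 600 "$tmp/krb5.keytab"
    uid_disabled 0   "0-100,300-450,89" && echo "uid 0: local only"
    uid_disabled 200 "0-100,300-450,89" || echo "uid 200: may come from ldap"
    pam_krb5_complete "$tmp/pam.conf" login   && echo "login: krb5 complete"
    pam_krb5_complete "$tmp/pam.conf" dtlogin || echo "dtlogin: krb5 incomplete"
    keytab_private "$tmp/krb5.keytab" && echo "keytab: mode 600"
    printf '%s\n' \
        '-rw-r--r--   1 jbloggs  users   12 Mar  3 10:00 notes' \
        '-rw-r--r--   1 644      20      12 Mar  3 10:01 broken' \
        | unresolved_owners
    rm -rf "$tmp"
}
demo
```

On a real client, point pam_krb5_complete at /etc/pam.conf for each login service you use (login, dtlogin, su, and so on), pipe `ls -l` of a directory owned by directory users into unresolved_owners, and run keytab_private against /etc/krb5.keytab after copying it in Step 3.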
Step 7: Configure Subsequent Client Systems

Once you have configured your directory and one client system, you can configure subsequent client systems using the following steps. Modify any of the copied files as needed.

1. Use swinstall to install LDAP-UX Client Services on the client system. This requires rebooting the client system.

2. Copy the following files from a configured client to the client being configured:

       /etc/opt/ldapux/ldapux_client.conf
       /etc/opt/ldapux/pcred   (only if you have configured a proxy user, not if you are using only anonymous access)

   pcred holds the proxy user's credentials: transfer it over a channel that protects its confidentiality and keep it readable by root only on the new client.

3. Download the profile by running get_profile_entry as follows:

       cd /opt/ldapux/config
       ./get_profile_entry -s nss -D bindDN -w password

   If you are using multiple domains, download profiles for the GCS and each remote domain. Refer to Appendix C "Command, Tool, and Migration Script Reference", section "The get_profile_entry Tool", for information about downloading these profiles.

   Alternatively, you can run the setup program interactively to download the profile from the directory, responding No when prompted whether you want to change the current configuration:

       cd /opt/ldapux/config
       ./setup

4. If you are using a proxy user, configure the proxy user by calling ldap_proxy_config as follows:

       cd /opt/ldapux/config
       ./ldap_proxy_config

5. Refer to "Step 6: Verify LDAP-UX Client Services for Single Domain" for information on verifying the installation and configuration of your LDAP-UX Client Services.