Hp Ux Ldap Integration Software Administrators Guide
2015-03-28
: Hp Hp-Hp-Ux-Ldap-Ux-Integration-Software-Administrators-Guide-669716 hp-hp-ux-ldap-ux-integration-software-administrators-guide-669716 hp pdf
Open the PDF directly: View PDF 
.
Page Count: 214
| Download | |
| Open PDF In Browser | View PDF |
LDAP-UX Client Services B.04.00
Administrator’s Guide
HP-UX 11i v1, v2 and v3
Edition 5
Manufacturing Part Number : J4269-90071
E0207
© Copyright 2007 Hewlett-Packard Company, L.P.
Legal Notices
The information in this document is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this
manual, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Hewlett-Packard
shall not be held liable for errors contained herein or direct, indirect,
special, incidental or consequential damages in connection with the
furnishing, performance, or use of this material.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard
product and replacement parts can be obtained from your local Sales and
Service Office.
U.S. Government License
Proprietary computer software. Valid license from HP required for
possession, use or copying. Consistent with FAR 12.211 and 12.212,
Commercial Computer Software, Computer Software Documentation,
and Technical Data for Commercial Items are licensed to the U.S.
Government under vendor's standard commercial license.
Copyright Notices
Copyright 2006 Hewlett-Packard Company L.P. All rights reserved.
Reproduction, adaptation, or translation of this document without prior
written permission is prohibited, except as allowed under the copyright
laws.
Trademark Notices
UNIX is a registered trademark in the United States and other
countries, licensed exclusively throughThe Open Group.
NIS is a trademark of Sun Microsystems, Inc.
Netscape and Netscape Directory Server are registered trademarks of
Netscape Communications Corporation in the United States and other
countries. Other product and brand names are trademarks of their
respective owners.
ii
Contents
1. Introduction
Overview of LDAP-UX Client Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
How LDAP-UX Client Services Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Installing And Configuring LDAP-UX Client Services
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Summary of Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Plan Your Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Install LDAP-UX Client Services on a Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configure Your Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Import Name Service Data into Your Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Steps to Importing Name Service Data into Your Directory . . . . . . . . . . . . . . . . . . . 26
Configure the LDAP-UX Client Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Quick Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Custom Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Configure the LDAP-UX Client Serivces with SSL Support . . . . . . . . . . . . . . . . . . . . 41
Configuring the LDAP-UX Client to Use SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configure LDAP-UX Client Services with Publickey Support . . . . . . . . . . . . . . . . . . . 46
HP-UX Enhanced Publickey-LDAP Software Requirement on HP-UX 11i v1 or v2 46
Extending the Publickey Schema into Your Directory . . . . . . . . . . . . . . . . . . . . . . . 48
Admin Proxy User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Setting ACI for Key Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Configuring serviceAuthenticationMethod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring Name Service Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
AutoFS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
AutoFS Patch Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Automount Schemas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Attribute Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Configuring Name Service Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
AutoFS Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Verify the LDAP-UX Client Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Configure Subsequent Client Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Download the Profile Periodically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Use r-command for PAM_LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
3. LDAP Printer Configurator Support
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
iii
Contents
How the LDAP Printer Configurator works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Printer Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Printer Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Managing the LP printer configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Limitations of Printer Configurator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
82
85
86
86
88
91
4. Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
ldapclientd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
ldapclientd.conf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Integrating with Trusted Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Features and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuration Parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
PAM_AUTHZ Login Authorization Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Policy And Access Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
How Login Authorization Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Constructing an Access Rule in pam_authz.policy . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Policy Validator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Adding a Directory Replica . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Displaying the Proxy User’s DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Verifying the Proxy User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Creating a New Proxy User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Displaying the Current Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Creating a New Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Modifying a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Changing Which Profile a Client Is Using . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Changing from Anonymous Access to Proxy Access . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Changing from Proxy Access to Anonymous Access . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Performance Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Minimizing Enumeration Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Client Daemon Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
iv
Contents
ldapclientd Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ldapclientd Persistent Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enabling and Disabling LDAP-UX Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Enabling and Disabling PAM Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Netscape Directory Server Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
User Cannot Log on to Client System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
126
130
131
131
132
133
133
5. Command and Tool Reference
The LDAP-UX Client Services Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Client Management Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The create_profile_entry Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The create_profile_cache Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The create_profile_schema Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The display_profile_cache Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The get_profile_entry Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The ldap_proxy_config Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
beq Search Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The uid2dn Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The get_attr_map.pl Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
LDAP Directory Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ldapentry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ldapsearch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ldapmodify. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ldapdelete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
certutil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Adding One or More Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Name Service Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Naming Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Migrating All Your Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Migrating Individual Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The ldappasswd Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
138
143
143
143
144
144
145
146
150
150
151
153
154
154
155
157
158
158
158
159
160
160
161
161
164
166
166
167
v
Contents
6. User Tasks
To Change Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
To Change Personal Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7. Mozilla LDAP C SDK
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
The Mozilla LDAP C SDK File Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
A. Configuration Worksheet
B. LDAP-UX Client Services Object Classes
Profile Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
C. Sample /etc/pam.ldap.trusted file
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
vi
Tables
Table 1. Publishing History Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Table 1-1. Examples of Commands and Subsystems that use PAM and NSS . . . . . . 4
Table 2-1. Configuration Parameter Default Values . . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 2-2. Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2 . . . . . . . . . 47
Table 2-3. Patch Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Table 2-4. Attribute Mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Table 2-5. Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 4-1. Field Syntax in an Access Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 4-2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Table 5-1. LDAP-UX Client Services Components . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 5-2. LDAP-UX Client Services Libraries on the HP-UX 11.0 or 11i v1 PA
machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Table 5-3. LDAP-UX Client Services Libraries on the HP-UX 11i v2 PA machine 141
Table 5-4. LDAP-UX Client Services Libraries on the HP-UX 11i v2 IA machine. 142
Table 5-5. Default Naming Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Table 5-6. Migration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Table 7-1. Mozilla LDAP C SDK File Components on the PA machine . . . . . . . . . 177
Table 7-2. Mozilla LDAP C SDK File Components on the IA machine. . . . . . . . . . 178
Table 7-3. Mozilla LDAP C SDK API Header Files . . . . . . . . . . . . . . . . . . . . . . . . . 180
Table A-1. LDAP-UX Client Services Configuration Worksheet . . . . . . . . . . . . . . . 183
Table A-2. LDAP-UX Client Services Configuration Worksheet Explanation . . . . 184
vii
Tables
viii
Figures
Figure 1-1. A Simplified NIS Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Figure 1-2. A Simplified LDAP-UX Client Services Environment . . . . . . . . . . . . . . . 3
Figure 1-3. A Simplified LDAP-UX Client Services Environment . . . . . . . . . . . . . . . 5
Figure 1-4. The Local Start-up File and the Configuration Profile . . . . . . . . . . . . . . . 7
Figure 2-1. Example Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 3-1. Printer Configurator Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Figure 4-1. PAM_AUTHZ Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Figure 6-1. Cannot Change Passwords on Replica Servers . . . . . . . . . . . . . . . . . . . 170
Figure 6-2. Changing Passwords on Master Server with ldappasswd . . . . . . . . . . 171
Figure 6-3. Sample passwd Command Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
ix
Figures
x
Preface: About This Document
The latest version of this document can be found on line at:
http://www.docs.hp.com
This document describes how to install and configure LDAP-UX Client
Services product on HP-UX platforms.
The document printing date and part number indicate the document’s
current edition. The printing date will change when a new edition is
printed. Minor changes may be made at reprint without changing the
printing date. The document part number will change when extensive
changes are made.
Document updates may be issued between editions to correct errors or
document product changes. To ensure that you receive the updated or
new editions, you should subscribe to the appropriate product support
service. See your HP sales representative for details.
Intended Audience
This document is intended for system and network administrators
responsible for installing, configuring, and managing the LDAP-UX
Client Services. Administrators are expected to have knowledge of the
LDAP-UX Client Services Integration product.
New and Changed Documentation in This
Edition
This edition documents the following new information for the LDAP-UX
Client Services version B.04.00:
•
Support the automount service under the AutoFS subsystem. This
new feature allows you to store and manage the automount maps in
the LDAP directory server.
•
Support discovery and and management of publickeys in an LDAP
directory.
•
Provide the pam_authz login authorization enhancements. This new
feature allows you to define access rules in the local policy file,
/etc/opt/ldapux/pam_authz.policy.
xi
•
Support NIS+ migration scripts that can be used to migrate from an
NIS+ domain into an LDAP directory server.
•
Support Mozilla LDAP C SDK 5.14.1 which contains a set of LDAP
Application Programming Interfaces (API) to allow you to build
LDAP-enabled clients.
Publishing History
Table 1
Publishing History Details
Document
Manufacturing
Part Number
Operating
Systems
Supported
Supported
Product
Versions
Publicatio
n Date
J4269-90016
11.0, 11i
B.03.00
September
2002
J4269-90030
11.0, 11i v1
and v2
B.03.20
October
2003
J4269-90038
11.0, 11i v1
B.03.30
July 2004
J4269-90040
11.0, 11i v1
and v2
B.03.30
September
2004
J4269-90048
11i v1 and v2
B.04.00
July 2005
J4269-90051
11i v1 and v2
B.04.00
August 2005
J4269-90053
11i v1 and v2
B.04.00
June 2006
J4269-90071
11i v1, v2 and
v3
B.04.00
February
2007
What’s in This document
This manual describes how to install, configure and administer the
LDAP-UX Client Services software product.
The manual is organized as follows:
Chapter 1
xii
Introduction Use this chapter to learn the LDAP-UX
Client Services product features, components and
client administration tools.
Chapter 2
Installing And Configuring LDAP-UX Client
Services Use this chapter to learn how to install,
configure, and use the LDAP-UX Client Services
software.
Chapter 3
LDAP Printer Configurator Support Use this
chapter to learn how to set up, configure, and use the
printer configurator.
Chapter 4
Administering LDAP-UX Client Services Use this
chapter to understand how to administer your
LDAP-UX Clients to keep them running smoothly and
expand them as your computing environment expands.
Chapter 5
Command and Tool Reference Use this chapter to
learn about the commands and tools associated with
the LDAP-UX Client Services product.
Chapter 6
User Tasks Use this chapter to learn how to change
passwords and personal information.
Chapter 7
Mozilla LDAP C SDK Use this chapter to learn the
Mozilla LDAP SDK software features and its major file
components.
xiii
Typographical Conventions
This document uses the following conventions.
Book Title
The title of a book. On the web and on the Instant
Information CD, it may be a hot link to the book itself.
Emphasis
Text that is emphasized.
Bold
Text that is strongly emphasized.
Bold
The defined use of an important word or phrase.
ComputerOut
Text displayed by the computer.
UserInput
Commands and other text that you type.
Command
A command name or qualified command phrase.
Variable
The name of a variable that you may replace in a
command or function or information in a display that
represents several possible values.
[ ]
The contents are optional in formats and command
descriptions. If the contents are a list separated by |,
you must choose one of the items.
{ }
The contents are required in formats and command
descriptions. If the contents are a list separated by |,
you must choose one of the items.
\
The continuous line symbol.
HP Encourages Your Comments
HP encourages your comments concerning this document. We are truly
committed to providing documentation that meets your needs.
Please send comments to: netinfo_feedback@cup.hp.com
Please include document title, manufacturing part number, and any
comment, error found, or suggestion for improvement you have
concerning this document. Also, please include what we did right so we
can incorporate it into other documents.
xiv
1
Introduction
LDAP-UX Client Services simplifies HP-UX system administration by
consolidating account and configuration information into a central LDAP
directory. This LDAP directory could reside on an HP-UX system such as
Netscape Directory Server 6.x, or the account information could be
integrated in Windows 2000/2003 Active Directory.
Information provided in this manual outlines the installation and
administration tasks of LDAP-UX Client Services with HP-UX based
LDAP directories such as Netscape Directory Server 6.x.
For information on the integration of LDAP-UX Client Services with
Windows 2000/2003 Active Directory, see LDAP-UX with Microsoft
Windows 2000/2003 Active Directory Administrator’s Guide
(J4269-90041) at http://docs.hp.com/hpux/internet.
This chapter introduces LDAP-UX Client Services and briefly describes
how it works.
Overview of LDAP-UX Client Services
Traditionally, HP-UX account and configuration information is stored in
text files, for example, /etc/passwd and /etc/group. NIS was developed to
ease system administration by sharing this information across systems
Chapter 1
1
Introduction
Overview of LDAP-UX Client Services
on the network. With NIS, account and configuration information resides
on NIS servers. NIS client systems retrieve this shared configuration
information across the network from NIS servers, as shown below:
Figure 1-1
A Simplified NIS Environment
NIS master server
Map transfers
NIS slave server
NIS slave server
NIS Requests
NIS client
NIS client
NIS client
LDAP-UX Client Services improves on this configuration information
sharing. HP-UX account and configuration information is stored in an
LDAP directory, not on the local client system. Client systems retrieve
this shared configuration information across the network from the LDAP
2
Chapter 1
Introduction
Overview of LDAP-UX Client Services
directory, as shown below. LDAP adds greater scalability,
interoperability with other applications and platforms, and less network
traffic from replica updates.
Figure 1-2
A Simplified LDAP-UX Client Services Environment
LDAP Directory
Server
Updates
LDAP Directory
Server Replica
LDAP Requests
LDAP-UX client
LDAP-UX client
LDAP-UX Client Services supports the following name service data:
passwd, groups, hosts, rpc, services, networks, protocols, publickeys,
automount, netgroup. See the LDAP-UX Integration B.04.00 Release
Notes for any additional supported services.
How LDAP-UX Client Services Works
LDAP-UX Client Services works by leveraging the authentication
mechanism provided in the Pluggable Authentication Module, or PAM,
and the naming services provided by the Name Service Switch, or NSS.
See pam(3), pam.conf(4), and Managing Systems and Workgroups at
http://docs.hp.com/hpux/os for information on PAM. For information on
NSS, see switch(4) and “Configuring the Name Service Switch” in
Installing and Administering NFS Services at
http://docs.hp.com/hpux/communications/#NFS.
These extensible mechanisms allow new authentication methods and
new name services to be installed and used without changing the
underlying HP-UX commands. And, by supporting the PAM architecture,
the HP-UX client becomes truly integrated in the LDAP environment.
The PAM_LDAP library allows the HP-UX system to use the LDAP
directory as a trusted server for authentication. This means that
Chapter 1
3
Introduction
Overview of LDAP-UX Client Services
passwords may not only be stored in any syntax but also means that
passwords may remain hidden from view (preventing a decryption attack
on the hashed passwords). Because passwords may be stored in any
syntax, HP-UX will be able to share passwords with other LDAP-enabled
applications.
With LDAP-UX Client Services B.03.20 or later versions, the client
daemon, ldapclientd, becomes the center of the product. It supports
all NSS backend services for LDAP and data enumeration. It also
supports PAM_LDAP for authentication and password change.
With LDAP-UX Client Services, HP-UX commands and subsystems can
transparently access name service information from the LDAP directory
through ldapclientd. The following table shows some examples of
commands and subsystems that use PAM and NSS:
Table 1-1
Examples of Commands and Subsystems
that use PAM and NSS
Commands that use
NSS
Commands that use PAM and
NSS
ls
login
nsquerya
passwd
who
ftp
whoami
su
fingerb
rlogin
id
telnet
logname
dtlogin
groupsb
remsh
newgrpb
pwgetb
grgetb
listusersb
4
Chapter 1
Introduction
Overview of LDAP-UX Client Services
Table 1-1
Examples of Commands and Subsystems
that use PAM and NSS (Continued)
Commands that use
NSS
Commands that use PAM and
NSS
loginsb
nslookup
a. nsquery(1) is a contributed tool included with the
ONC/NFS product.
b. These commands enumerate the entire passwd or
group database, which may reduce network and
directory server performance for large databases.
Figure 1-3
A Simplified LDAP-UX Client Services Environment
LDAP Directory
Server
LDAP
requests
LDAP C SDK
PAM
ldapclientd
NSS
ls, who,
etc.
login, ftpd,
etc.
LDAP-UX client
In addition, the getpwent(3C) and getgrent(3C) family of system calls get
user and group information from the directory.
Chapter 1
5
Introduction
Overview of LDAP-UX Client Services
After you install and configure an LDAP directory and migrate your
name service data into it, HP-UX client systems locate the directory from
a “start-up file.” The start-up file tells the client system how to download
a “configuration profile” from the LDAP directory. The configuration
profile is a directory entry containing configuration information common
to many clients. Storing it in the directory lets you maintain it in one
place and share it among many clients rather than storing it
redundantly across the clients. Because the configuration information is
stored in the directory, all each client needs to know is where its profile
is, hence the start-up file. Each client downloads the configuration profile
from the directory.
The profile is an entry in the directory containing details on how clients
are to access the directory, such as:
6
•
where and how clients should search the directory for user, group
and other name service information.
•
how clients should bind to the directory: anonymously or as a proxy
user. Anonymous access is simplest. Configuring a proxy user adds
some security, but at the same time it adds the overhead of managing
the proxy user.
•
other configuration parameters such as search time limits.
Chapter 1
Introduction
Overview of LDAP-UX Client Services
Figure 1-4
The Local Start-up File and the Configuration Profile
LDAP Directory
Configuration
profile
The start-up file points
to the configuration
profile in the directory.
Start-up
file
The shared configuration
profile is stored in the
directory and downloaded
to all LDAP-UX clients.
Configuration
profile
LDAP-UX client
The following chapter describes in detail how to install, configure, and
verify LDAP-UX Client Services.
Chapter 1
7
Introduction
Overview of LDAP-UX Client Services
8
Chapter 1
2
Installing And Configuring
LDAP-UX Client Services
This chapter describes the decisions you need to make and the steps to
install Netscape and configure LDAP-UX Client Services. This chapter
contains the following sections:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
“Before You Begin” on page 9.
“Summary of Installing and Configuring” on page 10.
“Plan Your Installation” on page 12.
“Install LDAP-UX Client Services on a Client” on page 20.
“Configure Your Directory” on page 21.
“Import Name Service Data into Your Directory” on page 25.
“Configure the LDAP-UX Client Services” on page 27.
“Configure the LDAP-UX Client Serivces with SSL Support” on
page 41.
“Configure LDAP-UX Client Services with Publickey Support” on
page 46.
“AutoFS Support” on page 55.
“Verify the LDAP-UX Client Services” on page 68.
“Configure Subsequent Client Systems” on page 72.
“Download the Profile Periodically” on page 74.
“Use r-command for PAM_LDAP” on page 76.
Before You Begin
This section lists some things to keep in mind as you plan your
installation.
Chapter 2
•
Use the configuration worksheet to record your decisions and other
information you’ll need later for configuration in Appendix A,
“Configuration Worksheet,” on page 183.
•
See the LDAP-UX Integration B.04.00 Release Notes (J4269-90042)
at http://docs.hp.com/hpux/internet for last-minute information.
•
You must have an LDAP directory. You can obtain the Netscape
Directory Server for HP-UX version 6.x from your local HP sales
office or www.hp.com and view the documentation at
http://docs.hp.com/hpux/internet/#Netscape%20Directory%20Server.
9
Installing And Configuring LDAP-UX Client Services
Summary of Installing and Configuring
•
See the white paper Preparing Your Directory for HP-UX Integration
at http://docs.hp.com/hpux/internet for advice on how to set up and
configure your directory to work with HP-UX.
•
Most examples here use the Netscape Directory Server for HP-UX
version 6.x and assume you have some knowledge of this directory
and its tools, such as the Directory Console and ldapsearch. If you
have another directory, consult your directory’s documentation for
specific information.
•
For details on how to integrate LDAP-UX Client Services with
Windows 2000 Active Directory, please refer to LDAP-UX Client
Services with Microsoft Windows 2000/2003 Active Directory
Administrator’s Guide (J4269-90041) at
http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration.
•
The examples use a base DN of o=hp.com for illustrative purposes.
Summary of Installing and Configuring
The following summarizes the steps you take when installing and
configuring an LDAP-UX Client Services environment.
10
•
See “Plan Your Installation” on page 12.
•
Install LDAP-UX Client Services on each client system. See “Install
LDAP-UX Client Services on a Client” on page 20.
•
Install and configure an LDAP directory, if not already done. See
“Configure Your Directory” on page 21.
•
Configure your LDAP server to support SSL if you attempt to enable
SSL support with LDAP-UX.
•
Migrate your name service data to the directory. See “Import Name
Service Data into Your Directory” on page 25.
•
Install and set up the security database files on the LDAP-UX client
system if you want to enable SSL support with LDAP-UX. See
“Configure the LDAP-UX Client Serivces with SSL Support” on
page 41.
Chapter 2
Installing And Configuring LDAP-UX Client Services
Summary of Installing and Configuring
•
Run the setup program to configure LDAP-UX Client Services on a
client system. Setup does the following for you:
— Extends your Netscape directory schema with the configuration
profile schema, if not already done.
— Imports the LP printer schema into your LDAP directory server
if you choose to start the LDAP printer configurator.
— Imports the publickey schema into your LDAP directory if you
choose to store the public keys of users and hosts in the LDAP
directory.
— Imports the automount schema into your LDAP directory server
if you choose to store the AutoFS maps in the LDAP directory.
— Creates a start-up file on the client. This enables each client to
download the configuration profile.
— Creates a configuration profile of directory access information in
the directory, to be shared by a group of (or possibly all) clients.
— Downloads the configuration profile from the directory to the
client.
— Start the product daemon, ldapclientd, if you choose to start it.
Starting with LDAP-UX Client B.03.20 or later, the client
daemon must be started for LDAP-UX functions to work. With
LDAP-UX Client B.03.10 or earlier, running the client daemon is
optional.
See “Configure the LDAP-UX Client Services” on page 27.
Chapter 2
•
Modify the files /etc/pam.conf and /etc/nsswitch.conf on the client to
specify LDAP authentication and name service, respectively. See
“Configure the LDAP-UX Client Services” on page 27.
•
Optionally modify the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file to disable logins to the local
system from specific ldap users.
•
Optionally modify the /etc/opt/ldapux/pam_authz.policy and
/etc/pam.conf files to verify the user access rights of a subset of
users in a large repository needing access, if appropriate. See the
pam_authz(5) man page for the command syntax.
•
Verify each client is working properly. See “Verify the LDAP-UX
Client Services” on page 68.
•
See also “Configure Subsequent Client Systems” on page 72 for some
shortcuts.
11
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
Plan Your Installation
Before beginning your installation, you should plan how you will set up
and verify your LDAP directory and your LDAP-UX Client Services
environment before putting them into production. Consider the following
questions. Record your decisions and other information you’ll need later
in Appendix A, “Configuration Worksheet,” on page 183.
•
How many LDAP directory servers and replicas will you need?
Each client system binds to an LDAP directory server containing
your user, group, and other data. Multiple clients can bind to a single
directory server or replica server. The answer depends on your
environment, the size and configuration of your directory and how
many users and clients you have.Write your directory server host
and TCP port number in Appendix A, “Configuration Worksheet,” on
page 183. See the white paper Preparing Your Directory for HP-UX
Integration at: http://docs.hp.com/hpux/internet for more
information.
See the Netscape Directory Server Deployment Guide for more
information. You can add directory replicas to an existing LDAP-UX
Client Services environment as described under “Adding a Directory
Replica” on page 118. You may also want to review the LDAP-UX
performance white paper at http://docs.hp.com/hpux/internet.
•
Where will you get your name service data from when migrating it to
the directory?
You can get it from your files in the /etc directory or, if you are using
NIS, from the same source files you create your NIS maps from, or
you can get it from your NIS maps themselves. Write this
information in Appendix A, “Configuration Worksheet,” on page 183.
See “Import Name Service Data into Your Directory” on page 25 for
how to import your information into the directory and “Name Service
Migration Scripts” on page 160 for details on the migration scripts.
To add an individual user entry or modify an existing user entry in
your directory, you can use the ldapmodify command or other
directory administration tools such as the Netscape Console. See also
the LDAP-UX Integration B.03.20 Release Notes for additional
contributed tools.
12
Chapter 2
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
NOTE
You should keep a small subset of users in /etc/passwd, particularly
the root login. This allows administrative users to log in during
installation and testing. Also, if the directory is unavailable you can
still log in to the system.
•
Where in your directory will you put your name service data?
Your directory architect needs to decide where in your directory to
place your name service information. LDAP-UX Client Services by
default expects user and group data to use the object classes and
attributes specified by RFC 2307. The migration scripts by default
create and populate a new subtree that conforms to RFC 2307.
Figure 2-1 on page 15 shows a base DN of ou=unix,o=hp.com. Write
the base DN of your name service data in Appendix A,
“Configuration Worksheet,” on page 183.
If you prefer to merge your name service data into an existing
directory structure, you can map the standard RFC 2307 attributes
to alternate attributes. See “LDAP-UX Client Services Object
Classes” on page 187 for more information.
•
How will you put your user, group, and other data into your
directory?
LDAP supports group membership defined in the X.500 syntax
(using the member or uniquemember attribute), while still
supporting the RFC 2307 syntax (using the memberuid attribute).
This new group membership syntax increases LDAP-UX integration
with LDAP and other LDAP-based applications, and may reduce
administration overhead eliminating the need to manage the
memberuid attribute. In addition, a new performance improvement
has been made through the addition of a new caching daemon which
caches passwd, group and X.500 group membership information
retrieved from an LDAP server. This significantly reduces
LDAP-UX’s response time to applications. In addition, the daemon
re-uses connections for LDAP queries and maintains multiple
connections to an LDAP server to improve performance.
The migration scripts provided with LDAP-UX Client Services can
build and populate a new directory subtree for your user and group
data.
Chapter 2
13
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
If you merge your data into an existing directory, for example to
share user names and passwords with other applications, the
migration scripts can create LDIF files of your user data, but you will
have to write your own scripts or use other tools to merge the data
into your directory. You can add the posixAccount object class to your
users already in the directory to leverage your existing directory
data.
See “Import Name Service Data into Your Directory” on page 25 for
how to import your information into the directory and “Name Service
Migration Scripts” on page 160 for details on the migration scripts.
CAUTION
If you place a root login in the LDAP directory, that user and
password will be able to log in as root to any client using LDAP-UX
Client Services. Keeping the root user in /etc/passwd on each client
system allows the root user to be managed locally. This can be
especially useful if the network is down because it allows local access
to the system.
It is not recommended that you put the same users both in
/etc/passwd and in the directory. This could lead to conflicts and
unexpected behavior.
•
How many profiles do you need?
A configuration profile is a directory entry that contains
configuration information shared by a group of clients. The profile
contains the information clients need to access user and group data
in the directory, for example:
—
—
—
—
Your directory server hosts
Where user, group, and other information is in the directory
The method clients use to bind to the directory
Other configuration parameters such as search time limits
If these parameters are the same for all your clients, you would need
only one profile. You will need at least one profile per directory server
or replica. In general, it is a good idea to have as few profiles as
necessary to simplify maintenance. Look at the posixNamingProfile
object class in Appendix B, “LDAP-UX Client Services Object
Classes,” on page 187 to see what is in a profile to decide how many
different profiles you need.
14
Chapter 2
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
If you are familiar with NIS, one example is to create a separate
profile for each NIS domain.
•
Where in your directory will you put your profile?
The profile contains directory access information. It specifies how
and where clients can find user and group data in the directory. You
can put the profile anywhere you want as long as the client systems
can read it. For example, you might put it near your user data, or in a
separate administrative area. You should put the profile in the same
directory as your user and group data to simplify access permissions.
Clients must have access to both the profile and the user and group
data. The following example shows a configuration profile DN of
cn=profile1,ou=profiles,ou=devices,ou=unix,o=hp.com.
Figure 2-1
Example Directory Structure
o=hp.com
ou=unix
ou=people
user
data
ou=groups
group
data
ou=profiles
ou=hosts
profile1
host
data
Write your configuration profile DN on the worksheet in Appendix A,
“Configuration Worksheet,” on page 183.
•
By what method will client systems bind to the directory?
Clients can bind to the directory anonymously. This is the default
and is simplest to administer. If you need to prevent access to your
data from anonymous users or your directory does not support
anonymous access, you can use a proxy user. If you configure a proxy
user, you can also configure anonymous access to be attempted in the
event the proxy user fails.
Write your client access method and proxy user DN, if needed, on the
worksheet in Appendix A, “Configuration Worksheet,” on page 183.
Chapter 2
15
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
•
How will you increase the security level of the product to prevent an
unwanted user from logging in to the system via LDAP? What is the
procedure to set up increased login security?
The default is to allow all users stored in the LDAP directory to
login. To disallow specific users to login to a local system, you will
have to configure the disable_uid_range flag in
/etc/opt/ldapux/ldapux_client.conf file. There are two sections in this
file, the [profile] section and the [NSS] section. HP recommends that
you do not edit the [profile] section. The [NSS] section contains the
disable_uid_range flag along with two logging flags. For example, the
flag might look like this: disable_uid_range=0-100, 300-450, 89.
Another common example would be to disable root access This flag
would look like this: disable_uid_range=0.
When the disable_uid_range is turned on, the disabled uid will not
be displayed when you run commands such as pwget, listusers,
logins, etc.
NOTE
The passwd command may still allow you to change a password for a
disabled user when alternative authentication methods, such as
PAM Kerberos, are used since LDAP does not control these
subsystems.
•
What PAM authentication will you use? How will you set up
/etc/pam.conf? What other authentication do you want to use & in
what order?
PAM is the Pluggable Authentication Module, providing
authentication services. You can configure PAM to use ldap,
Kerberos, or other traditional UNIX locations (for example files, NIS,
NIS+) as controlled by NSS. See pam(3), pam.conf(4), and Managing
Systems and Workgroups at http://docs.hp.com/hpux/os for more
information on PAM.
It is recommended you use HP-UX file-based authentication first,
followed by LDAP or other authentication. /etc/pam.ldap is an
example of this configuration. With this configuration, PAM uses
traditional authentication first, searching /etc/passwd when any user
logs in, then attempts to authenticate to the directory if the user is
16
Chapter 2
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
not in /etc/passwd. If you have a few users in /etc/passwd, in
particular the root user, and if the directory is unavailable, you can
still log in to the client as a user in /etc/passwd.
•
Do you want to use SSL for secure communication between LDAP
clients and Netscape Directory servers?
LDAP-UX Client Services B.03.20 or later supports SSL with
password as the credential, using either simple or DIGEST-MD5
authentication (DIGEST-MD5 for the Netscape Directory Server
only) to ensure confidentiality and data integrity between the clients
and servers. By default, SSL is disabled. For detailed information,
refer to “Configure the LDAP-UX Client Serivces with SSL Support”
on page 41.
•
What authentication method will you use when you choose to enable
SSL?
You have a choice between SIMPLE with SSL (the default), or SASL
DIGEST-MD5 with SSL.
•
What authentication method will you use when you choose to not
enable SSL?
You have a choice between SIMPLE (the default), or SASL
DIGEST-MD5. SASL DIGEST-MD5 improves security, preventing
snooping over the network during authentication.
Using the DIGEST-MD5 authentication, the password must be
stored in the clear text in the LDAP directory.
•
Do you want to import the LDAP printer schema if you choose to
start the printer configurator?
LDAP-UX Client Services B.03.20 or later provides the integration
with the LDAP printer configurator to simplify the LP printer
management by updating LP printer configuration automatically on
your client system. A new printer schema, which is based on
IETF, is required to start the
services.
Chapter 2
17
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
IMPORTANT
If you attempt to use this new feature, in the ldapclientd.conf
file, the start configuration parameter of the printer services
section must be set to “yes”. If the start option is enabled, the
printer configurator will start when ldapclientd is initialized. By
default, the start parameter is enabled.
•
Do you want to import the publickey schema into your LDAP
directory if you choose to store and manage publickeys in the LDAP
directory.
LDAP-UX Client Services B.04.00 supports discovery and
management of publickeys in an LDAP directory. Both public and
private (secret) keys, used by the SecureRPC API can be stored in
user and host entries in an LDAP directory server, using the
nisKeyObject objectclass.
•
Do you want to import the automount schema into your LDAP
directory server if you choose to store and manage automount maps
in the LDAP directory?
LDAP-UX Client Services B.04.00 supports the automount service
under the AutoFS subsystem. This new feature allows you to store or
retrieve automount maps in/from an LDAP directory. LDAP-UX
Client Services supports the new automount schema based on
RFC2307-bis. The nisObject automount schema can also be used if
configured via attribute mappings.
The setup program will import the new automount schema into your
Netscape Directory Server. An obsolete automount schema is shipped
with the Netscape Directory Server version 6.x. You must manually
delete the obsolete automount schema before the setup program can
successfully import the new automount schema into the LDAP
directory.
For the detailed information about AutoFS with LDAP support, see
“AutoFS Support” on page 55.
•
What name services will you use? How will you set up
/etc/nsswitch.conf? What order do you want NSS to try services?
NSS is the Name Service Switch, providing naming services for user
names, group names, and other information. You can configure NSS
to use files, ldap, or NIS in any order and with different parameters.
18
Chapter 2
Installing And Configuring LDAP-UX Client Services
Plan Your Installation
See /etc/nsswitch.ldap for an example nsswitch.conf file using files
and ldap. See switch(4) and “Configuring the Name Service Switch”
in Installing and Administering NFS Services at http://docs.hp.com
for more information.
It is recommended you use files first, followed by LDAP for passwd,
group and other supported name services. With this configuration,
NSS will first check files, then check the directory if the name service
data is not in the respective files. /etc/nsswitch.ldap is an example of
this configuration.
•
Do you need to configure login authorization for a subset of users
from a large repository such as an LDAP directory? How will you set
up the /etc/opt/ldapux/pam_authz.policy and /etc/pam.conf
files to implement this feature?
The pam_authz service module for PAM provides functionality that
allows the administrator to control who can login to the system.
These modules are located at /usr/lib/security/libpam_authz.1 on the
HP 9000 machine and at libpam_authz.so.1 on the Integrity (ia64)
machine. pam_authz has been created to provide access control
similar to the netgroup filtering feature that is performed by NIS.
These modules are located at /usr/lib/security/libpam_authz.1 on the
HP 9000 machine (libpam_authz.so.1 on the Integrity (ia64)
machine). Starting with LDAP-UX Client Services B.04.00,
pam_authz has been enhanced to allow system administrators to
configure and customize their local access rules in a local policy file,
/etc/opt/ldapux/pam_authz.policy. pam_authz uses these
access control rules defined in the
/etc/opt/ldapux/pam_authz.policy file to control the login
authorization. pam_authz is intended to be used when NIS is not
used, such as when the pam_ldap or pam_kerberos authentication
modules are used. Because pam_authz doesn’t provide
authentication, it doesn’t verify if a user account exists.
Starting with LDAP-UX Client Services B.04.00, if the
/etc/opt/ldapux/pam_authz.policy file does not exist in the
system, pam_authz provides access control based on the netgroup
information found in the /etc/passwd and /etc/netgroup files. If
the /etc/opt/ldapux/pam_authz.policy file exists in the system,
pam_authz uses the access rules defined in the policy file to
determine who can login to the system.
Chapter 2
19
Installing And Configuring LDAP-UX Client Services
Install LDAP-UX Client Services on a Client
For detailed information on this feature and how to configure the
/etc/opt/ldapux/pam_authz.policy file, see “PAM_AUTHZ Login
Authorization Enhancement” on page 109 or the pam_authz(5) man
page.
•
How will you communicate with your user community about the
change to LDAP?
For the most part, your user community should be unaffected by the
directory. Most HP-UX commands will work as always. However, for
some LDAP directories (such as Netscape Directory Server 6.x), data
in replica servers cannot be modified. The passwd(1) command will
not work on clients configured to use such a directory replica. See “To
Change Passwords” on page 169 for how you can use ldappasswd(8)
in this situation.
Check the Release Notes for any other limitations and tell your users
how they can work around them.
Install LDAP-UX Client Services on a Client
Use swinstall(1M) to install the LDAP-UX Client Services software, the
NativeLdapClient subproduct, on a client system. See the LDAP-UX
Integration B.04.00 Release Notes for any last-minute changes to this
procedure. You don’t need to reboot your system after installing the
product.
NOTE
Starting with LDAP-UX Client Services B.03.20 or later, system reboot is
not required after installing the product.
NOTE
For the HP 9000 and Integrity (ia64) client systems, you need to install
the required patches. For the detailed information about the required
patches, refer to “LDAP-UX Client Services B.04.00 Release Notes at:
http://www.docs.hp.com.
20
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure Your Directory
Configure Your Directory
This section describes how to configure your directory to work with
LDAP-UX Client Services. Examples are given for Netscape Directory
Server for HP-UX version 6.x. See the LDAP-UX Integration B.04.00
Release Notes for information on supported directories. If you have a
different directory, see the documentation for your directory for details
on how to configure it.
See Preparing Your LDAP Directory for HP-UX Integration at
http://docs.hp.com/hpux/internet for more details on directory
configuration.
Step 1. Install the posix schema (RFC 2307) into your directory.
If you have Netscape Directory Server for HP-UX version 4.0, or later,
the posix schema is already installed.
The schema is in the file /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf. For
information on the posix schema (RFC 2307), see
http://www.ietf.org/rfc.html. RFC 2307 consists of object classes such as:
posixAccount, posixGroup, shadowAccount, etc. posixAccount represents
a user entry from /etc/passwd. posixGroup represents a group entry from
/etc/group. And shadowAccount provides additional user information for
added security.
Step 2. Restrict write access to certain passwd (posixAccount) attributes of the
posix schema.
CAUTION
Make sure you restrict access to the attributes listed below. Allowing
users to change them could be a security risk
Grant write access of the uidnumber, gidnumber, homedirectory, and uid
attributes only to directory administrators; disallow write access by all
other users. You may want to restrict write access to other attributes in
the passwd (posixAccount) entry as well.
Chapter 2
21
Installing And Configuring LDAP-UX Client Services
Configure Your Directory
With Netscape Directory Server for HP-UX, you can use the Netscape
Console or ldapmodify to set up access control instructions (ACI) so
ordinary users cannot change these attributes in their passwd entry in
the directory.
The following access control instruction is by default at the top of the
directory tree for a 6.x Netscape directory. This ACI allows a user to
change any attribute in their passwd entry:
aci: (targetattr = “*”) (version 3.0; acl “Allow self entry modification”;
allow (write)userdn = “ldap:///self”;)
You could modify this example ACI to the following, which prevents
ordinary users from changing their uidnumber, gidnumber,
homedirectory, and uid attributes:
aci: (targetattr != “uidnumber || gidnumber || homedirectory || uid”) (version
3.0; acl “Allow self entry modification, except for important posix attributes”;
allow (write)userdn = “ldap:///self”;)
You may have other attributes you need to protect as well.
To change an ACI with the Netscape Directory Console, select the
Directory tab, select your directory suffix in the left-hand panel, then
select the Object: Set Access Permissions menu item. In the dialog box,
select the “Allow self entry modification” ACI and click OK. Use the Set
Access Permissions dialog box to modify the ACI. See “Managing Access
Control” in the Netscape Directory Server Administrator’s Guide for
complete details.
Step 3. Restrict write access to certain group (posixGroup) attributes of the posix
schema.
Grant write access of the cn, memberuid, gidnumber, and userPassword
attributes only to directory administrators; disallow write access by all
other users.
With Netscape Directory Server for HP-UX, you can use the Netscape
Console or ldapmodify to set up access control lists (ACL) so ordinary
users cannot change these attributes in the posixGroup entry in the
directory. For example, the following ACI, placed in the directory at
ou=groups,ou=unix,o=hp.com, allows only the directory administrator
to modify entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group
entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators,
o=hp.com");)
22
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure Your Directory
Step 4. Grant read access of all attributes of the posix schema.
Ensure all users have read access to the posix attributes.
When using PAM_LDAP as your authentication method, users do not
need read access to the userPassword attribute since the authentication
is handled by the directory itself. Therefore, for better security, you can
remove read access to userPassword from ordinary users.
Step 5. Configure anonymous access, if needed. If you do not configure a proxy
user, then the attributes of your name service data must be readable
anonymously.
Step 6. Create a proxy user in the directory, if needed.
To create a proxy user with Netscape Directory Server for HP-UX, use
the Netscape Console, Users and Groups tab, Create button. For
example, you might create a user uid=proxyuser,ou=Special
Users,o=hp.com.
Step 7. Set access permissions for the proxy user, if configured.
Give the proxy user created above read permission for the posix account
attributes.
With Netscape Directory Server, for example, the following ACI gives a
proxy user permission to compare, read, and search all posix account
attributes except the userPassword attribute:
aci: (target=”ldap:///o=hp.com”)(targetattr!=”userpassword”)
(version 3.0; acl “Proxy userpassword read rights”;
allow (compare,read,search)
userdn = “ldap:///uid=proxyuser,ou=Special Users,o=hp.com”;)
Step 8. The default ACI of Netscape Directory Server 6.11 allows a user to
change his own common attributes. But, for Netscape Directory Server
6.21 or later, you need to set ACI that gives a user permission to change
his own common attributes. By default, the Netscape Directory Server
6.21 or later provides the following ACI named Enable self write for
common attributes that gives a user permission to change his own
common attributes:
aci: (targetattr = "carLicense ||description ||displayName
||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials
||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox
||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street
Chapter 2
23
Installing And Configuring LDAP-UX Client Services
Configure Your Directory
||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword
||userSMIMECertificate ||x500UniqueIdentifier")
(version 3.0; acl "Enable self write for common attributes"; allow (write)
(userdn = "ldap:///self"))
You can modify the default ACI and give appropriate access rights to
change your own common attributes.
Step 9. Index important attributes for better performance of Netscape Directory
Server.
Since many of your directory requests will be for the attributes listed
below, you should index these to improve performance. If you don’t index,
your directory may search sequentially causing a performance
bottleneck. As a rule of thumb, databases containing more than 100
entries should be indexed by their key attributes.
The following attributes are recommended for indexing:
•
•
•
•
•
•
•
•
cn
objectclass
memberuid
uidnumber
gidnumber
uid
ipserviceport
iphostnumber
To index these entries with Netscape Directory Server, use the Console,
Configuration tab, Indexes tab, Add Attributes button.
Step 10. Determine if you need to support enumeration requests. If you do,
increase the Look-Through limit, the Size limit, and the
All-IDs-Threshold in the Netscape Directory Server.
Enumeration requests are directory queries that request all of a
database, for example all users or all groups. Enumeration requests of
large databases could reduce network and server performance. With
large Netscape Directories and default configurations, enumerations
may fail or provide incomplete data, but the default configuration also
may prevent performance problems from enumerations.
If you need to support enumerations with large Netscape Directories,
increase the listed parameters as described in Preparing Your LDAP
Directory for LDAP-UX Integration available at
http://docs.hp.com/hpux/internet/#LDAP-UX%20Integration.
24
Chapter 2
Installing And Configuring LDAP-UX Client Services
Import Name Service Data into Your Directory
The Look-through limit specifies the maximum number of directory
entries to examine before aborting the search operation. The Size limit
determines the maximum number of entries to return to any query
before aborting. The All-IDs-Threshold specifies the number of entries
that can be maintained for an index key. In general, it is bad practice to
have an extremely large All-ID’s threashold, as it can dramatically
increase the size of your directory server’s database. However, if you
have a large number of posixAccounts, posixGroups or other form of RFC
2307 data that needs to be enumerated and you also have other large
sets of data in your directory server, increasing the All-UID’s threashold
to above the maximum number of posixAccounts, posixGroups, or others,
can dramatically increase enumeration performance.
For information on these parameters and how to change them, see the
Netscape Directory Server Administrator’s Guide. See also “Minimizing
Enumeration Requests” on page 125.
Step 11. If you want to enable SSL support with LDAP-UX, you need to turn on
SSL in your directory server. For detailed information on how to set up
and configure your Netscape Directory Server to enable SSL
communication over LDAP, see “Managing SSL Chapter” in the
Administrator’s Guide for Netscape Directory Server at
http://enterprise.netscape.com/docs/directory/61/pdf/ds61admin.pdf
Import Name Service Data into Your
Directory
The next step is to import your name service data into your LDAP
Directory. Here are some considerations when planning this:
•
Chapter 2
If you have already imported data into your directory with the
NIS/LDAP Gateway product, LDAP-UX Client Services can use that
data and you can skip to “Configure the LDAP-UX Client Services”
on page 27.
25
Installing And Configuring LDAP-UX Client Services
Import Name Service Data into Your Directory
•
If you are using NIS, the migration scripts take your NIS maps and
generate LDIF files. These scripts can then import the LDIF files
into your directory, creating new entries in the directory. This only
works if you are starting with an empty directory or creating an
entirely new subtree in your directory for your data.
If you are not using NIS, the migration scripts can take your user,
group, and other data from files, generate LDIF, and import the
LDIF into your directory.
•
If you integrate the name service data into your directory, the
migration scripts may be helpful depending on where you put the
data in your directory. You could use them just to generate LDIF, edit
the LDIF, then import the LDIF into your directory. For example, you
could manually add the posixAccount object class to your existing
entries under ou=People and add their HP-UX information there.
Steps to Importing Name Service Data into Your
Directory
Here are the steps for importing your user and group data into your
LDAP directory. Modify them as needed.
Step 1. Decide which migration method and scripts you will use.
Migration scripts are provided to ease the task of importing your existing
name service data into your LDAP directory.
See “Name Service Migration Scripts” on page 160 for a complete
description of the scripts, what they do, and how to use them. Modify the
migration scripts, if needed.
Step 2. Back up your directory.
Step 3. Run the migration scripts, using the worksheet in Appendix A,
“Configuration Worksheet,” on page 183.
Step 4. If the method you used above did not already do so, import the LDIF file
into your directory.
26
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
Configure the LDAP-UX Client Services
Below is a summary of how to configure LDAP-UX Client Services with
Netscape Directory Server 6.x. For a default configuration, see “Quick
Configuration” on page 29. For a custom configuration, see “Custom
Configuration” on page 34 for more information.
NOTE
The setup program has only been certified with Netscape Directory
Server 6.x, and Windows 2000/2003 Active Directory. See the LDAP-UX
Client Services B.04.00 Release Notes (P/N J4269-90042).
NOTE
The LDAP-UX Client Services B.04.00 supports storage of automount
maps and publickeys on Netscape Directory Server 6.11 or 6.21. See the
LDAP-UX Client Services B.04.00 Release Notes (P/N J4269-90045).
•
Run the Setup program. The setup program provides the following
assistance:
— Extends your Netscape directory schema with the configuration
profile schema, if not already done
— Imports the LDAP printer schema into your Netscape Directory
Server if you choose to start the LDAP printer configurator
— Imports the publickey schema into your Netscape Directory
Server if you choose to store the public keys of users and hosts in
an LDAP directory
— Imports the new automount schema into your Netscape
Directory Server if you choose to store the AutoFS maps in an
LDAP directory
— Provides the option to enable SSL for secure communication
between LDAP clients and Netscape Directory servers
— Optionally configures SASL Digest-MD5 authentication (for
Netscape Directory only)
— Creates a configuration profile entry in your Netscape directory
from information you provide
Chapter 2
27
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
— Updates the local client’s start-up file
(/etc/opt/ldapux/ldapux_client.conf) with your directory and
configuration profile location
— Downloads the configuration profile from the directory to your
local client system
— Configures a proxy user for the client, if needed
— Starts the Client Daemon if you choose to start it
IMPORTANT
Starting with LDAP-UX Client Services B.03.20, the client daemon,
/opt/ldapux/bin/ldapclientd, must be running for LDAP-UX
functions to work. With LDAP-UX Client Services B.03.10 or earlier,
running the client daemon, ldapclientd, is optional.
NOTE
The LDAP printer configurator can support any Directory Servers
that support the LDAP printer schema based on
IETF.
However, the LDAP-UX Client Services only supports automatically
importing the LDAP printer schema into the Netscape Directory
Server by running the setup program.
If your directory server does not support the LDAP printer schema,
you may experience problems when importing the printer schema.
28
•
Configure the Pluggable Authentication Module (PAM) by modifying
the file /etc/pam.conf. See /etc/pam.ldap for a sample.
•
Configure the Name Service Switch (NSS) by modifying the file
/etc/nsswitch.conf. See /etc/nsswitch.ldap for a sample.
•
Optionally modify the disable_uid_range flag in the
/etc/opt/ldapux/ldapux_client.conf file to disable logins to the local
system from specific users.
•
Optionally configure the authorization of one or more subgroups
from a large repository such as an LDAP directory server. For the
detailed information on how to set up the policy file,
/etc/opt/ldapux/pam_authz.policy, see “Policy File” on
page 111.
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
After you configure your directory and the first client system, configuring
additional client systems is simpler. Refer to “Configure Subsequent
Client Systems” on page 72 for more information.
Quick Configuration
You can quickly configure a Netscape directory and the first client by
letting most of the configuration parameters take default values as
follows. For a custom configuration, see “Custom Configuration” on
page 34.
The steps described below assume that you don’t use SSL support with
LDAP-UX. If you want to enable SSL support, see “Custom
Configuration” on page 34.
Step 1. Log in as root and run the Setup program:
cd /opt/ldapux/config
./setup
The Setup program asks you a series of questions and usually provides
default answers. Press the Enter key to accept the default, or change the
value and press Enter. At any point during setup, enter Control-b to back
up or Control-c to exit setup.
Step 2. Choose Netscape Directory as your LDAP directory server (option 1).
Step 3. Enter either the host name or IP address of the directory server where
your profile exists, or where you want to create a new profile from
Appendix A, “Configuration Worksheet,” on page 183.
Step 4. Enter the port number of the previously specified directory server that
you want to store the profile from Appendix A, “Configuration
Worksheet,” on page 183. The default port number is 389.
Step 5. If the profile schema has already been imported, setup skips this step.
Otherwise, enter “yes” to extend the profile schema if the schema has not
been imported with LDAP-UX Client Services object class
DUAConfigProfile. See Appendix B, “LDAP-UX Client Services Object
Classes,” on page 187 for a detailed description of this object class.
Step 6. If the LDAP printer schema has already been extended, setup skips this
steps. Otherwise, enter “yes” to extend the LP printer schema if you
choose to start the printer configurator. The LDAP printer configurator is
a feature that simplifies the LP printer management by refreshing LP
Chapter 2
29
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
printer configurations on your client system. A new printer schema,
which is based on IETF, is
required to start the services.
Step 7. If the publickey schema has already extended, setup skips this step.
Otherwise, enter “yes” to extend the publickey schema if you choose to
store the public keys of users and hosts in the LDAP directory. A
publickey schema, which is based on RFC 2307-bis is required to migrate
the publickeys in the NIS+ credential table entries on the NIS+ server to
the LDAP directory.
Step 8. If the new automount schema has already been imported, setup skips to
step 9.
Otherwise, you will be asked whether or not you want to install the new
automount schema which is based on RFC 2307-bis. Enter “yes” if you
want to import the new automount schema into the LDAP directory
server. Enter “no” if you do not want to import new automount schema
into the LDAP directory server. Setup skips to step 9 if you enter “no”.
Step 9. Next, if the setup program detects the obsolete automount schema exists
in the LDAP directory, it will prompt you for the information shown as
follows:
The obsolete automount schema exists in the directory.
If you still want to use the new automount schema, you must
perform the following steps:
1. Exit this program
2. Stop directory server
3. Remove the obsolete automount schema:
a. objectclass- automount
b. attribute-automountInformation
Note: for Netscape Directory Server, they are in
10rfc2307.ldif.
4. Start directory and re-run setup program to install the new
automount schema.
Do you still want to use the new automount schema? Press Yes
will exit this program. {YES]:
Reply “yes ” when asked do you still want to use the new automount
schema. If you reply yes, it will take you to exit this program. You must
re-run the setup program again to install the new automount schema
after you exit this program and manually delete the obsolete automount
30
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
schema. For detailed information on how to remove the obsolete
automount schema, see “Removing The Obsolete Automount Schema” on
page 59.
If you reply no, setup skips to step 9 and the new automount schema
will not be imported.
Otherwise, you will be asked to enter the DN (Distinguished Name) and
password of the directory user who can import the schema into the LDAP
directory.
Step 10. If you are creating a new profile, add all parent entries of the profile DN
to the directory (if any). If you attempt to create a new profile and any
parent entries of the profile do not already exist in the directory, setup
will fail. For example, if your profile will be
cn=profile1,ou=profiles,o=hp,com, then ou=profiles,o=hp.com
must exist in the directory or setup will fail.
Step 11. Next enter either the DN of a new profile, or the DN of an existing profile
you want to use, from Appendix A, “Configuration Worksheet,” on
page 183.
To display all the profiles in the directory, use a command like the
following:
ldapsearch -b o=hp.com objectclass=DUAConfigProfile dn
If you are using an existing profile, setup configures your client,
downloads the profile, and exits. In this case, continue with step 12
below.
Step 12. If you are creating a new profile, enter the DN and password of the
directory user who can create a new profile from Appendix A,
“Configuration Worksheet,” on page 183.
Step 13. Next, it will prompt you for the following information:
Select authentication method for users to bind/authenticate to
the server
1. SIMPLE
2. SASL DIGEST-MD5
To accept the default shown in brackets, press the Return key.
Authentication method: [1]:
Chapter 2
31
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
Press the return key if you choose to accept SIMPLE authentication
method, type 2 if you choose SASL DIGEST-MD5 authentication method
for the following prompt:
Authentication method: [1]:
Step 14. Next enter the host name and port number of the directory where your
name service data is, from Appendix A, “Configuration Worksheet,” on
page 183. For high availability, each LDAP-UX client can look for name
service data in up to three different directory hosts. You can enter up to
three hosts, to be searched in order.
Step 15. Enter the base DN where clients should search for name service data
from Appendix A, “Configuration Worksheet,” on page 183.
Step 16. You can quickly configure a Netscape directory and the first client by
accepting the remaining default configuration parameters when
prompted.
Table 2-1 shows the configuration parameters and the default values
they will be configured with.
Table 2-1
Configuration Parameter Default Values
Parameter
32
Default
Value
Type of client binding
Anonymous
Bind time limit
5 seconds
Search time limit
no limit
Use of referrals
Yes
Profile TTL (Time To Live)
0 - infinite
Use standard RFC-2307 object class attributes for
supported services
Yes
Use default search descriptions for supported services
Yes
Authentication method
Simple
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
To change any of these default values, refer to “Custom Configuration”
on page 34.
Step 17. After entering all the configuration information, setup extends the
schema, creates a new profile, and configures the client to use the
directory.
Step 18. Configure the Pluggable Authentication Module (PAM).
Save a copy of the file /etc/pam.conf and edit the original to specify LDAP
authentication and other authentication methods you want to use. See
/etc/pam.ldap for a sample. You may be able to just copy /etc/pam.ldap to
/etc/pam.conf. See pam(3), pam.conf(4), and Managing Systems and
Workgroups at http://docs.hp.com/hpux for more information on PAM.
Step 19. Configure the Name Service Switch (NSS).
Save a copy of the file /etc/nsswitch.conf and edit the original to specify
the ldap name service and other name services you want to use. See
/etc/nsswitch.ldap for a sample. You may be able to just copy
/etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more
information.
Step 20. Optionally, configure the Pam Authorization Service module
(pam_authz).
LDAP-UX Client Services provides a sample configuration file,
/etc/opt/ldapux/pam_authz.conf.template. This sample file shows
you how to configure the policy file to work with pam_authz. You can
copy this sample file and edit it using the correct syntax to specify the
access rules you wish to authorize or exclude from authorization. For
more detailed information on how to configure the policy file. see
“PAM_AUTHZ Login Authorization Enhancement” on page 109.
The sample /etc/pam.conf file in the man page will show you how to
configure the /etc/pam.conf file to work with pam_authz.For more
detailed information about pam_authz, refer to the pam_authz(5) man
page.
Step 21. Optionally configure the disable_uid_range flag.
Save a copy of the file /etc/opt/ldapux/ldapux_client.conf and edit the
original to activate the disable_uid_range flag. Uncomment the flag in
the [NSS] portion of the file and fill in the UID range. The format is
disable_uid_range=uid#,[uid#-uid#], .... where uid# stands for uid
number.
Chapter 2
33
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
For example: disable_uid_range=0-100,300-450,89
Note:
•
•
•
White spaces between numbers are ignored.
Only one line of the list is accepted, however, the line can be
wrapped.
The maximum number of ranges is 20.
Step 22. “Verify the LDAP-UX Client Services” on page 68.
Step 23. Configure subsequent clients by running setup on those clients and
specifying an existing configuration profile. Or for a simpler process see
“Configure Subsequent Client Systems” on page 72.
Custom Configuration
Running the Setup program for a quick configuration, as described
above, configures your client using default values where possible. If you
would like to customize these parameters, proceed as follows.
If you want to use SSL, you must have the certificate database files,
cert7.db or cert8.db and key3.db, on your client system before you run the
custom configuration. See “Configure the LDAP-UX Client Serivces with
SSL Support” on page 41 for details.
Step 1. Perform the steps described in “Quick Configuration” on page 29.
However, after step 11, You will be asked whether you want to use SSL
or not. Enter “yes” to use SSL for the secure communication between
LDAP clients and the Netscape Directory Server. Enter “no” if you don’t
want to use SSL.
Step 2. Next, it will prompt you for selecting the authentication method for users
to bind/authenticate to the server.
You have a choice between SIMPLE (the default), or SASL DIGEST-MD5
if you choose to not enable SSL. However, you have a choice between
SIMPLE with SSL (the default), or SASL DIGEST-MD5 with SSL if you
choose to enable SSL.
If you select SASL DIGEST-MD5, two additional prompts will appear.
The first will prompt you for a user mapping (UID, DN, or Other). The
second will prompt you for a single realm to use when retrieving user
authentication information. If no realm is specified, user information will
be retrieved from the first realm the directory server offers.
34
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
Step 3. Specify the host name and optional port number where your directory is
running. If you choose to not use SSL, the default directory port number
is 389. If you choose to use SSL, the default directory port number is 636.
For high availability, each LDAP-UX client can look for user and group
information in up to three different directory servers. You are able to
specify up to three directory hosts, to be searched in order.
Step 4. Reply “no” when asked if you want to accept the remaining default
configuration parameters.
Step 5. Select the client binding you want from Appendix A, “Configuration
Worksheet,” on page 183. This determines the identity that client
systems use when binding to the directory to search for user and group
information.
Step 6. If you configured a proxy user, enter the DN and password of your proxy
user, from Appendix A, “Configuration Worksheet,” on page 183.
Step 7. Enter the maximum time in seconds the client should wait for directory
searches before aborting. Enter 0 for no time limit.
Step 8. Enter whether or not you want directory searches to follow referrals.
Referrals are a redirection mechanism supported by the LDAP protocol.
Please see your directory manuals for more information on referrals.
NOTE
If you want your directory searches to follow referrals, you must allow
anonymous access into your directories.
Step 9. Enter the Profile TTL (Time To Live) value. This value defines the time
interval between automatic downloads (refreshes) of new configuration
profiles from the directory. Automatic refreshing ensures that the client
is always configured using the newest configuration profile.
If you want to disable automatic refresh or manually control when the
refresh occurs, enter a value of 0. See “Download the Profile Periodically”
on page 74.
Step 10. Next, the setup program will prompt you for the following information:
LDAP-UX Client Services supports the following services:
Chapter 2
35
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
1.Password
6.Protocols
2.Shadow passwd
7.Networks
3.Group
8.Hosts
4.PAM (Pluggable Authentication Module) 9.Services
5.RPC
10.Netgroup
11.Automount
Each services uses a standard object class (defined by RFC
2307)
You can remap any of these attributes to alternate attributes
Do you want to remap any of the standard RFC 2307 attributes?
Enter whether or not you want to remap the standard object class
attributes to alternate attributes. You need to do this if your user and
group data do not conform to the object classes defined in RFC 2307,
posixAccount, posixGroup, shadowAccount, and so forth.
You can remap the attributes for any of the supported services: passwd,
shadow passwd, group, PAM, netgroup, rpc, protocols, networks, hosts,
automount and services. Select the service you want to remap. Then
select the attribute you want to remap and enter the new attribute
name. For example, you might map the standard UNIX user id number
attribute uidnumber to an employeeID attribute.
By default, LDAP-UX Client Services uses the RFC2307-bis automount
schema. The nisObject automount schema can also be used if
configured via attribute mappings.
Use the following steps if you want to remap the automount attributes to
the nisObject automount attributes:
1. Enter yes for the following question:
Do you want to remap any of the standard RFC 2307
attributes? [yes]: yes
2. If you want to select the automount service, then enter 11 for the
following question and press the return key:
Specify the service you want to map? [0]:11
3. Next, it will take you to the screen which shows you the following
information:
Current Automount attribute names:
36
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
1.automountMapName ->[automountMapname]
2.automountKey -> [automountKey]
3.automountInformation -> [automountInformation]
Specify the attribute you want to map. [0]:
You type 1 for the following question and press the return key:
Specify the attribute you want to map. [0]:1
4. Next, type the attribute nisMapName that you want to map to the
automountMapName attribute for the following question and press
the return key:
automountMapName -> nisMapName
5. Next, it will take you to the screen which shows you the following
information:
Current Automount attribute names:
1.automountMapName ->[nisMapname]
2.automountKey -> [automountKey]
3.automountInformation -> [automountInformation]
Specify the attribute you want to map. [0]:
If you want to specify the attribute to map to the automountKey
attribute , then type 2 for the following question and press the return
key:
Specify the attribute you want to map. [0]:2
6. Next, type the attribute cn you want to map to the automountKey
attribute and press the return key:
automountKey -> cn
7. Next, it will take you to the screen which shows you the following
information:
Current Automount attribute names:
1.automountMapName ->[nisMapname]
2.automountKey -> [cn]
3.automountInformation -> [automountInformation]
Specify the attribute you want to map. [0]:
Chapter 2
37
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
If you want to specify the attribute to map to the
automountInformation attribute , then type 3 for the following
question and press the return key:
Specify the attribute you want to map. [0]:3
8. Next, type the attribute nisMapEntry you want to map to the
automountInformation attribute and press the return key:
automountInformation -> nisMapEntry
9. Next, it will take you to the screen which shows you the following
information:
Current Automount attribute names:
1.automountMapName ->[nisMapname]
2.automountKey -> [cn]
3.automountInformation -> [nisMapEntry]
Specify the attribute you want to map. [0]:
You type 0 to exit this menu for the following question:
Specify the attribute you want to map. [0]:0
If you will be configuring X.500 group membership support, you should
remap the group member attribute (to member or uniquemember) instead
of using the default.
NOTE
Make sure that the attribute name is typed in correctly to avoid
unpredictable results later on.
See RFC 2307 at http://www.ietf.org/rfc/rfc2307.txt for a description of
the standard object classes and attributes.
Optionally, you may set up X.500 by executing the following steps:
1. #cd /opt/ldapux/config/
2. Execute the setup program:
#./setup
For the question:
Accept remaining defaults? (y/n) [y]: N
Answer “N” instead of the default “Y”
38
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
3. For the question:
Do you want to remap any of the standard RFC 2307
attributes? [No]: Y
Answer “Y” instead of the default “N”
4. For the question:
Specify the service you want to map? [0]: 3
Answer “3”
5. For the question:
Specify the attribute you want to map? [0]: 3
Answer “3”
6. Type the attributes you want to map to the member attribute:
[memberuid]: member
NOTE
LDAP-UX supports DN-based (X.500 style) membership syntax. This
means that you do not need to use the memberUid attribute to define
the members of a POSIX group. Instead, you can use either the
member or uniqueMember attribute. LDAP-UX can convert from the
DN syntax to the POSIX syntax (an account name).
For Netscape Directory Server, the typical member attribute would
be either memberUid, member or uniqueMember.
7. Follow the prompts to finish the setup.
Step 11. Next, the setup program will prompt you the following information:
LDAP-UX Client Services supports the following services:
1.Password
7.Networks
2.Shadow passwd
8.Hosts
3.Group
9.Services
4.PAM (Pluggable Authentication Module) 10.Netgroup
5.RPC
11.PrinterConfigurator
6.Protocols
12.Automount
You can create up to three custom search descriptors for each
name service to search different locations in the directory for
user and group information.
Do you want to create custom search descriptors? [No]:
Chapter 2
39
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Services
Enter whether or not you want to create custom search descriptors for
any of the supported services: passwd, shadow passwd, group, PAM,
netgroup, rpc, protocols, network, hosts and services. Select the service
you want to create a custom search descriptor for.
A custom search descriptor consists of three parts: a search base DN,
scope, and filter. Use custom search descriptors if you want clients to
search different locations in the directory or to apply different search
filters, for example some clients might search for employees only in a
particular department. Each service can have up to three different
search descriptors. The client uses the search descriptors in order until it
finds what it is looking for.
NOTE
If your search filters overlap, enumeration requests will result in
duplicate entries being returned. For example, if one search filter
searched a subset of your organization and a second search filter
searched your entire organization, an enumeration request would return
duplicate entries.
See “Minimizing Enumeration Requests” on page 125 for more
information.
LDAP-UX Client Services uses the automount search filter for the
automount service as default. If you want to create the nisObject
search filter for the automount service to search a different location in
the directory, use the following steps:
1. Type yes for the following question and press the return key:
Do you want to create custom search descriptors? [No]: yes
2. Next, it will take you to the screen which shows you the following
information:
To accept the default shown in brackets, press the Return
key.
search base [dc=cup,dc=hp,dc=com]:
search scope (base, one, sub) [sub]
Search filter [(objectclass=automount)]
40
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Serivces with SSL Support
If you want to create the nisObject search filter for the automount
service, then type (objectclass=nisObject) for the following
prompt and press the Return key; otherwise press the return key to
accept the default search filter, objectclass=automount:
Search filter [(objectclass=automount)]:
(objectclass=nisObject)
Step 12. You will be asked whether or not you want to start the client daemon. For
LDAP-UX Client B.03.20 or later versions, the client daemon must be
started for LDAP-UX functions to work. With LDAP-UX Client B.30.10
or earlier, the client daemon is optional, and should be turned on in order
to provide better prformance (response time) and for the X.500 group
membership to work.
Configure the LDAP-UX Client Serivces with
SSL Support
The LDAP-UX Client Services provides SSL (Secure Socket Layer)
support to secure communication between the LDAP client and the
Directory Server. The LDAP-UX Client Services supports SSL with
password as the credential, using either simple bind or DIGEST-MD5
authentication (DIGEST-MD5 for Netscape Directory Server only) to
ensure confidentiality and data integrity between clients and servers.
With SSL support, the LDAP-UX Clients provides a secure way to
protect the password over the network, This allows the directory
administrator has the choice in selecting authentication mechanism,
such as using simple password stored in the directory server as a hash
syntax.
The LDAP-UX Client Services supports Microsoft Windows 2000/2003
Active Directory Server (ADS) and Netscape Directory Server (NDS)
over SSL. For detailed information on how to set up and configure your
Netscape Directory Server to enable SSL communication over LDAP, see
“Managing SSL Chapter” in the Administrator’s Guide for Netscape
Directory Server at http://www.redhat.com/docs/manuals/dir-server/
Chapter 2
41
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Serivces with SSL Support
Configuring the LDAP-UX Client to Use SSL
You can choose to enable SSL with LDAP-UX when you run the setup
program. If you attempt to use SSL, you must install Certificate
Authority (CA) certificate on your LDAP-UX Client and configure your
LDAP directory server to support SSL before you run the setup program.
NOTE
If you already have the certificate database files, cet7 or cert8.db and
key3.db, on your client for your HP-UX applications, you can simply
create a symbolic link /etc/opt/ldapux/cert7.db that points to cert7.db
or /etc/opt/ldapux/cert8.db that points to cer8.db and
/etc/opt/ldapux/key3.db that points to key3.db.
You can Download the certificate database from the Netscape
Communicator or Mozilla browser to set up the certificate database into
your LDAP-UX Client.
Steps to Download the CA Certificate from Mozilla Browser
The following steps show you an example on how to download the
Certificate Authority (CA) certificate on your client system using Mozilla
browser 1.4 for HP-UX:
Step 1. Log in to your system as root.
Step 2. Use Mozilla browser to connect to your Certificate Authority Server.
The following shows an example of using a link to connect to your
Certificate Authority Server:
https://CA servername:port number/ca/
Step 3. Click the retrieval tab in the Netscape certificate management window
screen.
Step 4. Click the “import CA certificate chain” link to take you to the “import CA
certificate chain” window screen.
Step 5. Check the “import the CA certificate chain into your browser” check box
in the “import CA certificate chain” window screen. Then, click the
submit button.
42
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Serivces with SSL Support
Step 6. Check the “Trust the CA to identify web sites”, “Trust the CA to identify
e-mail users”, and “Trust the CA to identify software developers”
checkboxes in the Downloading Certificate window screen. Then click OK
button.
Step 7. The Netscape Directory CA certificate will be downloaded to the
following two files on your LDAP-UX Client:
/.mozilla/default/*.slt/cert8.db
/.morilla/default/*.slt/key3.db
Step 8. You can simply copy the /.mozilla/default/*slt/cert8.db file to
/etc/opt/ldapux/cert8.db and /.mozilla/default/*slt/key3.db file to
/etc/opt/ldapux/key3.db.
Step 9. Set the file access permissions for/etc/opt/ldapux/cert7..db and
/etc/opt/ldapux/key3.db to be read only by root as follows:
-r-------- 1 root sys 65536 Jun 14 16:27 \
/etc/opt/ldapux/cert8.db
-r-------- 1 root sys 32768 Jun 14 16:27 \
/etc/opt/ldapux/key3.db
NOTE
You may use the unsupported /opt/ldapux/contrib/bin/certutil
command line tool to create the certificate database files, cert8.db and
key3.db. For detailed command options and their arguments, see Using
the Certificate Database Tool available at
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
NOTE
If your browser does not generate cert7.db or cert8.db and key3.db
security database files, you must export the certificate (preferably the
root certificate of the Certificate Authority that signed the LDAP server’s
certificate) from your certificate server as a Base64-Encoded certificate
and use the certutil utility to create the cert8.db and key3.db
security database files.
Chapter 2
43
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Serivces with SSL Support
Steps to create database files using the certutil utility
The following steps show you an example on how to create the security
database files, cert8.db and key3.db on your client system using the
certutil utility:
Step 1. Retrieve the Base64-Encoded certificate from the certificate server and
save it.
For example, get the Base64-Encoded certificate from the certificate
server and save it as the /tmp/mynew.cert file. This file should look
like:
--------------- BEGIN CERTIFICATE ------------------------------------MIICJjCCAY+gAwIBAgIBJDANBgkghkiG9w0BAQQFADBxMQswCQYDVQQGEwJVUzEL
MAkga1UECBMCQ2ExEjAQBgNVBAcTCWN1cGVvsG1ubzEPMA0GA1UEChmgAhaUy29T
MRIwEAYDVQQLEw1RR1NMLUxkYXAxHDAaBgNVBAMTE0N1cnRpzmljYXR1IE1hbmFn
4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
--------------- END CERTIFICATE --------------------------------------
Step 2. Use the rm command to remove the old database files,
/etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
Step 3. Use the certutil utility with the -N option to initialize the new
database:
/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
Step 4. Add the Certificate Authority (CA) certificate or the LDAP server’s
certificate to the security database:
•
To use the certutil command to add a CA certificate to the
database:
For example, the following command adds the CA certificate,
my-ca-cert, to the security database directory, /etc/opt/ldapux,
with the Base64-Encoded certificate request file, /tmp/mynew.cert:
/opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t \
"C,," -d /etc/opt/ldapux -a -i /tmp/mynew.cert
44
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure the LDAP-UX Client Serivces with SSL Support
NOTE
The -t "C,," represents the minimum trust attributes that may be
assigned to the CA certificate for LDAP-UX to successfully use SSL
to connect to the LDAP directory server. If you have other
applications that use the CA certificate for other functions, then you
may wish to assign additional trust flags. See
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.ht
ml for additional information.
•
To use the certutil command to add the LDAP server’s certificate
to the security database:
For example, the following command adds the LDAP server’s
certificate, my-server-cert, to the security database directory,
/etc/opt/ldapux, with the Base64-Encoded certificate request file,
/tmp/mynew.cert:
/opt/ldapux/contrib/bin/certutil -A -n my-server-cert -t \
"P,," -d /etc/opt/ldapux -a -i /tmp/mynew.cert
NOTE
Chapter 2
The -t "p,," represents the minimum trust attributes that may be
assigned to the LDAP server’s certificat for LDAP-UX to successfully
use SSL to connect to the LDAP directory server. See
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.ht
ml for additional information.
45
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
Configure LDAP-UX Client Services with
Publickey Support
LDAP-UX Client Services B.04.00 or later version supports discovery
and management of publickeys in an LDAP directory. Both public and
secret keys, used by the Secure RPC API can be stored in user and host
entries in an LDAP directory server, using the nisKeyObject
objectclass. Support for discovery of keys in an LDAP directory server is
provided through the getpublickey() and getsecretkey() APIs. You
can use chkey and newkey commands to manage user and host keys in
an LDAP server. The chkey -s ldap command is used to change user’s
secure RPC public key and secret key in an LDAP directory. The newkey
-u -s ldap command is used to add new keys for users to
an LDAP directory while the newkey -h -s ldap command
is used to create new keys for machines to an LDAP directory.
For detailed information on the newkey and chkey commands, refer to
newkey(1M), chkey(1), getpublickey(3N), getsecretkey() and
publickey(4) man pages.
HP-UX Enhanced Publickey-LDAP Software
Requirement on HP-UX 11i v1 or v2
Support for publickey through LDAP requires functionality
enhancement in LDAP-UX Client Services and an enhancement in the
ONC product. ONC with publickey LDAP support is available through
the HP-UX Enhanced Publickey-LDAP Software Pack (SPK) web
release.
To enable the publickey LDAP support, you must install the Enhanced
Publickey-LDAP software bundle shown on Table 2-2 and LDAP-UX
Client Services B.04.00 or later on your client systems. The software
bundle contains all the required patches plus the enablement product for
this new feature. On HP-UX 11i v3, the software bundle is not required.
For detailed information, refer to the ONC with Publickey LDAP Support
Software Pack Release Notes at the following web site:
http://docs.hp.com/en/netcom.html
46
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
Navigate to NFS Services.
Table 2-2
Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2
Operating System
Supported
Software Bundle
Version
Planned Release
Date
HP-UX 11i v1
Enhkey B.11.11.01
June, 2006
HP-UX 11i v2
Enhkey B.11.23.01
October, 2006
You can download the Enhanced Publickey-LDAP software bundle from
the following Software Depot web site:
•
Go to http://www.hp.com/go/softwaredepot
•
Click on the Enhancement releases and patch bundles link.
•
Select one of the following links:
— HP-UX Software Pack (Optional HP-UX 11i v1 Core
Enhancements) for HP-UX 11i v1
and then select
HP-UX Public Key LDAP link for HP-UX 11i v1
Select and download the following software bundle, place it to
your client system, /tmp is assumed:
Enhkey B.11.11.01 HP-UX B.11.11 64+32 depot for HP-UX
11i v1
— HP-UX Software Pack (Optional HP-UX 11i v2 Core
Enhancements) for HP-UX 11i v2
and then select
PublicKey-LDAP link for HP-UX 11i v2
Select and download the following software bundle, place it to
your client system, /tmp is assumed:
Enhkey B.11.23.01 HP-UX B.11.23 IA+PA depot for HP-UX
11i v2
•
Chapter 2
Use swinstall to install the software bundle:
47
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
— swinstall -x autoreboot=true -s
/tmp/ENHKEY_B.11.11.01_HP-UX_B.11.11_64_32.depot for
HP-UX 11i v1
— swinstall -x autoreboot=true -x reinstall=false -s
/tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.depot for
HP-UX 11i v2
Extending the Publickey Schema into Your Directory
The publickey schema is not loaded in the Netscape Directory Server. If
you are installing LDAP-UX B.04.00 or later version on your client
system, the setup program will extend the publickey schema into your
Netscape Directory Server. If you previously configured LDAP-UX
B.03.30 or earlier version, and now update the product to version B.04.00
or later, you must re-run the setup program to extend the publickey
schema into your LDAP directory. You do not need to re-run the setup
program for the subsequent client systems. For detailed information on
how to run the setup program to extend the publickey schema into an
LDAP directory, see “Quick Configuration” on page 29.
Admin Proxy User
A special type of proxy user, known as an Admin Proxy has been added to
LDAP-UX to support management of publickey information in an LDAP
directory server. The Admin Proxy represents the HP-UX
administrator’s rights in the directory server and typically is used to
represent root’s privileges extended to the directory server. Only an
Admin Proxy user is allowed to use the newkey tool to add host and user
keys into the LDAP directory server, or to use the chkey tool to modify
host keys in the LDAP directory server.
Configuring an Admin Proxy User Using ldap_proxy_config
You need to use a new ldap_proxy_config tool option -A to configure
an Admin Proxy user. You must specify the -A option along with other
options to perform operations applying to an Admin Proxy user. For
example, you can use the ldap_proxy_config -A -i command to
create an Admin Proxy user. See “The ldap_proxy_config Tool” on
page 146 for details.
48
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
Password for an Admin Proxy User
In order to protect user’s secret keys in the LDAP directory, the secret
keys are encrypted using the user’s password. This process is used in
NIS as well as NIS+ environments. The host’s secret key must also be
encrypted. Since the host itself does not have its own password, root’s
password is used to encrypt the host’s secret key. The chkey or newkey
command prompts for root’s password when changing or adding a key for
a host. For this reason, you may wish to configure the Admin Proxy user
in the LDAP directory to have the same password as the root user on the
master host. Although it is not required that the Admin Proxy user and
root user share the same password, it allows you to avoid storing the
Admin Proxy user’s password in the /etc/opt/ldapux/acred file. In
such case, when you run the ldap_proxy_config -A -i command to
configure the Admin Proxy user, you enter only Admin Proxy user’s DN
without the password. LDAP-UX will use the root’s password given to
the chkey and newkey commands as the Admin Proxy user’s password to
perform public key operations. However, the ldap_proxy_config -A -v
command will not be able to validate the Admin Proxy user because no
password is available to ldap_proxy_config. As a result, the message
"No password is provided. Validation is not performed” will be
displayed.
Setting ACI for Key Management
Before storing public keys in an LDAP server, LDAP administrators may
wish to update their LDAP access controls such that users can manage
their own keys, and the Admin Proxy user can manage host keys. This
section describes how you set up access control instructions (ACI) for an
Admin Proxy user or a user.
Setting ACI for an Admin Proxy User
With Netscape Directory Server 6.11 and 6.21, you can use the Netscape
Console or ldapmodify to set up ACI, which gives an Admin Proxy user
permissions to manage host and user keys in the LDAP directory.
An Example
The following ACI gives the permissions for the Admin Proxy user
uid=keyadmin to read, write, and compare nissecretkey and
nispublickey attributes for hosts and users:
dn:dc=org,dc=hp,dc=com
Chapter 2
49
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
aci:(targetattr =”objectlass||nispublickey||nissecretkey”)
(version 3.0;acl “Allow keyadmin to change key pairs”;
allow (read,write,compare)
userdn=“ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com”;)
Setting ACI for a User
The default ACI of Netscape Directory Server 6.11 allows a user to
change his own nispublickey and nissecretkey attributes. For
Netscape Directory Server 6.21, you need to set up ACI which gives a
user permission to change his own nissecretkey and nispublickey
attributes. Use the Netscape Console or ldapmodify to set up ACI for a
user.
An Example
The following ACI gives a user permission to change his own
nissecretkey and nispublickey attributes for user keys:
dn:ou=People,dc=org,dc=hp,dc=com
aci:(targetattr =”nissecretkey||nispublickey”)(version 3.0;
acl “Allow key self modification”;allow (write)
(userdn = “ldap:///self”);)
Configuring serviceAuthenticationMethod
serviceAuthenticationMethod is a newly supported attribute of the
configuration profile, /opt/ldapux/ldapux_profile.ldif. It’s function
is the same as authenticationMethod, but it allows authentication
configuration for specific name services. The
serviceAuthenticationMethod attribute is created to resolve issues
that may arise when the default authentication method is not considered
secure enough for specific name services. For example, if the default
authenticationMethod is configured as NONE then the newkey and
chkey commands would not know how to properly bind to the directory
server when changing or adding key pairs. LDAP-UX only supports the
serviceAuthenticationMethod attribute for the keyserv service, since
the keyserv service is the only one that currently needs modification of
privileges in the directory server.
To perform newkey and chkey operations, LDAP-UX binds the Admin
Proxy user to the LDAP directory using the authentication method
specified in serviceAuthenticationMethod. LDAP-UX only supports
serviceAuthenticationMethod for keyserv. Any other services
configured in serviceAuthenticationMethod will be ignored.
50
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
Configuring serviceAuthenticationMethod is optional. If you do not
configure serviceAuthenticationMethod, LDAP-UX binds the Admin
Proxy user to the LDAP directory using the authentication method
specified for the proxy user.
Authentication Methods
LDAP-UX Client Services supports the following authentication methods
for the keyserv service:
NOTE
•
simple with SSL enabled
•
SASL DIGEST-MD5 with SSL enabled
•
simple with SSL disabled
•
SASL DIGEST-MD5 with SSL disabled
SSL settings for both authenticationMethod and
serviceAuthenticationMethod must be set the same. It is not
supported to have SSL enabled for authenticationMethod and SSL
disabled for serviceAuthenticationMethod, or vice versa.
Procedures Used to Configure serviceAuthenticationMethod
Use the following steps on one of LDAP-UX client sytems to configure the
serviceAuthenticationMethod attribute in the
/etc/opt/ldapux/ldapux_profile.ldif file:
Step 1. Login as root.
Step 2. Use the ldapentry tool to modify the profile entry in the LDAP directory
server to include serviceAuthenticationMethod. To do this,
ldapentry requires the profile DN. You can find the profile DN from
PROFILE_ENTRY_DN in /etc/opt/ldapux/ldapux_client.conf after
you finish running the setup program. The following example edits the
profile entry "cn=ldapuxprofile,dc=org,dc=hp,dc=com":
For example:
cd /opt/ldapux/bin
./ldapentry -m "cn=ldapuxprofile,dc=org,dc=hp,dc=com"
Chapter 2
51
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
After you enter the prompts for "Directory login:" and "password:",
ldapentry will bring up an editor window with the profile entry. You can
add the serviceAuthenticationMethod attribute.
The value of the serviceAuthenticatioMethod entry depends on the
authentication method you configure. The following shows the possible
values of the serviceAuthenticationMethod attribute:
•
For SASL DIGEST-MD5 using the Distinguish Name (DN) to
generate the DIGEST-MD5 hash, the data in the entry is:
serviceAuthenticationMethod:keyserv:sasl/digest-md5:\
username=dn
•
For SASL DIGEST-MD5 using the UID attribute to generate the
DIGEST-MD5 hash, the data in the entry is:
serviceAuthenticationMethod:keyserv:sasl/digest-md5
•
For SASL DIGEST-MD5 with SSL enabled using the DN to generate
the DIGEST-MD5 hash, the data in the entry is:
serviceAuthenticationMethod:keyserv:tls:sasl/digest-md5:
username=dn
•
For SASL DIGEST-MD with SSL enabled using the UID attribute to
generate the DIGEST-MD5 hash, the data in the entry is:
serviceAuthenticationMethod:keyserv:tls:sasl/digest-md5
•
For simple authentication, the data in the entry is:
serviceAuthenticationMethod:keyserv:simple
•
For simple with SSL enabled, the data in the entry is:
serviceAuthenticationMethod:keyserv:tls:simple
For more information on ldapentry, refer to Chapter 5, “Command and
Tool Reference,” on page 137.
Step 3. Go to /opt/ldapux/config:
cd /opt/ldapux/config
Step 4. Use /opt/ldapux/config/get_profile_entry to download the
modified LDIF profile:
52
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
./get_profile_entry -s nss
Step 5. Run the /opt/ldapux/config/display_profile_cache tool to check
the configuration of the serviceAuthenticationMethod attribute:
./display_profile_cache
For example:
If the serviceAuthenticationMethod:keyserv:sasl/digest-md5
entry is added to the profile entry in the LDAP directory, you can see the
following information when you run the display_profile_cache tool:
serv-auth: keyserv:sasl/digest-md5
auth opts: username: uid
realm:
For subsequent LDAP-UX client systems that share the same profile
configuration, use the following steps to download and activate the
profile:
Step 1. Login as root.
Step 2. Go to /opt/ldapux/config:
cd /opt/ldapux/config
Step 3. Use /opt/ldapux/config/get_profile_entry to download the
modified LDIF profile:
./get_profile_entry -s nss
Step 4. Run the /opt/ldapux/config/display_profile_cache tool to check
the configuration of the serviceAuthenticationMethod attribute:
./display_profile_cache
Configuring Name Service Switch
Configure the Name Service Switch (NSS) to enable the LDAP support
for publickey.
You can save a copy of /etc/nsswitch.conf file and modify the original
to add ldap support to the publickey service. See /etc/nsswitch.ldap
for a sample.
The following shows the sample file, /etc/nsswitch.ldap:
Chapter 2
53
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
passwd:
group:
hosts:
networks:
protocols:
rpc:
publickey:
netgroup:
automount:
aliases:
services:
54
files ldap
files ldap
dns files ldap
files ldap
files ldap
files ldap
ldap [NOTFOUND=return] files
files ldap
files ldap
files
files ldap
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
AutoFS Support
AutoFS is a client-side service that automatically mounts appropriate
file systems when users request access to them. If an automounted file
system has been idle for a period of time, AutoFS unmounts it. AutoFS
uses name services such as files, NIS or NIS+ to store and manage
AutoFS maps.
LDAP-UX Client Services B.04.00 supports the automount service under
the AutoFS subsystem. This new feature allows users to store AutoFS
maps in an LDAP directory server. .
AutoFS Patch Requirement
In order to enable the LDAP support for AutoFS, you must install the
AutoFS patch or Enhanced AutoFS version on your client system shown
in Table 2-3:
Table 2-3
Patch Requirement
Operating System
Supported
Patch ID/Version
Planned Release
Date
HP-UX 11i v1
Enhanced AutoFS
version B.11.11.0509.1
September, 2005
HP-UX 11i v2
PHNE_33100
August, 2005
Automount Schemas
This section describes the following three automount schemas:
•
new automount schema
An automount schema is based on RFC 2307-bis. This schema
defines new automountMap and automount structures to represent
the AutoFS maps and their entries in the LDAP directory.
•
Chapter 2
nisObject automount schema
55
Installing And Configuring LDAP-UX Client Services
AutoFS Support
The nisObject automount schema defines nisMap and nisObject
structures to represent the AutoFS maps and their entries in the
LDAP directory. There are some limitations that you need to be
aware of when using the nisObject automount schema.
•
obsolete automount schema
This is the schema that is shipped with Netscape Directory Server
version 6.x.
The LDAP-UX Client Services supports the new automount schema. The
nisObject automount schema can also be used if configured via
attribute mappings. LDAP-UX does not support the obsolete automount
schema. You must manually delete it before the setup program can
successfully import the new automount schema into the LDAP directory
server.
Read subsequent sections of this chapter for the detailed information
about the automount schemas.
New Automount Schema
This schema is a new schema defined in RFC2307-bis. This schema
defines new automountMap and automount structures to represent
AutoFS maps and their entries in the LDAP directory. AutoFS maps are
stored in the LDAP directory server using structures defined by this
schema.
The RFC2307-bis automount schema is not loaded in the Netscape
Directory Server. If you are installing LDAP-UX B.04.00 on your client
system, the setup program will import the new automount schema into
your Netscape Directory Server. If you previously configured LDAP-UX
B.03.30 or an earlier version, and are now updating the product to
version B.04.00, you must re-run the setup program to import the new
automount schema into the LDAP directory. The subsequent client
systems do not need to re-run the setup.
Schema
The following shows the RFC 2307-bis automount schema in the LDIF
format:
objectClasses: ( 1.3.6.1.1.1.2.16
NAME ’automountMap’
DESC ’Automount Map information’
SUP top STRUCTURAL
MUST automountMapName
56
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
MAY description
X-ORIGIN ’user defined’ )
objectClasses: ( 1.3.6.1.1.1.2.17
NAME ’automount’
DESC ’Automount information’
SUP top STRUCTURAL
MUST ( automountKey $ automountInformation )
MAY description
X-ORIGIN ’user defined’ )
attributeTypes: ( 1.3.6.1.1.1.1.31
NAME ’automountMapName’
DESC ’automount Map Name’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
X-ORIGIN ’user defined’ )
attributeTypes: ( 1.3.6.1.1.1.1.32
NAME ’automountKey’
DESC ’Automount Key value’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
X-ORIGIN ’user defined’ )
attributeTypes: ( 1.3.6.1.1.1.1.33
NAME ’automountInformation’
DESC ’Automount information’
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
X-ORIGIN ’user defined’ )
For Netscape Directory Server, each entry started by “attributetypes:”
or “objectclasses:” must be one continuous line.
An Example
The following shows an example of a direct AutoFS map, auto_direct,
stored in the LDAP directory server using new automount schema:
dn:automountMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: automountMap
automountMapName: auto_direct
Chapter 2
57
Installing And Configuring LDAP-UX Client Services
AutoFS Support
dn:automountKey=/mnt_direct/test1,\
automountMapname=auto_direct, dc=nishpind
objectClass: top
objectClass: automount
automountInformation:hostA:/tmp
automountKey: /mnt_direct/test1
dn:automountKey=/mnt_direct/test2,\
automountMapname=auto_direct, dc=nishpind
objectClass: top
objectClass: automount
automountInformation:hostB:/tmp
automountKey:/mnt_direct/test2
The nisObject Automount Schema
The nisObject automount schema defines nisMap and nisObject
structures to represent the AutoFS maps and their entries. The AutoFS
maps are stored in the LDAP directory server using the nisMap and
nisObject structures.
An Example
The following shows an example of a direct AutoFS map, auto_direct,
stored in the LDAP directory server using the nisObject automount
schema:
dn:nisMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: nisMap
nisMapName: auto_direct
dn:cn=/mnt_direct/test1, nisMapName=auto_direct, dc=nishpind
objectClass: top
objectClass: nisObject
nisMapName: auto_direct
cn: /mnt_direct/test1
nisMapEntry:hostA:/tmp
dn:cn=/mnt_direct/test2, nisMapname=auto_direct, dc=nishpind
objectClass: top
objectClass: nisObject
nisMapName: auto_direct
cn: /mnt_direct/test2
nisMapEntry:hostB:/tmp
58
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
Limitations
The nisObject automount schema contains three attributes, cn,
nisMapEntry and nisMapName. cn is an attribute that ignores
case-matching. Consider the following example:
# an indirect map named auto_test
test1
server1:/source
TEST1
server2:/source
In the above example, because the cn attribute is case-insensitive, the
LDAP considers “cn=TEST1, nisMapName=auto_test” to be a
redefinition of “cn=test1, nisMapName=auto_test”.
Using the nisObject automount map schema, capital letters are not
significant. In other words, if two keys have names that are only
different by the use of capital letters, then one of those entries will be
rendered inoperable because the other one is the only one that can be
retrieved.
NOTE
If you use the nisObject automount map schema, do not use any keys
that have capital letters and only differ from other keys by those capital
letters.
Obsolete Automount Schema
The obsolete automount schema is shipped with the Netscape Directory
Server version 6.x. You must manually delete it before the setup program
can successfully import the new automount schema into the LDAP
directory server.
Removing The Obsolete Automount Schema
Perform the following steps to delete the obsolete automount schema:
Step 1. Login to your Netscape Directory Server as root.
Step 2. Stop your Netscape Directory Server daemon, slapd.
/var/opt/netscape/servers/slapd-/stop-slapd
For example:
/var/opt/netscape/servers/slapd-ldapA.cup.hp.com/stop-slapd
Chapter 2
59
Installing And Configuring LDAP-UX Client Services
AutoFS Support
Step 3. Delete the following two entries in the
/var/opt/netscape/servers/slapd-/ \
config/schema/10rfc2307.ldif file. These two entries contain the
‘automountInformation’ attributetype and the ‘automount’ objectclass.
The data in these two entries define the obsolete automount schema. The
complete two entries are:
•
attributeTypes:( 1.3.6.1.1.1.1.25 NAME
’automountInformation’ DESC ’Standard LDAP attribute type’
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN ’RFC 2307’)
•
objectClasses:( 1.3.6.1.1.1.2.9 NAME ’automount’ DESC
’Standard LDAP objectclass’ SUP top MUST (cn
$automountInformation)MAY (description) X-ORIGIN ’RFC2307’)
Step 4. Restart the daemon, slapd. This is to ensure that the updated schema
file is recognized by the Netscape Directory Server.
/var/opt/netscape/servers/slapd-/restart-slap
d
For example:
/var/opt/netscape/servers/slapd-ldapA.cup.hp.com/restart-slapd
After you delete the obsolete automount schema, you must re-run the
setup program to import the new automount schema into the LDAP
directory server.
Attribute Mappings
LDAP-UX Client Services B.04.00 supports attribute mappings between
the new RFC 2307-bis automount schema and the nisObject automount
schema. This feature allows the directory administrators to use the
nisObject schema if they have already deployed it.
When both new automount schema and nisObject schema exist in the
LDAP directory server, if you choose to use the nisObject automount
schema, you must run the setup program using the custom configuration
to perform the attribute mappings and search filter changes for the
automount service. The attribute mappings include the following:
•
60
Remap the new automount attributes to the nisObject automount
attributes. The attribute mappings are done in step 10 of the Custom
Configuration. For detailed information on how to remap the
automunt attributes, see “Custom Configuration” on page 34.
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
Table 2-3 shows the attribute mappings:
Table 2-4
Attribute Mappings
New Automount Attribute
nisObject Automount
Attribute
automountMapname
nisMapname
automountKey
cn
automountInformation
nisMapEntry
•
Change the automount search filter for the automount service to the
nisObject search filter. LDAP-UX Client Services uses the
automount search filter for the automount service as a default. The
search filter change can be done in step 11 of the Custom
Configuration. If you want to create the nisObject search filter for
the automount service to search a different location in the LDAP
directory server, see “Custom Configuration” on page 34 for details.
If you want to perform attribute mappings or search filter changes by
using the Custom Configuration, ensure that you do not accept the
remaining default configuration parameters in step 4 of the Custom
Configuration.
NOTE
You can use the nisObject automount schema without attribute
mappings and search filter changes if only the nisObject automount
schema exists in the LDAP directory.
Configuring Name Service Switch
Configure the Name Service Switch (NSS) to enable the LDAP support
for AutoFS.
You can save a copy of /etc/nsswitch.conf file and modify the original
to add LDAP support to the automount service. See
/etc/nsswitch.ldap for a sample.
The following shows the sample file, /etc/nsswitch.ldap:
Chapter 2
61
Installing And Configuring LDAP-UX Client Services
AutoFS Support
passwd:
group:
hosts:
networks:
protocols:
rpc:
publickey:
netgroup:
automount:
aliases:
services:
files ldap
files ldap
dns files ldap
files ldap
files ldap
files ldap
ldap [NOTFOUND=return] files
files ldap
files ldap
files
files ldap
AutoFS Migration Scripts
This section describes the migration scripts which can be used to migrate
your AutoFS maps from files, NIS servers or NIS+ servers to LDIF files.
After LDIF files are created, you can use the ldapmodify tool to import
LDIF files to your LDAP directory server. These migration scripts use
the new automount schema defined in RFC 2307-bis to migrate the
AutoFS maps to LDIF. You need to import the new automount schema
into your LDAP directory server before you use these migration scripts to
migrate AutoFS maps.
Table 2-4 describes the migration scripts:
Table 2-5
Migration Scripts
Migration Script
Description
migrate_automount.pl
Migrates AutoFS maps from files to
LDIF.
migrate_nis_automount.pl
Migrates AutoFS maps from the NIS
server to LDIF.
migrate_nisp_autofs.pl
Migrates AutoFS maps from NIS+
server to the nisp_automap.ldif file.
Environment Variables
When you use the AutoFS migration scripts to migrate AutoFS maps, set
the following environment variables:
LDAP_BASEDN
62
The base distinguished name of the LDAP directory
that the AutoFS maps are to be placed in.
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
DOM_ENV
This only applies to the migrate_nisp_autofs.pl
script. This variable defines the fully qualified name of
the NIS+ domain where you want to migrate your data
from.
NIS_DOMAINNAME This only applies to the migrate_nis_automount.pl
script. This variable specifies the fully qualified name
of the NIS domain where you want to migrate your
data from. This variable is optional. If the NIS domain
name is not specified, LDAP-UX uses the value of the
NIS_DOMAIN parameter configured in the
/etc/rc.conf.d/namesvrs file.
Examples:
The following command sets the fully qualified name of the NIS+ domain
to “cup.hp.com”:
export DOM_ENV=”cup.hp.com”
The following command sets the fully qualified name of the NIS domain
to “india.hp.com”:
export NIS_DOMAINNAME=”india.hp.com”
The following command sets the base DN to “dc=cup, dc=hp, dc=com”:
export LDAP_BASEDN=”dc=cup, dc=hp, dc=com”
General Syntax For Migration Scripts
The migration scripts use the following general syntax:
scriptname inputfile outfile
where
Chapter 2
scriptname
Is the name of the particular script you are using.
inputfile
Is the fully qualified file name of the appropriate
AutoFS map that you want to migrate. For example,
/etc/auto_master.
outputfile
This only applies to the migrate_nis_automount.pl
and migrate_automount.pl scripts. This is optional
and is the name of the file where the LDIF is written.
stdout is the default output.
63
Installing And Configuring LDAP-UX Client Services
AutoFS Support
The migrate_automount.pl Script
This script, found in /opt/ldapux/migrate, migrates the AutoFS maps
from files to LDIF.
Syntax
scriptname inputfile outputfile
Examples
The following commands migrate the AutoFS map /etc/auto_direct
to LDIF and place the results in the /tmp/auto_direct.ldif file:
export LDAP_BASEDN=”dc=nishpind”
migrate_automount.pl /etc/auto_direct /tmp/auto_direct.ldif
The following shows the /etc/auto_direct file:
#local mount point
/mnt/direct/lab1
/mnt/direct/lab2
remote server:directory
hostA:/tmp
hostB:/tmp
The following shows the /tmp/auto_direct.ldif file:
dn:automountMapName=auto_direct,dc=nishpind
objectClass: top
objectClass: automountMap
automountMapName: auto_direct
dn:automountKey=/mnt_direct/lab1,\
automountMapname=auto_direct, dc=nishpind
objectClass: top
objectClass: automount
automountInformation:hostA:/tmp
automountKey: /mnt_direct/lab1
dn:automountKey=/mnt_direct/lab2,\
automountMapname=auto_direct, dc=nishpind
objectClass: top
objectClass: automount
automountInformation:hostB:/tmp
automountKey:/mnt_direct/lab2
64
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF
file /tmp/auto_direct.ldif that you just created above into the LDAP
directory. For example, the following command imports the
/tmp/auto_direct.ldif file to the LDAP base DN “dc=nishpind” in
the LDAP directory server LDAPSERV1:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D “cn=Directory
Manager” -w -f /tmp/auto_direct.ldif
Where options are:
-a Add a new entry into the LDAP directory
-h The LDAP directory host name
-D The Distinguish Name (DN) of the directory manager
-w The password of the directory manager
-f The LDIF file to be imported into the LDAP directory
Chapter 2
65
Installing And Configuring LDAP-UX Client Services
AutoFS Support
The migrate_nis_automount.pl Script
This script, found in /opt/ldapux/migrate, migrates the AutoFS maps
from the NIS server to LDIF.
Syntax
scriptname inputfile outputfile
Examples
The following commands migrate the AutoFS map /etc/auto_indirect
to LDIF and place the results in the /tmp/auto_indirect.ldif file:
export LDAP_BASEDN=”dc=nisserv1”
export NIS_DOMAINNAME=”cup.hp.com”
migrate_nis_automount.pl /etc/auto_indirect
/tmp/auto_indirect.ldif
The following shows the /etc/auto_indirect file:
#local mount point
lab1
lab2
remote server:directory
hostA:/tmp
hostB:/tmp
The following shows the /tmp/auto_indirect.ldif file:
dn:automountMapName=auto_indirect,dc=nisserv1
objectClass: top
objectClass: automountMap
automountMapName: auto_indirect
dn:automountKey=lab1,\
automountMapname=auto_indirect, dc=nisserv1
objectClass: top
objectClass: automount
automountInformation:hostA:/tmp
automountKey: lab1
dn:automountKey=lab2, \
automountMapname=auto_indirect, dc=nisserv1
objectClass: top
objectClass: automount
automountInformation:hostB:/tmp
automountKey:lab2
66
Chapter 2
Installing And Configuring LDAP-UX Client Services
AutoFS Support
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF
file /tmp/auto_indirect.ldif that you just created above into the
LDAP directory. For example, the following command imports the
/tmp/auto_indirect.ldif file to the LDAP base DN “dc=nisserv1” in
the LDAP directory server LDAPSERV1:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D “cn=Directory
Manager” -w -f /tmp/auto_indirect.ldif
The migrate_nisp_autofs.pl Script
This script, found in /opt/ldapux/migrate/nisplusmigration,
migrates the AutoFS maps from the NIS+ server to the
nisp_automap.ldif file.
Syntax
scriptname inputfile
Examples
The following commands migrate the AutoFS map /etc/auto_indirect
to LDIF and place the results in the nisp_automap.ldif file:
export LDAP_BASEDN=”dc=nishpbnd”
export DOM_ENV =”cup.hp.com”
migrate_nisp_autofs.pl /etc/auto_indirect
The following shows the /etc/auto_indirect file:
#local mount point
lab1
lab2
remote server:directory
hostA:/tmp
hostB:/tmp
The following shows the nisp_automap.ldif file:
dn:automountMapName=auto_indirect,dc=nishpbnd
objectClass: top
objectClass: automountMap
automountMapName: auto_indirect
dn:automountKey=lab1, \
automountMapname=auto_indirect, dc=nishpbnd
objectClass: top
objectClass: automount
automountInformation:hostA:/tmp
automountKey: lab1
Chapter 2
67
Installing And Configuring LDAP-UX Client Services
Verify the LDAP-UX Client Services
dn:automountKey=lab2, \
automountMapname=auto_indirect, dc=nishpbnd
objectClass: top
objectClass: automount
automountInformation:hostB:/tmp
automountKey:lab2
You can use the /opt/ldapux/bin/ldapmodify tool to import the LDIF
file nisp_automap.ldif that you just created above into the LDAP
directory. For example, the following command imports the
nisp_automap.ldif file to the LDAP base DN “dc=nishpbnd” in the
LDAP directory server LDAPSERV1:
/opt/ldapux/bin/ldapmodify -a -h LDAPSERV1 -D “cn=Directory
Manager” -w -f nisp_automap.ldif
Verify the LDAP-UX Client Services
This section describes some simple ways you can verify the installation
and configuration of your LDAP-UX Client Services. You may need to do
more elaborate and detailed testing, especially if you have a large
environment.
If any of the following tests fail, see “Troubleshooting” on page 131.
Step 1. Use the nsquery(1)1 command to test the name service:
nsquery lookup_type lookup_query [lookup_policy]
For example, to test the name service switch to resolve a username
lookup, enter:
nsquery passwd username ldap
where username is the login name of a valid user whose posix account
information is in the directory. You should see output something like the
following depending on how you have configured /etc/nsswitch.conf:
1. nsquery(1) is a contributed tool included with the ONC/NFS product.
68
Chapter 2
Installing And Configuring LDAP-UX Client Services
Verify the LDAP-UX Client Services
Using "ldap" for the passwd policy.
Searching ldap for jbloggs
User name: jbloggs
user Id: 10000
Group Id: 2000
Gecos:
Home Directory: /home/jbloggs
Shell: /bin/sh
Switch configuration: Terminates Search
This tests the Name Service Switch configuration in /etc/nsswitch.conf. If
you do not see output like that above, check /etc/nsswitch.conf for proper
configuration.
Step 2. Use other commands to display information about users in the directory,
making sure the output is as expected:
pwget -n username
nsquery hosts host_to_find
grget -n groupname
ls -l
NOTE
While you can use the following commands to verify your configuration,
these commands enumerate the entire passwd or group database, which
may reduce network and directory server performance for large
databases:
pwget (with no options)
grget (with no options)
listusers
logins
Step 3. Use the beq search utility to search for the following services: pwd
(password), grp (group), shd (shadow password), srv (service), prt
(protocol), rpc (RPC), hst (host), net (network), ngp (netgroup), and grm
(group membership). An example beq command using name as the
search key, grp as the service, and ldap as the library is shown below.
./beq -k n -s grp -l /usr/lib/libnss_ldap.1 nss_status........
NSS_SUCCESS
pw_name...........(iuser1)
pw_passwd.........(*)
pw_uid............(101)
pw_gid............(21)
pw_age............()
Chapter 2
69
Installing And Configuring LDAP-UX Client Services
Verify the LDAP-UX Client Services
pw_comment........()
pw_gecos..........(gecos data in files)
pw_dir............(/home/iuser1)
pw_shell..........(/usr/bin/sh)
pw_audid..........(0)
pw_audflg.........(0)
Refer to “beq Search Tool” in Chapter 4 for command syntax and
examples.
Step 4. Log in to the client system from another system using rlogin or telnet.
Log in as a user in the directory and as a user in /etc/passwd to make
sure both work.
Step 5. Optionally, test your pam_authz authorization configuration:
If the pam_authz is configured without the pam_authz.policy file,
verify the followings:
•
•
logging into the client system from another system using rlogin or
telnet with a user name that is a member of a +@netgroup in the
directory to make sure the user will be allowed to log in.
logging in as a user that is a member of a -@netgroup to be sure that
the user will not be allowed to login.
If the pam_authz is configured with the pam_authz.policy file, verify
the followings:
•
•
logging into the client system with a user name that is covered by an
allow access rule in the policy file. Make sure the user will be
allowed to log in.
logging in as a user that is covered by a deny access rule in the
policy file. Make sure the user can not login to the client system.
Step 6. Open a new hpterm(1X) window and log in to the client system as a user
whose account information is in the directory. It is important you open a
new hpterm window or log in from another system because if login
doesn’t work, you could be locked out of the system and would have to
reboot to single-user mode.
This tests the Pluggable Authentication Module (PAM) configuration in
/etc/pam.conf. If you cannot log in, check /etc/pam.conf for proper
configuration. Also check your directory to make sure the user’s account
information is accessible by the proxy user or anonymously, as
appropriate. Check your profile to make sure it looks correct. See also
Troubleshooting in this chapter for more information.
70
Chapter 2
Installing And Configuring LDAP-UX Client Services
Verify the LDAP-UX Client Services
Step 7. Use the ls(1) or ll(1) command to examine files belonging to a user whose
account information is in the directory. Make sure the owner and group
of each file are accurate:
ll /tmp
ls -l
If any owner or group shows up as a number instead of a user or group
name, the name service switch is not functioning properly. Check the file
/etc/nsswitch.conf, your directory, and your profile.
If you want to verify that you set up X.500 group membership correctly,
follow these steps:
1. Create a valid posix user and group. Add this user as a member of
this group using the attribute “member” instead of “memberuid”.
Here is an example ldif file specifying xuser2 as a member of the
group xgrpup1:
#cat example_ids.ldif
dn: cn=xgroup1,ou=Groups,o=hp.com
objectClass: posixGroup
objectClass: groupofnames
objectClass: top
cn: xgroup1
userPassword: {crypt}*
gidNumber: 999
member: uid=xuser2,ou=People,o=hp.com
dn: uid=xuser2,ou=People,o=hp.com
uid: xuser2
cn: xuser2
objectClass: top
objectClass: account
objectClass: posixAccount
userPassword: {crypt}xxxxxxxxxxxxx
loginShell: /bin/ksh
uidNumber: 9998
gidNumber: 999
homeDirectory: /home/xuser2
2. Make sure that the file /etc/nsswitch.conf specifies ldap for group
service:
#cat /etc/nsswitch.conf
:
Chapter 2
71
Installing And Configuring LDAP-UX Client Services
Configure Subsequent Client Systems
:
group: files ldap
:
:
3. Verify:
#grget -n xgroup1
xgroup1:*:999: xuser2
If xuser2 shows up as a member of xgroup1, then your setup is
correct.
Configure Subsequent Client Systems
Once you have configured your directory and one client system, you can
configure subsequent client systems using the following steps. Modify
any of these files as needed.
Step 1. Use swinstall to install LDAP-UX Client Services on the client system.
This does not require rebooting the client system.
Step 2. Copy the following files from a configured client to the client being
configured:
•
•
•
•
•
•
/etc/opt/ldapux/ldapux_client.conf
/etc/opt/ldapux/pcred only if you have configured a proxy user, not if
you are using only anonymous access
/etc/pam.conf
/etc/nsswitch.conf
/etc/opt/ldapux/acred if the /etc/opt/ldapux/acred file exists
cert7.db or cert8.bd and key3.db flles if SSL is enabled
Set all file access mode permission to be the same as those of the first
client being configured.
Step 3. Download the profile by running get_profile_entry as follows:
cd /opt/ldapux/config
./get_profile_entry -s nss
72
Chapter 2
Installing And Configuring LDAP-UX Client Services
Configure Subsequent Client Systems
Alternatively you could interactively run the setup program to download
the profile from the directory and respond “no” when asked if you want to
change the current configuration:
cd /opt/ldapux/config
./setup
Step 4. If you are using a proxy user, configure the proxy user by calling
ldap_proxy_config as follows:
cd /opt/ldapux/config
./ldap_proxy_config
Step 5. “Verify the LDAP-UX Client Services” on page 68.
Chapter 2
73
Installing And Configuring LDAP-UX Client Services
Download the Profile Periodically
Download the Profile Periodically
Setup allows you to define a time interval after which the current profile
is being automatically refreshed. The start time for this periodic refresh
is defined by the time the setup program was run and the value defined
for ProfileTTL. Therefore, it does not allow you to define a specific time of
day when the profile should be downloaded (refreshed). For more
detailed information, refer to the ldapclientd(1) man page.
If you would like to manually control when you want to download the
profile, you can use the following steps:
Step 1. When creating your profile entry using setup, set the ProfileTTL value to
0.
Step 2. Using the command get_profile_entry -s nss, write a shell script
that downloads the profile. Below is an example that downloads the
profile from the directory. Modify this example for your environment. It
also compares the new and old profiles and emails a status message:
#!/bin/ksh
cp /etc/opt/ldapux/ldapux_profile.ldif /etc/opt/ldapux/ldapux_profile.sav
/opt/ldapux/config/get_profile_entry -s nss 2>&1>/tmp/profile.upd$$
diff /etc/opt/ldapux/ldapux_profile.ldif /etc/opt/ldapux/ldapux_profile.sav\
>> /tmp/profile.upd$$
if [ -s /tmp/profile.upd$$ ]; then
cat /tmp/profile.upd$$ | mailx -s "Profile cache refreshed." root@sys01
else
echo "No changes." | mailx -s "Profile cache refreshed." root@sys01
fi
rm -f /etc/opt/ldapux/ldapux_profile.sav
rm -f /tmp/profile.upd$$
Step 3. Create a crontab(1) file (or edit your existing crontab file) and specify
how frequently you want the profile to be downloaded. For example,
assuming the script above is in the file /ldapux/download_ldap_profile,
the following crontab specification specifies that
/ldapux/download_ldap_profile be executed nightly at midnight:
0 0 * * * /ldapux/download_ldap_profile
Step 4. Log in as root and schedule the job with the crontab(1) command. For
example, assuming the crontab entry above is in the file crontab.profile,
the following schedules the profile downloading:
74
Chapter 2
Installing And Configuring LDAP-UX Client Services
Download the Profile Periodically
crontab crontab.profile
Chapter 2
75
Installing And Configuring LDAP-UX Client Services
Use r-command for PAM_LDAP
Use r-command for PAM_LDAP
An enhancement has been implemented to the LDAP-UX Client Services
B.03.20, so that r-commands can work with LDAP account users whose
password is hidden, or not in clear text or crypt syntax.
If you want to use this new fearture, use the following steps:
1. Uncomment out the following line in the
/etc/opt/ldapux/ldapux_client.conf file:
#password_as = “x”
2. On the HP-UX 11.0 or 11i v1 client system, modify account
management session in /etc/pam.conf file for pam_ldap to add
“rcommand” option as shown below:
# Account management
#
login
login
su
su
dtlogin
dtlogin
dtaction
dtaction
ftp
ftp
OTHER
OTHER
account
account
account
account
account
account
account
account
account
account
account
account
sufficient
required
sufficient
required
sufficient
required
sufficient
required
sufficient
required
sufficient
required
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_ldap.1 rcommand
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_ldap.1
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_ldap.1
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_ldap.1
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_ldap.1
/usr/lib/security/libpam_unix.1
/usr/lib/security/libpam_ldap.1 rcommand
On the HP-UX 11i v2 client system, you will modify account
management session in /etc/pam.conf file for pam_ldap to add
“rcommand” option as follows:
# Account management
#
login
login
login
su
su
su
76
account
account
account
account
account
account
required
sufficient
required
required
sufficient
required
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1 rcommand
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1
Chapter 2
Installing And Configuring LDAP-UX Client Services
Use r-command for PAM_LDAP
dtlogin
dtlogin
dtlogin
dtaction
dtaction
dtaction
ftp
ftp
ftp
rcomds
rcomds
rcomds
sshd
sshd
sshd
OTHER
OTHER
CAUTION
Chapter 2
account
account
account
account
account
account
account
account
account
account
account
account
account
account
account
account
account
required
sufficient
required
required
sufficient
required
required
sufficient
required
required
sufficient
required
required
sufficient
required
sufficient
required
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1 rcommand
libpam_hpsec.so.1
libpam_unix.so.1
libpam_ldap.so.1
libpam_unix.so.1
libpam_ldap.so.1
Setting user password to be returned as any string for the hidden
password, and turning on the “rcommand” option for pam_ldap
account management could allow users with active accounts on a
remote host to rlogin to the local host on to a disabled account.
77
Installing And Configuring LDAP-UX Client Services
Use r-command for PAM_LDAP
78
Chapter 2
3
LDAP Printer Configurator
Support
This chapter contains information describing how LDAP-UX supports
the printer configurator, how to set up the printer schema, and how to
configure the printer configurator to control its behaviors.
This chapter contains the following sections:
•
•
•
•
•
•
Chapter 3
“Overview” on page 80.
“How the LDAP Printer Configurator works” on page 82.
“Printer Configuration Parameters” on page 85.
“Printer Schema” on page 86.
“Managing the LP printer configuration” on page 88.
“Limitations of Printer Configurator” on page 91.
79
LDAP Printer Configurator Support
Overview
Overview
Management of network printing is complex, and printers themselves
are more complicated. Instead of having printer configuration and
information scattered over client systems and printer servers, they can
be stored and managed from a single repository. LDAP is suited to build
a backend printer configuration database. LDAP-UX enables the
centralized management of printers, and the printer entries can easily be
distributed to clients to reduce concerns about synchronization of
configuration information. LDAP-UX comes with a printer configurator
to consolidate printer configuration and control of printer devices into
the LDAP Directory Server for a central location of printer management.
Definitions
Printer Services
HP-UX provides LP spooler system with the LP subsystem to manage
printers and print services requests. The LP subsystem is a collection of
18 programs that operate on the resources (files and subdirectories) in
LP spool directory to perform their functions, such as lpadmin,
rlpdaemon programs, and lp command.
Printing Protocol
The LP spooler system has built-in support for sending jobs to other
hosts that running rlpdaemon. rlpdaemon is a line printer daemon
(LPD) for handling remote spool requests. This feaure enables the user to
install a printer on one host and make it accessible from other hosts. It
also works with printers/printservers that have network interfaces that
support the LDP protocol. The LPD network printing protocol is the
widely used network printing protocol in the UNIX world.
LP Printer types
The LP spooler supports the following three types of printers:
80
•
A network printer which is a printer connected to a network
interface or printserver.
•
A remote printer is a printer configured on a system other than the
one you are logged into when you submit a print request.
Chapter 3
LDAP Printer Configurator Support
Overview
•
NOTE
Chapter 3
A local printer which is a printer that is directly connected to your
system.
The LDAP printer configurator only supports the HP LP spooler system,
remote printers, network printers and printerservers that support Line
Printer Daemon (LPD) protocol. It does not support local printers.
81
LDAP Printer Configurator Support
How the LDAP Printer Configurator works
How the LDAP Printer Configurator works
The Printer Configurator is a service daemon which provides the
following functions:
•
Periodically searches the existing printer entries stored in LDAP
Directory Server
•
Compares the search result with the master printer record file on
each scheduled ldapsearch
•
Adds the print configuration to client system for each new printer
•
Deletes the printer from the client system for each removed printer
•
Updates master printer record file
When ldapclientd is initialized, it will enable the printer configurator
sevices at the same time. Once the printer configurator is up, it
periodically searches for any existing printer entries in the LDAP
Direcotry Server based on a predefined search filters. If there are any
printer entries in the LDAP Directory Server, the printer configurator
will extract the LP printer configuration from each printer entry.
Then, the printer configurator compares the printer configuration with
the current LP printer configuration in the client system. The result of
comparison will generate a list of new or removed printers. For a new
printer, the printer configurator adds this printer to the LP printer spool
of the client which is running the printer configurator. For a removed
printer, the printer configurator deletes this printer from the LP printer
spool of the client.
With the printer configurator, if a printer administrator attempts to
remove or add a printer, all the administrator has to do is to add or delete
the printer entry in the LDAP Directory Server. The printer
configuration will be updated automatically without manually setting
the printers on each client system.
82
Chapter 3
LDAP Printer Configurator Support
How the LDAP Printer Configurator works
NOTE
Chapter 3
The system administrator manually adds or removes printers to the
HP-UX system. The LDAP Printer Configurator will only add or remove
printers that it has discovered in the LDAP directory according to the
search filter defined for the printer.
83
LDAP Printer Configurator Support
How the LDAP Printer Configurator works
Figure 3-1
84
Printer Configurator Architecture
Chapter 3
LDAP Printer Configurator Support
Printer Configuration Parameters
Printer Configuration Parameters
The LDAP-UX Client Services provides four printer configuration
parameters, start, search_interval , max_printers and
lpadmin_option available for you to customize and control the
behaviors of the printer configurator. These parameters are defined in
the ldapclientd.conf file. For detailed information on these new
parameters, refer to Chapter 4, “Administering LDAP-UX Client
Services,” on page 93.
Chapter 3
85
LDAP Printer Configurator Support
Printer Schema
Printer Schema
The new printer schema,
IETF, is used to create the
printer objects that are relevant to the printer configurator services. The
draft printer schema can be obtained from IETF web site at
http://www.ietf.org. For the detailed structure information of the new
printer schema, see Appendix C. You must import the new printer
schema into the LDAP Directory Server to create new printer objects.
NOTE
The LDAP printer configurator supports any Directory Servers that
support the LDAP printer schema based on
IETF.
An Example
The following shows a typical printer object entry:
dn: printer-name=printer1,ou=printers,dc=cup,dc=hp,dc=com
objectclass: top
objectclass: printerabstract
objectclass: printerservice
objectclass: printerlpd
printer-name: lj81003
printer-uri: lpd://hostA.hp.com/lj81003
printer-location: 47L
printer-make-model: hp laser jet 81003
printer-service-person: John Louie
With the new printer schema, you are able to create printer objects for
the LP printer configuration.The minimum information for a printer
object entry is the local printer name, remote hostname, and the remote
printer name. The remote hostname is the system or device that the
remote printer is connected to. The remote hostname must be the fully
qualified name.
86
Chapter 3
LDAP Printer Configurator Support
Printer Schema
The printer-name attribute provides information of local printer name,
the printer-uri attribute identifies the remote hostname and the
remote printer name information. URI stands for uniform resources
identifier. The syntax of URI is based on RFC 2396. The following shows
an example of the printer-uri attribute:
printer-uri: lpd://hostA.hp.com/lj2004
Chapter 3
87
LDAP Printer Configurator Support
Managing the LP printer configuration
Managing the LP printer configuration
The LDAP-UX Client Services provide the printer configurator
integration; the product daemon automatically updates the remote LP
printer configuration of a client system based on the available printer
objects in the Directory Server. The printer configurator provides the
printer configuration management; it verifies if the printer configuration
has any conflict with the LP printer configurations in the client system
before it actually adds or deletes a printer.
Following are five examples to show how the LDAP printer configurator
provides central management of printer services based on the printer
objects stored in the Directory Server:
Example 1:
An administrator sets up a new printer located in the Engineering Lab
and wants this printer to be shared. This printer is physically connected
to a system hostA and is set up as a local printer lj2004. The
administrator creates a new printer entry in the directory server as
follow:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: lpd://hostA.hp.com/lj2004
A new printer configuration for laser2 is created automatically in every
client system if the LDAP printer configurator is running. The print
queue for laser2 is enabled and ready to accept print jobs. Users can
sent their print jobs to laser2 by typing lp -dlaser2 filename.
Example 2:
IT department would like to store additional service information in the
printer object. The administrator modifies the printer object by adding
more printer attributes. The modified content of the printer object is
shown as below:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: lpd://hostA.cup.hp.com/lj2004
printer-location: Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
88
Chapter 3
LDAP Printer Configurator Support
Managing the LP printer configuration
Since the local printer name, remote hostname, remote printer name,
and the printing protocol information are still the same, the LDAP
Printer Configurator will not change the current remote LP printer
configuration for laser2.
Example 3:
The system hostA.hp.com is retired. The Laserjet 2004 printer is now
connected to system hostC and set up as a local LP printer lj2004.
The administrator should update the printer object by changing the
value in printer-uri attribute. The following shows the updated
information of print objects:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
The current remote LP laser2 printer configuration is removed from
the client system, and the new laser2 printer configuration with new
remote hostname information is added to the client system. In fact, if
either remote hostname or remote printer name of printer-uri
attribute is modified, the printer configurator will remove the current
remote LP printer configuration and create the new printer configuration
with the updated resource information.
Example 4:
The remote LP printer, laser2, no longer supports LPD printing
protocol. IPP printing protocol is implemented instead. The
administrator updated the printer object by changing the printing
protocol to IPP. The following shows the updated printer objects in the
directory server:
dn: printer-name=laser2,ou=printers,dc=hp,dc=com
printer-name: laser2
printer-uri: ipp://hostC.hp.com/lj2004
printer-location: Engineering Lab
printer-model: Hewlett Packard laserjet Model 2004N
printer-service-person: David Lott
IPP printing protocol is not supported by the LP spool printing system.
The only action that the LDAP printer configurator will take is to
remove the current laser2 printer configuration on the client system.
Example 5:
Chapter 3
89
LDAP Printer Configurator Support
Managing the LP printer configuration
The administrator created a new printer object in the directory server as
below:
dn: printer-name=laser8,ou=printers,dc=hp,dc=com
printer-name: laser8
printer-uri: lpd://hostD.hp.com/lj81003
In this example, the printer configurator adds a new remote LP laser8
printer configuration to the client system.
However, if the user attempts to remove the laser8 printer
configuration manually, the printer configuration will no longer be
managed by the printer configurator. The user has to recreate the printer
configuration manually in case the laser8 printer is needed. The
printer configurator does not try to create the printer configuration even
though the printer object of laser8 still exists in the directory server.
If the user manually adds a remote LP printer configuration to the
client system, the new printer configuration will not be managed by the
printer configurator. The user has to remove the printer configuration
manually if the remote LP printer is no longer needed.
90
Chapter 3
LDAP Printer Configurator Support
Limitations of Printer Configurator
Limitations of Printer Configurator
Chapter 3
•
The new LDAP printer schema based on
IETF is imported into the
LDAP Directory Server to create the printer objects.
•
LDAP-UX Client Services only suports the HP-UX LP spooler
system, network printers, and printerservers that support Line
Printer Daemon (LPD) protocol. The printer configurator does not
support local printers.
•
In a global management envoriment, it is hard to determine a
default printer for the individual client system. The LDAP printer
configurator treats every printer entry as the regular printer. The
administrator or user requires to manually select a printer as a
default printer for the client system.
91
LDAP Printer Configurator Support
Limitations of Printer Configurator
92
Chapter 3
4
Administering LDAP-UX Client
Services
This chapter describes how to keep your clients running smoothly and
expand your computing environment. It describes the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Chapter 4
“Using The LDAP-UX Client Daemon” on page 94
“Integrating with Trusted Mode” on page 105
“PAM_AUTHZ Login Authorization Enhancement” on page 109
“Adding a Directory Replica” on page 118
“Displaying the Proxy User’s DN” on page 119
“Verifying the Proxy User” on page 120
“Creating a New Proxy User” on page 120
“Displaying the Current Profile” on page 121
“Creating a New Profile” on page 121
“Modifying a Profile” on page 122
“Changing Which Profile a Client Is Using” on page 122
“Changing from Anonymous Access to Proxy Access” on page 123
“Changing from Proxy Access to Anonymous Access” on page 123
“Performance Considerations” on page 125
“Client Daemon Performance” on page 126
“Troubleshooting” on page 131
93
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
Using The LDAP-UX Client Daemon
This section describes the following:
•
the steps required to activate the client daemon
•
an explanation of the administration tool ldapclientd, along with
the configuration file ldapclientd.conf
Overview
The LDAP-UX client daemon enables LDAP-UX clients t o work with
LDAP directory servers. It caches entries, supports multiple domains in
the Windows 2000/2003 Active Directory Server (ADS), supports X.500
group membership, automatically downloads the configuration profiles,
reuses connections to the LDAP Directory Server, and manages the
remote LP printer configuration.
The client daemon enables LDAP-UX to use multiple domains for
directory servers like Active Directory Server (ADS). The daemon also
allows PAM Kerberos to authenticate posix users stored in multiple
domains.
Automatic Profile Downloading updates the LDAP client configuration
profile by downloading a newer copy from the directory server as the
profileTTL (Time To Live) expires.
By default, the LDAP printer configurator is enabled, the client daemon,
ldapclientd, automatically searches printer objects configured in the
LDAP server and executes lpshut, lpadmin and lpsched commands to
add, modify, and remove printers accordingly for the local system.
By default, ldapclientd starts at system boot time. The ldapclientd
command can also be used to launch the client daemon manually, or
control it when the daemon is already running. Please refer to the
following section and the ldapclientd man page(s) for information
about the ldapclientd command and its parameters.
94
Chapter 4
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
IMPORTANT
Starting with LDAP-UX Client Services B.03.20 or later, the client
daemon, /opt/ldapux/bin/ldapclientd, must be running for
LDAP-UX functions to work. With LDAP-UX Client Services B.03.10 or
earlier, running the client daemon, ldapclientd, is optional.
ldapclientd
Starting the client
Use the following syntax to start the client daemon. Note the use of
upper and lower-case characters:
/opt/ldapux/bin/ldapclientd <[-d ] [-o]\
[-z]
Controlling the client
Use the following syntax to control the client daemon:
/opt/ldapux/bin/ldapclientd <[-d ] [-o]>
/opt/ldapux/bin/ldapclientd <[-D ]|-E |-S [cache]>
/opt/ldapux/bin/ldapclientd <-f| -k| -L| -h| -r>
Client Daemon performance
Performance (client response time) is improved by the use of two
techniques:
1. Caching entries to reduce the LDAP-UX client response time while
retrieving the following:
passwd
group
netgroup
X.500 group membership
automount
2. Reusing and maintaining connections to the directory server. The
reduction in bindings and disconnections significantly reduces the
load on server and network traffic.
Chapter 4
95
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
For more information on the client daemon performance, see “Client
Daemon Performance” on page 126.
Command options
Please refer to the ldapclientd man page(s) for option information.
Diagnostics
By default, errors are logged into syslog if the system log is enabled in
the LDAP-UX client startup configuration file
/etc/opt/ldapux/ldapux_client.conf. Errors occuring before
ldapclientd forks into a daemon process leaves an error message
directly on the screen.
The following diagnostic messages may be issued:
Message: Already running.
Meaning: An attempt was made to start an LDAP Client Daemon when
one was already running.
Message: Cache daemon is not running (or running but not ready).
Meaning: This message can mean several things:
1. Attempted to use the control option features of ldapclientd when
no ldapclientd daemon process was running, to control.
2. Attempted to start, or control, ldapclientd without superuser’s
privilege.
3. The ldapclientd daemon process is too busy with other requests to
respond at this time. Try again later.
Message: Problem reading configuration file.
Meaning: The /etc/opt/ldapux/ldapclientd.conf file is missing or has a
syntax error. If the problem is with its syntax, the error message will be
accompanied by a line showing exactly where it could not recognize the
syntax, or where it found a setting which is out of range.
Warnings
Whenever the system is rebooted, ldapclientd launches if
[StartOnBoot] has the parameter enabled=yes in the file
/etc/opt/ldapux/ldapclientd.conf (the ldapclientd configuation file).
96
Chapter 4
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
Downloading profiles takes time, depending on the server’s response
time and the number of profiles listed in the LDAP-UX startup file
/etc/opt/ldapux/ldapux_client.conf.
ldapclientd.conf
The file ldapclientd.conf is the configuration file for
/opt/ldapux/bin/ldapclientd, the LDAP Client Daemon. Refer to the
previous section for more information about the Client Daemon.
Missing settings
ldapclientd uses the default values for any settings which may be
missing from the configuration file.
Configuration file syntax
# comment
[section]
setting=value
setting=value
. . .
[section]
setting=value
setting=value
. . .
Where:
Chapter 4
comment
ldapclientd ignores any line beginning with a #
delimiter.
section
Each section is configured by setting=value
information underneath. The section name must be
enclosed by brackets (“[ ]”) as delimiters. Valid section
names are:
- StartOnBoot
- general
- passwd
- group
- netgroup
- uiddn
- domain_pwd
- domain_grp
97
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
- automount
- automountMap
- printers
setting
This will be different for each section.
value
Depending on the setting, this can be
.
Section details Within a section, the following syntax applies:
[StartOnBoot]
Determines if ldapclientd starts automatically when
the system boots.
setting=value:
enable=
By default, this is enabled after LDAP-UX has been
configured by the LDAP-UX setup program
/opt/ldapux/config/setup.
[general]
Any cache setting defined here will be used as the
default setting for all caches (passwd, group, netgroup,
uiddn, domain_pwd and domain_grp).
setting=value:
max_conn=<2-500>
The maximum number of connections ldapclientd
can establish to the directory server (or multiple
servers when in a multi-domain environment.
The default value is 100.
connection_ttl=<1-2147483647>
The number of seconds before an inactive connection to
the directory server is brought down and cleaned up.
The default value is 300.
num_threads=<1-100>
The number of client request handling threads in
ldapclientd.
The default value is 10.
socket_cleanup_time=<10-2147483647>
The interval, in seconds, before the next attempt to
clean up the socket files created by any LDAP-UX
client applications that were terminated abnormally.
The default value is 300.
98
Chapter 4
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
cache_cleanup_time=<1-300>
The interval, in seconds, between the times when
ldapclientd identifies and cleans up stale cache
entries.
The default value is 10.
update_ldapux_conf_time=<10-2147483647>
This determines how often, in seconds, ldapclientd
re-reads the /etc/opt/ldapux/ldapux_client.conf client
configuration file to download new domain profiles.
The default value is 600 (10 minutes).
cache_size=<102400-1073741823>
The maximum number of bytes that should be cached
by ldapclientd. This value is the maximum, upper
limit, of memory that can be used by ldapclientd. If
this limit is reached, new entries are not cached until
enough expired entries are freed to allow it.
The default value is 10000000.
state_dump_time=<0-2147483647>
As state, functions like a virtual between the client and
LDAP server, is created for setXXent() request, and
stays for the subsequent getXXent() requests. If no
get requests are received in the specified time interval
(in seconds), the state will be removed. The default
value is 300 (in seconds).
max_enumeration_states=<0-95>[%]
The maximum number of states that ldapclientd
allows. It means the number of enumeration
ldapclientd will handle simultaneously. This number
must be less than max_conn and it is configured as a
percentage of max_conn. The minimum value is 0%
and maximum value is 95%. The default value is 80%.
A value of 0% disables enumeration.
poscache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. There is no [general] default value
for this setting. Each cache section has its own default
values (listed below). Specifying a value under
[general] will override poscache_ttl defaults in
other sections (where there is no specific poscache_ttl
definitions for that section).
Chapter 4
99
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache. There is no [general] default
value for this setting. Each cache section has its own
default value.
[passwd]
Cache settings for the passwd cache (which caches
name, uid and shadow information).
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. If the cache is not enabled, ldapclientd
will query the directory server for any entry request
from this section. Since this impacts LDAP-UX client
performance and response time, by default, caching is
enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. Since personal data can change
frequently, this value is typically smaller than some
others.
The default value is 120 (2 minutes)
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 240 (4 minutes).
[group]
Cache settings for the group cache (which caches name,
gid and membership information).
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. Since people are added and removed
from groups occasionally, this value is not typically
large.
The default value is 240 (4 minutes)
100
Chapter 4
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 240 (4 minutes).
[netgroup]
Cache settings for the netgroup cache.
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. Since people are added and removed
from groups occasionally, this value is not typically
large.
The default value is 240 (4 minutes)
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 240 (4 minutes).
[uiddn]
This cache maps a user’s UID to their DN from the
directory.
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. Typically, once added into a
directory, the user’s DN rarely changes.
The default value is 86400 (24 hours).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 84400 (24 hours).
[domain_pwd]
Chapter 4
This cache maps user names and UIDs to the domain
holding its entry.
101
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. Since new domains are rarely added
to or removed from the forest, the cache is typically
valid for a long time.
The default value is 86400 (24 hours)
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 86400 (24 hours).
[domain_grp]
This cache maps group names and GUIDs to the
domain holding its entry.
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. Since new domains are rarely added
to or removed from the forest, the cache is typically
valid for a long time.
The default value is 86400 (24 hours).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 86400 (24 hours).
[automount]
Cache settings for the automount entry cache (which
caches automount entries in automount maps).
A positive cache means that the automount entry data
has been recently retrieved from the LDAP directory
server and is stored in the positive cache locally.
102
Chapter 4
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
A negative cache is used to store the automount entry
data about non-existent information. For example, if a
user requests information about an automount entry
that does not exist, the LDAP directory server will not
return an entry, all the negative result will be stored in
the negative cache.
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. The default value is 1800 (30
minutes).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 1800 (30 minutes).
[automountMap] Cache settings for the automount map cache.
setting=value
enable=
ldapclientd only caches entries for this section, when
it is enabled. By default, caching is enabled.
poscache_ttl=<0-2147483647>
The time, in seconds, before a cache entry expires from
the positive cache. The default value is 1800 (30
minutes).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from
the negative cache.
The default value is 7200 (2 hours).
[printers]
Any printer setting defined here will be used by the
LDAP printer configurator.
start=
Determines if the printer configurator service will start
when ldapclientd is initialized. If it is enabled, the
Chapter 4
103
Administering LDAP-UX Client Services
Using The LDAP-UX Client Daemon
printer configurator will start when ldapclientd is
initialized. By default, the start parameter is
enabled.
search_interval=<1800-1209600>
Defines the interval, in seconds, before the printer
configurator performs a printer search in the directory
server. The default value is 86400 (in seconds). The
minimum value is 1800 (30 minutes) and the
maximum value is 1209600 (2 weeks).
max_printers=<10-500>
Defines the maximum printer objects that printer
configurator services will handle. For example, a
number of 100 printer entries is returned to the printer
configurator after a scheduled printer search. If the
max_printers value is set to 50, only the first 50
printer entries received by the printer configurator will
be processed. For this configuration parameter, the
minimum value is 10 and the maximum value is 500.
The default value is 50.
lpadmin_option
Defines the lpadmin options. Do not include the -p,
-orm and -orp options in the option fields. The LDAP
printer configurator provides the required information
of printer name (-p), remote machine name (-orm) and
remote printer name (-orp) during the run time. Do
not include any other parameters, such as stderr or
stdout redirection options. If the option fields of the
lpadmin_option parameter are empty or the
lpadmin_option parameter does not exist, the default
lpadmin options are used. By default,
lpadmin_option = -mrmodel -v/dev/null
-ocmrcmodel -osmrsmodel.
Configuration File
The LDAP client configuration file is automatically loaded when the
product is installed. Refer to the man page for additional information.
If you update LDAP-UX Client Services from an older version, such as
B.03.00 or B.03.10, the new configuration file will be
/opt/ldapux/newconfig/etc/opt/ldapux/ldapclientd.conf.
104
Chapter 4
Administering LDAP-UX Client Services
Integrating with Trusted Mode
Integrating with Trusted Mode
This section describes features and limitations, PAM configuration
changes and configuration parameter for integrating LDAP-UX with
Trusted Mode.
Overview
LDAP-UX Client Services B.03.30 or later supports coexistence with
Trusted Mode. This means that local-based accounts can benefit from the
Trusted Mode security policies, while LDAP-based accounts benefit from
the security policies offered by the LDAP server. This release of
LDAP-UX also enables LDAP-based and local-based accounts to be
audited on the Trusted Mode.
The coexistence of LDAP-UX and Trusted Mode supports certain
security features, but also has limitations and usage requirements that
you need to be aware of. For detailed information, see “Features and
Limitations” on page 105.
Features and Limitations
This subsection describes features and limitations of integrating
LDAP-UX with Trusted Mode.
Auditing
Integrating LDAP-UX with Trusted Mode enables accounts stored in the
LDAP directory to login to a local host and to be audited on the Trusted
Mode. The following describes the auditing features and limitations. To
use these security features, you must enable the audit subsystem on the
Trusted Mode local host:
Chapter 4
•
Auditing of both LDAP-based and local-based (/etc/passwd)
accounts is possible. By default, auditing is disabled for all
LDAP-based accounts. However, you can use the audusr (option -a
or -d) command to alter the auditing flag for individual LDAP-based
account.
•
For LDAP-based accounts that are not yet known to the system, you
can configure an initial setting for the auditing flag. You can
configure this flag such that when an account becomes known to the
105
Administering LDAP-UX Client Services
Integrating with Trusted Mode
system for the first time, auditing for that account is immediately
enabled or disabled. This flag is defined as the
initial_ts_auditing parameter in the
/etc/opt/ldapux/ldapux_client.conf file.
•
You must manage Trusted Mode attributes for all accounts on each
host. Trusted Mode attributes for LDAP-based accounts are not
stored in the LDAP directory server. For example, enabling auditing
for an account on host A does not enable auditing on host B.
•
Audit IDs for LDAP-based accounts are unique on each system.
Audit IDs are not synchronized across hosts running in the Trusted
Mode.
•
When an LDAP-based account name is changed, a new audit ID is
generated on each host that the account is newly used on. The initial
auditing flag is reset to the default value defined in the
/etc/opt/ldapux/ldapux_client.conf file.
•
When an account is deleted from LDAP, the audit information for
that account is not removed from the local system. If that account is
re-used, the audit information from the previous account is re-used.
You can choose to manually remove entries from the Trusted Mode
database by removing the appropriate file under the
/tcb/files/auth/... directory, where "..." defines the directory name
based on the first character of the account name.
•
You can use the audisp command to display information about
LDAP-based accounts. However, if an LDAP-based account has never
logged in to the system (via telnet, rlogin, and so on), the audisp -u
command displays the message like “audisp: all
specified users names are invalid."
Password and Account Policies
The primary goal of integrating Trusted Mode policies and those policies
enforced by an LDAP server is coexistence. This means that Trusted
Mode policies are not enforced on LDAP-based accounts, and LDAP
server policies are not enforced on local-based accounts. The password
and account policies and limitations are described as followings:
•
106
Accounts stored and authenticated through the LDAP directory
adhere to the security policies of the directory server being used.
These policies are specific to the brand and version of the directory
server product deloyed. Examples of these policies include password
Chapter 4
Administering LDAP-UX Client Services
Integrating with Trusted Mode
expiration, password syntax checking, and account expiration. No
policies of the HP-UX Trusted Mode product apply to accounts stored
in the LDAP server.
•
When you integrate LDAP-UX on an HP-UX 11i v1 or 11i v2 system
with the Netscape Directory Server, if an LDAP-based user attempts
to login to the system, but provides the incorrect password multiple
times in a row (the default is three times in a row), Trusted Mode
attempts to lock the account. However, the Trusted Mode attributes
do not impact LDAP-based accounts. So, if the user eventually
provides the correct password, he or she can login.
PAM Configuration File
•
If you integrate LDAP-UX Client Services with the Netscape
Directory Server, you must define the pam_ldap library before the
pam_unix library in the /etc/pam.conf file for all services. You must
set the control flag for both pam_ldap and pam_unit libraries to
required under session management. Refer to Appendix C, “Sample
/etc/pam.ldap.trusted file,” on page 191 for the proper configuration.
•
If you integrate LDAP-UX Client Services with the Windows
2000/2003 Active Directory Server, you must define the pam_krb5
library before the pam_unix library in the /etc/pam.conf file for all
services. In addition, the control flag for both pam_krb5 and
pam_unix libraries must be set to required for Session
management. Refer to Appendix F and Appendix G on LDAP-UX
Client Services B.04.00 With Microsoft Windows 2000/2003 Active
Directory Administrator’s Guide for the proper configuration.
Others
Chapter 4
•
The authck -d command removes the /tcb/files/auth/... files
created for LDAP-based accounts. When the LDAP-based account
logs into the system again, a new /tcb/files/auth/... file with
new audit ID is recreated. Therfore, it is not recommended to run the
authck -d command when you configure LDAP-UX with Trusted
Mode.
•
You cannot use the Trusted Mode management subsystem in SAM to
manage LDAP-based accounts.
•
The LDAP repository and /etc/passwd repository must not contain
accounts with the same login name or account number.
107
Administering LDAP-UX Client Services
Integrating with Trusted Mode
•
Except for the audit flag, you cannot modify other Trusted Mode
properties/policies for LDAP-based accounts. For example,
attempting to lock an LDAP-based account by modifying the Trusted
Mode field for that user does not prevent that account from logging in
to the host. Instead, you must disable the account on the LDAP
server itself. No runtime warning will be given that the local locking
of the account has no effect. It is important that all system
administrators are properly trained, so that administrative locks on
accounts have the desired effect.
Configuration Parameter
LDAP-UX Client Services provides one configuration parameter,
initial_ts_auditing, available for you to configure the initial auditing
setting for the LDAP-based account. This parameter is defined in the
/etc/opt/ldapux/ldapux_client.conf file.
108
Chapter 4
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
PAM_AUTHZ Login Authorization
Enhancement
The PAM_AUTHZ service module provides functionality that allows the
administrator to control who can login to the system based on netgroup
information found in the /etc/passwd and /etc/netgroup files.
PAM_AUTHZ has been created to provide access control similar to the
netgroup filtering feature that is performed by NIS.
Starting LDAP-UX Client Services B.04.00, PAM_AUTHZ has been
enhanced to provide administrators a simple security configuration file
to set up a local access policy to better meet their need in the
organization. PAM_AUTHZ uses the access policy to determine which
users are allowed to login to the system. A policy specifies which groups,
ldap groups, users or other access control objects (such as ldap search
filters) are allowed to login to the system. For example, you can allow or
deny access to a host or application based on his or her membership in a
group, or role within a organization. As an example, PAM_KEREBOS
and PAM_AUTHZ can be used together to authenticate and authorize
users in a Windows 2000/2003 environment. PAM_KERBEROS
authenticates the user. PAM_AUTHZ uses ADS groups or other user
information from the policy file, to determine if the user is authorized to
access the system.
Policy And Access Rules
Access rules are the basic elements of access control. Administrators
create access rules that restrict or permit a user’s access permission. A
policy is the collection of these different sets of access rules in a given
order. This consolidated list of rules defines the overall access strategy of
a local client machine. PAM_AUTHZ enables administrators to create an
access policy by defining different types of access rules and to save the
policy in a file.
Chapter 4
109
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
How Login Authorization Works
The system administrator can define the access rules and store them in
the policy file, /etc/opt/ldapux/pam_authz.policy. PAM_AUTHZ
uses these access rules defined in the policy file to control the login
authorization.
Figure 4-1
PAM_AUTHZ Environment
1
pam enabled
application
policy
configuration file
2
5
7
3
pam_authz
ldap-ux
client daemon
ldapclientd
4
6
authentication
modules, for
examples:
pam_kerberos
pam_ldap
/etc/group
LDAP
directory
server
/etc/netgroup
The following describes the policy validation processed by PAM_AUTHZ
for the user login authorization shown in figure 4-1:.
1. The administrator defines a local policy file and saves all the defined
access rules in the policy configuration file,
/etc/opt/ldapux/pam_authz.policy.
110
Chapter 4
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
2. PAM_AUTHZ service module receives an authentication request from
PAM framework. It processes all the access rules stored in the
/etc/opt/ldapux/pam_authz.policy file.
3. If a rule indicates that the required information is stored in a LDAP
server, PAM_AUTHZ constructs a request message and sends to the
LDAP client daemon, ldapclientd. The LDAP client daemon performs
the actual ldap query and returns the result to PAM_AUTHZ. Then the
access rule is evaluated and the final access right is returned.
4. If a rule indicates that the required information is in the UNIX files.
PAM_AUTHZ retrieves user’s information from /etc/passwd,
/etc/group or /etc/netgroup file through getpwname() or
getgrname() system calls. Then the rule is evaluated and the final
access right is returned.
5. PAM_AUTHZ returns the corresponding pam result to PAM
framework. The decision is returned to the application which called the
PAM API.
6. If the user has the permission to login. then the decision is returned to
the next PAM service module that is configured in pam.conf file, such as
pam_ldap or pam_kerberos. If the user has no access right, then login is
denied.
7. The PAM service module returns the authentication result to the
application which called the PAM API.
Policy File
The system administrator can define a local access policy and store all
defined access rules in the policy file,
/etc/opt/ldapux/pam_authz.policy. The PAM_AUTHZ service
module uses this local policy file to process the access rules and to control
the login authorization.
LDAP-UX Client Services provides a sample configuration file,
/etc/opt/ldapux/pam_authz.policy.template. This sample file
shows you how to configure the policy file to work with PAM_AUTHZ.
You can copy this sample file and edit it using the correct syntax to
specify the access rules you wish to authorize or exclude from
authorization. For detailed information on how to construct an access
rule in the policy file, see “Constructing an Access Rule in
pam_authz.policy” on page 112.
Chapter 4
111
Administering LDAP-UX Client Services
PAM_AUTHZ Login Authorization Enhancement
Constructing an Access Rule in pam_authz.policy
In the policy file, /etc/opt/ldapux/pam_authz.policy, an access rule
consists of three fields as follows:
::
All fields are mandatory. If any field is missing or contains the incorrect
syntax, the access rule is considered to be invalid and is ignored by
PAM_AUTHZ.
These fields have the following limitations:
•
No leading or trailing empty space is allowed in a field
•
Fields are separated by a separator, :
•
No leading or trailing empty space is allowed in a separator
•
An access rule is terminated by a carriage return
Fields in an Access Rule
Table 4-1 shows a summary on all possible values and syntax of an
access rule:
Table 4-1
Field Syntax in an Access Rule
deny,
allow
unix_user
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.2 Linearized : No Page Count : 214 Page Mode : UseOutlines Create Date : 2007:04:04 15:17:03 Producer : Acrobat Distiller Command 3.01 for HP-UX A.09.01 and later (HPPA) Keywords : FontEmbed, Prologue, V1.0EXIF Metadata provided by EXIF.tools