Configure HPUX 11.11 to authenticate against OpenLDAP
On the OpenLDAP Directory Server
The LDAP-UX setup tool cannot write its configuration profile into an OpenLDAP directory, so to get this to work, add the profile entry by hand. The server must have DUAConfig.schema loaded (and possibly ldap-printer.schema):
dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
profileTTL: 3600
serviceSearchDescriptor: passwd:OU=People,DC=example,DC=com
serviceSearchDescriptor: group:OU=Group,DC=example,DC=com
authenticationMethod: tls:simple
defaultServerList: <space separated list of LDAP server hosts:ports>
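Because the profile is loaded by hand rather than by the setup tool, nothing checks it before every client starts using it. The following script is an added example, not part of the original notes: it sanity-checks a DUAConfigProfile LDIF before it is handed to ldapadd, and it goes slightly beyond the entry above by also accepting ssl:simple and the optional ?scope?filter suffix of a serviceSearchDescriptor. The function names (check_profile_ldif, ldif_attr, sample_profile_ldif) and the example.com server names are assumptions of the example; it needs only a POSIX sh with sed, grep and awk.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a DUAConfigProfile
# LDIF before loading it into OpenLDAP with ldapadd. It catches the mistakes
# that are expensive to find later: a profile LDAP-UX cannot use (missing
# attributes, malformed serviceSearchDescriptor, template placeholder left in)
# and one that would make every client bind with a cleartext password.
#
# Usage: check_profile_ldif /path/to/uxprofile.ldif   (exit 0 = acceptable)

# Print the values of attribute $2 in LDIF file $1, "attr: " prefix stripped.
ldif_attr() {
    sed -n "s/^$2: *//p" "$1"
}

check_profile_ldif() {
    ldif="$1"
    rc=0

    # The object must carry the DUAConfigProfile class (from DUAConfig.schema).
    if ! ldif_attr "$ldif" objectClass | grep -qx DUAConfigProfile; then
        echo "missing objectClass: DUAConfigProfile" >&2; rc=1
    fi

    # Single-valued attributes LDAP-UX needs: present exactly once.
    for a in cn defaultSearchBase profileTTL authenticationMethod defaultServerList; do
        n=$(ldif_attr "$ldif" "$a" | wc -l | tr -d ' ')
        [ "$n" -eq 1 ] || { echo "$a: expected 1 value, found $n" >&2; rc=1; }
    done

    # Clients bind with the user's own password; only a TLS-protected method
    # keeps it off the wire. Plain "simple" on port 389 sends it in the clear.
    case "$(ldif_attr "$ldif" authenticationMethod)" in
        tls:simple|ssl:simple) ;;
        *) echo "authenticationMethod must be tls:simple or ssl:simple" >&2; rc=1 ;;
    esac

    # serviceSearchDescriptor is "service:base" with optional "?scope?filter".
    # passwd and group are the two that login needs.
    ldif_attr "$ldif" serviceSearchDescriptor | grep -q '^passwd:' \
        || { echo "no serviceSearchDescriptor for passwd" >&2; rc=1; }
    ldif_attr "$ldif" serviceSearchDescriptor | grep -q '^group:' \
        || { echo "no serviceSearchDescriptor for group" >&2; rc=1; }
    bad=$(ldif_attr "$ldif" serviceSearchDescriptor \
          | grep -Evc '^[a-z_]+:[^?[:space:]]+(\?(base|one|sub)(\?.*)?)?$')
    [ "$bad" -eq 0 ] || { echo "$bad malformed serviceSearchDescriptor value(s)" >&2; rc=1; }

    # defaultServerList must name real host[:port] entries, not the template text.
    case "$(ldif_attr "$ldif" defaultServerList)" in
        ""|*"<"*|*">"*) echo "defaultServerList is empty or still a placeholder" >&2; rc=1 ;;
    esac

    return $rc
}

# Constructed sample profile (example.com values, two servers) for a local run.
sample_profile_ldif() {
    cat <<'EOF'
dn: cn=uxprofile,ou=Profiles,dc=example,dc=com
cn: uxprofile
objectClass: DUAConfigProfile
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
profileTTL: 3600
serviceSearchDescriptor: passwd:OU=People,DC=example,DC=com
serviceSearchDescriptor: group:OU=Group,DC=example,DC=com
authenticationMethod: tls:simple
defaultServerList: ldap1.example.com:389 ldap2.example.com:389
EOF
}

# Stand-alone demonstration: the sample passes; the same profile with the
# method downgraded to plain "simple" is rejected.
demo_dir=$(mktemp -d)
sample_profile_ldif > "$demo_dir/good.ldif"
sed 's/^authenticationMethod: .*/authenticationMethod: simple/' \
    "$demo_dir/good.ldif" > "$demo_dir/cleartext.ldif"
check_profile_ldif "$demo_dir/good.ldif" && echo "good.ldif: acceptable"
check_profile_ldif "$demo_dir/cleartext.ldif" || echo "cleartext.ldif: rejected"
rm -rf "$demo_dir"
```

Run it against the real profile file before `ldapadd`; a non-zero exit with the reasons on stderr means the entry should not go into the directory yet.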
On the HP-UX Host
- Install the LDAP-UX package.
- Create a key-store:
  /opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
- Import the CA certificate (trust flags "C,," mark it as a CA trusted to issue server certificates):
  /opt/ldapux/contrib/bin/certutil -A -n ca-cert -t "C,," -d /etc/opt/ldapux -a -i cacert.crt
- Configure LDAP-UX by running
  /opt/ldapux/config/setup
  and specify TLS with port 389 (StartTLS on the standard LDAP port).
  NOTE: do NOT attempt to extend any schemas from the setup tool -- OpenLDAP does not support this.
Take advantage of automount:
- Set up users' home directories to automount.
- Enable AutoFS by editing /etc/rc.config.d/nfsconf and verify the following settings:
  NFS_CLIENT=1
  AUTOMOUNT=1
  AUTOFS=1
- Edit /etc/auto_master and add the following line:
  /users/home /etc/auto_home -nosuid,intr,soft,rsize=32768,wsize=32768
- Edit /etc/auto_home and add the following line:
  * <nfs server>:/home/&
- Restart automount:
  /sbin/init.d/nfs.client stop
  /sbin/init.d/nfs.client start
  automount
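The automount steps above touch three files, and a typo in any of them only shows up when the first user logs in and has no home directory. The following script is an added example, not part of the original notes: it checks the nfsconf switches, the /users/home entry in auto_master (including the nosuid option, which matters because home directories are user-writable), and the wildcard line in auto_home, and it rejects the "<nfs server>" template text if it was left in. Each function takes the file to inspect as an argument, so it can be run against copies; the function names and the nfs1.example.com host are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original notes: check the AutoFS pieces of the
# home-directory setup before restarting nfs.client. Each function takes the
# file to inspect as an argument so it can be run against a copy; on the HP-UX
# host the real files are /etc/rc.config.d/nfsconf, /etc/auto_master and
# /etc/auto_home. All example.com names below are constructed.

# nfsconf is a shell fragment of NAME=value lines; return the last value of NAME,
# ignoring commented-out lines and surrounding quotes.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# The three switches the notes require, all set to 1.
check_nfsconf() {
    rc=0
    for v in NFS_CLIENT AUTOMOUNT AUTOFS; do
        val=$(conf_value "$1" "$v")
        [ "$val" = "1" ] || { echo "nfsconf: $v='$val' (want 1)" >&2; rc=1; }
    done
    return $rc
}

# auto_master entry: "<mountpoint> <map> -<options>". Home directories are
# writable by their owners, so the mount must carry nosuid: without it a setuid
# binary placed under /home on the NFS server would run with that privilege on
# every client that automounts it.
check_auto_master() {
    line=$(grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1)
    [ -n "$line" ] || { echo "auto_master: no entry for $2" >&2; return 1; }
    map=$(echo "$line" | awk '{print $2}')
    opts=$(echo "$line" | awk '{print $3}' | sed 's/^-//')
    case ",$opts," in
        *,nosuid,*) ;;
        *) echo "auto_master: $2 -> $map mounted without nosuid (options: $opts)" >&2; return 1 ;;
    esac
}

# auto_home wildcard entry: "* server:/home/&" maps each user to server:/home/user.
# Rejects the "<nfs server>" template text, which would otherwise be taken as a
# hostname at mount time.
check_auto_home() {
    grep -Eq '^\*[[:space:]]+[^<>[:space:]]+:/[^[:space:]]*&' "$1" \
        || { echo "auto_home: no entry of the form '* server:/home/&'" >&2; return 1; }
}

# Stand-alone demonstration on constructed copies of the three files.
demo=$(mktemp -d)
printf 'NFS_CLIENT=1\nAUTOMOUNT=1\nAUTOFS=1\n' > "$demo/nfsconf"
printf '/users/home /etc/auto_home -nosuid,intr,soft,rsize=32768,wsize=32768\n' > "$demo/auto_master"
printf '* nfs1.example.com:/home/&\n' > "$demo/auto_home"
check_nfsconf "$demo/nfsconf" && check_auto_master "$demo/auto_master" /users/home \
    && check_auto_home "$demo/auto_home" && echo "automount configuration looks sane"
rm -rf "$demo"
```

On the host itself, call the three functions with the real paths right before the nfs.client stop/start; any failure is reported on stderr with the offending value.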
Install sudo
Prerequisites: install the ANSI C/C++ Compiler from the HP Software CDs.
1. Obtain the install package.
2. Build with support for PAM and LDAP:
   export CFLAGS="-D__10_10_compat_code"
   export LDFLAGS="-L/opt/ldapux/lib"
   ./configure --with-ldap=/opt/ldapux/ --with-pam
Command Line LDAP Search
Search over SSL (port 636, -Z) using the key-store created with certutil above (-P); replace <uid> with the account to look up:
ldapsearch -b "dc=example,dc=com" -h ldap.example.com -p 636 -P /etc/opt/ldapux -Z uid=<uid>
