21.3 Step-by-Step Guide to LDAP-UX Client Services

   

The purpose of this step-by-step guide is to get LDAP and the LDAP-UX Integration software up and running in a minimal configuration. The resulting configuration will, we hope, allow users to log in to our server as normal, with their login details stored in a directory. We will also configure additional servers to utilize the directory. In effect, we are emulating an NIS-type environment, but using LDAP instead of NIS. The installation steps were undertaken with DNS configured using our domain name of maabof.com. This will become evident in some of the questions/responses from the various software components. Let's get started.

21.3.1 Install Netscape Directory Services and LDAP-UX Integrations products

We need to install Netscape Directory Service 4.X. This software comes free of charge with HP-UX 11i Operating Environments but is not installed by default. Once it is installed using swinstall, there is a setup program we need to run in order to configure the basic features of our LDAP directory:

 

    root@hpeos003[] swlist -l product NscapeDir40Srv
    # Initializing...
    # Contacting target "hpeos003"...
    #
    # Target:  hpeos003:/
    #
      NscapeDir40Srv                B.04.16        The Netscape Directory Server v4.
    root@hpeos003[]

The LDAP-UX Integration products require a reboot in order to install them. We use these products a little later.

 

    root@hpeos003[] swlist -l product J4269AA
    # Initializing...
    # Contacting target "hpeos003"...
    #
    # Target:  hpeos003:/
    #
    # J4269AA                       B.03.10        LDAP-UX Integration
      J4269AA.NisLdapServer         B.03.10        The NIS/LDAP Gateway (ypldapd)
      J4269AA.LdapUxClient          B.03.10        LDAP-UX Client Services
    root@hpeos003[]

21.3.2 Run Netscape setup program

The first part of this process is to run the Netscape setup program. This will ask us a series of questions. Most of the default values are fine. I won't list every detail of every screen, but just the questions and my responses:

    root@hpeos003[] /var/opt/netscape/server4/setup/setup

                         Netscape Communications Corporation
                   Netscape Server Family Installation/Uninstallation
    -----------------------------------------------------------------------------

    Welcome to the Netscape Server Family installation program

    This program will install Netscape Server products and the Netscape Console
    on your computer.

    It is recommended that you have "root" privilege to install the software.

    During the installation:
      - Press "Return" to choose the default and go to the next screen
      - Type "Control-B" to go back to the previous screen
      - Type "Control-C" to cancel the installation program
      - Enter comma-separated list of numbers, e.g., 1, 2, 3, for selection
        of multiple items.

    Would you like to continue with setup? [Yes]:
    Do you agree to the license terms? [No]: YES
    Choose your installation type [2]:
    Machine's name [hpeos003.hq.maabof.com]:
    System User [www]:
    System Group [other]:
    Do you want to register this software with an existing Netscape
    configuration directory server? [No]:
    Do you want to use another directory to store your data? [No]:
    Directory server network port [389]:
    Directory server identifier [hpeos003]:
    Netscape configuration directory server administrator ID [admin]:
    Password: <password>
    Password (again): <password>
    The suffix is the root of your directory tree.  You may have more than one suffix.
    Suffix [o=maabof.com]:
    Directory Manager DN [cn=Directory Manager]:
    Password: <password>
    Password (again): <password>
    Administration Domain [maabof.com]:
    Administration port [23929]:
    Run Administration Server as [root]:
    [slapd-hpeos003]: starting up server ...
    [slapd-hpeos003]: [28/Nov/2003:11:30:20 +0000] - Netscape-Directory/4.16 B01.301.1944 starting up
    [slapd-hpeos003]: [28/Nov/2003:11:30:29 +0000] - listening on all interfaces port 389 for LDAP requests
    [slapd-hpeos003]: [28/Nov/2003:11:30:29 +0000] - slapd started.
    Your new directory server has been started.
    Created new Directory Server
    Start Slapd
    Starting Slapd server configuration.
    Success Slapd
    Added Directory Server information to Configuration Server.
    Configuring Administration Server...
    Your parameters are now entered into the Administration Server database, and
    the Administration Server will be started.
    Changing ownership to admin user root...
    Setting up Administration Server Instance...
    Configuring Administration Tasks in Directory Server...
    Configuring Global Parameters in Directory Server...
    Netscape-Administrator/4.2 B2001.300.0756 startup: listening to http://hpeos003, port 26964 as root
    warning: daemon is running as super-user
    Info: Cache expiration set to 600 seconds
    Info: Cache expiration set to 600 seconds
    Press any key to continue...
    Go to /var/opt/netscape/server4 and type startconsole to begin managing your servers.
    root@hpeos003[]

21.3.3 Ensure that the SHLIB_PATH environment variable is set up

The SHLIB_PATH environment variable is commonly not set up for the root user. It must be set to the contents of the /etc/SHLIB_PATH file for the LDAP commands to work properly; without it, the shared libraries they depend on cannot be found:

 

    root@hpeos003[] ldapsearch -b 'o=maabof.com' 'objectclass=*'
    /usr/lib/dld.sl: Can't find path for shared library: libnspr3.sl
    /usr/lib/dld.sl: No such file or directory
    Abort(coredump)
    root@hpeos003[]
    root@hpeos003[] export SHLIB_PATH=$(cat /etc/SHLIB_PATH)
    root@hpeos003[]
    root@hpeos003[] ldapsearch -b 'o=maabof.com' 'objectclass=*' | more
    dn: o=maabof.com
    objectclass: top
    objectclass: organization
    o: maabof.com
    aci: (targetattr = "*")(version 3.0; acl "Allow self entry modification"; allow (write)userdn = "ldap:///self";)
    aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
    aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow ...
    root@hpeos003[]

21.3.4 Decide where in our Directory we will store our name service data

This location is where clients will access information such as usernames and passwords. The base DN may be the suffix at the top of our tree, i.e., o=maabof.com. Sometimes, it makes sense to create a separate organizational unit to store this information. I followed the guidelines in the documentation and called my organizational unit unix. To create it, we can either use the Netscape Directory Service console (/var/opt/netscape/server4/startconsole) or the ldapmodify command. I prefer to use the ldapmodify command. I find the easiest way to apply changes to the Directory is to create a file containing the appropriate attributes and then pass the filename to the command. We need to recall the common name and password for the directory administrator that the setup program asked us about; the default is cn=directory manager. Here I am adding the organizational unit unix to my Directory:

 

    root@hpeos003[] cat /tmp/ldap.unix
    dn: ou=unix,o=maabof.com
    ou: unix
    objectClass: top
    objectClass: organizationalUnit
    root@hpeos003[]
    root@hpeos003[] ldapmodify -a -D 'cn=directory manager' -w <password> -f /tmp/ldap.unix
    adding new entry ou=unix,o=maabof.com
    root@hpeos003[]

21.3.5 Decide where you will store client profiles

The profile contains directory access information. It specifies how and where clients can find user and group data in the directory. You can put the profile anywhere you want as long as the client systems can read it. For example, you might put it near your user data, or in a separate administrative area. You should put the profile in the same directory as your user and group data to simplify access permissions. Clients must have access to both the profile and the user and group data. I am going to create a separate directory under the unix directory to store my profiles. I call it profiles and use the ldapmodify command again.

 

    root@hpeos003[] cat /tmp/ldap.profile
    dn: ou=profiles,ou=unix,o=maabof.com
    ou: profiles
    objectClass: top
    objectClass: organizationalUnit
    root@hpeos003[]
    root@hpeos003[] ldapmodify -a -D 'cn=directory manager' -w <password> -f /tmp/ldap.profile
    adding new entry ou=profiles,ou=unix,o=maabof.com
    root@hpeos003[]

We could have combined this and the previous action into one file to pass to ldapmodify, as long as the parent entry (ou=unix) appears in the file before the child entry (ou=profiles).
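The combined file just mentioned, generated rather than typed, as an added example that is not part of the book: the function below takes a base DN and a list of organizational unit names and emits one LDIF stream that creates them as a chain, parent before child, so a single ldapmodify -a run creates both. The base DN o=maabof.com and the names unix and profiles are the book's values; the function names and the entry-count check are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the book): build one LDIF file that creates a chain
# of organizationalUnit entries, parent before child, for a single
#   ldapmodify -a -D 'cn=directory manager' -w <password> -f <file>
# The base DN and OU names are arguments; the function names are my own.

# ou_chain_ldif BASE_DN OU1 [OU2 ...]
# Emits LDIF for ou=OU1,BASE_DN, then ou=OU2,ou=OU1,BASE_DN, and so on.
# A subshell body keeps the loop variables out of the caller's environment.
ou_chain_ldif() (
    parent=$1
    shift
    for ou in "$@"; do
        dn="ou=$ou,$parent"
        printf 'dn: %s\nou: %s\nobjectClass: top\nobjectClass: organizationalUnit\n\n' \
            "$dn" "$ou"
        parent=$dn            # the entry just emitted becomes the next parent
    done
)

# ldif_entry_count  (LDIF on stdin)
# Counts entries (one "dn:" line each); a quick sanity check before
# handing the file to ldapmodify.
ldif_entry_count() {
    grep -c '^dn: '
}

# Usage: the two entries the book created with two separate files.
ou_chain_ldif 'o=maabof.com' unix profiles
```

The generated stream is what the book's two files contained, in the order ldapmodify needs. Note that the book's `-w <password>` places the directory manager password on the command line, where any local user can read it from the process table while ldapmodify runs; the file the function produces can be applied from the console interactively instead if that matters on your system.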

21.3.6 Restrict write access to user attributes

Netscape uses access control instructions (ACIs) to control access to entries in the directory. A top-level ACI allows users to change any of their own attributes, including the password-related ones:

 

    root@hpeos003[] ldapsearch -b 'o=maabof.com' 'objectclass=*' | more
    dn: o=maabof.com
    objectclass: top
    objectclass: organization
    o: maabof.com
    aci: (targetattr = "*")(version 3.0; acl "Allow self entry modification"; allow (write)userdn = "ldap:///self";)
    ...
    root@hpeos003[]

I am going to modify this to restrict write access to important user-related attributes, including uid, gid, and home directory. I could do this at the top level or from the unix level down. In this example, I will set it at the unix directory level:

 

    root@hpeos003[] cat /tmp/ldap.user.aci
    dn: ou=unix,o=maabof.com
    changetype: modify
    replace: aci
    aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write)userdn = "ldap:///self";)
    root@hpeos003[]
    root@hpeos003[] ldapmodify -D "cn=directory manager" -w <password> -f /tmp/ldap.user.aci
    modifying entry ou=unix,o=maabof.com
    root@hpeos003[]

There are other ACI that we may want to change; we do that in a minute.

21.3.7 Allow users to read all attributes of the POSIX schema

There are various ways you can do this. The schema is described in the file /opt/ldapux/ypldapd/etc/slapd-v3.ni.conf. From that, you could extract all of the objectclasses and allow read access based on the classes you wanted users to read. Here's an example file where I am allowing read access only for the posixGroup objects, i.e., the groups listed in /etc/group:

 

    root@hpeos003[] cat /tmp/ldap.posix
    dn: ou=unix,o=maabof.com
    changetype: modify
    add: aci
    aci: (targetattr="*")(targetfilter = "(objectclass=posixGroup)") (version 3.0; acl "Global read permission for POSIX group"; allow (compare,read,search) userdn = "ldap:///anyone";)
    root@hpeos003[]

I could add further entries for specific attributes and use ldapmodify to apply the changes. By default, everyone has read access to the directory anyway, so the restrictions I set up at the beginning of this exercise should suffice for most situations. The only change could be to restrict write access to the posixGroup entries such that only directory administrators can modify them. Note that the ACI in the file below carries no targetfilter, so as written it applies to every entry under ou=unix, not only to group entries; because a deny overrides any allow in Netscape's ACI evaluation, that would also block the self-modification permitted earlier. Adding (targetfilter = "(objectclass=posixGroup)"), as in the previous file, limits the deny to group entries:

 

    root@hpeos003[] cat /tmp/ldap.group.aci
    dn: ou=unix,o=maabof.com
    changetype: modify
    add: aci
    aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=maabof.com");)
    root@hpeos003[]
    root@hpeos003[] ldapmodify -a -D 'cn=directory manager' -w <password> -f /tmp/ldap.group.aci
    modifying entry ou=unix,o=maabof.com
    root@hpeos003[]

21.3.8 Configure a proxy user to read name service data (optional)

If we don't create a proxy user, we need to configure our name service data to be read anonymously (this will be part of the data migration process in a minute). I create the proxy user via the Directory Services console, /var/opt/netscape/server4/startconsole; we will be asked for the Directory Services administrator password (the admin user created during the setup program) (Figure 21-2):

Figure 21-2. Netscape Directory Services console.

You need to take the following steps here:

  • Click on the "Users and Groups" tab.

  • Bind to the directory using the directory manager DN. I click the "Directory" button to bring up a "Change Directory" dialog box.

  • Change the "Bind DN" to cn=directory manager.

  • Change the "Bind Password" to the password for the directory manager.

  • Click OK.

  • Back at the Console window, click "Create".

  • Click "Special Users". Click OK.

  • Enter the following information:

    - First name = Proxy

    - Last Name = User

    - User ID = proxyuser

    - Password/Confirm password = <your choice>

  • Click OK.

You can now shut down the Console if you want.

21.3.9 Allow read access for the proxy user to user attributes

We need to allow the proxy user (if configured) to read user attributes, except the user password attribute. I do this with ldapmodify:

 

    root@hpeos003[] cat /tmp/ldap.proxy-read.aci
    dn: ou=unix,o=maabof.com
    changetype: modify
    add: aci
    aci: (target="ldap:///ou=unix,o=maabof.com")(targetattr!="userpassword") (version 3.0; acl "Proxy userpassword read rights"; allow (compare,read,search) userdn = "ldap:///uid=proxyuser,ou=Special Users,o=maabof.com";)
    root@hpeos003[]
    root@hpeos003[] ldapmodify -a -D 'cn=directory manager' -w <password> -f /tmp/ldap.proxy-read.aci
    modifying entry ou=unix,o=maabof.com
    root@hpeos003[]

21.3.10 Customize /etc/passwd, /etc/group, etc

We are just about to migrate our user information into the directory. Before we do, we might want to customize the source files, /etc/passwd, /etc/group, and so on. It's probably a good idea to leave entries such as root and the system users out of the migration. We will still maintain these users in our /etc/passwd file, and we don't want anyone to be able to see any information relating to the root user.
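One way to prepare the migration input, as an added example rather than anything shipped with LDAP-UX or shown in the book: the first function below filters a passwd file down to the entries that should be migrated, dropping root, named service accounts and anything below a UID threshold; the second lists accounts whose password field is empty, which is worth catching because the book's own /etc/passwd listing later in this section contains such an entry. The UID cut-off of 100, the service-account names, the sample file and the function names are all assumptions made here; how you point the migration scripts at the filtered copy is also not shown on the page.

```sh
#!/bin/sh
# Added example, not from the book: filter a copy of /etc/passwd before it is
# fed to the migration scripts, so root and the system accounts (and their
# password hashes) never leave the local file. The UID cut-off, the list of
# service-account names and the sample data are assumptions made here.

# Constructed sample modelled on the book's listing; hashes are placeholders.
SAMPLE_PASSWD='root:CONSTRUCTEDHASH:0:3::/.root:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
hpdb:*:27:1:ALLBASE:/:/sbin/sh
www:*:30:1::/:
oracle::102:102:Oracle:/home/oracle:/usr/bin/sh
fred:CONSTRUCTEDHASH:109:20::/home/fred:/sbin/sh
barney:CONSTRUCTEDHASH:110:107::/home/barney:/sbin/sh'

# migration_passwd MIN_UID  (passwd data on stdin)
# Emits only the entries that should be migrated: drops malformed lines,
# uid 0, the named service accounts, and anything below MIN_UID.
migration_passwd() {
    awk -F: -v min="$1" '
        NF != 7 { next }                                   # not a passwd line
        $3 == 0 { next }                                   # never export root
        $1 ~ /^(daemon|bin|sys|adm|uucp|lp|nuucp|www|webadmin|sshd)$/ { next }
        $3 + 0 >= min + 0 { print }
    '
}

# empty_password_accounts  (passwd data on stdin)
# Lists accounts whose password field is empty. Such an entry would be
# migrated as a user with no password at all, so fix or drop it first.
empty_password_accounts() {
    awk -F: 'NF == 7 && $2 == "" { print $1 }'
}

# Usage on the constructed sample: the filtered data, then the warnings.
MIGRATE_DATA=$(printf '%s\n' "$SAMPLE_PASSWD" | migration_passwd 100)
printf '%s\n' "$MIGRATE_DATA"
printf '%s\n' "$SAMPLE_PASSWD" | empty_password_accounts
```

On the sample, only oracle, fred and barney survive the filter, and oracle is reported for its empty password field. The same two functions work on /etc/group with the field count changed to 4, since the group file has the same colon-separated layout.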

21.3.11 Import name service data into the directory

I am not using NIS, just simple /etc/passwd, /etc/group, and so on. With the LDAP-UX Client Services product, there is a utility that will migrate all of my user information into the directory with one command. The command is migrate_all_online.sh:

 

    root@hpeos003[] cd /opt/ldapux/migrate
    root@hpeos003[migrate] ./migrate_all_online.sh
    Enter the X.500 naming context you wish to import into: [] ou=unix,o=maabof.com
    Enter the name of your LDAP server [ldap]: hpeos003.hq.maabof.com
    Enter the manager DN: [cn=manager,ou=unix,o=maabof.com]: cn=directory manager
    Enter the credentials to bind with: <directory manager password>
    Importing into ou=unix,o=maabof.com...
    Creating naming context entries...
    Migrating aliases...
    Migrating groups...
    Migrating hosts...
    Migrating networks...
    Migrating users...
    Migrating protocols...
    Migrating rpcs...
    Migrating services...
    Migrating netgroups...
    Migrating netgroups (by user)...
    Migrating netgroups (by host)...
    Your data has been migrated to the following ldif file:
    /tmp/nis.2939.ldif
    Do you wish to import that file into your directory now (y/n): y
    ...
    adding new entry cn=hpeos002.maabof.com.*,nisMapName=netgroup.byhost,ou=unix,o=maabof.com
    adding new entry cn=hpeos001.hq.maabof.com.*,nisMapName=netgroup.byhost,ou=unix,o=maabof.com
    /opt/ldapux/bin/ldapmodify -a -c: succeeded
    root@hpeos003[migrate]

I should now be able to see user entries in the directory when bound as the proxyuser:

 

    root@hpeos003[] ldapsearch -D 'uid=proxyuser,ou=special users,o=maabof.com' -w <password> -b 'o=maabof.com' uid=barney
    dn: uid=barney,ou=People,ou=unix,o=maabof.com
    uid: barney
    cn: barney
    objectclass: top
    objectclass: account
    objectclass: posixAccount
    loginshell: /sbin/sh
    uidnumber: 110
    gidnumber: 107
    homedirectory: /home/barney
    root@hpeos003[]

Notice that we can't see the userpassword attribute. I will just check that barney can see his own entry as well:

 

    root@hpeos003[] ldapsearch -D 'uid=barney,ou=People,ou=unix,o=maabof.com' -w <barney password> -b 'o=maabof.com' uid=barney
    dn: uid=barney,ou=People,ou=unix,o=maabof.com
    uid: barney
    cn: barney
    objectclass: top
    objectclass: account
    objectclass: posixAccount
    loginshell: /sbin/sh
    uidnumber: 110
    gidnumber: 107
    homedirectory: /home/barney
    root@hpeos003[]

Everything looks okay so far!

21.3.12 Configure the LDAP-UX Client Services software to enable it to locate the Directory

This is achieved by the /opt/ldapux/config/setup command. There are a number of questions to answer. Again, I list only the questions and my responses:

    root@hpeos003[] cd /opt/ldapux/config
    root@hpeos003[config] ./setup

                              Hewlett-Packard Company
                       LDAP-UX Client Services Setup Program
    -----------------------------------------------------------------------------

    Welcome to the LDAP-UX Client Services Setup Program!

    You must have "root" privilege to run this Setup Program.

    If this is the first client you are setting up, this program will:
     - Extend your directory schema with the LDAP-UX configuration profile schema.
     - Create a new LDAP-UX configuration profile entry in your directory.
     - Configure the local client system to use the directory.

    If your directory already has one or more LDAP-UX configuration profile
    entries, this program will:
     - Optionally create another new LDAP-UX configuration profile entry in your
       directory and configure the local client system to use the directory;
     - or configure your client system with an existing profile entry.

    During the configuration:
      - Press "Return" to choose the default and go to the next screen
      - Type "Control-B" to go back to the previous screen
      - Type "Control-C" to cancel the setup program

    Would you like to continue with the setup? [Yes]:

    To accept the default shown in brackets, press the Return key.

    Directory Server: [1]:
    Directory server host [hpeos003.hq.maabof.com = 192.168.0.33]:
    Directory Server port number [389]:
    Would you like to extend the schema in this directory server? [Yes]:
    User DN [cn=Directory Manager]:
    Password: <password>
    Profile Entry DN: []: cn=defaultLDAPprofile,ou=profiles,ou=unix,o=maabof.com
    User DN []: cn=directory manager
    Password: <password>
    Default search host 1: [hpeos003:389 = 192.168.0.33:389]
    Default search host 2: [ ]
    Default search host 3: [ ]
    Enter 0 to accept these hosts and continue with the setup program or
    Enter the number of the hosts you want to specify [0]:
    Default base DN [ou=profiles,ou=unix,o=maabof.com]: ou=unix,o=maabof.com
    Accept remaining defaults? (y/n) [y]: n
    Authentication method: [1]:
    Select the type of client binding you want.
       1. Anonymous
       2. Proxy
       3. Proxy; if proxy fails, then use anonymous
    To accept the default shown in brackets, press the Return key.
    Client binding: [1]: 3
    Proxy User DN: uid=proxyuser,ou=special users,o=maabof.com
    Password: <password>
    Bind time limit [5 seconds]:
    Search time limit [no limit]:
    Do you want client searches of the directory to follow referrals? [Yes]:
    Profile TTL [0 = infinite]:
    Do you want to remap any of the standard RFC 2307 attribute? [No]:
    Do you want to create custom search descriptors? [No]:
    Are you ready to create the Profile Entry? [Yes]:
    Updated directory server at 192.168.0.33:389 with a profile entry at
       [cn=defaultLDAPprofile,ou=profiles,ou=unix,o=maabof.com]
    Updated the local client configuration file
      /etc/opt/ldapux/ldapux_client.conf
    Updated the local client profile entry LDIF file
      /etc/opt/ldapux/ldapux_profile.ldif
    Updated the local client profile entry cache file
      /etc/opt/ldapux/ldapux_profile.bin
    Would you like to start/restart the LDAP-UX daemon (y/n)? [y]:
    Updated the LDAP-UX daemon configuration file
      /etc/opt/ldapux/ldapclientd.conf
    Restarted the LDAP-UX daemon!

    To enable the LDAP Pluggable Authentication Module, save a copy of the file
    /etc/pam.conf then add ldap to it.  See /etc/pam.ldap for an example.

    To enable the LDAP Name Service Switch, save a copy of the file
    /etc/nsswitch.conf then add ldap to it.  See /etc/nsswitch.ldap for an example.

    LDAP-UX Client Services setup complete.
    root@hpeos003[config]

21.3.13 Configure /etc/pam.conf to use LDAP

We need to ensure that the login process references the LDAP directory whenever a user logs in and his entry is not listed in the /etc/passwd file. The supplied /etc/pam.ldap file is usually fine for most situations; if /etc/pam.conf has been customized locally, merge the ldap lines from /etc/pam.ldap into it rather than copying the file over wholesale, as I do here:

 

    root@hpeos003[] cp /etc/pam.conf /etc/pam.org
    root@hpeos003[] cp /etc/pam.ldap /etc/pam.conf
    root@hpeos003[]

21.3.14 Configure /etc/nsswitch.conf

As well as /etc/pam.conf, we need to ensure that any utilities referencing user-level information can locate the proper source for data. The file that tells them where to look next is /etc/nsswitch.conf. An example file, /etc/nsswitch.ldap, can be used as a template. You should customize /etc/nsswitch.conf to include LDAP as well as any other switch configuration you have in place, e.g., for hosts and ipnodes (IPv6).

 

    root@hpeos003[] cat /etc/nsswitch.conf
    #
    # /etc/nsswitch.ldap:
    #
    # An example file that could be copied over to /etc/nsswitch.conf.  It
    # uses LDAP (Lightweight Directory Access Protocol) in conjunction with
    # dns & files.
    #
    passwd:       files ldap
    group:        files ldap
    hosts:        files [NOTFOUND=continue] dns [NOTFOUND=continue] ldap
    networks:     files ldap
    protocols:    files ldap
    rpc:          files ldap
    publickey:    files
    netgroup:     files ldap
    automount:    files
    aliases:      files
    services:     files ldap
    root@hpeos003[]
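A small check of the switch file, as an added example that is not part of the book or of LDAP-UX: after merging the ldap entries into a customized /etc/nsswitch.conf it is easy to leave one database (group, say) still pointing only at files, so the functions below parse the file and report, per database, the source order with the [status=action] tokens stripped and whether ldap is consulted at all. The sample file is a constructed copy of the book's /etc/nsswitch.ldap with a couple of databases omitted; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the book): parse an nsswitch.conf and report which
# sources each database consults, so a freshly configured client can be
# checked for databases that never reach ldap. Sample data is constructed.

# Constructed from the book's /etc/nsswitch.ldap (some databases left out).
SAMPLE_NSSWITCH='#
# constructed copy of the example switch file
#
passwd:       files ldap
group:        files ldap
hosts:        files [NOTFOUND=continue] dns [NOTFOUND=continue] ldap
services:     files ldap
automount:    files'

# nss_sources DB  (switch file on stdin)
# Prints the sources listed for database DB, one per line, ignoring comment
# lines and the bracketed [status=action] tokens between sources.
nss_sources() {
    awk -v db="$1" '
        /^[ \t]*#/ { next }
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
            exit
        }
    '
}

# nss_uses_ldap DB  (switch file on stdin)
# Exit status 0 if ldap appears among the sources for DB, 1 otherwise.
nss_uses_ldap() {
    nss_sources "$1" | grep -qx ldap
}

# Usage: the databases a login depends on, plus one that stays local.
for db in passwd group hosts automount; do
    if printf '%s\n' "$SAMPLE_NSSWITCH" | nss_uses_ldap "$db"; then
        echo "$db: ldap consulted (order: $(printf '%s\n' "$SAMPLE_NSSWITCH" | nss_sources "$db" | tr '\n' ' '))"
    else
        echo "$db: ldap NOT consulted"
    fi
done
```

Run against the real file with `nss_uses_ldap group < /etc/nsswitch.conf`. The order printed for hosts is files, dns, ldap, matching the book's line once the continue actions are removed.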

21.3.15 Test user functionality

We need to ensure that basic user functionality has not been affected. Users must still be able to log in and perform all tasks they would normally do. We can test this functionality beforehand using commands like nsquery :

 

    root@hpeos003[] nsquery passwd barney ldap
    Using "ldap" for the passwd policy.
    Searching ldap for barney
    User name: barney
    User Id: 110
    Group Id: 107
    Gecos:
    Home Directory: /home/barney
    Shell: /sbin/sh
    Switch configuration: Terminates Search
    root@hpeos003[]
    root@hpeos003[] nsquery hosts hpeos003 ldap
    Using "ldap" for the hosts policy.
    Searching ldap for hpeos003
    Hostname: hpeos003
    Aliases: hp003_lan0 hpeos003.hq.maabof.com
    Address: 192.168.0.33
    Switch configuration: Terminates Search
    root@hpeos003[]

There is a contributed utility called beq that comes as part of the LDAP-UX Integration software. It queries the directory server through the name service library as if it were a UNIX utility looking up usernames, passwords, network services, and so on, which makes it useful for debugging problems. Here's an example of performing a query for the telnet service:

 

    root@hpeos003[] cd /opt/ldapux/contrib/bin
    root@hpeos003[bin] ./beq -k n -s srv -l /usr/lib/libnss_ldap.1 telnet tcp
    nss_status .............. NSS_SUCCESS
    s_name...........(telnet)
    s_proto..........(tcp)
    s_port...........(23)
    s_aliases    NONE
    root@hpeos003[bin]

Or a username from the password (pwd) service:

 

    root@hpeos003[bin] ./beq -k n -s pwd -l /usr/lib/libnss_ldap.1 fred
    nss_status .............. NSS_SUCCESS
    pw_name...........(fred)
    pw_passwd.........(*)
    pw_uid............(109)
    pw_gid............(20)
    pw_age............()
    pw_comment........()
    pw_gecos..........()
    pw_dir............(/home/fred)
    pw_shell..........(/sbin/sh)
    pw_audid..........(0)
    pw_audflg.........(0)
    root@hpeos003[bin]

Ultimately, the test we really need to perform is to remove all our non-system entries from the /etc/passwd and /etc/group files and ensure that users can still log in. Here is my /etc/passwd file:

 

    root@hpeos003[] cat /etc/passwd
    root:qSilPI22TtKuw:0:3::/.root:/sbin/sh
    daemon:*:1:5::/:/sbin/sh
    bin:*:2:2::/usr/bin:/sbin/sh
    sys:*:3:3::/:
    adm:*:4:4::/var/adm:/sbin/sh
    uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    lp:*:9:7::/var/spool/lp:/sbin/sh
    nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
    hpdb:*:27:1:ALLBASE:/:/sbin/sh
    oracle::102:102:Oracle:/home/oracle:/usr/bin/sh
    www:*:30:1::/:
    webadmin:*:40:1::/usr/obam/server/nologindir:/usr/bin/false
    smbnull:*:101:101:DO NOT USE OR DELETE - needed by Samba:/home/smbnull:/sbin/sh
    sshd:*:106:104:sshd privsep:/var/empty:/bin/false
    ids:*:107:105:HP-UX Host IDS Administrator:/home/ids:/sbin/sh
    mysql:*:104:106::/home/mysql:/sbin/sh
    root@hpeos003[]

I need to ensure that users can still log in. I suppose I need to try it out!

    root@hpeos003[] login
    login: barney
    Password: <password>
    Please wait...checking for disk quotas
    (c)Copyright 1983-2000 Hewlett-Packard Co., All Rights Reserved.
    (c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
    (c)Copyright 1980, 1984, 1986 Novell, Inc.
    (c)Copyright 1986-1992 Sun Microsystems, Inc.
    (c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
    (c)Copyright 1989-1993 The Open Software Foundation, Inc.
    (c)Copyright 1986 Digital Equipment Corp.
    (c)Copyright 1990 Motorola, Inc.
    (c)Copyright 1990, 1991, 1992 Cornell University
    (c)Copyright 1989-1991 The University of Maryland
    (c)Copyright 1988 Carnegie Mellon University
    (c)Copyright 1991-2000 Mentat Inc.
    (c)Copyright 1996 Morning Star Technologies, Inc.
    (c)Copyright 1996 Progressive Systems, Inc.
    (c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.

                               RESTRICTED RIGHTS LEGEND
    Use, duplication, or disclosure by the U.S. Government is subject to
    restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
    Technical Data and Computer Software clause in DFARS 252.227-7013.

                               Hewlett-Packard Company
                               3000 Hanover Street
                               Palo Alto, CA 94304 U.S.A.

    Rights for non-DOD U.S. Government Departments and Agencies are as set
    forth in FAR 52.227-19(c)(1,2).
    You have mail.
    $ pwd
    /home/barney
    $ id
    uid=110(barney) gid=107(admin)
    $
    $ pwget -n barney
    barney:*:110:107::/home/barney:/sbin/sh
    $

It looks as if barney is able to function as normal. You probably noticed that his password is represented by an asterisk. The default behavior of the POSIX schema is to represent the password as an asterisk (effectively a null) whenever a UNIX command requires some form of valid entry in that field. If we remember back to when we were setting up access controls on the directory, we disallowed read access to the userpassword attribute. This is still in force; it's just that pwget (and commands like it) needs to produce valid output.

21.3.16 Add another client

To add another client into this network, I would perform the following steps:

  • Install LDAP-UX Integration software.

     

      root@hpeos004[] swlist -l bundle J4269AA
      # Initializing...
      # Contacting target "hpeos004"...
      #
      # Target:  hpeos004:/
      #
        J4269AA       B.03.10        LDAP-UX Integration
      root@hpeos004[]

  • Copy the following files from the client we have just configured (hpeos003, which is also our directory server):

    - /etc/opt/ldapux/ldapux_client.conf

    - /etc/opt/ldapux/pcred (as I am using a proxyuser)

    - /etc/pam.conf

    - /etc/nsswitch.conf

  • Start the LDAP-UX client daemon.

     

      root@hpeos004[] /sbin/init.d/ldapclientd.rc start
      ldapclientd started with <0>
      root@hpeos004[]

  • Download the profile from the server by using the following command:

     

      root@hpeos004[] cd /opt/ldapux/config
      root@hpeos004[config] ./get_profile_entry -s nss

  • Check that the proxy user configuration is valid as seen from this machine:

     

      root@hpeos004[config] ./ldap_proxy_config -p
      PROXY DN: uid=proxyuser,ou=Special Users,o=maabof.com
      root@hpeos004[config] ./ldap_proxy_config -v
      File Credentials verified - valid
      SCS Credentials verified - valid
      File copy & SCS copy are synchronized
      root@hpeos004[config]

  • Test user functionality. If this is all working as we would expect, barney should now be visible as a user even though he has never been configured on this server:

     

      root@hpeos004[config] grep barney /etc/passwd
      root@hpeos004[config] pwget -n barney
      barney:*:110:107::/home/barney:/sbin/sh
      root@hpeos004[config]

In order for barney to log in, all we would need to ensure is that his home directory is available on this machine.



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434
