
Re: LDAP Client configuration - pcred file

 
Stefano_36
Frequent Advisor

LDAP Client configuration - pcred file

Hi to all,
I want to automate the LDAP Client installation procedure. Can I use the same /etc/opt/ldapux/pcred file and copy it to each LDAP client I want to configure, or must I regenerate it each time?

Thanks
Peter Godron
Honored Contributor

Re: LDAP Client configuration - pcred file

Stefano,
Step 8, Point 2 of this document:
http://docs.hp.com/en/J4269-90049/ch02s07.html
"Copy the following files from a configured client to the client being configured:

/etc/opt/ldapux/ldapux_client.conf

/etc/opt/ldapux/pcred only if you have configured a proxy user, not if you are using only anonymous access

/etc/pam.conf

/etc/nsswitch.conf

cert7.db or cert8.db and key3.db files if SSL is enabled"
Don Mallory
Trusted Contributor

Re: LDAP Client configuration - pcred file

Technically, yes you can. I automated our install and it worked pretty well, however I found that it was more stable if I ran it myself. When just copying the file, on a couple of occasions, the file copied properly, was the same file, chksums were the same, etc, but no go.

My script now passes the password at time of installation. This just ensures that you don't start with a corrupt file. It does however require that you enter the password for the proxy user correctly. Since the password can't be changed or expired in the domain, I used a 63 character strong password.

One limitation is that HP-UX and Windows and their respective command lines have different limitations for which special characters are allowed.

You end up getting limited down to: !-=_+,.;:

Here's the section of my script:


# Get the LDAP Proxy User Password

LPROXPW=""

# Keep prompting until a non-empty password has been entered.
while [ -z "$LPROXPW" ]
do
    echo "\n\nEnter the LDAP Proxy User account password: \c"
    stty -echo      # do not echo the password to the terminal
    read -r LPROXPW
    stty echo
    echo
done

echo "Downloading the LDAP-UX Profile from the AD."

# Quote the password so that special characters reach the tool unchanged.
# A password passed with -w is visible in the process list while the command runs.
/opt/ldapux/config/get_profile_entry -s nss -D "CN=LDAP Proxy User,CN=Users,DC=mydomain,DC=ca" -w "$LPROXPW"

/opt/ldapux/config/ldap_proxy_config -v
/sbin/init.d/ldapclientd.rc start


Oh, one other thing. After bugging HP support for what type of encryption is used on this file, I had an answer of "it's secure and we aren't going to tell you", which translates to proprietary and therefore weak. If they were using a strong encryption method such as 3DES, AES-256 or other strong one-way encryption algorithm they would be willing to let you know what it was.

I've also found that the file size doesn't change no matter what the length of the password or proxy user account is.
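
The password constraints described in the reply above (63 characters, special characters limited to `!-=_+,.;:`), as an added example that is not part of the original posts: one function generates such a password and one checks a typed password before it is handed to the LDAP-UX tools. The function names, `PW_LEN` and the use of `/dev/urandom` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes /dev/urandom exists on the host.
LC_ALL=C; export LC_ALL   # byte-wise ranges, so A-Z never matches accented letters
PW_LEN=63                 # length used in the post

# Succeed only if $1 is exactly PW_LEN characters long and every character is
# a letter, a digit or one of the specials named in the post: !-=_+,.;:
valid_proxy_pw() {
    [ "${#1}" -eq "$PW_LEN" ] || return 1
    case $1 in
        *[!A-Za-z0-9!=_+,.\;:-]*) return 1 ;;   # found a character outside the set
    esac
    return 0
}

# Print one random password of PW_LEN characters drawn from the same set.
# tr -dc discards every byte outside the set, so each kept character is
# uniformly distributed over the 71 allowed characters (no modulo bias).
gen_proxy_pw() {
    raw=$(dd if=/dev/urandom bs=1024 count=4 2>/dev/null |
          tr -dc 'A-Za-z0-9!=_+,.;:-')
    pw=$(printf '%s' "$raw" | cut -c1-"$PW_LEN")
    unset raw
    # Fail instead of returning a short password if too few bytes survived.
    if valid_proxy_pw "$pw"; then
        printf '%s\n' "$pw"
        unset pw
        return 0
    fi
    unset pw
    return 1
}
```

Calling `valid_proxy_pw "$LPROXPW"` inside the prompt loop catches a mistyped or out-of-set password before a bad credential is written on the client.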