Problem setting up LDAP-UX with AD
10-27-2009 01:29 PM
The AD schema already has the RFC2307 support, and I already have 110 RHEL Linux boxes authenticating against AD using pam_krb5 and nss_ldap.
On a test system running 11.23, I've installed the following packages using swinstall:
J4269AA_B.04.20_HP-UX_B.11.23_IA_PA.depot
KRB5CLIENT_D.1.6.2.04_HP-UX_B.11.23_IA_PA.depot
PAMKerberos_C.01.26_HP-UX_B.11.23_IA_PA.depot
The PHSS_39765 KRB5-Client patch is also installed.
Kerberos works fine, I can kinit and so forth against the AD servers. However, LDAP-UX bombs out early in the install.
Here's what happens. I run /opt/ldapux/config/setup, select 2 for AD, put in the hostname of the root AD server that is the schema master. I then have the AD admin put in his credentials to bind to it. That succeeds. It then asks if I want to extend the schema.
When we put in the admin's DN and password, the setup program bombs out and displays the following error:
PFMERR 43: Can't extend LDAP-UX Configuration profile schema on the Directory Server
We've confirmed that the admin account has schema privileges and we're connecting to the server that's the schema master. To rule out a Win2008 issue we moved the master to a Win2003 box and had the same issue.
I've read Eric Roseme's excellent Unified Login guide and I can't figure out what's wrong. Looking at the guide we are failing after the last step on page 23.
Any help would be appreciated. I'm under a lot of time pressure to get this completed. I can look at building PADL's nss_ldap, but I'd really rather not as the LDAP-UX software looks very well supported.
Thanks in advance.
10-27-2009 01:45 PM
Re: Problem setting up LDAP-UX with AD
For HP-UX to work those Windows 2003 boxes either need to be patched or R2.
If they are not patched, they will not work.
Sorry.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
10-27-2009 01:53 PM
Re: Problem setting up LDAP-UX with AD
Also, as I said in my post, the schema master was a Win2008 server. It failed on that host, too.
10-28-2009 08:34 AM
Re: Problem setting up LDAP-UX with AD
10-30-2009 10:33 AM
Re: Problem setting up LDAP-UX with AD
10-30-2009 01:07 PM
Re: Problem setting up LDAP-UX with AD
LDAP-UX has some strange behavior with how it handles DNs. On the initial bind step where it checks to see if the schema has been extended already, if I put in the following DN it fails, saying "ldap_simple_bind: Invalid credentials":
CN=Bar\, Foo,OU=Domain Managers,OU=Domain Management,DC=hrblock,DC=net
If I wrap that DN in double quotes ("), it succeeds. However, on the next step (extending the schema, apparently), if I put in the same DN in double quotes I get the above-mentioned PFMERR 43 error.
Here is what bothers me about this - why doesn't LDAP-UX properly handle unusual DNs? It should be quoting whatever you put in before passing it to ldapmodify already. The fact that I have to double quote the DN in the setup utility makes me wonder how LDAP-UX is handling passed variables.
There is further weirdness. We created a copy of the admin's account and put it in the Users folder. The reason was so that we could have a DN that didn't require escaping. It was named:
CN=Test01,CN=Users,DC=hrblock,DC=net
This account is able to bind and do queries with ldapsearch, but fails every time with the /opt/ldapux/config/setup command. I get the "ldap_simple_bind: Invalid credentials" error every time, and the AD server shows errors in authentication. Anyone have any suggestions?
I'm also looking to see if I can find the exact schema changes that LDAP-UX wants to do, in an LDIF, and just have the Windows guys install the schema on their side.
If I do that, will I be able to bypass the schema extension step?
Thanks for any help.
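The DN in the post above has a comma inside an RDN value, which RFC 4514 requires to be written as `Bar\, Foo`. The following is an added example (not LDAP-UX code, and not from the poster) that shows the escaping rules in both directions and then simulates what a POSIX shell does to such a DN when a wrapper script pastes it into an `ldapsearch` command line unquoted, double-quoted, or properly quoted. That the setup utility interpolates the DN into a shell command is the poster's suspicion and an assumption here; the real script is not on the page. The `ldapsearch -x -D` command is only tokenised, never executed.

```python
"""RFC 4514 DN escaping, and what unquoted shell interpolation does to a DN.

Added example for this thread, not HP LDAP-UX code.  Assumption: a wrapper
script builds 'ldapsearch -x -D <dn>' as a shell string (not confirmed).
"""
import shlex

# Characters that need a backslash anywhere in an attribute value (RFC 4514 s.2.4).
_SPECIAL = set('"+,;<>\\')
_HEX = set('0123456789abcdefABCDEF')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:           # a leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and i in (0, last):   # leading/trailing space is significant
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> list:
    """Split a string DN into (type, unescaped value) pairs.

    Honours backslash escapes and \\XX hex pairs.  Multi-valued RDNs ('+')
    are left as a single value; AD user DNs never use them.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ',':                         # an unescaped comma ends the RDN
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip(), value))
    return pairs


def build_dn(pairs) -> str:
    """Inverse of split_dn: re-escape every value and join the RDNs with commas."""
    return ','.join(f'{attr}={escape_rdn_value(value)}' for attr, value in pairs)


def shell_words(dn: str, how: str) -> list:
    """Tokenise 'ldapsearch -x -D <dn>' the way a POSIX shell would.

    how='raw'    : DN pasted in verbatim (backslash eaten, DN split on spaces)
    how='dquote' : DN wrapped in double quotes by hand, as the poster did
                   (works here, but a DN containing '"' or '$' would break)
    how='quote'  : DN wrapped by shlex.quote, the safe way for a script
    """
    if how == 'raw':
        arg = dn
    elif how == 'dquote':
        arg = f'"{dn}"'
    else:
        arg = shlex.quote(dn)
    return shlex.split(f'ldapsearch -x -D {arg}')


if __name__ == '__main__':
    DN = 'CN=Bar\\, Foo,OU=Domain Managers,OU=Domain Management,DC=hrblock,DC=net'
    print(split_dn(DN))
    for how in ('raw', 'dquote', 'quote'):
        print(how, shell_words(DN, how))
```

In the `raw` case the backslash disappears and the DN becomes four separate arguments, so whatever reaches the directory is not the account's DN and the bind fails with invalid credentials; double-quoting happens to preserve `\,` because inside double quotes a POSIX shell only treats backslash specially before `$`, `` ` ``, `"`, `\` and newline. A script that builds the command line should use `shlex.quote` (or avoid the shell entirely) rather than rely on the caller adding quotes.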
10-30-2009 01:20 PM
Re: Problem setting up LDAP-UX with AD
I'm not sure I can explain the issue with troubles binding after creating a new user.
In regards to an alternative way to bind, with ADS it's sometimes possible to use the uid@domain notation to specify the bind ID instead of a DN. So instead of "cn=administrator,cn=users,dc=my,dc=org", you can simply say "administrator@my.org". See if that syntax works for you.
In regards to LDIF for direct import, allow me to research to see what might have already been created. If I can't find anything, I'll craft one up. It's defined by RFC 4876.
We'll also test to try to reproduce the non-plain DN issue.
Thanks,
Bob
10-30-2009 03:02 PM
Solution
Here's the promised schema LDIF file. I don't have an ADS server available today for me to test this, so buyer beware. Anyway, you should be able to install this with ldapmodify to the schema master. But, be sure to replace "[DOMAIN_DN]" with the actual domain base DN for your environment.
See the attached file.
BTW, yes we do try our best to provide good support for LDAP-UX. So feel free to contact your HP support representative, to start tracking this issue.
Bob
11-02-2009 01:28 PM
Re: Problem setting up LDAP-UX with AD
If it helps, here's how the servers are laid out. Let's call our base domain example.com. Within this forest there are two domains foo.example.com and bar.example.com. Foo is the core network and bar is the DMZ network. Both domains have users, and I need to have systems in both domains authenticate. Neither domain trusts the other.
For Linux, I have separate configs for the two domains (though not much is different other than the domain names and where the access groups are located). For HP-UX, I'm planning on doing the same, setting up the config in both domains separately.
What we've been trying to do is extend the schema on the base controllers dc1.example.com and dc2.example.com. We'd then set up a profile in foo.example.com and bar.example.com.
Anyhow, we've had no luck getting the schema to extend on those two servers. One is Win2003 (not R2, but using the RFC2307 compliant schema), the other is Win2008R2. We'll try to extend the schema from the Windows side using this LDIF, assuming that there's not a better way to do it from LDAP-UX - or if somehow I'm doing something wrong, which is very possible.
Please keep in mind that my expertise is with Linux, IRIX, and Solaris. I don't have a lot of HP-UX experience so please let me know if there's something I might be missing.
11-11-2009 03:11 PM
Re: Problem setting up LDAP-UX with AD
However, to be honest it's much easier for us to just use an ldapux_profile.ldif that's pushed out to the servers and then create the .bin manually. I'm not sure if it's in the documentation anywhere (I didn't see it), but if it isn't I'd highly recommend adding a chapter on doing this method and bypassing the AD schema extension. It's much easier for us to do it this way.
Thanks for all your help, so far everything seems to be working well with SIMPLE auth on 11.11, 11.23, and 11.31. Once we get the migration done I'll then work on securing the connection with GSSAPI.
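Bob's LDIF needs "[DOMAIN_DN]" replaced by the real base DN, the thread has two AD domains that each need their own profile, and the last post ends on simple bind with GSSAPI still to come. The following is an added example, not HP code and not the attachment from the thread, that renders an RFC 4876 DUAConfigProfile entry per domain from a constructed template, parses the result back as LDIF, and flags the things a practitioner would check before pushing the file out: a leftover placeholder, missing objectClass or attributes, and a proxy credential sent over a plain simple bind. The profile name `ldapux_profile`, the `ou=profile` container, the server names and the AD attribute and objectclass mappings in the template are assumptions; substitute whatever the real profile uses.

```python
"""Render and sanity-check an RFC 4876 DUAConfigProfile LDIF for LDAP-UX clients.

Added example for this thread, not HP code and not the attachment posted
above.  PROFILE_TEMPLATE is a constructed stand-in: the profile name
'ldapux_profile', the 'ou=profile' container and the AD mappings below are
assumptions to be replaced with the real values.
"""
import base64

PLACEHOLDER = '[DOMAIN_DN]'

# RFC 4876 attribute syntax: serviceSearchDescriptor is "service:base?scope",
# attributeMap is "service:attr=mapped", objectclassMap is "service:class=mapped".
PROFILE_TEMPLATE = """\
dn: cn=ldapux_profile,ou=profile,[DOMAIN_DN]
changetype: add
objectClass: top
objectClass: DUAConfigProfile
cn: ldapux_profile
defaultServerList: {servers}
defaultSearchBase: [DOMAIN_DN]
authenticationMethod: {auth}
credentialLevel: proxy
serviceSearchDescriptor: passwd:cn=Users,[DOMAIN_DN]?one
serviceSearchDescriptor: group:cn=Users,[DOMAIN_DN]?one
attributeMap: passwd:uid=sAMAccountName
objectclassMap: passwd:posixAccount=user
objectclassMap: group:posixGroup=group
followReferrals: FALSE
profileTTL: 3600
"""


def dns_to_base_dn(domain: str) -> str:
    """foo.example.com -> DC=foo,DC=example,DC=com (AD's default naming context)."""
    return ','.join('DC=' + label for label in domain.strip('.').lower().split('.'))


def render_profile(domain: str, servers, auth: str = 'simple') -> str:
    """Fill the template for one AD domain, substituting every [DOMAIN_DN]."""
    ldif = PROFILE_TEMPLATE.format(auth=auth, servers=' '.join(servers))
    return ldif.replace(PLACEHOLDER, dns_to_base_dn(domain))


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: folded lines, comments, base64 (::) values and
    multi-valued attributes.  Attribute names are lower-cased because LDAP
    compares them case-insensitively.  Returns one dict per entry; 'dn' is
    just another key."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:      # continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical:
        if not line.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith('#') or line.lower().startswith('version:'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            raise ValueError(f'not an LDIF attribute line: {line!r}')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        cur.setdefault(name.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def check_profile(entry: dict) -> list:
    """Return a list of problems; an empty list means the profile looks usable.

    RFC 4876 only mandates cn, but a client cannot locate anything without
    defaultServerList and defaultSearchBase, so those are checked as well.
    """
    problems = []
    classes = {c.lower() for c in entry.get('objectclass', [])}
    if 'duaconfigprofile' not in classes:
        problems.append('objectClass DUAConfigProfile missing')
    for attr in ('cn', 'defaultserverlist', 'defaultsearchbase'):
        if attr not in entry:
            problems.append(f'{attr} missing')
    for attr, values in entry.items():
        for v in values:
            if PLACEHOLDER in v:
                problems.append(f'{attr} still contains {PLACEHOLDER}')
    auth = entry.get('authenticationmethod', ['none'])[0].lower()
    cred = entry.get('credentiallevel', ['anonymous'])[0].lower()
    if cred == 'proxy' and auth == 'simple':
        problems.append('credentialLevel proxy with plain "simple" bind: the proxy '
                        'password crosses the wire in cleartext; use tls:simple or sasl/GSSAPI')
    return problems


if __name__ == '__main__':
    for domain in ('foo.example.com', 'bar.example.com'):
        ldif = render_profile(domain, [f'dc1.{domain}', f'dc2.{domain}'])
        print(ldif)
        for problem in check_profile(parse_ldif(ldif)[0]):
            print('WARNING:', problem)
```

Run it once per domain and feed the output to `ldapmodify` against that domain's controller (or keep it as the ldapux_profile.ldif that gets pushed to the HP-UX hosts, as the last post prefers). The cleartext warning is the reason the GSSAPI step mentioned above should not be left for later: with `credentialLevel: proxy` and `authenticationMethod: simple` on plain port 389, the proxy account's password is visible to anyone on the path between every client and the domain controllers.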