11-17-2009 09:29 AM
Re: Problem setting up LDAP-UX with AD
In case you're interested, I'm using a modified version of the profile Monty gave me, and a small install script to push out the configuration.
In advance of the migration, I'm installing the following software updates:
PAM_Kerberos
PAM_mkhomedir (from internet express)
KRB5CLIENT
LDAP-UX
I push out the following updated files to a vanilla system:
krb5.conf
ldapclientd.conf
ldapux_client.conf
ldapux_profile.ldif
nsswitch.conf
pam_authz.policy
pam.conf
pcred
/opt/ldapux/config/create_profile_cache
/sbin/init.d/ldapclientd.rc restart
I'd recommend that HP better document this method, as to be honest it can be far simpler to implement than using the setup program, especially in complex AD environments like mine where access to Administrator is restricted and where the Windows admins may be uncomfortable with the changes.
Thanks for all your help,
Jeffrey.
11-17-2009 09:56 AM
Re: Problem setting up LDAP-UX with AD
In regards to non-admin install of the schema, we'll do some testing, and see if we have any ideas or recommendations.
Bob
11-17-2009 12:00 PM
Re: Problem setting up LDAP-UX with AD
01-28-2010 12:25 PM
Re: Problem setting up LDAP-UX with AD
I think this was all resolved for you now, but I'm certainly interested in this posting!
I am working through Eric Roseme's document (v2 October 2009) now and had three questions.
1. For the installation of "Identity Management for UNIX" and subcomponents (particularly the "Server for NIS" component) - did you install that on a DC in your base/forest domain, or did you install it on DCs in both of your child domains? The guide (page 10) does say root domain, but I have to be cautious and it would be good to see if that's what you did!
2. We have a 2003R2 schema so I know we are already RFC2307 ready - but I have to deal with the best way to do the tiny schema update that you were originally having issues with. Because of our very complicated AD (1 forest, 5 child domains), our AD team get very twitchy about schema updates... I would much prefer to let them update the schema first, so that when I run the LDAP config utility it will see that no update is required...
I saw that Bob Neal-Joslin had kindly compiled the LDIF for you - with the caveat "buyer beware" as he couldn't test it.
Was that the LDIF that worked for you? I saw you mention one from Monty @ HP...
If you could let me know how you did ultimately get a working LDIF (or even send me yours so I can try and tailor it to our domain), that would also be great!
Assuming I am right in saying that once the Windows guys had applied that schema update directly, the LDAP config utility simply skipped that step?!
3. Did the Windows guys do the manual schema update on the root domain or each of the two child domains where your users are? It looks to me like it is supposed to be in the child domains, but I can't be sure.
I also like the sound of your "manual" process - but seeing as I haven't done one the "proper" way yet, I have no real idea of what goes in some of those files!
Any advice you could provide would be most appreciated!
Cheers,
Graham.
01-28-2010 03:36 PM
Re: Problem setting up LDAP-UX with AD
The profile object in AD is a nice thing to have if you need to configure servers in many domains and you want to be able to update their configuration centrally, but to be honest for the vast majority of people I think it's simpler to just create your own LDIF and push it out to the clients.
We have about 100 servers, and the migration was really easy once I stopped trying to use the setup tool.
To answer your questions:
1) We don't have Identity Management for UNIX installed. It's not needed, unless you want the snap-in to manage attributes via "Users and Computers". All that's needed is an RFC2307 compliant schema. I'm sure it's mentioned in the documentation as one way of getting a compliant schema, but you already have that.
2) In our situation, the root of our forest is using the RFC2307 compliant schema (from Win2008R2), so all of the domains are using it. You do NOT need the schema update from LDAP-UX to get LDAP-UX to work with AD. The documentation from HP is a bit misleading in that regard. The schema update is ONLY for the profile object that allows the setup utility to get the configuration from the AD server. If you provide your own LDIF, it's not needed at all.
The LDIF worked great for me, once I tweaked some of the attribute mappings to match what we use. I'll attach a sanitized version of it so you can use it. It may work for you out of the box, but keep in mind that we probably store our data in slightly different places than you do.
3) If you provide your own LDIF no changes are required to the AD servers at all (unless you want the snap-in for Users and Computers). I was a very happy boy once I figured that out, as I like to minimize my interactions with (and modifications to) the AD server.
Here are the basic steps for getting this to work:
1) Edit the LDIF and customize it for your environment.
2) Make sure you're using the latest PAM_Kerberos, LDAP-UX, and KRB5CLIENT or YMMV.
3) Configure ldapclientd.conf and enable StartOnBoot. Enable only the services at the end of the file that you need (like passwd, group, etc).
4) Edit ldapux_client.conf as need be. Make sure no configuration is present under the [profile] section - this is the part that tells LDAP-UX to get its information from the AD server. You don't want it to get it from anywhere other than the local cache.
5) Push your custom ldapux_profile.ldif to /etc/opt/ldapux.
6) Copy out your pre-generated pcred file (for authenticating to the AD server) or generate it at time of install.
7) Run create_profile_cache and restart the ldapclientd daemon. If you have the custom LDIF in the right place with the right name (given above) no options are needed.
8) Profit.
I hope this helps, let me know if you have more questions. I found this method was MUCH easier for us as we could easily script it.
P.S. Don't worry about the weird unprintables in the LDIF related to the schema object. They're not used.
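Jeffrey's 11-17-2009 post (the list of files pushed to a vanilla system, then create_profile_cache and the ldapclientd restart) and the eight steps in this post describe the same push-out procedure. Below is that procedure written as an install script. It is an added example, not the script either poster actually used. Things the thread does not state and that are assumed here: the destination paths other than /etc/opt/ldapux (krb5.conf, nsswitch.conf and pam.conf under /etc, the rest under /etc/opt/ldapux), the `[StartOnBoot]` / `enable=yes` syntax in ldapclientd.conf, that `[profile]` in ldapux_client.conf is empty when it contains only comments and blank lines, and the function names. The script checks those two conditions before copying anything (step 3 and step 4 above), keeps pcred root-only because it holds the proxy bind credential, and only runs create_profile_cache and the restart when installing to the live root, so it can be rehearsed against an alternate root first.

```shell
#!/usr/bin/sh
# Added example, not the script from the thread: stage a pre-built LDAP-UX
# client configuration onto a host without running the setup utility.
# Destination paths other than /etc/opt/ldapux are assumed to be the standard
# HP-UX locations; [StartOnBoot]/enable=yes and the [profile] layout are assumed.

LDAPUX_FILES="krb5.conf ldapclientd.conf ldapux_client.conf ldapux_profile.ldif \
nsswitch.conf pam_authz.policy pam.conf pcred"

# Succeeds when the [profile] section of ldapux_client.conf has no active
# settings, so ldapclientd reads only the local cache built from the LDIF.
profile_section_is_empty() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[profile\]/); next }
        insec && $0 !~ /^[ \t]*(#|$)/ { bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Succeeds when ldapclientd.conf has enable=yes under [StartOnBoot]
# (assumed syntax).
start_on_boot_enabled() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[StartOnBoot\]/); next }
        insec && tolower($0) ~ /^[ \t]*enable[ \t]*=[ \t]*yes/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Copy the customized files from a staging directory into place under an
# optional alternate root (useful for a rehearsal; default is the live system).
stage_ldapux_config() {
    src=$1
    dest=${2:-/}
    for f in $LDAPUX_FILES; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    profile_section_is_empty "$src/ldapux_client.conf" ||
        { echo "ldapux_client.conf: [profile] section must be empty" >&2; return 1; }
    start_on_boot_enabled "$src/ldapclientd.conf" ||
        { echo "ldapclientd.conf: StartOnBoot is not enabled" >&2; return 1; }

    mkdir -p "$dest/etc/opt/ldapux" || return 1
    cp "$src/krb5.conf"     "$dest/etc/krb5.conf"     || return 1
    cp "$src/nsswitch.conf" "$dest/etc/nsswitch.conf" || return 1
    cp "$src/pam.conf"      "$dest/etc/pam.conf"      || return 1
    for f in ldapclientd.conf ldapux_client.conf ldapux_profile.ldif pam_authz.policy; do
        cp "$src/$f" "$dest/etc/opt/ldapux/$f" || return 1
        chmod 0644 "$dest/etc/opt/ldapux/$f"
    done
    # pcred carries the proxy bind credential for AD: root-only, never world-readable.
    cp "$src/pcred" "$dest/etc/opt/ldapux/pcred" || return 1
    chmod 0600 "$dest/etc/opt/ldapux/pcred"
}

# Build the profile cache from /etc/opt/ldapux/ldapux_profile.ldif and restart
# the daemon. Only acts on the live root; an alternate root is left untouched.
activate_ldapux() {
    dest=${1:-/}
    if [ "$dest" != / ]; then
        echo "staged under $dest; skipping create_profile_cache and restart"
        return 0
    fi
    /opt/ldapux/config/create_profile_cache || return 1
    /sbin/init.d/ldapclientd.rc restart
}

# Usage: sh ldapux_push.sh <staging_dir> [<alternate_root>]
if [ $# -ge 1 ]; then
    stage_ldapux_config "$1" "${2:-/}" && activate_ldapux "${2:-/}"
fi
```

Run it once with an alternate root (for example `sh ldapux_push.sh ./stage /tmp/rehearse`) to confirm the file layout and the two sanity checks before running it against `/` on a real host; after the live run, confirm lookups with `nsquery passwd <aduser>` before touching the next server.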
02-02-2010 10:57 AM
Re: Problem setting up LDAP-UX with AD
I have started a new thread - http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1404907 - with a continuation question(s)...
This way I can assign points - I owe you already.