Problem setting up LDAP-UX with AD


Hello, I'm trying to set up a bunch of HP-UX 11.11, 11.23, and 11.31 servers to authenticate against AD. The AD servers in question are a mix of Win2003 (not R2) and Win2008 (all will be Win2008 within a few months).

The AD schema already has the RFC2307 support, and I already have 110 RHEL Linux boxes authenticating against AD using pam_krb5 and nss_ldap.

On a test system running 11.23, I've installed the following packages using swinstall:
J4269AA_B.04.20_HP-UX_B.11.23_IA_PA.depot
KRB5CLIENT_D.1.6.2.04_HP-UX_B.11.23_IA_PA.depot
PAMKerberos_C.01.26_HP-UX_B.11.23_IA_PA.depot

The PHSS_39765 KRB5-Client patch is also installed.

Kerberos works fine, I can kinit and so forth against the AD servers. However, LDAP-UX bombs out early in the install.

Here's what happens. I run /opt/ldapux/config/setup, select 2 for AD, put in the hostname of the root AD server that is the schema master. I then have the AD admin put in his credentials to bind to it. That succeeds. It then asks if I want to extend the schema.

When we put in the admin's DN and password, the setup program bombs out and displays the following error:

PFMERR 43: Can't extend LDAP-UX Configuration profile schema on the Directory Server

We've confirmed that the admin account has schema privileges and we're connecting to the server that's the schema master. To rule out a Win2008 issue we moved the master to a Win2003 box and had the same issue.

I've read Eric Roseme's excellent Unified Login guide and I can't figure out what's wrong. Looking at the guide we are failing after the last step on page 23.

Any help would be appreciated. I'm under a lot of time pressure to get this completed. I can look at building PADL's nss_ldap, but I'd really rather not as the LDAP-UX software looks very well supported.

Thanks in advance.
Steven E. Protter
Exalted Contributor

Re: Problem setting up LDAP-UX with AD

Shalom,

For HP-UX to work those Windows 2003 boxes either need to be patched or R2.

If they are not patched, they will not work.

Sorry.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Re: Problem setting up LDAP-UX with AD

Could you be more specific? Which patches? The Win2003 servers I mentioned have already had their schema extended to support RFC2307.

Also, as I said in my post, the schema master was a Win2008 server. It failed on that host, too.

Re: Problem setting up LDAP-UX with AD

I should clarify, the Win2008 domain controllers are Win2008R2.
sl19797
Occasional Visitor

Re: Problem setting up LDAP-UX with AD

After the LDAP-UX profile schema was extended to AD, the setup program immediately checks to verify that the schema did get extended. Maybe the AD server delays the update. You can run setup one more time to see if it asks you to extend the schema again. Most likely, the problem will be gone.

Re: Problem setting up LDAP-UX with AD

Thanks for the reply. I've actually run the command countless times over two days. Same result.

LDAP-UX has some strange behavior with how it handles DNs. On the initial bind step where it checks to see if the schema has been extended already, if I put in the following DN it fails, saying "ldap_simple_bind: Invalid credentials":
CN=Bar\, Foo,OU=Domain Managers,OU=Domain Management,DC=hrblock,DC=net

If I wrap that DN in double quotes ("), it succeeds. However on the next step (extending the schema, apparently), if I put in the same DN in double quotes I get the above mentioned PFMERR43 error.

Here is what bothers me about this - why doesn't LDAP-UX properly handle unusual DNs? It should be quoting whatever you put in before passing it to ldapmodify already. The fact that I have to double quote the DN in the setup utility makes me wonder how LDAP-UX is handling passed variables.

There is further weirdness. We created a copy of the admin's account and put it in the Users folder. The reason was so that we could have a DN that didn't require escaping. It was named:
CN=Test01,CN=Users,DC=hrblock,DC=net

This account is able to bind and do queries with ldapsearch, but fails every time with the /opt/ldapux/config/setup command. I get the "ldap_simple_bind: Invalid credentials" error every time, and the AD server shows errors in authentication. Anyone have any suggestions?

I'm also looking to see if I can find the exact schema changes that LDAP-UX wants to do, in an LDIF, and just have the Windows guys install the schema on their side.

If I do that, will I be able to bypass the schema extension step?

Thanks for any help.
Bob Neal-Joslin
Trusted Contributor

Re: Problem setting up LDAP-UX with AD

Hi Jeffrey,

I'm not sure I can explain the issue with troubles binding after creating a new user.

In regards to an alternative way to bind, with ADS, it's sometimes possible to use the uid@domain notation to specify the bind ID instead of a DN. So instead of "cn=administrator,cn=users,dc=my,dc=org", you can simply say "administrator@my.org". See if that syntax works for you.

In regards to LDIF for direct import, allow me to research to see what might have already been created. If I can't find anything, I'll craft one up. It's defined by RFC 4876.

We'll also test to try to reproduce the non-plain DN issue.

Thanks,

Bob
Bob Neal-Joslin
Trusted Contributor
Solution

Re: Problem setting up LDAP-UX with AD

Hi again.

Here's the promised schema LDIF file. I don't have an ADS server available today for me to test this, so buyer beware. Anyway, you should be able to install this with ldapmodify to the schema master. But, be sure to replace "[DOMAIN_DN]" with the actual domain base DN for your environment.

See the attached file.

BTW, yes we do try our best to provide good support for LDAP-UX. So feel free to contact your HP support representative, to start tracking this issue.

Bob

Re: Problem setting up LDAP-UX with AD

Thanks a lot Bob. I'll get the LDIF ready for the Windows admin for when he's back in town next week.

If it helps, here's how the servers are laid out. Let's call our base domain example.com. Within this forest there are two domains foo.example.com and bar.example.com. Foo is the core network and bar is the DMZ network. Both domains have users, and I need to have systems in both domains authenticate. Neither domain trusts the other.

For Linux, I have separate configs for the two domains (though not much is different other than the domain names and where the access groups are located). For HP-UX, I'm planning on doing the same, setting up the config in both domains separately.

What we've been trying to do is extend the schema on the base controllers dc1.example.com and dc2.example.com. We'd then set up a profile in foo.example.com and bar.example.com.

Anyhow, we've had no luck getting the schema to extend on those two servers. One is Win2003 (not R2, but using the RFC2307 compliant schema), the other is Win2008R2. We'll try to extend the schema from the Windows side using this LDIF, assuming that there's not a better way to do it from LDAP-UX - or if somehow I'm doing something wrong, which is very possible.

Please keep in mind that my expertise is with Linux, IRIX, and Solaris. I don't have a lot of HP-UX experience so please let me know if there's something I might be missing.
Re: Problem setting up LDAP-UX with AD

Working with a profile LDIF provided by Monty (@ HP Support) I was able to get this working. Monty believes that the schema issue may be related to not using the Administrator account.

However, to be honest it's much easier for us to just use an ldapux_profile.ldif that's pushed out to the servers and then create the .bin manually. I'm not sure if it's in the documentation anywhere (I didn't see it), but if it isn't I'd highly recommend adding a chapter on doing this method and bypassing the AD schema extension. It's much easier for us to do it this way.

Thanks for all your help, so far everything seems to be working well with SIMPLE auth on 11.11, 11.23, and 11.31. Once we get the migration done I'll then work on securing the connection with GSSAPI.

Re: Problem setting up LDAP-UX with AD

Here is the solution I'm using for HP-UX 11.11, 11.23, and 11.31.

In case you're interested, I'm using a modified version of the profile Monty gave me, and a small install script to push out the configuration.

In advance of the migration, I'm installing the following software updates:
PAM_Kerberos
PAM_mkhomedir (from internet express)
KRB5CLIENT
LDAP-UX

I push out the following updated files to a vanilla system:
krb5.conf
ldapclientd.conf
ldapux_client.conf
ldapux_profile.ldif
nsswitch.conf
pam_authz.policy
pam.conf
pcred

/opt/ldapux/config/create_profile_cache
/sbin/init.d/ldapclientd.rc restart

I'd recommend that HP better document this method, as to be honest it can be far simpler to implement than using the setup program, especially in complex AD environments like mine where access to Administrator is restricted and where the Windows admins may be uncomfortable with the changes.

Thanks for all your help,
Jeffrey.
Bob Neal-Joslin
Trusted Contributor

Re: Problem setting up LDAP-UX with AD

A "local-only" profile is planned for an upcoming release, though we can't make commitments as to dates or features at this time. So we're looking to provide a "user-friendly" way to set up "schema-less" operation.

In regards to non-admin install of the schema, we'll do some testing, and see if we have any ideas or recommendations.

Bob

Re: Problem setting up LDAP-UX with AD

Thanks Bob!
grahamswilson
Trusted Contributor

Re: Problem setting up LDAP-UX with AD

Hi Jeffrey,

I think this was all resolved for you now, but I'm certainly interested in this posting!

I am working through Eric Roseme's document (v2 October 2009) now and had three questions.

1. For the installation of "Identity Management for UNIX" and subcomponents (particularly the "Server for NIS" component) - did you install that on a DC in your base/forest domain, or did you install it on DCs in both of your child domains? The guide (page 10) does say root domain, but I have to be cautious and it would be good to see if that's what you did!

2. We have a 2003R2 schema so I know we are already RFC2307 ready - but I have to deal with the best way to do the tiny schema update that you were originally having issues with. Because of our very complicated AD (1 forest, 5 child domains), our AD team get very twitchy about schema updates... I would much prefer to let them update the schema first, so that when I run the LDAP config utility it will see that no update is required...

I saw that Bob Neal-Joslin had kindly compiled the LDIF for you - with the caveat "buyer beware" as he couldn't test it.

Was that the LDIF that worked for you? I saw you mention one from Monty @ HP...

If you could let me know how you did ultimately get a working LDIF (or even send me yours so I can try and tailor it to our domain), that would also be great!
Assuming I am right in saying that once the Windows guys had applied that schema update directly, the LDAP config utility simply skipped that step?!

3. Did the Windows guys do the manual schema update on the root domain or each of the two child domains where your users are? It looks to me like it is supposed to be in the child domains, but I can't be sure.

I also like the sound of your "manual" process - but seeing as I haven't done one the "proper" way yet, I have no real idea of what goes in some of those files!

Any advice you could provide would be most appreciated!

Cheers,
Graham.

Re: Problem setting up LDAP-UX with AD

Hey Graham. My personal opinion is that unless you have a very large or complex installation (many domains or many servers) I would NOT use the bundled configuration utility.

The profile object in AD is a nice thing to have if you need to configure servers in many domains and you want to be able to update their configuration centrally, but to be honest for the vast majority of people I think it's simpler to just create your own LDIF and push it out to the clients.

We have about 100 servers, and the migration was really easy once I stopped trying to use the setup tool.

To answer your questions:

1) We don't have Identity Management for UNIX installed. It's not needed, unless you want the snap-in to manage attributes via "Users and Computers". All that's needed is a RFC2307 compliant schema. I'm sure it's mentioned in the documentation as one way of getting a compliant schema, but you already have that.

2) In our situation, the root of our forest is using the RFC2307 compliant schema (from Win2008R2), so all of the domains are using it. You do NOT need the schema update from LDAP-UX to get LDAP-UX to work with AD. The documentation from HP is a bit misleading in that regard. The schema update is ONLY for the profile object that allows the setup utility to get the configuration from the AD server. If you provide your own LDIF, it's not needed at all.

The LDIF worked great for me, once I tweaked some of the attribute mappings to match what we use. I'll attach a sanitized version of it so you can use it. It may work for you out of the box, but keep in mind that we probably store our data in slightly different places than you do.

3) If you provide your own LDIF no changes are required to the AD servers at all (unless you want the snap-in for Users and Computers). I was a very happy boy once I figured that out, as I like to minimize my interactions with (and modifications to) the AD server.

Here are the basic steps for getting this to work:

1) Edit the LDIF and customize it for your environment.
2) Make sure you're using the latest PAM_Kerberos, LDAP-UX, and KRB5CLIENT or YMMV.
3) Configure ldapclientd.conf and enable StartOnBoot. Enable only the services at the end of the file that you need (like passwd, group, etc).
4) Edit ldapux_client.conf as need be. Make sure no configuration is present under the [profile] section - this is the part that tells LDAP-UX to get its information from the AD server. You don't want it to get it from anywhere other than the local cache.
5) Push your custom ldapux_profile.ldif to /etc/opt/ldapux.
6) Copy out your pre-generated pcred file (for authenticating to the AD server) or generate it at time of install.
7) Run create_profile_cache and restart the ldapuxclientd daemon. If you have the custom LDIF in the right space with the right name (given above) no options are needed.
8) Profit.

I hope this helps, let me know if you have more questions. I found this method was MUCH easier for us as we could easily script it.

P.S. Don't worry about the weird unprintables in the LDIF related to the schema object. They're not used.
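Jeffrey's push-out procedure above (the file list in his earlier reply and steps 3 to 7 here), as an added example that is not part of the thread and is neither his install script nor anything from HP: a POSIX sh installer that stages the eight files he lists, refuses to proceed while ldapux_client.conf still has settings under [profile] (his step 4), then runs create_profile_cache and restarts ldapclientd. The destination directories (/etc and /etc/opt/ldapux), the staging-directory layout and the 600 mode on pcred are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from HP. Destination paths
# under /etc and /etc/opt/ldapux are assumptions based on the file names.

# Return 0 if INI-style FILE has any active setting under [SECTION],
# 1 if the section is missing or holds only blank and comment lines.
section_has_settings() {
    awk -v want="[$2]" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == want); next }
        insec && line != "" && line !~ /^[#;]/ { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Install the staged files from SRC into the tree rooted at ROOT.
# ROOT is "" on the live system; any other value is a dry run into a
# staging tree, where the cache rebuild and daemon restart are skipped.
install_ldapux_client() {
    src=$1
    root=${2:-}
    if section_has_settings "$src/ldapux_client.conf" profile; then
        echo "refusing: [profile] in ldapux_client.conf is not empty;" \
             "the client would fetch its profile from AD, not the local cache" >&2
        return 1
    fi
    mkdir -p "$root/etc/opt/ldapux" || return 1
    for f in ldapclientd.conf ldapux_client.conf ldapux_profile.ldif \
             pam_authz.policy pcred; do
        cp "$src/$f" "$root/etc/opt/ldapux/$f" || return 1
    done
    for f in krb5.conf nsswitch.conf pam.conf; do
        cp "$src/$f" "$root/etc/$f" || return 1
    done
    # pcred holds the proxy bind credential: keep it readable by root only.
    chmod 600 "$root/etc/opt/ldapux/pcred" || return 1
    if [ -z "$root" ]; then
        /opt/ldapux/config/create_profile_cache || return 1
        /sbin/init.d/ldapclientd.rc restart || return 1
    fi
}
```

Run `install_ldapux_client /path/to/staged ""` on the HP-UX host itself; any non-empty second argument only populates a staging tree for inspection.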
grahamswilson
Trusted Contributor

Re: Problem setting up LDAP-UX with AD

Thanks!

I have started a new thread - http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1404907 - with a continuation question(s)...

This way I can assign points - I owe you already.