Operating System - HP-UX

LDAP-UX using AD container for CN

Richard I Curtis
Frequent Advisor

LDAP-UX using AD container for CN

I am trying to configure LDAP-UX to authenticate to our 2003r2 AD servers, but I have hit a stumbling block.

Our Active Directory looks like:
Domain.Com
    Built-In
    Computers
    ...
    DC-Users
        Admins
        3rdParty

So, our admins are all in the container named DC-Users, then a sub-container again called Admins. Our suppliers are in the container DC-Users, then the sub-container 3rdParty.

Is it possible to configure the LDAP-UX lookups to use a CN of DC-Users, and then allow users from all sub-containers to log in? In this case, anyone from 3rdParty and Admins should be able to log in.

Unfortunately, moving all the users into the same container (without sub-containers) is not an option for security reasons.
Court Campbell
Honored Contributor

Re: LDAP-UX using AD container for CN

I don't have an answer, but I will say that in my past (experimental) experiences I ran into issues with usernames that were more than 8 characters. If I remember correctly they couldn't log on and had some other issues. But that was a while back. Good luck!
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Richard I Curtis
Frequent Advisor

Re: LDAP-UX using AD container for CN

Thankfully, all of the actual usernames are 8 characters or less...

As long as I can authorise all users from the sub-containers (sub-container names *may* have to contain a space - I will have to look further into this), I should be OK.

Hopefully someone out there has a similar working setup so fingers crossed :)
kevin_m
Valued Contributor

Re: LDAP-UX using AD container for CN

Yes, you can set up multiple containers for login access. Run /opt/ldapux/config and at some point you'll be prompted for the base DN where LDAP-UX clients should look for user and group information. Use "CN=dc-users,DC=domain,DC=com" but don't include any subcontainers. If you're using PAM then user access can be controlled by adding groups to /etc/opt/ldapux/pam_authz.policy. If you want to restrict login access to admins, for example, only add the line 'allow:ldap_group:CN=admins,CN=dc-users,DC=domain,DC=com' and exclude the other groups.

There's a lot more to the configuration but let me know if this helps.

Kevin
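As an added illustration (not from this thread, and not LDAP-UX's own code): a Python check of which entries a subtree-scoped search from the base DN Kevin describes would return, showing why sub-containers such as Admins and 3rdParty, including container names with spaces, fall under CN=dc-users without being listed in the base DN. The sample DNs are constructed, and the assumption that LDAP-UX searches the base DN with subtree scope is mine.

```python
import re

# Resolve one RFC 4514 escape: "\XX" hex pair or "\c" single character.
def _unescape(m):
    tok = m.group(1)
    return chr(int(tok, 16)) if len(tok) == 2 else tok

def split_dn(dn):
    """Split a DN string into its RDN strings, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            buf.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts

def normalize_rdn(rdn):
    """Return (attribute, value) in comparable form: case-folded, with
    unescaped leading/trailing whitespace dropped and escapes resolved."""
    attr, _, value = rdn.partition("=")
    value = re.sub(r"^\s+", "", value)
    value = re.sub(r"(?<!\\)\s+$", "", value)
    value = re.sub(r"\\([0-9A-Fa-f]{2}|.)", _unescape, value)
    return attr.strip().lower(), value.lower()

def in_subtree(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies anywhere beneath it,
    which is exactly what a subtree-scoped search from base_dn returns."""
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base

# Constructed sample DNs modelled on the layout in the question (not real data).
BASE = "CN=DC-Users,DC=domain,DC=com"
SAMPLE_USERS = {
    "admin1": "CN=admin1,CN=Admins,CN=DC-Users,DC=domain,DC=com",
    "vendor1": "CN=vendor1,CN=3rd\\ Party,CN=DC-Users,DC=domain,DC=com",
    "svcacct": "CN=svcacct,CN=Users,DC=domain,DC=com",
}

def users_in_scope(base_dn=BASE, users=SAMPLE_USERS):
    """Names of the sample users a subtree search from base_dn would find."""
    return sorted(u for u, dn in users.items() if in_subtree(dn, base_dn))

if __name__ == "__main__":
    print(users_in_scope())   # ['admin1', 'vendor1']
```

Entries outside the container (the constructed svcacct under CN=Users) are not returned, which is the same boundary the pam_authz.policy group rules then narrow further.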
Richard I Curtis
Frequent Advisor

Re: LDAP-UX using AD container for CN

Excellent - that looks exactly like what I need. I am unable to test it at this time as I am having other problems getting LDAP-UX to extend the schema. Once that's resolved, I will post back on this thread to confirm that the above works.