Internet Express for Tru64 UNIX Version 6.10 Administration Guide (5900-1418, March 2011)

5. Verify that the accounts branch works by entering the following command, substituting the
values you found in step 1 for searchbase, machine_dn, and machine_pass:
/usr/local/bin/ldapsearch \
-D "machine_dn" -w "machine_pass" \
-b "searchbase" \
ou=accounts
6. Use the Administration utility (or manually edit the /etc/ldapcd.conf file) to add the
following entry, substituting the value you found in step 1 for searchbase:
userbranch: ou=accounts,searchbase
Note:
After you add a default user or group branch to the /etc/ldapcd.conf file, the Administration
utility and the LDAP utilities in /usr/internet/ldap_tools use this branch by default. As a
result, other entries that were created before you added the group or user branch might be masked.
Extended LDAP Schema for UNIX Account Information
Internet Express depends on certain object classes and attributes being present in the directory
server. These items are defined by RFC 2307 and are present when you use a directory server
installed by Internet Express.
If you plan to use a directory server that was not installed by Internet Express, you must verify
that the required schema elements are present. The required schema elements are documented in
RFC 2307, which can be found at:
http://www.faqs.org
If you want to use schema objects other than those defined in RFC 2307 and plan to use the
Internet Express LDAP authentication module, you must change the default configuration to
recognize your custom objects and attributes. You can make the needed changes using the Internet
Express system administration user interface (see Section : Default Configuration for the LDAP
Module for System Authentication).
The Internet Express kit includes LDAP utilities that work with the RFC 2307 schema objects supplied
by Internet Express. See Section : Utilities for Maintaining User Information in the LDAP Directory
Server for information on these utilities. Note that these LDAP tools are sensitive to the directory
server's schema and therefore cannot support a schema that differs greatly from the RFC 2307
definition. A provided tool, /usr/internet/ldap_tools/ldap_check, can be used to verify
the schema once the configuration changes have been made.
The LDAP utilities require a userPassword attribute that stores, and returns unchanged, the
supplied value, which has the form:
{crypt}crypted-string
where {crypt} is a keyword indicating the type of password encryption used for the passwd
file and crypted-string is the encrypted password.
Directory servers provided by Internet Express handle this feature properly. Other directory servers,
such as Oracle's Internet Directory, interpret the supplied string as a password to be encrypted
and return a value that is not compatible with the standard BSD crypt mechanism. When using
such a directory server, you must create a schema object similar to the RFC 2307
unixAccount object, but with another attribute substituted for the standard userPassword
attribute. This substitute attribute should be of the type case exact string. Be sure to
use the substituted attribute name in the LDAP Caching Daemon Configuration File.
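As an added illustration (not part of this guide, and not the ldap_check tool), the following Python script applies the check described above to ldapsearch output: it parses an RFC 2307 entry and reports whether the password attribute named in /etc/ldapcd.conf holds a {crypt}-prefixed BSD crypt string that the server returned unchanged, or a value the server re-hashed itself. The entry text, the crypt string and the substitute attribute name unixCryptPassword are constructed for the example.

```python
import base64
import re

BSD_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2 salt + 11 hash chars of BSD crypt

def parse_ldif_entry(ldif):
    """Parse one ldapsearch LDIF entry into {attribute (lower-cased): [values]}.
    Handles folded lines (leading space) and base64 values ('attr:: ...')."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:        # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):    # skip ldapsearch's comment lines
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode(errors="replace")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs

def check_crypt_password(attrs, password_attr="userPassword"):
    """Return (ok, reason) for the password attribute named in /etc/ldapcd.conf.
    A value the server re-hashed itself (e.g. {SSHA}...) is reported as unusable."""
    values = attrs.get(password_attr.lower())
    if not values:
        return False, "attribute %s is missing from the entry" % password_attr
    value = values[0]
    if not value.lower().startswith("{crypt}"):
        return False, "value is not {crypt}-prefixed: %s..." % value[:8]
    if not BSD_CRYPT_RE.match(value[len("{crypt}"):]):
        return False, "text after {crypt} is not a 13-character BSD crypt string"
    return True, "crypt string usable by the Internet Express LDAP tools"

# Constructed sample entries shaped like ldapsearch output; not captured from a real server.
CRYPT_VALUE = "{crypt}abJ4pKXY73HtQ"          # constructed 13-character crypt string
GOOD_ENTRY = ("dn: uid=jdoe,ou=accounts,dc=example,dc=com\nobjectClass: posixAccount\n"
              "uid: jdoe\nuserPassword:: " + base64.b64encode(CRYPT_VALUE.encode()).decode() + "\n")
REHASHED_ENTRY = ("dn: uid=jdoe,ou=accounts,dc=example,dc=com\nobjectClass: posixAccount\n"
                  "uid: jdoe\nuserPassword: {SSHA}" + "Q" * 28 + "\n")
SUBSTITUTE_ENTRY = ("dn: uid=jdoe,ou=accounts,dc=example,dc=com\nuid: jdoe\n"
                    "description: account used for\n  the payroll batch jobs\n"
                    "unixCryptPassword: " + CRYPT_VALUE + "\n")

if __name__ == "__main__":
    print(check_crypt_password(parse_ldif_entry(GOOD_ENTRY)))
    print(check_crypt_password(parse_ldif_entry(REHASHED_ENTRY)))
```

To run it against a live server, feed the script the output of the ldapsearch command from step 5 and pass the attribute name you configured in /etc/ldapcd.conf as the second argument.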
Example 3 shows sample user and group object class definitions.
70 User Authentication