Safeguard Authentication Services 5.0.2 - Administration Guide

Limitations of RFC 2307 as implemented by Microsoft

The RFC 2307 specification assumes that the cn attribute is multivalued. In Active Directory, the cn attribute is single-valued. This means that you must create aliases as separate objects.

NIS is case-sensitive and Active Directory is case-insensitive. Some aliases for certain NIS map entries are the same keys except all capitalized. Active Directory cannot distinguish between names that differ only by case.

Installing and configuring the Safeguard Authentication Services NIS components

To ensure that the NIS proxy agent daemon, vasypd, does not cause any system hangs when you install, configure, or upgrade it, follow the steps for each supported Unix platform outlined in this section.

Installing and configuring the Linux NIS client components

You can find the vasyp.rpm file in the client directory for your Linux operating system on the installation media.

To install and configure vasyp on Linux

1. Ensure that the system ypserv daemon is stopped by running the following as root:

   # /etc/init.d/ypserv stop

   Note: You do not need to do this if you have not previously configured ypserv.
   

   Note: This option is not available on SUSE Linux (11 or later) or on Red Hat.
   

2. Ensure that the system ypserv daemon is not configured to start at system boot time.

   The commands for doing this vary for the different supported Linux distributions. Please see your operating system documentation for instructions on disabling system services.

3. Ensure that the system ypbind daemon is not running by entering the following command:

   # /etc/init.d/ypbind stop

4. Ensure that the system ypbind daemon is configured to start at system boot time.

   The commands for doing this vary for the different supported Linux distributions. Please see your operating system documentation for instructions on enabling system services.

5. As root, mount the Safeguard Authentication Services installation CD, change directories into the linux directory, and run the following command:

   # rpm -Uvh vasyp-<version>.<build number>.rpm

   As part of the install process, vasyp is registered with chkconfig to start at system boot time.

6. Configure the ypbind daemon to only talk to NIS servers on the local network interface by modifying /etc/yp.conf to contain only the following entry:

   ypserver localhost

   You can use either localhost or the actual hostname.

7. Set the system NIS domain name to match the Active Directory domain to which you are joined by running the following command as root:

   # domainname example.com

   where example.com is the domain to which your machine has been joined.

   Set the NIS domain name permanently on Red HatLinux by modifying /etc/sysconfig/network to have the following option:

   NIS_DOMAIN="example.com"

   where example.com is the Active Directory domain to which the machine is joined.

   On SUSE Linux, modify the /etc/defaultdomain file to include only example.com where example.com is the Active Directory domain to which you are joined.

8. Start vasyp with the following command:

   # /etc/init.d/vasypd start

9. Start ypbind with the following command:

   # /etc/init.d/ypbind start

   You can now use the NIS utilities like ypwhich and ypcat to query vasyp for NIS map data.

Installing and configuring the Oracle Solaris NIS client components

You can find the vasyp.pkg file in the client directory for your Oracle Solaris operating system on the installation media.

To install and configure vasyp on Oracle Solaris

1. Stop the system ypserv and ypbind daemons by running the following commands as root:

   1. Stop ypbind

      # svcadm disable nis/client

   2. Stop vasypd

      # svcadm disable vasypd

   3. Stop ypserv

      # svcadm disable network/nis/server

      Note: When installing the Safeguard Authentication Services vasypd Unix component on Oracle Solaris 10 (or later), you must have the rpcbind service enabled on the host for this service to start. To enable it, run this command:

      # /usr/sbin/svcadm enable -s network/rpc/bind

2. As root, mount the installation CD, change to the solaris directory, and run the following command:

   # pkgadd -d vasyp_SunOS_<platform>-<version>.pkg all

3. Create the /var/yp/binding/example.com directory where example.com is the Active Directory domain to which you are joined.
4. Create the /var/yp/binding/example.com/ypservers file and add the following line or modify the existing file to only contain this line:

   localhost

5. Set the system NIS domain name to match the Active Directory domain to which you are joined by running the following command as root:

   # domainname example.com

   where example.com is the domain to which your machine has been joined.

   Note: This only sets your NIS domain name for the current environment.

6. Set the NIS domain name permanently by modifying /etc/defaultdomain to include only the following line:

   example.com

   where example.com is the Active Directory domain to which you are joined.

7. Start vasyp with the following command:

   # /etc/init.d/vasypd start

8. Start ypbind with the following command:

   # svcadm enable nis/client

You can now use the NIS utilities like ypwhich and ypcat to query vasyp for NIS map data.