LDAP-UX Client Services B.04.00 Release Notes
HP-UX 11i v1, v2 and v3
Manufacturing Part Number: J4269-90069
E0207
© Copyright 2007, Hewlett-Packard Company.
Legal Notice Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Copyright © 2005 Hewlett-Packard Company. This document contains information which is protected by copyright.
1 LDAP-UX Client Services Release Notes

LDAP-UX Client Services Overview

LDAP-UX Client Services integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. Client systems get name service data from an LDAP directory as well as from the /etc/passwd and /etc/group files and other name services.
migration. In addition to NIS+ migration support, several enhancements are added. This release contains the following enhancements and changes:

• Support for AutoFS maps
  AutoFS is a client-side service that automatically mounts the appropriate file systems when users request access to them. If an automounted file system has been idle for a period of time, AutoFS unmounts it.

controls must be migrated manually. The NIS+ migration scripts support migration of the following NIS+ service data to an LDAP directory server:
  — groups
  — password
  — hosts
  — services
  — rpc
  — netgroup
  — protocols
  — networks
  — autofs
  — publickey
  — user-defined map
  Migration scripts are provided to ease the task of importing your NIS+ data into the LDAP directory.

using PAM-Kerberos. Refer to the “SASL/GSSAPI Support” section in the LDAP-UX Client Services B.04.00 with Microsoft Windows 2000/2003 Administrator’s Guide for details.

• Support for pam_authz login authorization enhancements
  Prior to LDAP-UX Client Services version B.04.00, pam_authz used netgroups as the method to define access rights to an HP-UX host or other PAM-enabled applications.

  A new configuration option has been added to ldapux_client.conf that allows the innetgr() function to do case-insensitive comparisons of user names. By default, this option is disabled.

• LDAP printer configurator supports lpadmin options
  The LDAP printer configurator now allows the administrator to specify default lpadmin options. These lpadmin options can be used when adding printers to LDAP.
Known Problems fixed in this release

The following is a list of defect fixes in this release:

• Defect Number JAGae08363
  Debugging logs sometimes can cause core.
• Defect Number JAGaf05041
  User will see debug code when running the lpc_shut script.
• Defect Number JAGaf13435
  ldapentry cannot modify entries returned with ldif versioning headers.

  Anonymous SSL bind now supports Digest-MD5 authentication.
• Defect Number JAGaf48124
  setup should not allow referrals for DIGEST-MD5 authentication.
• Defect Number JAGaf48478
  The migrate_group.pl script creates ou=Group, which is not consistent with Netscape Directory Server.
• Defect Number JAGaf50383
  getgrbymember shouldn’t search the user’s dn if X500 is not configured.

  Changes are made to improve interoperability with profiles generated by Solaris.
• Defect Number JAGaf64532
  ldappasswd core dumps on 11.23 with SSL.

Installing, Configuring and Removing LDAP-UX

LDAP-UX Client Services

This section provides basic instructions for installing and configuring the LDAP-UX Client Services.
Patch Requirements

For 11i v1, HP requires that you install the patches listed in Table 1-1. For 11i v2, HP requires that you install the patch listed in Table 1-2. For 11i v3, no patch is required.
Table 1-1 Required HP-UX 11i v1 Patches (Continued)

Patch Number   Platform              Automatic Reboot?   Description
PHKL_30398*    Workstation/Server    no                  KI FSS ID and KI_rfscall patch.
PHNE_27796     Workstation/Server    no                  libnss_dns DNS backend patch.
PHCO_31903*    Workstation/Server    no                  libc cumulative patch.
PHCO_31923*    Workstation/Server    no                  libc cumulative header file patch.

Patches for Related Products on HP-UX 11i v2

To use some of the features of LDAP-UX Client Services B.04.00 on HP-UX 11i v2, the patches for other products shown in Table 1-2 are needed:

Table 1-2 Patches on HP-UX 11i v2

Patch Number   Platform              Automatic Reboot?   Description
PHNE_33100     Workstation/Server    yes                 ONC AutoFS LDAP support patch.

NOTE  If AutoFS support with LDAP is not required, PHNE_33100 is not required.

Publickey-LDAP software bundle listed in Table 1-3 and LDAP-UX Client Services B.04.00 or later. On HP-UX 11i v3, the software bundle is not required.

Table 1-3 Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2

Patch Number        Platform       Automatic Reboot?   Description
Enhkey B.11.11.01   HP-UX 11i v1   yes                 Enhanced Publickey LDAP software bundle
Enhkey B.11.23.
NOTE  If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.

Kerberos Support on HP-UX 11i v1 or v2

To support integration with Active Directory Server, a specific version of the PAM-Kerberos product is required. On HP-UX 11i v1, version 1.11 of the PAM-Kerberos product is required. On HP-UX 11i v2, version 1.

Step 2. Run swinstall and install the LDAP-UX Client Services (LdapUxClient subproduct). It installs the product software in the /opt/ldapux and /etc/opt/ldapux directories.

Step 3. If you require ONC publickey, ONC AutoFS, or integration with Active Directory Server, see the section above for details about required product versions and how to obtain them. Install those products and/or patches in this step.

Step 4.
4I2vvzz2i1Ubq+Ajcf1y8sdafuCmqTgsGUYjy+J1weM061kaWOt0HxmXmrUdmenF
skyfHyvEGj8b5w6ppgIIA8JOT7z+F0w+/mig=
-----END CERTIFICATE-----

Step 2. Use the rm command to remove the old database files, /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:

    rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db

Step 3.

    /opt/ldapux/contrib/bin/certutil -A -n my-server-cert -t "P,," \
        -d /etc/opt/ldapux -a -i /tmp/mynew.cert

NOTE  The -t "p,," represents the minimum trust attributes that may be assigned to the LDAP server’s certificate for LDAP-UX to successfully use SSL to connect to the LDAP directory server. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information.
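The certificate pasted into /tmp/mynew.cert is what every later SSL connection to the directory server will trust, so it is worth checking that the file holds exactly one intact PEM block before handing it to certutil. The script below is an added example for this release note, not HP code: it checks the PEM structure in plain sh, then runs the same certutil import shown in Step 3 and lists the resulting database so the operator can compare it with what the directory administrator supplied. The paths /etc/opt/ldapux and /opt/ldapux/contrib/bin/certutil come from the release notes; the nickname, the file name and the certificate body used in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the HP release notes): validate a PEM certificate file
# before importing it into the LDAP-UX certificate database with certutil.
# Assumed paths are those printed in the release notes; "my-server-cert" and
# /tmp/mynew.cert are placeholders.

# pem_is_wellformed FILE
# Exit 0 only if FILE contains exactly one certificate block whose BEGIN/END
# markers match and whose body consists solely of base64 lines.
pem_is_wellformed() {
    f=$1
    [ -r "$f" ] || return 1
    # grep -c exits 1 when the count is 0; "|| true" keeps the "0" and a clean status.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
    # Body: every line strictly between the two markers.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$f" | sed '1d;$d')
    [ -n "$body" ] || return 1
    # Any non-base64 line (stray text, a truncated paste, an empty line) is a failure.
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]\{1,\}$'; then
        return 1
    fi
    return 0
}

# import_server_cert CERTFILE NICKNAME [CERTDB]
# Runs the certutil import from the release notes only after the PEM check
# passes, then lists the database so the imported certificate can be compared
# against the copy obtained out of band from the directory administrator.
import_server_cert() {
    cert=$1; nick=$2; certdb=${3:-/etc/opt/ldapux}
    if ! pem_is_wellformed "$cert"; then
        echo "refusing to import $cert: not a single well-formed PEM certificate" >&2
        return 1
    fi
    # Trust flags exactly as in the release notes' certutil command.
    /opt/ldapux/contrib/bin/certutil -A -n "$nick" -t "P,," -d "$certdb" -a -i "$cert" || return 1
    /opt/ldapux/contrib/bin/certutil -L -d "$certdb"
}

# demo_pem_check: stand-alone run of the check on a constructed (not real)
# certificate body; succeeds when the file passes.
demo_pem_check() {
    tmp=${TMPDIR:-/tmp}/pemcheck.$$
    {
        echo '-----BEGIN CERTIFICATE-----'
        echo 'MIIBszCCAVwCAQAwDQYJKoZIhvcNAQEFBQAwLTELMAkGA1UEBhMCVVMxHjAcBgNV'
        echo 'BAMTFWxkYXAuZXhhbXBsZS5pbnZhbGlk'
        echo '-----END CERTIFICATE-----'
    } >"$tmp"
    if pem_is_wellformed "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# On the target host (after Step 2 has removed the old cert8.db/key3.db):
# import_server_cert /tmp/mynew.cert my-server-cert
```

The check rejects a file with a missing END marker, a second pasted certificate, or non-base64 characters in the body, which are the usual results of a bad copy-and-paste; it does not parse the certificate itself, so the fingerprint comparison against the directory administrator's copy is still the operator's job.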
Step 2. Save a copy of /etc/pam.conf and modify the original file to add /usr/lib/security/libpam_ldap.1 on an HP-UX 11i v1 system or libpam_ldap.so.1 on an HP-UX 11i v2 system where appropriate. If your system is in standard mode, see /etc/pam.ldap for an example. If your system is in Trusted Mode, see /etc/pam.ldap.trusted for an example.

NOTE  If you use PAM Kerberos, you must configure PAM Kerberos.
Alternatively, you can manually re-link the attribute configuration file to SFU 2.0 before running migration. Use this command to switch to SFU 2.0:

    ln -fs /etc/opt/ldapux/default_profile_attr_ads_sfu2.ldif \
        /etc/opt/ldapux/default_profile_attr_ads.ldif

LDAP-UX Client Services will also use SFU 2.0 in the absence of the softlink /etc/opt/ldapux/default_profile_attr_ads.ldif.

    PROFILE_ID="acct.myorg.mycom.com"
    LDAP_HOSTPORT="192.10.10.12:389"
    PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=acct,dc=myorg,dc=mycom, \
    dc=com"
    PROGRAM="/opt/ldapux/config/create_profile_cache \
      -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorg.mycom.com \
      -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com"

After you update the product to version B.04.
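The domain profile fragment above uses shell-style KEY="value" assignments with backslash continuations, and it carries a PROGRAM line that is meant to be executed. Reading such a file by sourcing it would run whatever it contains, so an administration script that only needs the values should extract them textually. The following added example (not HP code) does that in plain sh and validates LDAP_HOSTPORT before the value is used; the file layout is taken from the fragment in the release notes, the temporary file path is a placeholder, and IPv6 literals in LDAP_HOSTPORT are not handled because the release notes only show an IPv4 address.

```shell
#!/bin/sh
# Added example (not from the HP release notes): read PROFILE_ID, LDAP_HOSTPORT,
# PROFILE_ENTRY_DN and PROGRAM from a domain profile file without sourcing it.
# Layout assumed: KEY="value" lines, with "\" at end of line continuing the value
# on the next line, as in the release notes' fragment.

# conf_value FILE KEY
# Prints the value of the first KEY="..." definition in FILE, after joining
# backslash-continued lines and stripping the surrounding quotes.
conf_value() {
    f=$1; key=$2
    # awk: accumulate lines while they end in a backslash, then emit the joined line.
    awk '{ line = line $0; if (sub(/\\$/, "", line)) next; print line; line = "" }
         END { if (line != "") print line }' "$f" |
        sed -n "s/^[[:space:]]*${key}=\"\(.*\)\"[[:space:]]*\$/\1/p" | head -n 1
}

# hostport_is_valid HOST:PORT
# Accepts a hostname or IPv4 literal followed by ":" and a port in 1..65535.
hostport_is_valid() {
    hp=$1
    host=${hp%:*}; port=${hp##*:}
    [ "$host" != "$hp" ] || return 1        # no colon at all
    [ -n "$host" ] || return 1
    printf '%s' "$host" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$' || return 1
    printf '%s' "$port" | grep -Eq '^[0-9]+$' || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# check_profile FILE
# Validates LDAP_HOSTPORT and the presence of PROFILE_ENTRY_DN, then prints the
# four settings one per line (ID, host:port, DN, program). Fails on a bad profile.
check_profile() {
    f=$1
    id=$(conf_value "$f" PROFILE_ID)
    hp=$(conf_value "$f" LDAP_HOSTPORT)
    dn=$(conf_value "$f" PROFILE_ENTRY_DN)
    prog=$(conf_value "$f" PROGRAM)
    hostport_is_valid "$hp" || { echo "bad LDAP_HOSTPORT: '$hp'" >&2; return 1; }
    [ -n "$dn" ] || { echo "missing PROFILE_ENTRY_DN" >&2; return 1; }
    printf '%s\n' "$id" "$hp" "$dn" "$prog"
}

# Usage on a client, path is a placeholder:
# check_profile /etc/opt/ldapux/domain_profiles/acct.myorg.mycom.com.conf
```

The PROGRAM value is printed but never executed here; a caller that decides to run it should do so only after confirming the profile file is root-owned and not writable by others, since that line is effectively a command to be run with the caller's privileges.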
NIS/LDAP Gateway

This section provides basic instructions for installing the NIS/LDAP Gateway. For complete installation and configuration instructions, see the NIS/LDAP Gateway Administrator’s Guide.

Preparing for Installation

Verify that you have at least five megabytes of free disk space under /opt.

Installing the NIS/LDAP Gateway

Use the SD-UX facility for installation. See the swinstall(1M) man page for details.

Step 1. Log in to your system as root.

preload_maps to preload_maps group.byname. The user you identify in the binddn must be an LDAP directory user that is allowed to read the userPassword attribute.
• If the NIS domain you use is the same as the domain being used by an existing NIS server, you must stop and disable the NIS server. You can do this by executing the command /sbin/init.d/nis.server stop to stop the NIS server.

Installing and Configuring LDAP Client Administration Tools

This section provides basic instructions for installing the LDAP Client Administration Tools. For complete installation and configuration instructions, see the NIS/LDAP Gateway Administrator’s Guide.

Preparing for Installation

Verify that you have at least 36 megabytes of free disk space under /opt.
Documentation

The documentation below is available on the HP-UX Documentation web site at http://docs.hp.com/hpux/internet or where indicated.

Table 1-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway

Title                                                   Description
LDAP-UX Client Services B.04.00 Administrator’s Guide   How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services. (part number J4269-90053)
LDAP-UX Client Services B.04.

Related Documentation

• Netscape Directory Server for HP-UX Administrator’s Guide and other titles available at: http://docs.hp.com/hpux/internet
• NIS/LDAP Gateway Administrator’s Guide (J4269-90028) available at: http://docs.hp.com/hpux/internet
• Various white papers related to LDAP-UX are available at: http://docs.hp.com/hpux/internet
• Preparing your LDAP Directory for HP-UX Integration White Paper available at: http://docs.hp.
Known Problems and Workarounds

For LDAP-UX Client Services

This section describes all currently known problems with the LDAP-UX Client Services product.

• Active Directory Server
  If the password expires, the user cannot log into HP-UX clients. The administrator will have to reset the password, or the user will have to log into the Windows 2000 or 2003 system to reset the password, before the user can log into HP-UX machines.

A single entry representing a host/computer in an LDAP directory can contain multiple IP addresses for each hostname record. The /etc/hosts file, however, requires a separate entry for each IP address. If the system has been configured with multiple IP addresses for the same hostname, then the migration script migrate_host.
Limitations in LDAP-UX Client Services

The following are limitations in this version of the LDAP-UX Client Services.

/etc/pam.conf

HP delivers two PAM example configuration files, /etc/pam.ldap and /etc/pam.ldap.trusted, in this release. You need to configure /etc/pam.conf properly for LDAP-UX to work as expected.

• Microsoft Windows 2000/2003 Active Directory - Fully tested and supported
• OpenLDAP 2.1.13a - Verified with limited support
  — Manual schema installation required
• Novell eDirectory 8.7 - Minimally verified
• IBM IDS 5.1 - Minimally verified
• Oracle Internet Directory 9.

  — group
  — netgroup
  — services
  — rpc
  — hosts
  — networks
  — autofs
  — publickey
  — protocols
  — user-defined maps
• LDAP-UX Client Services using Windows 2000/2003 Active Directory Server does not support netgroup, automount and publickey service data.
• LDAP-UX Client Services using Windows 2000/2003 Active Directory Server currently supports hosts, protocols, networks, rpc, and services in a single domain.
SSL With Windows 2000 Active Directory Server

The Windows 2000 Active Directory Server requires Service Pack 4.

Limitations of Printer Configurator

• The new LDAP printer schema based on IETF is imported into the LDAP Directory Server to create the printer objects.
Table 1-5 (Continued)

groupadd(1M), groupdel(1M), groupmod(1M)   These commands do not manage group information in the directory. To change entries in a directory, you can use directory administration tools such as ldapmodify, ldapsearch, ldapdelete and ldapentry.

which it can use to bind to the directory server. The same is true if Kerberos is used for authentication; libpam_ldap cannot be used for security policy enforcement alone.
networks name service
protocols name service
rpc name service
automount name service
aliases name service
services name service
publickey name service
printer configurator
pam_authz X.500-style group syntax
pam_ldap
Trusted Mode Security[5]
Standard Mode Security
LDAP Command-line Utils.

4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features. Identities stored on the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
6.

For example, if a new group in a different section of the directory is created to contain all UNIX users and the common name (CN) of this group duplicates an existing name, the migration will fail because the sAMAccountName attribute is not unique. You can work around this limitation by modifying the LDIF file to use a unique value for sAMAccountName.
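Because the import fails only when Active Directory rejects the duplicate, it is cheaper to find clashing sAMAccountName values in the migration LDIF before running the import and to rename them then, as the workaround above suggests. The script below is an added example, not HP's migration tooling: it unfolds LDIF continuation lines, matches the attribute name case-insensitively (LDIF attribute names are), and compares values lowercased because Active Directory enforces sAMAccountName uniqueness without regard to case. The LDIF used in the demonstration is constructed for this example.

```shell
#!/bin/sh
# Added example (not from the HP release notes): report sAMAccountName values
# that occur more than once in a migration LDIF, so they can be made unique
# before the import into Active Directory is attempted.

# ldif_duplicate_samaccountnames FILE
# Prints each duplicated sAMAccountName (lowercased) followed by its count,
# one per line, sorted; prints nothing when every value is unique.
# Base64-encoded values ("sAMAccountName::") are not decoded and are skipped.
ldif_duplicate_samaccountnames() {
    awk '
        # A line starting with a single space continues the previous line (LDIF folding).
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END {
            if (buf != "") emit(buf)
            for (v in seen) if (seen[v] > 1) print v, seen[v]
        }
        # emit(l): count the value if l is an sAMAccountName attribute line.
        function emit(l,   v) {
            if (tolower(substr(l, 1, 15)) != "samaccountname:") return
            v = substr(l, 16)
            if (substr(v, 1, 1) == ":") return      # base64 value, not handled here
            sub(/^ */, "", v)
            seen[tolower(v)]++
        }
    ' "$1" | sort
}

# ldif_samaccountnames_unique FILE
# Exit 0 when no sAMAccountName is duplicated in FILE, 1 otherwise.
ldif_samaccountnames_unique() {
    [ -z "$(ldif_duplicate_samaccountnames "$1")" ]
}

# demo_duplicates: stand-alone run on a constructed LDIF in which a group and a
# legacy user entry reuse the same name in different containers, with different
# attribute-name and value casing. Prints "unixusers 2".
demo_duplicates() {
    tmp=${TMPDIR:-/tmp}/samcheck.$$
    cat >"$tmp" <<'EOF'
dn: CN=Unix Users,OU=Groups,DC=example,DC=invalid
objectClass: group
sAMAccountName: unixusers

dn: CN=J Smith,OU=People,DC=example,DC=invalid
objectClass: user
sAMAccountName: jsmith

dn: CN=unixusers,OU=Legacy,DC=example,DC=invalid
objectClass: user
samaccountname: UnixUsers
EOF
    ldif_duplicate_samaccountnames "$tmp"
    rm -f "$tmp"
}

# Usage before an import (path is a placeholder):
# ldif_samaccountnames_unique /tmp/migrated_groups.ldif || echo "fix duplicates first"
```

Run against the LDIF produced by the migration scripts, the report names exactly the values that the sAMAccountName uniqueness rule will reject, which is what has to be edited before the import; entries already present in the directory are not seen by this check, so a second pass with ldapsearch against the target domain is still needed for names that exist only on the server side.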
Limitations in NIS/LDAP Gateway

The following are limitations in this version of the NIS/LDAP Gateway.

• Crypt Passwords
  The NIS/LDAP Gateway product requires that user passwords be stored in the directory server in the same format as in an /etc/passwd file. This is known as “Unix Crypt” format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server.