LDAP-UX Client Services B.04.00 Release Notes
Limitations in LDAP-UX Client Services
To change entries in a directory, you can use directory administration
tools such as ldapmodify, ldapsearch, ldapdelete and ldapentry.
Clear Text Passwords
login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text
(unencrypted) over the network unless SSL or SASL DIGEST-MD5
authentication is enabled with the LDAP-UX setup program. However,
SASL DIGEST-MD5 may itself pose a security risk: to verify the digest,
the Directory Server must hold the password (or an equivalent unsalted
form of it), so it may store the password in clear text.
(NOTE: By default, both SSL and SASL DIGEST-MD5 authentication are
disabled.)
You can alternately use secure encrypted transport through the
IPSec/9000 product for stronger security. See the IPSec/9000
documentation at: http://docs.hp.com/hpux/communications/.
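The following decoder, added here as an illustration and not part of the LDAP-UX product or its documentation, shows concretely what an observer on the TCP/389 path learns from a simple bind versus a SASL bind. It encodes and parses the BER-encoded BindRequest defined in RFC 4511; the DN, password and message IDs are constructed sample values, not captured traffic.

```python
"""Decode an LDAP BindRequest (RFC 4511, BER) the way a sniffer on port 389
would, to show that a simple bind carries the password as plain octets while
a SASL bind exposes only the mechanism name. Added example; the sample
messages below are constructed here, not captured from a real client."""


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def integer(v: int) -> bytes:
    """INTEGER for small non-negative values (0..127), enough for this demo."""
    return tlv(0x02, v.to_bytes(1, "big"))


def octets(s: str) -> bytes:
    return tlv(0x04, s.encode())


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest {3, dn, [0] simple} }"""
    body = integer(3) + octets(dn) + tlv(0x80, password.encode())
    return tlv(0x30, integer(msg_id) + tlv(0x60, body))


def sasl_bind(msg_id: int, dn: str, mechanism: str, credentials: bytes = b"") -> bytes:
    """Same message, but authentication is [3] SaslCredentials {mechanism, creds}."""
    sasl = octets(mechanism) + (tlv(0x04, credentials) if credentials else b"")
    body = integer(3) + octets(dn) + tlv(0xA3, sasl)
    return tlv(0x30, integer(msg_id) + tlv(0x60, body))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet: bytes) -> dict:
    """Everything an on-path observer recovers from one BindRequest."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, auth, _ = read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode()}
    if auth_tag == 0x80:        # simple: the password is right there in the clear
        info["auth"] = "simple"
        info["password"] = auth.decode()
    elif auth_tag == 0xA3:      # SASL: only the mechanism name is readable
        _, mech, _ = read_tlv(auth, 0)
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode()
    else:
        info["auth"] = "unknown"
    return info


if __name__ == "__main__":
    dn = "uid=alice,ou=People,dc=example,dc=com"   # constructed sample DN
    print(parse_bind_request(simple_bind(1, dn, "Secret123")))
    print(parse_bind_request(sasl_bind(2, dn, "DIGEST-MD5")))
```

SSL/TLS hides the whole message, so neither form is visible; without it, the simple bind used by login(1) and passwd(1) is readable by anyone who can capture the segment, and DIGEST-MD5 only moves the exposure from the wire to the server's password store.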
Man page for ldapclientd.conf
Because of a limitation in the man command, you must specify the section
number, as in man 4 ldapclientd.conf, to view the man page for
ldapclientd.conf.
LDAP Security Policy Enforcement
With LDAP directory servers that support security policies (such as
account or password expiration), it is possible for HP-UX logins to adhere
to these policies. The design of the LDAP protocol enforces both
authentication and security policies in the same operation (ldap_bind).
The design of the PAM subsystem separates authentication and security
policy enforcement into two separate APIs, configured under the "auth"
and "account" portions of the /etc/pam.conf file. Because of these design
differences, administrators need to be aware that it is not possible to
use libpam_ldap for only authentication or for only security policy
enforcement. For example, it is not possible to use ssh public keys for
authentication and then use libpam_ldap for account policy enforcement,
since libpam_ldap does not have a password with
Table 1-5 (Continued)
groupadd(1M), groupdel(1M), groupmod(1M): These commands do not manage
group information in the directory.
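As an added illustration of the LDAP Security Policy Enforcement note above (this fragment is not from the HP-UX documentation), the following /etc/pam.conf lines show libpam_ldap stacked in both the auth and account stacks for login, which is the arrangement the note requires, beside an sshd account-only stack that cannot enforce directory policy. The module paths follow the HP-UX 11i v2 $ISA layout and are assumptions; use the paths and control flags your release ships.

```text
# login: libpam_ldap must appear in BOTH stacks. The account entry can
# enforce password/account expiration only because the auth entry just
# performed the ldap_bind with the user's password.
login  auth     required   /usr/lib/security/$ISA/libpam_hpsec.so.1
login  auth     sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login  auth     required   /usr/lib/security/$ISA/libpam_ldap.so.1 try_first_pass
login  account  required   /usr/lib/security/$ISA/libpam_hpsec.so.1
login  account  sufficient /usr/lib/security/$ISA/libpam_unix.so.1
login  account  required   /usr/lib/security/$ISA/libpam_ldap.so.1

# sshd with public-key authentication: the PAM "auth" stack is never run,
# so an account-only libpam_ldap entry has no password to bind with and
# cannot evaluate the directory's policy. Do not rely on this stack for it.
sshd   account  required   /usr/lib/security/$ISA/libpam_hpsec.so.1
sshd   account  required   /usr/lib/security/$ISA/libpam_ldap.so.1
```

The practical check is to look at each service in /etc/pam.conf that lists libpam_ldap under account and confirm the same service also lists it under auth with a password-based login path; if it does not, the directory's expiration policy is not being applied for that service.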