LDAP-UX Client Services B.04.00 Release Notes
LDAP-UX Client Services Release Notes
Limitations in LDAP-UX Client Services
Chapter 134
which it can use to bind to the directory server. The same is true if
Kerberos is used for authentication; libpam_ldap cannot be used for
security policy enforcement alone.
SASL/GSSAPI Profile Download Support
The current release of LDAP-UX does not support automatic downloading of
the LDAP-UX profile when SASL/GSSAPI authentication is used and that
authentication uses a host or service principal whose key is stored in a
Kerberos keytab file. This limitation affects the "profile time to live"
feature, which automatically re-downloads a profile after its profileTTL
time period has expired.
In this situation, profiles can still be downloaded manually using the
get_profile_entry command, as long as a principal and password are
provided on the command line. The following command shows an example of
how to download the profile manually. If your profile changes frequently,
you may wish to place this in a script that is called periodically by
cron. Note that a password given with -w is visible to other users in the
process list while the command runs, so protect any script or crontab
entry that contains it.
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"
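A cron-driven form of the manual download above, as an added example that is not part of the release notes or of the LDAP-UX product. It assumes the bind DN and password are kept in a file readable only by the invoking user (the file name /etc/opt/ldapux/profile_bind and the install path of the script are assumptions), checks that file's ownership and mode before using it, runs get_profile_entry with the options shown above, and logs the outcome. The credential file keeps the password out of the crontab and the script, but -w still places it on the command line for the duration of the call.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX release notes: a cron-driven wrapper
# around the manual profile download shown above.
#
# Assumptions (hypothetical, not documented by the product): the bind DN and
# password are kept in a file owned by the invoking user, DN on line 1 and
# password on line 2. The default file name below is an assumption; the
# get_profile_entry path and options (-s NSS -D <dn> -w <password>) are the
# ones shown in the release notes. Both paths can be overridden from the
# environment so the functions can be exercised against a stand-in binary.
GET_PROFILE="${GET_PROFILE:-/opt/ldapux/config/get_profile_entry}"
CRED_FILE="${CRED_FILE:-/etc/opt/ldapux/profile_bind}"

# log_msg MESSAGE...: log via syslog when logger exists, otherwise to stderr,
# so a cron run leaves a trace even when cron mail is discarded.
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t ldapux-profile "$*"
    else
        echo "ldapux-profile: $*" >&2
    fi
}

# cred_file_is_private FILE: succeed only if FILE is a regular file owned by
# the invoking user with no group or other permission bits. Credentials that
# anyone else can read are refused rather than used.
cred_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")          # $1 = mode string, $3 = owner
    [ "$3" = "$(id -un)" ] || return 1
    case "$1" in
        ?rw-------|?rw-------.|?r--------|?r--------.) return 0 ;;
        *) return 1 ;;
    esac
}

# refresh_ldapux_profile: re-download the NSS profile. Returns 0 on success,
# 2 when the credential file is unusable, otherwise get_profile_entry's own
# exit status. The password still passes through -w, and therefore through
# the process list while the command runs; the file only keeps it out of the
# crontab and this script.
refresh_ldapux_profile() {
    if ! cred_file_is_private "$CRED_FILE"; then
        log_msg "refusing to run: $CRED_FILE missing, not a regular file, or readable by others"
        return 2
    fi
    bind_dn=$(sed -n 1p "$CRED_FILE")
    bind_pw=$(sed -n 2p "$CRED_FILE")
    if [ -z "$bind_dn" ] || [ -z "$bind_pw" ]; then
        log_msg "refusing to run: $CRED_FILE must hold the bind DN on line 1 and the password on line 2"
        return 2
    fi
    "$GET_PROFILE" -s NSS -D "$bind_dn" -w "$bind_pw"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log_msg "profile re-downloaded from the directory"
    else
        log_msg "get_profile_entry failed with exit status $rc"
    fi
    return "$rc"
}

# Run from cron with a single argument, for example hourly:
#   0 * * * * /usr/local/sbin/refresh_ldapux_profile.sh run
# (the installation path is an assumption). Without the argument the file
# only defines the functions.
case "${1-}" in
    run) refresh_ldapux_profile; exit $? ;;
esac
```

The permission check deliberately fails closed: a credential file that is group- or world-readable, or owned by someone else, causes the refresh to be skipped and logged rather than performed with credentials that may already be exposed.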
Changing authentication methods
If you wish to switch from your current authentication method, such as
SIMPLE or SASL/DIGEST-MD5, to SASL/GSSAPI, TLS:SIMPLE or
TLS:SASL/DIGEST-MD5, you must restart the ldapclientd daemon after
making the configuration changes. This step is required to ensure that
the proper GSS-API, Kerberos and/or SSL initialization is completed.
Supported Features For Particular Directory Servers
The following table shows the supported features for particular directory
servers:

Feature                    Netscape Directory Server   Microsoft ADS
-------------------------------------------------------------------
passwd name service        Supported                   Supported
group name service         Supported                   Supported
netgroup name service      Supported                   Not Supported
hosts name service         Supported                   Supported