LDAP-UX Client Services B.04.00.02 Release Notes
HP-UX 11i v1
Manufacturing Part Number: J4269-90066
E1005
© Copyright 2005, Hewlett-Packard Company.
Legal Notice Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Copyright © 2005 Hewlett-Packard Company. This document contains information which is protected by copyright.
1 LDAP-UX Client Services Release Notes

LDAP-UX Client Services Overview

LDAP-UX Client Services integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. Client systems get name service data from an LDAP directory as well as from the /etc/passwd and /etc/group files and other name services.
What’s New in Version B.04.00.02

LDAP-UX Client Services B.04.00.02 is supported on HP-UX release 11i v1. It is a fix release that addresses problems resolved since version B.04.00. Refer to the section “Known Problems fixed in Version A.04.00.02” on page 4 for details.
Known Problems fixed in Version A.04.00.02

The following is a list of defect fixes in this release:
• Defect Number JAGaf70053: Resolved a potential error message when updating in an OE environment. The fix required modification in software depot packaging only. No functionality change in LDAP-UX is involved.
• Defect Number JAGaf70909: In LDAP-UX setup, all leading blanks in the attributemap string will be removed.
Installing, Configuring and Removing LDAP-UX

Preparing for Installation

Memory Requirements. This product has minimal memory and disk requirements. However, with the addition of the ldapclientd caching daemon, additional memory may be required to support very large name spaces (more than 50,000 users, for example) on very active hosts. The statistics operation (-S) of ldapclientd can be used to determine memory requirements.
If these patches are not available, contact your HP support representative for the latest versions. A patch number can be superseded at any time. The following patch numbers were current as of May, 2005:

Table 1-1 Required HP-UX 11i v1 Patches

Patch Number   Platform             Automatic Reboot?   Description
PHCO_30913     Workstation/Server   no                  libsec cumulative patch
NOTE See the following notes:
• If you store POSIX information of passwd and group in multiple ADS domains, PHSS_31163 is required. If you only use a single domain, PHSS_31163 is optional. Also note that if you want to use SASL/GSSAPI proxy authentication you should not install PHSS_31163, but instead must install the latest version of the KRB5CLIENT product available at http://software.hp.com.
AutoFS With LDAP Support on HP-UX 11i v1

In order to support automount information in LDAP on HP-UX 11i v1, you must obtain and install Enhanced AutoFS version B.11.11.0509.1. The Enhanced AutoFS product can be downloaded from software.hp.com and is registered as the "ENHAUTO" product. It can be downloaded from: http://software.hp.com/portal/swdepot/displayProductInfo.
Kerberos Support on HP-UX 11i v1

In order to support integration with Active Directory Server, a specific version of the PAM-Kerberos product is required. On HP-UX 11i v1, version 1.11 or later of the PAM-Kerberos product is required. If you also wish to use SASL/GSSAPI for proxied authentication, version 1.3.5.03 or later of the Kerberos Client product is required. Version 1.3.5.
Step 4. Install the required patches listed above, if they have not been installed yet.

NOTE Starting with LDAP-UX product version B.03.20, a system reboot is not required after installing the product.

Configuring the LDAP-UX Client

If you want to enable SSL support with LDAP-UX, you must configure the LDAP directory server to support SSL and install the security databases (cert7.db or cert8.db and key3.
Step 3. Use the certutil utility with the -N option to initialize a new database:

/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux

Step 4.
NOTE The -t "p,," represents the minimum trust attributes that may be assigned to the LDAP server’s certificate for LDAP-UX to successfully use SSL to connect to the LDAP directory server. See http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html for additional information. If you want to use LDAP-UX with Microsoft Windows 2000 or 2003 Active Directory with a version of Services for UNIX that is not 3.
your system is in the standard mode, see /etc/pam.ldap for an example. If your system is in Trusted Mode, see /etc/pam.ldap.trusted for an example.

NOTE If you use PAM Kerberos, you must configure PAM Kerberos. On an HP-UX 11i v1 system, you need to add /usr/lib/security/libpam_kerberos.1 to /etc/pam.conf where appropriate. On an HP-UX 11i v2 system, you need to add libpam_kerberos.so.1 to /etc/pam.
ln -fs /etc/opt/ldapux/default_profile_attr_ads_sfu2.ldif /etc/opt/ldapux/default_profile_attr_ads.ldif

LDAP-UX Client Services will also use SFU 2.0 in the absence of the softlink /etc/opt/ldapux/default_profile_attr_ads.ldif.

Profile Format Changes

The profile format has been changed in product version B.04.00. If you previously configured LDAP-UX B.03.
PROGRAM="/opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorg.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com"

After you update the product to version B.04.00 successfully, you have to execute PROGRAM from the command line as follows:

# /opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.
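Regenerating the cache for every per-domain profile after the B.04.00 update, as an added POSIX sh example (not a script shipped with LDAP-UX). It uses the create_profile_cache path and the ldapux_profile.ldif.<domain> to ldapux_profile.bin.<domain> naming shown in the notes; the PROFILE_DIR and CACHE_TOOL variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example: rebuild all domain profile caches after the B.04.00 update.
# PROFILE_DIR and CACHE_TOOL default to the paths the release notes use and
# can be overridden (for instance CACHE_TOOL=echo) for a dry run.
PROFILE_DIR="${PROFILE_DIR:-/etc/opt/ldapux/domain_profiles}"
CACHE_TOOL="${CACHE_TOOL:-/opt/ldapux/config/create_profile_cache}"

# Map <dir>/ldapux_profile.ldif.<domain> to <dir>/ldapux_profile.bin.<domain>.
# Prints the output path; fails (prints nothing) for a file that does not
# follow the ldapux_profile.ldif.<domain> naming.
profile_bin_path() {
    ldif="$1"
    dir=$(dirname "$ldif")
    base=$(basename "$ldif")
    case "$base" in
        ldapux_profile.ldif.?*)
            domain="${base#ldapux_profile.ldif.}"
            printf '%s/ldapux_profile.bin.%s\n' "$dir" "$domain"
            ;;
        *)
            return 1
            ;;
    esac
}

# Run create_profile_cache -i <ldif> -o <bin> for every domain profile.
# Returns non-zero if any profile could not be mapped or rebuilt.
rebuild_profile_caches() {
    rc=0
    for ldif in "$PROFILE_DIR"/ldapux_profile.ldif.*; do
        [ -f "$ldif" ] || continue
        bin=$(profile_bin_path "$ldif") || { rc=1; continue; }
        "$CACHE_TOOL" -i "$ldif" -o "$bin" || rc=1
    done
    return $rc
}

# Invoke as:  sh rebuild_caches.sh run   (only acts when asked)
if [ "${1:-}" = "run" ]; then
    rebuild_profile_caches
fi
```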
Installing and Configuring LDAP Client Administration Tools

This section provides basic instructions for installing the LDAP Client Administration Tools. For complete installation and configuration instructions, see the NIS/LDAP Gateway Administrator’s Guide.

Preparing for Installation

Verify that you have at least 36 megabytes of free disk space under /opt.
Documentation

The documentation below is available on the HP-UX Documentation web site at http://docs.hp.com/hpux/internet or where indicated.

Table 1-2 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway

Title: LDAP-UX Client Services B.04.00 Administrator’s Guide (part number J4269-90053)
Description: How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services.

Title: LDAP-UX Client Services B.04.
Related Documentation
• Netscape Directory Server for HP-UX Administrator’s Guide and other titles available at: http://docs.hp.com/hpux/internet
• NIS/LDAP Gateway Administrator’s Guide (J4269-90028) available at: http://docs.hp.com/hpux/internet
• Various white papers related to LDAP-UX are available at: http://docs.hp.com/hpux/internet
• Preparing your LDAP Directory for HP-UX Integration White Paper available at: http://docs.hp.
Known Problems and Workarounds For LDAP-UX Client Services

This section describes all currently known problems with the LDAP-UX Client Services product.
• Active Directory Server: If the password expires, the user cannot log into HP-UX clients. The administrator will have to reset the password, or the user will have to log into the Windows 2000 or 2003 system to reset the password before they can log into HP-UX machines.
A single entry representing a host/computer in an LDAP directory can contain multiple IP addresses for each hostname record. The /etc/hosts file, however, requires a separate entry for each IP address. If the system has been configured with multiple IP addresses for the same hostname, then the migration script migrate_host.
Limitations in LDAP-UX Client Services

The following are limitations in this version of the LDAP-UX Client Services.

/etc/pam.conf

HP delivers two PAM example configuration files, /etc/pam.ldap and /etc/pam.ldap.trusted, in this release. You need to configure /etc/pam.conf properly for LDAP-UX to work as expected.
• Microsoft Windows 2000/2003 Active Directory - Fully tested and supported
• OpenLDAP 2.1.13a - Verified with limited support
  — Manual schema installation required
• Novell eDirectory 8.7 - Minimally verified
• IBM IDS 5.1 - Minimally verified
• Oracle Internet Directory 9.
  — group
  — netgroup
  — services
  — rpc
  — hosts
  — networks
  — autofs
  — publickey
  — protocols
  — user-defined maps
• LDAP-UX Client Services using Windows 2000/2003 Active Directory Server does not support netgroup, automount and publickey service data.
• LDAP-UX Client Services using Windows 2000/2003 Active Directory Server currently supports hosts, protocols, networks, rpc, and services in a single domain.
SSL With Windows 2000 Active Directory Server

The Windows 2000 Active Directory Server requires Service Pack 4.

Limitations of Printer Configurator
• The new LDAP printer schema based on IETF is imported into the LDAP Directory Server to create the printer objects.
Table 1-3 (Continued)

groupadd(1M), groupdel(1M), groupmod(1M): These commands do not manage group information in the directory. To change entries in a directory, you can use directory administration tools such as ldapmodify, ldapsearch, ldapdelete and ldapentry.
which it can use to bind to the directory server. The same is true if Kerberos is used for authentication; libpam_ldap cannot be used for security policy enforcement alone.
Feature rows of the supported-features table (continued):
• networks name service
• protocols name service
• rpc name service
• automount name service
• aliases name service
• services name service
• publickey name service
• printer configurator
• pam_authz X.500-style group syntax
• pam_ldap
• Trusted Mode Security[5]
• Standard Mode Security
• LDAP Command-line Utils.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of the Trusted Mode and Standard Mode security features. Identities stored on the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
6.
• User and Group Migration: sAMAccountName must be unique across the entire domain. This attribute, used for pre-Windows 2000 clients, is set by the migration scripts to the value of the common name (CN).
Limitations in NIS/LDAP Gateway

The following are limitations in this version of the NIS/LDAP Gateway.
• Crypt Passwords: The NIS/LDAP Gateway product requires that user passwords be stored in the directory server in the same format as stored in an /etc/passwd file. This is known as “Unix Crypt” format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server.