LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)

compat mode performance enhancement
For organizations that rely on the legacy netgroup /etc/passwd filtering, the compat mode
performance enhancement significantly improves performance when numerous and large
netgroups are used in the /etc/passwd file for controlling passwd fields.
Local-only profile support
The centrally managed LDAP-UX configuration profile uses a schema defined by RFC 4876.
For environments where modification of the directory server schema is not allowed and new
schema cannot be installed, the local-only profile allows LDAP-UX to manage configuration
on the local hosts instead of the directory server. You need to use the -l option with the
customized setup program to obtain this feature.
User Group Management Tools Enhancements
The user and group management tools are enhanced to provide the following:
• The DN of the current user as a default when prompting for a DN before binding to the
  directory server.
• The ability to change or reset a user's ADS password if SSL has been configured. This
  includes the ability of an administrator to reset a user's password.
pam_authz Enhancements
The following pam_authz enhancements have been made:
• pam_authz now allows granular access control policies to be applied to individual PAM
  services (such as ftp, telnet, ssh, imapd, and so forth). Different policies can be applied
  to each service.
• pam_authz now supports a new action for rules. In addition to allow or deny, the
  required action means that the rule must pass and that the remaining rules must also be
  processed.
• Previously, pam_authz supported two modes, the netgroup mode, where netgroups
  were specified in the /etc/passwd file, or the pam_authz.policy mode, where rules
  were defined in the pam_authz.policy file. Those two modes were mutually exclusive.
  A new condition rule in the pam_authz.policy file now allows both modes.
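The following added example (not from the guide and not pam_authz code) models how a required rule differs from allow and deny when a separate rule list is kept per PAM service. The rule tuples, group names and user names are hypothetical and are not pam_authz.policy syntax. The model assumes that allow and deny stop at the first matching rule, that a failed required rule denies at once, and that no match means deny.

```python
# Simplified model of ordered access-rule evaluation with allow / deny / required.
# Not pam_authz code and not pam_authz.policy syntax; rule tuples are hypothetical.

# Constructed sample policies, one rule list per PAM service.
POLICIES = {
    "ssh": [
        ("required", "group", ["staff"]),       # gate: must pass, then keep going
        ("deny", "user", ["mallory"]),
        ("allow", "group", ["admins", "oncall"]),
    ],
    "ftp": [
        ("allow", "user", ["ftpsvc"]),
    ],
}


def rule_matches(kind, values, user, groups):
    """Return True when the rule's condition holds for this user."""
    if kind == "user":
        return user in values
    if kind == "group":
        return bool(set(groups) & set(values))
    raise ValueError(f"unknown rule kind: {kind}")


def evaluate(policies, service, user, groups):
    """Return 'allow' or 'deny' for a user reaching the host through a service.

    Model assumptions: allow/deny end evaluation at the first matching rule,
    a failed 'required' rule denies immediately, and no match at all denies.
    """
    for action, kind, values in policies.get(service, []):
        if action not in ("allow", "deny", "required"):
            raise ValueError(f"unknown action: {action}")
        matched = rule_matches(kind, values, user, groups)
        if action == "required":
            if not matched:
                return "deny"   # required rule did not pass
            continue            # passed: remaining rules must still be processed
        if matched:
            return action       # first matching allow/deny decides
    return "deny"               # default of this model when nothing matched


if __name__ == "__main__":
    for svc, user, groups in [("ssh", "alice", {"staff", "admins"}),
                              ("ssh", "bob", {"admins"}),
                              ("ftp", "alice", {"staff", "admins"})]:
        print(svc, user, evaluate(POLICIES, svc, user, groups))
```

In this model the same user can be allowed through ssh and denied through ftp, and membership in admins alone does not grant ssh access because the required staff rule is evaluated first.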
LDAP Host management tools
LDAP-UX Integration B.05.00 supports two new LDAP command-line tools, ldaphostmgr
and ldaphostlist, that allow you to manage information about hosts in the directory server,
including ssh public keys. Using HP Secure Shell version 5.5 or higher, LDAP-UX ssh key
management can pre-establish trust between hosts.
ldaphostmgr
Use the ldaphostmgr tool to add, modify, or delete information about hosts (OS
instances) that are part of the organization. The ldaphostmgr tool uses the existing
ldapux(5) configuration, requiring only a minimal number of command-line options to
discover where to search for host information, such as what directory server(s) to contact
and proper search filters for finding hosts. It also uses the existing ldapux(5)
authentication configuration to determine how to bind to the directory server.
ldaphostmgr can be used to centrally manage ssh public keys for hosts, and supports
attribute-mapping for attributes defined by the ipHost objectclass. Additional attributes
used in a host entry (such as owner, entityRole, and so on) are not mapped.
ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an
LDAP-based directory server. Although ldaphostlist provides output similar to the