LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
7.2.2.4 Limitations
• The authck -d command removes the /tcb/files/auth/... files created for LDAP-based
accounts. When the LDAP-based account logs into the system again, a new /tcb/files/auth/...
file with a new audit ID is recreated. Therefore, it is not recommended to run the
authck -d command when you configure LDAP-UX with Trusted Mode.
• You cannot use the Trusted Mode management subsystem in SAM to manage LDAP-based
accounts.
• The LDAP repository and /etc/passwd repository must not contain accounts with the same
login name or account number.
• Except for the audit flag, you cannot modify other Trusted Mode properties/policies for
LDAP-based accounts. For example, attempting to lock an LDAP-based account by modifying
the Trusted Mode field for that user does not prevent that account from logging in to the host.
Instead, you must disable the account on the LDAP server itself. No runtime warning will be
given that the local locking of the account has no effect. It is important that all system
administrators are properly trained, so that administrative locks on accounts have the desired
effect.
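The third limitation above (no login name or account number may exist in both /etc/passwd and the LDAP repository) is easy to violate silently, because nothing in the product checks for it. The following script is an added example, not part of the HP guide or the LDAP-UX product: it compares a passwd-format file with the LDIF output of an ldapsearch for posixAccount entries and reports every login name and every uidNumber that appears in both. The sample /etc/passwd lines and the LDIF records embedded in it are constructed for illustration; the file paths passed on the command line are assumptions.

```python
"""Report login-name and UID collisions between /etc/passwd and LDAP posixAccount entries.

Added example (not HP/LDAP-UX code). Usage:
    python check_dup_accounts.py /etc/passwd ldap_users.ldif
where ldap_users.ldif is the output of, for example,
    ldapsearch -x -b "ou=People,dc=example,dc=com" "(objectClass=posixAccount)" uid uidNumber
With no arguments the constructed sample data below is used.
"""
import sys
from typing import Dict, List, Tuple

# Constructed sample /etc/passwd content (not taken from a real host).
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
jsmith:*:1001:20::/home/jsmith:/usr/bin/sh
build:*:1200:20::/home/build:/usr/bin/sh
"""

# Constructed LDIF in the shape ldapsearch prints posixAccount entries (not real directory data).
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jsmith
uidNumber: 2001
gidNumber: 20

dn: uid=amiller,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: amiller
uidNumber: 1200
gidNumber: 20

dn: uid=svc_backup,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc_backup
uidNumber: 3000
gidNumber: 20
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map login name -> UID from passwd-format text; malformed lines are skipped."""
    accounts: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts


def parse_ldif(text: str) -> Dict[str, int]:
    """Map uid (login name) -> uidNumber from LDIF records separated by blank lines.

    Attribute names are matched case-insensitively; LDIF line folding
    (continuation lines starting with a space) is unfolded; base64 values ("::")
    are not expected for these attributes and are ignored.
    """
    accounts: Dict[str, int] = {}
    records: List[List[str]] = [[]]
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            records.append([])
        elif raw.startswith(" ") and records[-1]:
            records[-1][-1] += raw[1:]          # unfold continuation line
        else:
            records[-1].append(raw)
    for record in records:
        attrs: Dict[str, str] = {}
        for line in record:
            if ":" not in line or "::" in line:
                continue
            name, value = line.split(":", 1)
            attrs[name.strip().lower()] = value.strip()
        if "uid" in attrs and attrs.get("uidnumber", "").isdigit():
            accounts[attrs["uid"]] = int(attrs["uidnumber"])
    return accounts


def find_collisions(local: Dict[str, int], ldap: Dict[str, int]) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (login names present in both, [(uid, local_name, ldap_name)] for shared UIDs)."""
    name_collisions = sorted(set(local) & set(ldap))
    ldap_by_uid = {uid: name for name, uid in ldap.items()}
    uid_collisions = sorted(
        (uid, name, ldap_by_uid[uid]) for name, uid in local.items() if uid in ldap_by_uid
    )
    return name_collisions, uid_collisions


def main(argv: List[str]) -> int:
    if len(argv) == 3:
        with open(argv[1]) as f:
            passwd_text = f.read()
        with open(argv[2]) as f:
            ldif_text = f.read()
    else:
        passwd_text, ldif_text = SAMPLE_PASSWD, SAMPLE_LDIF
    names, uids = find_collisions(parse_passwd(passwd_text), parse_ldif(ldif_text))
    for name in names:
        print(f"DUPLICATE LOGIN: {name} exists in both /etc/passwd and LDAP")
    for uid, local_name, ldap_name in uids:
        print(f"DUPLICATE UID {uid}: local '{local_name}' vs LDAP '{ldap_name}'")
    return 1 if (names or uids) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed data the script flags `jsmith` (defined in both repositories with different UIDs) and UID 1200 (local `build` versus LDAP `amiller`); the non-zero exit status lets it serve as a pre-check before enabling the LDAP name service on a host.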
7.2.3 Configuration parameter
LDAP-UX Client Services provides one configuration parameter, initial_ts_auditing, available
for you to configure the initial auditing setting for the LDAP-based account. This parameter is defined
in the /etc/opt/ldapux/ldapux_client.conf file.
7.3 Configuring SASL/GSSAPI support for proxy user authentication (Windows ADS only)
LDAP-UX Client Services supports the SASL / Generic Security Services Application Programming
Interface (GSSAPI) authentication method for Kerberos v5. Currently, Kerberos v5 is the only security
mechanism that is implemented to work with GSSAPI. LDAP-UX Client Services 5.0 provides
SASL/GSSAPI authentication method support for Microsoft Windows 2003 R2 and 2008 Active
Directory only. SASL/GSSAPI authentication is limited to proxy user authentication for the name
service subsystem. Host, service or other principals may be used for the LDAP-UX proxy identity.
Because SASL/GSSAPI is only used for proxy authentication, user authentication to a Windows
domain should still be configured using PAM_KERBEROS.
For information on the realm, principal, keytab, and credential cache definitions used by the
SASL/GSSAPI authentication, refer to Configuration Guide For Kerberos Product on HP-UX and
Installing, Configuring and Administering The Kerberos Server on HP-UX 11i at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
NOTE: For HP-UX 11i v2 (11.23) and v3 (11.31), do not use the default Kerberos product that
is installed with your OS. Instead, download and use the latest version of Kerberos (KRB5CLIENT)
from the HP Software Depot at:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT
For information about version support and required patches, see the section titled “Kerberos support
on HP-UX 11i v2 or v3” in the LDAP-UX Integration Release Notes.
For more information, see the Kerberos Client Release Notes available at:
http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software)
For an overview of the various authentication methods you can configure with LDAP-UX Client
Services, including their strengths and weaknesses, see Section 2.4.6.1 (page 79).
196 Administering LDAP-UX Client Services