LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
This feature is not supported when using LDAP-UX Client Services with Windows ADS.
• Local-only profile support
The centrally managed LDAP-UX configuration profile uses a schema defined by RFC 4876.
For environments where modification of the directory server schema is not allowed and new
schema cannot be installed, the local-only profile enables LDAP-UX to manage configuration
on the local hosts instead of the directory server. You must use the -l option with the
customized setup program to obtain this feature.
• User group management tools enhancements
The user and group management tools are enhanced to provide the following:
◦ The DN of the current user as a default when prompting for a DN before binding to the
directory server.
◦ The ability to change or reset a user's ADS password if SSL has been configured. This
includes the ability of an administrator to reset a user's password.
• pam_authz enhancements
The following pam_authz enhancements have been made:
◦ pam_authz now allows granular access control policies to be applied to individual PAM
services (such as ftp, telnet, ssh, imapd, and so forth). Different policies can be applied
to each service.
◦ pam_authz now supports a new action for rules. In addition to allow or deny, the
required action means that the rule must pass, and the remaining rules must also be processed.
◦ Previously, pam_authz supported two modes, the netgroup mode, where netgroups
were specified in the /etc/passwd file, or the pam_authz.policy mode, where rules
were defined in the pam_authz.policy file. Those two modes were mutually exclusive.
A new condition rule in the pam_authz.policy file now allows both modes.
• LDAP host management tools
LDAP-UX Integration B.05.00 supports two new LDAP command-line tools, ldaphostmgr
and ldaphostlist, that enable you to manage information about hosts in the directory
server, including ssh public keys. Using HP Secure Shell version 5.5 or later, LDAP-UX ssh key
management can preestablish trust between hosts.
◦ ldaphostmgr
Use the ldaphostmgr tool to add, modify, or delete information about hosts (OS
instances) that are part of the organization. The ldaphostmgr tool uses the existing
LDAP-UX configuration, requiring only a minimal number of command-line options to
discover where to search for host information, such as what directory servers to contact
and proper search filters for finding hosts. It also uses the existing LDAP-UX authentication
configuration to determine how to bind to the LDAP directory server. ldaphostmgr can
be used to centrally manage ssh public keys for hosts, and supports attribute-mapping
for attributes defined by the ipHost object class. Additional attributes used in a host entry
(such as owner, entityRole, and so on) are not mapped.
◦ ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an LDAP
directory server. Although ldaphostlist provides output similar to the ldapsearch
command, it satisfies a few specific feature requirements that enable applications to
discover and evaluate hosts stored in an LDAP directory server without requiring intimate
knowledge of the methods used to retrieve and evaluate that information in the LDAP
directory server. In addition, ldaphostlist can be used to discover expiration
information about ssh host keys if that information is managed in the directory server.
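To make the pam_authz rule semantics described above concrete, the following added example (it is not HP's pam_authz code and does not use the pam_authz.policy file syntax) models an ordered, per-service rule list with the three actions allow, deny and required, together with a netgroup-mode predicate that reads constructed /etc/passwd-style "+@netgroup" lines so that both modes can be combined in one policy. The evaluation order, first-match behaviour for allow and deny, and the deny-by-default result when no rule decides are assumptions chosen for the example, not documented pam_authz behaviour.

```python
"""Illustrative model of ordered, per-service pam_authz-style rules.

Added example only: not the pam_authz implementation and not its policy
file syntax. Assumptions (labelled): rules run top to bottom; the first
matching allow or deny decides; a required rule that does not match
denies at once, while one that matches lets evaluation continue; if no
rule decides, or the service has no policy, access is denied.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Predicate = Callable[[dict], bool]   # receives the login context dict


@dataclass(frozen=True)
class Rule:
    action: str          # "allow", "deny" or "required"
    predicate: Predicate
    label: str = ""      # human-readable reason, used for logging only


# Constructed /etc/passwd compatibility lines (sample data, not a real file):
# a "+@netgroup" line admits every member of that netgroup (netgroup mode).
SAMPLE_PASSWD_LINES = [
    "root:x:0:3::/:/sbin/sh",
    "+@admins",
    "+@ftpusers",
]


def passwd_netgroups(lines: List[str]) -> set:
    """Return the netgroup names given by '+@name' lines."""
    return {ln[2:].strip() for ln in lines if ln.startswith("+@")}


def in_netgroup(name: str) -> Predicate:
    return lambda ctx: name in ctx.get("netgroups", ())


def listed_in_passwd(lines: List[str]) -> Predicate:
    """Netgroup mode: user belongs to a netgroup named in passwd lines."""
    groups = passwd_netgroups(lines)
    return lambda ctx: any(g in groups for g in ctx.get("netgroups", ()))


def is_user(name: str) -> Predicate:
    return lambda ctx: ctx.get("user") == name


def attr_equals(attr: str, value: str) -> Predicate:
    """Match on a directory attribute carried in the context (hypothetical)."""
    return lambda ctx: ctx.get("attrs", {}).get(attr) == value


def evaluate(rules: List[Rule], ctx: dict) -> bool:
    """Apply the ordered rules; see module docstring for the assumed semantics."""
    for rule in rules:
        matched = rule.predicate(ctx)
        if rule.action == "required":
            if not matched:
                return False          # required rule failed: deny immediately
            continue                  # passed: remaining rules still apply
        if matched:
            return rule.action == "allow"   # first matching allow/deny decides
    return False                      # assumption: no decision means deny


# One policy per PAM service, mirroring the per-service granularity described.
POLICIES: Dict[str, List[Rule]] = {
    "ssh": [
        Rule("required", attr_equals("accountStatus", "active"), "account must be active"),
        Rule("deny", in_netgroup("contractors"), "no contractors over ssh"),
        Rule("allow", in_netgroup("admins"), "admins may log in"),
        Rule("allow", listed_in_passwd(SAMPLE_PASSWD_LINES), "netgroup-mode entries"),
    ],
    "ftp": [
        Rule("deny", is_user("root"), "never root over ftp"),
        Rule("allow", in_netgroup("ftpusers"), "ftp users"),
    ],
}


def authorize(service: str, ctx: dict, policies: Dict[str, List[Rule]] = POLICIES) -> bool:
    rules = policies.get(service)
    if rules is None:
        return False                  # assumption: unlisted service is denied
    return evaluate(rules, ctx)


def demo() -> Dict[str, bool]:
    """Constructed login contexts exercising each action and both modes."""
    active = {"accountStatus": "active"}
    cases = {
        "admin over ssh": ("ssh", {"user": "alice", "netgroups": ("admins",), "attrs": active}),
        "locked admin over ssh": ("ssh", {"user": "bob", "netgroups": ("admins",),
                                          "attrs": {"accountStatus": "locked"}}),
        "contractor who is also admin": ("ssh", {"user": "carol",
                                                 "netgroups": ("contractors", "admins"),
                                                 "attrs": active}),
        "passwd netgroup entry over ssh": ("ssh", {"user": "dave", "netgroups": ("ftpusers",),
                                                   "attrs": active}),
        "root over ftp": ("ftp", {"user": "root", "netgroups": ("ftpusers",)}),
        "ftp user": ("ftp", {"user": "erin", "netgroups": ("ftpusers",)}),
        "service without policy": ("telnet", {"user": "erin", "netgroups": ("admins",)}),
    }
    return {name: authorize(svc, ctx) for name, (svc, ctx) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:35s} -> {'allow' if decision else 'deny'}")
```

The locked-admin case is the one worth noting: the allow rule for admins would match, but the preceding required rule fails, so the login is denied. That is the difference between required and allow that the enhancement introduces, and it is why a required rule belongs at the top of a service's list.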
400 Support and other resources