LDAP-UX Integration B.04.
© Copyright 2007 Hewlett-Packard Company

Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
Table of Contents
1 LDAP-UX Integration B.04.10 Release Note ......... 7
  LDAP-UX Integration Overview ......... 7
    LDAP-UX Client Services Overview ......... 7
    NIS/LDAP Gateway Overview .........
  Known Problems and Workarounds ......... 29
    Limitations in NIS/LDAP Gateway .........
List of Tables
1-1 Required HP-UX 11i v1 Patches ......... 13
1-2 AutoFS Patch on HP-UX 11i v2 ......... 14
1-3 Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2 ......... 14
1-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway .........
1-5
1 LDAP-UX Integration B.04.10 Release Note

LDAP-UX Integration Overview
The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. Client systems get name service data from an LDAP directory as well as from the /etc/passwd and /etc/group files and other name services.
NIS/LDAP Gateway Overview
The NIS/LDAP Gateway Server (NisLdapServer subproduct) software helps HP-UX servers and workstations integrate more closely with an LDAP directory. Specifically, this product allows an NIS client to use an LDAP directory as its repository for NIS maps. The product provides an NIS-to-LDAP gateway that converts NIS RPC requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features.
LDAP-UX Client Services supports dynamic groups and allows you to configure dynamic groups from the following directory servers and identity management products:
— Netscape/Red Hat Directory Server
— Windows 2003 and 2003 R2 Active Directory Server
— HP Select Access and HP-UX Select Access for IdMI
To improve the performance of dynamic groups, the LDAP client daemon, ldapclientd, caches dynamic group members to reduce the LDAP-UX client response time when retrieving dynamic group information.
used to query the current status of the LDAP schema on the LDAP directory server, as well as to extend the LDAP directory server schema with new attribute types and object classes. The ldapschema utility was designed to support directory servers from several vendors and is currently supported with Netscape/Red Hat Directory Server and Microsoft Windows 2000, 2003 and 2003 R2 Active Directory Server.
• Microsoft Windows 2003 Release 2 (R2) Active Directory Server (ADS) Certification
In this release, LDAP-UX has been enhanced to support Microsoft Windows 2003 Release 2 Active Directory Server. Windows 2003 R2 ADS provides the R2 RFC 2307 schema, which is compliant with the IETF RFC 2307 standard.
• Defect Number JAGaf79435
ldapclientd waits indefinitely for a response from the LDAP server. After submitting a request to the LDAP server, ldapclientd loops if the LDAP server cannot respond to that request because of a heavy load on the server, a system hang, a network outage, etc.
or http://europe-support.external.hp.com/.

If these patches are not available, contact your HP support representative for the latest versions. A patch number can be superseded at any time. The following patch numbers were current as of December, 2006:

Table 1-1 Required HP-UX 11i v1 Patches
Patch Number   Platform             Automatic Reboot?   Description
PHCO_30913     Workstation/Server   no                  libsec cumulative patch.
Table 1-2 AutoFS Patch on HP-UX 11i v2
Patch Number   Platform             Automatic Reboot?   Description
PHNE_33100     Workstation/Server   yes                 ONC AutoFS LDAP support patch.

NOTE: If AutoFS support with LDAP is not required in your environment, installation of PHNE_33100 is not required.
NOTE: If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.

Kerberos Support on HP-UX 11i v1 or v2
In order to support integration with Active Directory Server, a specific version of the PAM-Kerberos product is required. On HP-UX 11i v1, version 1.11 or later of the PAM-Kerberos product is required. On HP-UX 11i v2, version 1.23 or later of the PAM-Kerberos product is required.
1. Retrieve the Base64-encoded certificate from the certificate server and save it.
2. Use the rm command to remove the old database files, /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
   rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3. Use the certutil utility with the -N option to initialize a new database:
   /opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
4.
NOTE: At the end of setup, you will be prompted to start/restart ldapclientd. You can choose not to start it right away. However, you must start the daemon, ldapclientd, for LDAP-UX functions to work. For details on running the setup program, refer to LDAP-UX Client Services B.04.10 Administrator’s Guide.

2. Save a copy of /etc/pam.conf and modify the original file to add /usr/lib/security/libpam_ldap.1 on the HP-UX 11i v1 system, or libpam_ldap.so.1 on the HP-UX 11i v2 system, where it is appropriate.
Profile Format Changes
The profile format has been changed in product version B.04.10. If you previously configured LDAP-UX B.04.00 or an earlier version using the default profile /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10, the product will automatically update /etc/opt/ldapux/ldapux_profile.bin to the new format. For the following cases, you must manually update the profile format by executing each PROGRAM line after you update the product to version B.04.
4. Remove the directories /etc/opt/ldapux and /opt/ldapux.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1". This step is required for HP-UX 11i v2 client systems. This step is optional for HP-UX 11i v1 systems.

WARNING! If the LDAP-UX product is removed without completing Step 5 on an HP-UX 11i v2 system, users will not be able to log onto the system. Follow these steps to resolve this problem:
1. Reboot the system in single-user mode.
2.
3.
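Step 5 is the one that locks users out when skipped, so it is worth doing with a backup and a check. The following POSIX sh function is an added example, not code from the HP release note: it copies the file aside, drops every line containing the LDAP-UX PAM module name (the page's "libpam_ldap.so.1" by default; the pattern argument is an assumption so the same function can target libpam_ldap.1 on 11i v1), and reports how many lines were removed. The sample pam.conf it operates on is constructed for the example and is not a real HP-UX file.

```shell
#!/bin/sh
# Added example (not from the HP release note): strip the LDAP-UX PAM module
# lines from a pam.conf-style file before removing the product, keeping a backup.
#
# remove_pam_ldap_lines FILE [PATTERN]
#   FILE     path to the pam.conf to edit (on HP-UX this is /etc/pam.conf)
#   PATTERN  fixed string naming the LDAP-UX module; defaults to libpam_ldap.so.1
#            (assumed parameter; pass libpam_ldap.1 for the 11i v1 module name)
# Prints the number of lines removed; returns 1 on a missing file or copy failure.
remove_pam_ldap_lines() {
    file=$1
    pattern=${2:-libpam_ldap.so.1}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Keep the original so the change can be reverted from single-user mode.
    cp -p "$file" "$file.pre-ldapux-removal" || return 1
    before=$(wc -l < "$file")
    # grep -v exits 1 when every line matched; that is not an error here.
    grep -v -F -- "$pattern" "$file.pre-ldapux-removal" > "$file" || [ $? -eq 1 ]
    after=$(wc -l < "$file")
    echo $((before - after))
}

# Constructed sample input: a small pam.conf with two LDAP entries, written to a
# temporary directory so the example never touches the real /etc/pam.conf.
make_sample_pam_conf() {
    dir=$(mktemp -d)
    cat > "$dir/pam.conf" <<'EOF'
# constructed sample pam.conf (not a real HP-UX file)
login   auth     required   libpam_unix.so.1
login   auth     optional   libpam_ldap.so.1
login   account  required   libpam_unix.so.1
login   account  optional   libpam_ldap.so.1
login   session  required   libpam_unix.so.1
EOF
    echo "$dir/pam.conf"
}

# Stand-alone run: edit the sample and show what is left.
sample=$(make_sample_pam_conf)
echo "removed $(remove_pam_ldap_lines "$sample") line(s); remaining:"
cat "$sample"
```

Because the filter is a fixed-string match on the module name, any service entry (login, su, sshd, ...) that references the module is removed, which is what step 5 asks for; entries for other modules are left exactly as they were, so the default libpam_unix lines still provide a login path.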
Documentation
The documentation below is available on the HP-UX Documentation web site at http://docs.hp.com/hpux/internet or where indicated.

Table 1-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway
Title                                                   Description
LDAP-UX Client Services B.04.10 Administrator’s Guide   How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services. (part number J4269-90067)
LDAP-UX Client Services B.04.
Known Problems and Workarounds for LDAP-UX Client Services
This section describes all currently known problems with the LDAP-UX Client Services product.

• Active Directory Server Problem
If a password expires, the user cannot log into HP-UX clients.
Workaround
The administrator will have to reset the password, or the user will have to log into the Windows 2000, 2003 or 2003 R2 system to reset the password, before he can log into HP-UX machines.
ipHostNumber: 15.13.95.92
cn: machineA
cn: hpma01.cup.hp.com

Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.

• Secondary Group Problem
If a user’s secondary group is specified by x.
This draft is currently published as draft-joslin-config-schema-07.txt (which will likely be replaced by a future draft revision or RFC). The "Configuration Profile" schema will be automatically installed on directory servers that support online modification of the subschema subentry. The following directories have been tested or minimally verified:
• Netscape Directory Server 6.11/6.21 and Red Hat Directory Server 7.0/7.
•
•
Duplicated Data Entries in ADS Multiple Domains
To better integrate with HP-UX, it is highly recommended that you maintain unique user names and uid numbers in the forest; otherwise undesired behaviors may occur.
You can alternatively use secure encrypted transport through the IPSec/9000 product for stronger security. See the IPSec/9000 documentation at: http://docs.hp.com/hpux/communications/.

Man page for ldapclientd.conf
Limitations in the man command require specifying the section number, as in man 4 ldapclientd.conf, to view the man page for ldapclientd.conf.
[Feature support table: only the row labels survived extraction; the per-directory-server support values are not recoverable.]
protocols name service
rpc name service
automount name service
aliases name service
services name service
publickey name service
printer configurator
pam_authz X.500-style group syntax
pam_ldap Trusted Mode Security[5]
Standard Mode Security
LDAP Command-line Utils.
ldapentry editor tool
NIS Migration Tools
NIS+ Migration Tools
Multiple Domains
NIS/LDAP Gateway
Authentication Methods: Simple Password, SASL/DIGEST-MD5, SASL/GSSAPI, SSL Server Certs., SSL Client Certs.
Caching: passwd, group, netgroup, X.
• POSIX Password Support
POSIX password (defined as userPassword in RFC 2307, and msSFUPassword in SFU 2.0) is not certified.
• User and Group Migration
sAMAccountName must be unique across the entire domain. This attribute, used for pre-Windows 2000 clients, is set by the migration scripts to the value of the common name (CN).
• Defect Number JAGag19118
/opt/ldapux/ypldapd/etc/namingcontexts.conf maps group* incorrectly.
• Defect Number JAGag19120
The /etc/rc.config.d/ypldapd file contains a comment that gives an incorrect location for the ypldapd.conf file.

migrate_automount_forypldapd.pl Script
A migration script, migrate_automount_forypldapd.pl, is provided to support the automount map

Compatibility and Installation Requirements for NIS/LDAP Gateway
This section provides basic instructions for installing the NIS/LDAP Gateway.
• preload_maps group.bynam.

The user you identify in the binddn must be an LDAP directory user that is allowed to read the userPassword attribute.

If the NIS domain you use is the same as the domain being used by an existing NIS server, you must stop and disable the NIS server. To stop the NIS server, run /sbin/init.d/nis.server stop. Then change NIS_SLAVE_SERVER and NIS_MASTER_SERVER to 0 in the file /etc/rc.config.d/namesvrs.
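Stopping ypserv is not enough on its own: unless both rc variables are set to 0, the NIS server comes back at the next boot and competes with ypldapd for the domain. The following POSIX sh function is an added example, not code from the HP release note. It runs the stop script the page names (the path is a parameter so the example can run where /sbin/init.d/nis.server does not exist; that parameter and the skip-if-absent behaviour are assumptions), rewrites NIS_MASTER_SERVER and NIS_SLAVE_SERVER to 0 in a copy of namesvrs, and then verifies both lines before declaring success. The sample namesvrs fragment is constructed for the example and is not the real HP-UX file.

```shell
#!/bin/sh
# Added example (not from the HP release note): stop the NIS server and set
# NIS_MASTER_SERVER and NIS_SLAVE_SERVER to 0 in an rc.config.d/namesvrs file,
# so ypserv does not restart at boot alongside the NIS/LDAP Gateway (ypldapd).
#
# disable_nis_server FILE [STOP_SCRIPT]
#   FILE         the namesvrs file to edit (on HP-UX: /etc/rc.config.d/namesvrs)
#   STOP_SCRIPT  assumed parameter; defaults to /sbin/init.d/nis.server and is
#                skipped when it is not present on this machine
# Returns 0 only when both variables read 0 afterwards.
disable_nis_server() {
    file=$1
    stop_script=${2:-/sbin/init.d/nis.server}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Stop the running server first (the page's "/sbin/init.d/nis.server stop").
    if [ -x "$stop_script" ]; then
        "$stop_script" stop || return 1
    fi
    # Keep the original; the rc file is what brings ypserv back after a reboot.
    cp -p "$file" "$file.pre-ypldapd" || return 1
    sed -e 's/^\(NIS_MASTER_SERVER\)=.*/\1=0/' \
        -e 's/^\(NIS_SLAVE_SERVER\)=.*/\1=0/' "$file.pre-ypldapd" > "$file" || return 1
    # Verify rather than assume: a variable missing from the file is reported,
    # not silently invented.
    for var in NIS_MASTER_SERVER NIS_SLAVE_SERVER; do
        grep -q "^$var=0\$" "$file" || { echo "$var is not 0 in $file" >&2; return 1; }
    done
    return 0
}

# Constructed sample input, written to a temporary directory so the example
# never touches a real rc.config.d file.
make_sample_namesvrs() {
    dir=$(mktemp -d)
    cat > "$dir/namesvrs" <<'EOF'
# constructed sample /etc/rc.config.d/namesvrs fragment (not the real HP-UX file)
NIS_MASTER_SERVER=1
NIS_SLAVE_SERVER=0
NIS_CLIENT=1
NIS_DOMAIN=example.test
EOF
    echo "$dir/namesvrs"
}

# Stand-alone run against the sample, with a non-existent stop script so the
# edit alone is demonstrated.
sample=$(make_sample_namesvrs)
if disable_nis_server "$sample" /nonexistent/nis.server; then
    echo "NIS server disabled in $sample:"
    cat "$sample"
fi
```

The sed expressions anchor on the variable name at the start of the line, so NIS_CLIENT and NIS_DOMAIN are untouched; the gateway host can remain an NIS client of its own domain while no longer serving it.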
(although a directory administrator could accomplish this on a user’s behalf). Also, other LDAP-enabled applications may not work correctly.

• Modifying Data in the Directory
You cannot use the chfn(1), chsh(1) and passwd(1) commands to modify data in the directory.

• NIS and NIS/LDAP Gateway
You cannot run an NIS server (ypserv) and an NIS/LDAP Gateway server (ypldapd) simultaneously on the same system.