LDAP-UX Integration B.04.10 Release Notes

Table Of Contents

You can alternately use secure encrypted transport through the IPSec/9000 product for stronger

security. See the IPSec/9000 documentation at: http://docs.hp.com/hpux/communications/.

Man page for ldapclientd.conf

Limitations in the man command require specifying the section number as man 4

ldapclientd.conf to view the man page for ldapclientd.conf.

LDAP Security Policy Enforcement

With LDAP directory servers that support security policies (such as account or password

expiration), it is possible for HP-UX logins to adhere to these polices.The design of the LDAP

protocol enforces both authentication and security polices in the same operation (ldap_bind).

The design of the PAM subsystem separates authentication and security policy enforcement into

two separate APIs, as configured under the "auth" and "account" portions of the /etc/pam.conf

file. Because of these design differences, administrators need to be aware that it’s not possible

to use libpam_ldap for either just authentication or just security policy enforcement. For

example, it is not possible to use ssh publickeys for authentication, and then use libpam_ldap

for account policy enforcement, since libpam_ldap does not have a password with which it

can use to bind to the directory server. The same is true if Kerberos is used for authentication;

libpam_ldap can not be used for security policy enforcement alone.

Starting LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and

password security policy enforcement without requiring LDAP-based authentication. This feature

supports applications, SSH (Secure Shell) or r-commands with .rhost enabled where authentication

is performed by the command itself.

SASL/GSSAPI Profile Download Support

The current release of LDAP-UX does not support downloading of the LDAP-UX profile

automatically, when used with SASL/GSSAPI authentication, and that authentication uses a host

or service principal, where that principal’s key is stored in a Kerberos keytab file.This limitation

impacts the ability of the LDAP-UX product to support the "profile time to live" feature, which

automatically will re-download a profile after it’s profileTTL time period has expired.

In this situation, profiles can still be downloaded manually using the get_profile_entry

command, as long as a principal and password provided on the command line.The following

command shows an example of how to download the profile manually. If your profile changes

frequently, you may wish to place this in a script that is called periodically by cron.

/opt/ldapux/config/get_profile_entry -s NSS -D \

"<administrator@my.domain.org>" -w "<adminpassword>"

Changing authentication methods

If you wish to switch from your current authentication method, such as SIMPLE or

SASL/DIGEST-MD5 to SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/DIGEST-MD5, you must restart

the ldapclientd daemon after making the configuration changes. This step is required to assure

that the proper GSS API, Kereros and/or SSL initialization is completed.

Supported Features For Particular Directory Servers

The following shows the supported fearures for particular directory servers:

Feature Netscape/Red Hat Microsoft ADS