LDAP-UX Integration B.04.10 Release Notes
Table Of Contents
- LDAP-UX Integration B.04.10 Release Notes
- Table of Contents
- 1 LDAP-UX Integration B.04.10 Release Note
- LDAP-UX Integration Overview
- LDAP-UX Client Services
- What’s New in LDAP-UX Client Services B.04.10
- Known Problems fixed in LDAP-UX Client Services A.04.10
- Compatibility and Installation Requirements for LDAP-UX Client Services
- Installing and Configuring the LDAP-UX Client Services
- Documentation
- Known Problems and Workarounds for LDAP-UX Client Services
- Limitations in LDAP-UX Client Services
- Services
- /etc/pam.conf
- LDAP Directory Interoperability
- Supported Name Service Databases
- Duplicated Data Entries in ADS Multiple Domains
- SSL With Windows 2000 Active Directory Server
- Limitations of Printer Configurator
- Unsupported Commands
- Clear Text Passwords
- Man page for ldapclientd.conf
- LDAP Security Policy Enforcement
- SASL/GSSAPI Profile Download Support
- Changing authentication methods
- Supported Features For Particular Directory Servers
- Additional Limitations with Active Directory
- NIS/LDAP Gateway
LDAP-UX Client Services supports dynamic groups and allows you to configure dynamic
groups from the following directory servers and identity management:
— Netscape/Red Hat Directory Server
— Windows 2003 and 2003 R2 Active Directory Server
— HP Select Access and HP-UX Select Access for IdMI
To improve the performance of dynamic groups, the ldapclient daemon, ldapclientd, caches
dynamic group members to reduce the LDAP-UX client response time when retrieving
dynamic group information. This cache is maintained in an independent memory space that is
not shared with the cache for other service data.
Refer to the “Dynamic Group Support” chapter in the LDAP-UX Client Services B.04.10
Administrator’s Guide or the LDAP-UX Client Services B.04.10 with Windows Active Directory Server
Administrator’s Guide for detailed information.
• PAM_AUTHZ Enhancements
This release provides the following enhancements to PAM_AUTHZ:
— With this release, PAM_AUTHZ independently supports LDAP account and password
security policy enforcement without requiring LDAP-based authentication. This feature
supports applications such as SSH (Secure Shell) or r-commands with rhost enabled, where
authentication is performed by the command itself. PAM_AUTHZ can be used to
examine the account and password policies stored in an LDAP directory server to verify
whether the user should still be allowed to log in to the system, or whether passwords have
expired or been reset.
— PAM_AUTHZ provides dynamic variable support for the ldap_filter type of the
access rule in the /etc/opt/ldapux/pam_authz.policy file. The LDAP search
filter defined in the <object> field can consist of one or more
(attribute=$[variable_name]) pairs to specify dynamic variables.
— This release introduces a new PAM_AUTHZ access rule, unix_local_user. This
access rule allows an administrator to control login access by comparing a local
user’s login name against the list of user accounts in the /etc/passwd file.
— PAM_AUTHZ can return specific PAM error codes as configured in the
pam_authz.policy file. For example, if the pam_authz policy rule indicates that an
account has been locked out or a password has expired, PAM_AUTHZ can return an
appropriate PAM error code instead of a general allow or deny status code.
Refer to the LDAP-UX Client Services B.04.10 Administrator’s Guide or the LDAP-UX Client Services
B.04.10 with Windows Active Directory Server Administrator’s Guide for detailed information.
• TLS Support
This release of LDAP-UX Client Services supports a new extended operation of the TLS
(Transport Layer Security) protocol, called StartTLS, to secure communication between
LDAP clients and the LDAP directory server. You can use the StartTLS operation to establish
a secure connection over a regular, unencrypted LDAP port, such as port 389.
The enable_starttls integer variable defined in the
/etc/opt/ldapux/ldapux_client.conf file controls whether the TLS feature is enabled
or disabled. By default, TLS is disabled.
Refer to the “TLS support” section in the LDAP-UX Client Services B.04.10 Administrator’s
Guide or the LDAP-UX Client Services B.04.10 with Windows Active Directory Server Administrator’s
Guide for detailed information on how to use TLS.
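The StartTLS exchange described above, as an added illustration that is not LDAP-UX or HP code: the client sends an LDAP ExtendedRequest carrying only the StartTLS OID on the plain port, and may begin the TLS handshake on that same socket only if the ExtendedResponse reports resultCode 0. The BER framing follows RFC 4511; the sample responses are constructed, not captured from a real server.

```python
"""Encode an LDAP StartTLS ExtendedRequest and decode the ExtendedResponse (RFC 4511 BER framing).
Constructed sample messages; not captured from an LDAP-UX client or any real directory server."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1

def ber_tlv(tag, payload):
    """One BER tag-length-value. Short-form lengths (< 128 bytes) cover every StartTLS message."""
    return bytes([tag, len(payload)]) + payload

def ber_int(value):
    """INTEGER contents for a non-negative value: minimal big-endian, leading 0x00 when needed."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] LDAPOID } }.
    There is no requestValue: the request is just the OID, sent on the plain port (e.g. 389)."""
    request_name = ber_tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context-specific, primitive
    ext_req = ber_tlv(0x77, request_name)                         # 0x40 (application) | 0x20 | 23
    return ber_tlv(0x30, ber_tlv(0x02, ber_int(message_id)) + ext_req)

def parse_tlv(buf, pos=0):
    """Return (tag, contents, position after the TLV) for the short-form TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_starttls_response(msg):
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { LDAPResult, responseName [10]? } }.
    Only resultCode 0 means the client may start the TLS handshake on the same socket."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = parse_tlv(body)                # messageID INTEGER
    tag, resp, _ = parse_tlv(body, pos)
    if tag != 0x78:                              # 0x40 | 0x20 | 24
        raise ValueError("protocolOp is not an ExtendedResponse")
    _, code, pos = parse_tlv(resp)               # resultCode ENUMERATED
    _, _matched, pos = parse_tlv(resp, pos)      # matchedDN, empty for StartTLS
    _, diag, pos = parse_tlv(resp, pos)          # diagnosticMessage
    name = None
    while pos < len(resp):                       # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = parse_tlv(resp, pos)
        if tag == 0x8A:
            name = val.decode("ascii")
    result = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result,
            "diagnostic": diag.decode("utf-8"), "response_name": name, "tls_started": result == 0}

# Constructed sample responses: success, and a resultCode 52 (unavailable) refusal from a server without TLS.
SAMPLE_SUCCESS = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSED = bytes.fromhex("301d02010278180a013404000411") + b"TLS not supported"
```

A client that ignores a non-zero resultCode and starts the handshake anyway will fail or, worse, keep talking in clear text, which is why the decoder exposes tls_started separately from the raw code.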
• Schema Extension Utility
This release provides a new schema extension utility, ldapschema. This utility allows
schema developers to define LDAP schemas using a universal XML syntax, greatly
simplifying the ability to support different directory server variations. ldapschema can be
LDAP-UX Client Services 9