LDAP-UX Integration B.04.
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 LDAP-UX Integration B.04.15 Release Note

LDAP-UX Integration Overview

The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. LDAP-UX Integration enables the LDAP directory to be used as a single-source repository for HP-UX authentication, authorization, user data and account management.
NIS/LDAP Gateway Overview

The NIS/LDAP Gateway Server (NisLdapServer subproduct) software helps HP-UX servers and workstations integrate more closely with an LDAP directory. Specifically, this product allows an NIS client to use an LDAP directory as its repository for NIS maps. This product provides an NIS-to-LDAP gateway that converts NIS RPC requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features.
LDAP-UX Client Services

This section of these release notes contains information about LDAP-UX Client Services B.04.15. The LDAP-UX Client Services part of this document includes the following information:
• What’s New in LDAP-UX Client Services
• Known Problems Fixed in LDAP-UX Client Services
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds
• Limitations in LDAP-UX Client Services

What’s New in LDAP-UX Client Services B.04.
man pages, ldapuglist(1M), ldapugadd(1M), ldapcfinfo(1M), ldapugmod(1M) and ldapugdel(1M).
• ldapuglist
You can use the ldapuglist tool to display and enumerate POSIX-like account and group entries that reside in an LDAP directory server.
administrator credentials that have sufficient privilege to perform the user or group modify operations in the LDAP directory server.
• ldapugdel
Use the ldapugdel tool to remove POSIX-related user or group entries from an LDAP directory server. The ldapugdel tool can also remove the POSIX-related attributes and object classes from user or group entries without removing the entire entry.
Patch Requirements

For 11i v1, HP requires that you install the patch listed in Table 1-1 below. For 11i v2 or v3, no patch is required. You may use the following command to determine which patches are installed on your system:

/usr/sbin/swlist -l product | grep PH | more

See the swlist(1M) man page for more information. Patches can be obtained from the HP Electronic Support Center at http://us-support.external.hp.com/ or http://europe-support.external.hp.com/.
The Enhanced AutoFS product can be downloaded from Software Depot and is registered as the "ENHAUTO" product. It can be downloaded from:

http://www.hp.com/go/softwaredepot

NOTE: If AutoFS support with LDAP is not required in your environment, installation of Enhanced AutoFS B.11.11.0509 is not required.
Enhkey B.11.23.01    HP-UX B.11.23 IA+PA depot for HP-UX 11i v2

For detailed information, refer to the ONC With Publickey LDAP Support Software Pack Release Notes available at http://docs.hp.com.

NOTE: If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.

Kerberos Support on HP-UX 11i v1 or v2

To support integration with Active Directory Server, a specific version of the PAM-Kerberos product is required.
signed the LDAP server’s certificate) from your certificate server as a Base64-encoded certificate and use the certutil utility to create the cert8.db and key3.db security database files. Use the following steps to create the security database files:
1. Retrieve the Base64-encoded certificate from the certificate server and save it.
2. Use the rm command to remove the old database files, /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
   rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3.
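As an added example (not from the release note), the following POSIX shell functions carry out the database rebuild described above. They assume the standard NSS certutil options -N (create database), -A (add certificate) and -L (list); the nickname "LDAP CA" and the check that the export really is Base64 (PEM) rather than binary DER are my additions.

```shell
#!/bin/sh
# Added example, not from the HP release note. Rebuilds the LDAP-UX
# cert8.db/key3.db database from a Base64 (PEM) CA certificate.
# Assumes the standard NSS certutil options -N (new database),
# -A (add certificate) and -L (list); the nickname is a placeholder.

# The export from the certificate server must be Base64 (PEM), not
# binary DER: both PEM markers have to be present before we go on.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Remove the old database files (step 2 of the procedure), create a
# fresh database in DBDIR and import the CA with trust flags "CT,,"
# (trusted to issue TLS server certificates, nothing else).
# Usage: rebuild_ldapux_certdb /path/to/ca.pem [/etc/opt/ldapux]
rebuild_ldapux_certdb() {
    ca_pem=$1
    dbdir=${2:-/etc/opt/ldapux}
    if ! is_pem_cert "$ca_pem"; then
        echo "$ca_pem is not a Base64-encoded certificate" >&2
        return 1
    fi
    rm -f "$dbdir/cert8.db" "$dbdir/key3.db"
    # certutil -N prompts for a database password at this point.
    certutil -N -d "$dbdir" &&
    certutil -A -d "$dbdir" -n "LDAP CA" -t "CT,," -i "$ca_pem" &&
    certutil -L -d "$dbdir"          # list the CA that was imported
}
```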
./setup

NOTE: At the end of setup, you will be prompted to start/restart ldapclientd. You can choose not to start it right away. However, you must start the daemon, ldapclientd, for LDAP-UX functions to work. For details on running the setup program, refer to the LDAP-UX Client Services B.04.15 Administrator’s Guide.

2. Save a copy of /etc/pam.conf and modify the original file to add /usr/lib/security/libpam_ldap.1 on the HP-UX 11i v1 system or libpam_ldap.so.
Profile Format Changes

The profile format was changed in product version B.04.10. If you previously configured LDAP-UX B.04.00 or an earlier version using the default profile /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later, the product automatically updates /etc/opt/ldapux/ldapux_profile.bin to the new format. For the following cases, you must manually update the profile format by executing each PROGRAM line after you update the product to version B.04.
4. Remove the directories /etc/opt/ldapux and /opt/ldapux.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1". This step is required for HP-UX 11i v2 client systems. This step is optional for HP-UX 11i v1 systems.

WARNING! If the LDAP-UX product is removed without completing Step 5 on an HP-UX 11i v2 system, users will not be able to log onto the system. Follow these steps to resolve this problem:
1. Reboot the system in single-user mode.
2.
3.
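The lockout in the WARNING happens because a pam.conf line still names a module that no longer exists. As an added example (not from the release note), these POSIX shell functions perform Step 5 only after confirming that every service which used libpam_ldap also lists libpam_unix, and keep a copy of the original file; they assume the pam.conf field order "service type control module [options]", and the backup suffix is my choice.

```shell
#!/bin/sh
# Added example, not from the HP release note. Removes the libpam_ldap
# lines from an HP-UX pam.conf before LDAP-UX is uninstalled, after
# checking that every affected service keeps a local module, so the
# lockout described in the WARNING cannot happen. Assumes the pam.conf
# field order "service type control module [options]".

# Print the configuration with every libpam_ldap line dropped. The
# pattern matches both libpam_ldap.1 (11i v1) and libpam_ldap.so.1 (11i v2).
strip_pam_ldap() {
    grep -v 'libpam_ldap' "$1"
}

# Each service/type pair that currently uses libpam_ldap must also list
# libpam_unix; otherwise, once the LDAP line is gone, that service has
# no module left to authenticate anyone. Exit status 0 means safe.
check_local_fallback() {
    awk 'BEGIN { bad = 0 }
         $4 ~ /libpam_ldap/ { need[$1 " " $2] = 1 }
         $4 ~ /libpam_unix/ { have[$1 " " $2] = 1 }
         END {
             for (k in need)
                 if (!(k in have)) { print "no local module for: " k; bad = 1 }
             exit bad
         }' "$1"
}

# Keep a copy of the original (suffix is a placeholder), then rewrite
# the file only if the fallback check passes.
# Usage: remove_pam_ldap /etc/pam.conf
remove_pam_ldap() {
    conf=$1
    check_local_fallback "$conf" || return 1
    cp -p "$conf" "$conf.pre-ldapux-removal" || return 1
    strip_pam_ldap "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}
```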
Documentation

The documentation below is available on the HP-UX Documentation web site at http://docs.hp.com/hpux/internet or where indicated.

Table 1-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway

Title                                                        Description
LDAP-UX Client Services B.04.15 Administrator’s Guide        How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services.
(part number J4269-90075)
LDAP-UX Client Services B.04.
Known Problems and Workarounds for LDAP-UX Client Services

This section describes all currently known problems with the LDAP-UX Client Services product.

• Active Directory Server Problem
If a password expires, the user cannot log into HP-UX clients.
Workaround: The administrator will have to reset the password, or the user will have to log into the Windows 2000, 2003 or 2003 R2 system to reset the password before he can log into HP-UX machines.
ipHostNumber: 15.13.95.92
cn: machineA
cn: hpma01.cup.hp.com

Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.

• Secondary Group Problem
If a user’s secondary group is specified by x.
On HP-UX 11i v1 and v2, the maximum length of a user or group name is eight characters.

LDAP Directory Interoperability

The LDAP-UX product has been certified under the Open Group’s "works with LDAP 2000" branding. LDAP-UX has been designed to work with any directory server that supports the RFC 2307 schema or a similar syntactic schema (such as the Microsoft Services For Unix 3.0 schema).
— publickey
— protocols
— user-defined maps
• LDAP-UX Client Services using Windows 2000/2003/2003 R2 Active Directory Server does not support netgroup and publickey service data.
• LDAP-UX Client Services using Windows 2000/2003/2003 R2 Active Directory Server currently supports hosts, protocols, networks, rpc, automount and services in a single domain. It only supports passwd and group service data in multiple domains.
Table 1-5 Unsupported HP-UX Commands (continued)

useradd(1M), userdel(1M), usermod(1M)       These commands do not manage user information in the directory.
groupadd(1M), groupdel(1M), groupmod(1M)    These commands do not manage group information in the directory.

To change entries in a directory, you can use directory administration tools such as ldapmodify, ldapsearch, ldapdelete and ldapentry.
command shows an example of how to download the profile manually. If your profile changes frequently, you may wish to place this in a script that is called periodically by cron.

/opt/ldapux/config/get_profile_entry -s NSS -D \
"
3. netgroups may not be stored in ADS.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features.
6. Identities stored in the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
7. NSS refers to the Name Service Subsystem, such as passwd, group, etc.
NIS/LDAP Gateway

This section provides information about known problems fixed in NIS/LDAP Gateway, compatibility and installation requirements, as well as limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC 2307 specification (a schema for storing POSIX account and administration data in an LDAP directory).
• If you have already configured other NIS/LDAP Gateway servers on other systems, you can simply duplicate the configuration file /opt/ldapux/ypldapd/etc/ypldapd.conf on the local system.
• Otherwise, edit the file /opt/ldapux/ypldapd/etc/ypldapd.conf and add the appropriate values according to the descriptions in the file.
• Minimally, you will need to update the ypdomain, ldaphost, basedn, binddn and bindcred parameters.
Limitations in NIS/LDAP Gateway

The following are limitations in this version of the NIS/LDAP Gateway.

• Crypt Passwords
The NIS/LDAP Gateway product requires that user passwords be stored in the directory server in the same format as in an /etc/passwd file. This is known as “Unix Crypt” format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server. However, these users will not be able to authenticate to the directory server.