LDAP-UX Integration B.04.15 Release Notes

Table 1-5 Unsupported HP-UX Commands (continued)

Command                                    Description
useradd(1M), userdel(1M), usermod(1M)      These commands do not manage user information in the directory.
groupadd(1M), groupdel(1M), groupmod(1M)   These commands do not manage group information in the directory.
To change entries in a directory, you can use directory administration tools such as ldapmodify, ldapsearch, ldapdelete and ldapentry.
Clear Text Passwords
login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the network unless SSL or SASL DIGEST-MD5 authentication is enabled with setup. However, SASL DIGEST-MD5 may pose a security risk, as the Directory Server may store the password in clear text.

(NOTE: By default, SSL and SASL DIGEST-MD5 authentication are disabled.)

You can alternately use secure encrypted transport through the IPSec/9000 product for stronger security. See the IPSec/9000 documentation at: http://docs.hp.com/hpux/communications/.
Man page for ldapclientd.conf
Limitations in the man command require specifying the section number, as in man 4 ldapclientd.conf, to view the man page for ldapclientd.conf.
LDAP Security Policy Enforcement
With LDAP directory servers that support security policies (such as account or password expiration), it is possible for HP-UX logins to adhere to these policies. The design of the LDAP protocol enforces both authentication and security policies in the same operation (ldap_bind). The design of the PAM subsystem separates authentication and security policy enforcement into two separate APIs, as configured under the "auth" and "account" portions of the /etc/pam.conf file. Because of these design differences, administrators need to be aware that it is not possible to use libpam_ldap for either just authentication or just security policy enforcement. For example, it is not possible to use ssh public keys for authentication and then use libpam_ldap for account policy enforcement, since libpam_ldap does not have a password it can use to bind to the directory server. The same is true if Kerberos is used for authentication; libpam_ldap cannot be used for security policy enforcement alone.

Starting with LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and password security policy enforcement without requiring LDAP-based authentication. This feature supports applications, SSH (Secure Shell) or r-commands with .rhost enabled, where authentication is performed by the command itself.
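As an added example that is not part of these release notes, the following Python script scans an HP-UX style /etc/pam.conf (one entry per line: service, module type, control flag, module path, options) and reports services whose auth and account stacks disagree about libpam_ldap, which is the split the text says libpam_ldap cannot support. The sample configuration and the module file names in it are constructed for illustration and are not copied from a real system.

```python
"""Flag pam.conf services that use libpam_ldap in only one of the auth
and account stacks. Assumption: HP-UX style pam.conf entries of the form
  service  module_type  control_flag  module_path  [options]"""
from collections import defaultdict

# Constructed sample configuration; module file names are illustrative only.
SAMPLE_PAM_CONF = """\
# login authenticates and enforces policy through libpam_ldap: consistent
login    auth     sufficient  libpam_ldap.so.1
login    auth     required    libpam_unix.so.1
login    account  sufficient  libpam_ldap.so.1
login    account  required    libpam_unix.so.1
# sshd authenticates with public keys, then expects libpam_ldap to enforce
# policy; libpam_ldap has no password to bind with, so this cannot work
sshd     auth     required    libpam_unix.so.1
sshd     account  required    libpam_ldap.so.1
# telnet binds to the directory for auth but never checks LDAP policy
telnet   auth     sufficient  libpam_ldap.so.1
telnet   account  required    libpam_unix.so.1
"""

def parse_pam_conf(text):
    """Return {service: {module_type: [module_path, ...]}} in file order,
    skipping comments, blank lines and entries with fewer than four fields."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed entry
        service, module_type, _control_flag, module_path = fields[:4]
        stacks[service][module_type].append(module_path)
    return stacks

def uses_pam_ldap(module_paths):
    """True if any module path on the stack is a libpam_ldap build."""
    return any("libpam_ldap" in path for path in module_paths)

def find_split_ldap_services(text):
    """Return {service: 'auth only' | 'account only'} for every service
    where libpam_ldap appears in exactly one of the two stacks."""
    findings = {}
    for service, by_type in parse_pam_conf(text).items():
        in_auth = uses_pam_ldap(by_type.get("auth", []))
        in_account = uses_pam_ldap(by_type.get("account", []))
        if in_auth != in_account:
            findings[service] = "account only" if in_account else "auth only"
    return findings

if __name__ == "__main__":
    for service, where in sorted(find_split_ldap_services(SAMPLE_PAM_CONF).items()):
        print(f"{service}: libpam_ldap in {where} stack; the release notes say this split is unsupported")
```

Services flagged "account only" are candidates for PAM_AUTHZ in the account stack (LDAP-UX 4.1 and later) rather than libpam_ldap.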
SASL/GSSAPI Profile Download Support
The current release of LDAP-UX does not support downloading the LDAP-UX profile automatically when used with SASL/GSSAPI authentication, where that authentication uses a host or service principal whose key is stored in a Kerberos keytab file. This limitation impacts the ability of the LDAP-UX product to support the "profile time to live" feature, which automatically re-downloads a profile after its profileTTL time period has expired.

In this situation, profiles can still be downloaded manually using the get_profile_entry command, as long as a principal and password are provided on the command line. The following