LDAP-UX Integration B.04.
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
1 LDAP-UX Integration B.04.17 Release Note ........ 7
  LDAP-UX Integration Overview ........ 7
    LDAP-UX Client Services Overview ........ 7
    NIS/LDAP Gateway Overview
  Known Problems and Workarounds ........ 26
  Limitations in NIS/LDAP Gateway

List of Tables
1-1 Required HP-UX 11i v1 Patches ........ 10
1-2 AutoFS Patch on HP-UX 11i v2 ........ 11
1-3 Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2 ........ 11
1-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway
1 LDAP-UX Integration B.04.17 Release Note

LDAP-UX Integration Overview

The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, it allows HP-UX client systems to use an LDAP directory as their repository for name service data. LDAP-UX Integration enables the LDAP directory to be used as a single-source repository for HP-UX authentication, authorization, user data and account management.
NIS/LDAP Gateway Overview

The NIS/LDAP Gateway Server (NisLdapServer subproduct) software helps HP-UX servers and workstations integrate more closely with an LDAP directory. Specifically, it allows an NIS client to use an LDAP directory as its repository for NIS maps. The product provides an NIS-to-LDAP gateway that converts NIS RPC requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features.
LDAP-UX Client Services

This section contains the following information about LDAP-UX Client Services B.04.17:
• Known Problems Fixed in LDAP-UX Client Services B.04.17
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds
• Limitations in LDAP-UX Client Services

Known Problems Fixed in LDAP-UX Client Services B.04.
See the swlist(1M) man page for more information. Patches can be obtained from the HP Electronic Support Center at http://us-support.external.hp.com/ or http://europe-support.external.hp.com/. If these patches are not available, contact your HP support representative for the latest versions. A patch number can be superseded at any time.
NOTE: If AutoFS support with LDAP is not required in your environment, installation of Enhanced AutoFS B.11.11.0509 is not required.

AutoFS with LDAP Support on HP-UX 11i v2

To support the automount feature in LDAP on HP-UX 11i v2, you must install the patch shown in Table 1-2:

Table 1-2 AutoFS Patch on HP-UX 11i v2
Patch Number   Platform             Automatic Reboot?   Description
PHNE_33100     Workstation/Server   yes                 ONC AutoFS LDAP support patch.
Enhkey B.11.23.01   HP-UX B.11.23 IA+PA depot for HP-UX 11i v2

For detailed information, refer to the ONC With Publickey LDAP Support Software Pack Release Notes available at http://docs.hp.com.

NOTE: If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.

Kerberos Support on HP-UX 11i v1 or v2

To support integration with Active Directory Server, a specific version of the PAM-Kerberos product is required.
signed the LDAP server's certificate) from your certificate server as a Base64-encoded certificate and use the certutil utility to create the cert8.db and key3.db security database files. Use the following steps to create the security database files:
1. Retrieve the Base64-encoded certificate from the certificate server and save it.
2. Use the rm command to remove the old database files, /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db:
   rm -f /etc/opt/ldapux/cert8.db /etc/opt/ldapux/key3.db
3.
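The following script is an added example, not part of the HP release note: it checks that the saved file really holds one Base64 (PEM) certificate before the old database files are removed and a new database is built. It assumes the NSS certutil utility is on the PATH, uses the /etc/opt/ldapux directory named in the steps above, and chooses the nickname "LDAP CA" itself; the specific certutil invocations are this example's assumption of how the database is created and the CA imported.

```shell
#!/bin/sh
# Added example (not from the HP release note): validate a saved Base64/PEM
# CA certificate, then rebuild the LDAP-UX NSS security database from it.
# Assumptions: NSS certutil is on PATH; the database directory defaults to
# /etc/opt/ldapux (from the note); the nickname "LDAP CA" is our own choice.

DBDIR=${DBDIR:-/etc/opt/ldapux}

# is_base64_cert FILE -> 0 if FILE holds exactly one PEM certificate block
is_base64_cert() {
    f=$1
    [ -r "$f" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# rebuild_cert_db CAFILE: remove the old cert8.db/key3.db, create a fresh
# database and import CAFILE as a trusted CA for server certificates.
rebuild_cert_db() {
    ca=$1
    is_base64_cert "$ca" || { echo "not a single PEM certificate: $ca" >&2; return 1; }
    rm -f "$DBDIR/cert8.db" "$DBDIR/key3.db"
    # create an empty database; -f /dev/null supplies an empty database password
    certutil -N -d "$DBDIR" -f /dev/null || return 1
    # import the CA with trust flags that allow it to sign SSL server certificates
    certutil -A -d "$DBDIR" -n "LDAP CA" -t "CT,," -i "$ca" || return 1
    # verify that the CA is now listed in the new database
    certutil -L -d "$DBDIR" -n "LDAP CA" >/dev/null || return 1
}

# Run only when a certificate file is given as the first argument.
if [ $# -gt 0 ]; then rebuild_cert_db "$1"; fi
```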
1. When your LDAP directory is configured and contains your name service data, you can run the setup program and follow the prompts to configure your client:
   cd /opt/ldapux/config
   ./setup
   NOTE: At the end of setup, you will be prompted to start/restart ldapclientd. You can choose not to start it right away. However, you must start the ldapclientd daemon for LDAP-UX functions to work. For details on running the setup program, refer to the LDAP-UX Client Services B.04.15 Administrator's Guide.
2.
LDAP-UX Client Services will also use SFU 3.0/3.5 in the absence of the softlink /etc/opt/ldapux/defualt_profile_attr_ads.ldif.

Profile Format Changes

The profile format changed in product version B.04.10. If you previously configured LDAP-UX B.04.00 or an earlier version using the default profile /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later, the product automatically updates /etc/opt/ldapux/ldapux_profile.bin to the new format.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1". This step is required for HP-UX 11i v2 client systems and optional for HP-UX 11i v1 systems.

WARNING! If the LDAP-UX product is removed without completing Step 5 on an HP-UX 11i v2 system, users will not be able to log on to the system. Follow these steps to resolve the problem:
1. Reboot the system in single-user mode.
2. Execute the "mountall" command to mount the file systems.
3.
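The following script is an added example, not part of the HP release note: it performs the Step 5 edit on a pam.conf and refuses to write the result if any service would be left with no PAM module line at all, which is the lock-out the warning above describes. It assumes the HP-UX "service type control module [options]" line layout and takes the file paths as arguments so it can be exercised on a constructed copy before touching /etc/pam.conf.

```shell
#!/bin/sh
# Added example (not from the HP release note): remove every pam.conf line
# that references libpam_ldap.so.1, but only if every service that had a
# module line before still has one afterwards. Assumptions: HP-UX pam.conf
# lines look like "service type control module [options]"; SRC and DST are
# parameters so the function can be tested on a constructed file.

# strip_pam_ldap SRC DST -> writes the filtered file to DST (SRC is backed up
# to SRC.bak); returns 1 and writes nothing if a service would disappear.
strip_pam_ldap() {
    src=$1; dst=$2
    tmp=$(mktemp) || return 1
    grep -v 'libpam_ldap\.so\.1' "$src" > "$tmp" || true   # grep -v exits 1 on empty output
    # service names present before and after the edit; each must survive
    before=$(awk '$1 !~ /^#/ && NF >= 4 { print $1 }' "$src" | sort -u)
    after=$(awk '$1 !~ /^#/ && NF >= 4 { print $1 }' "$tmp" | sort -u)
    if [ "$before" != "$after" ]; then
        echo "refusing: a service would be left without any PAM module" >&2
        rm -f "$tmp"; return 1
    fi
    cp "$src" "$src.bak" && cat "$tmp" > "$dst"
    rm -f "$tmp"
}

# count_ldap_lines FILE -> number of lines still naming libpam_ldap.so.1
count_ldap_lines() {
    grep -c 'libpam_ldap\.so\.1' "$1" || true
}

# Run only when given source and destination paths, e.g. /etc/pam.conf twice.
if [ $# -eq 2 ]; then strip_pam_ldap "$1" "$2"; fi
```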
Documentation

The documentation below is available on the HP-UX Documentation web site at http://docs.hp.com/hpux/internet or where indicated.

Table 1-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway
Title                                                    Description
LDAP-UX Client Services B.04.15 Administrator's Guide    How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services. (part number J4269-90083)
LDAP-UX Client Services B.04.
Known Problems and Workarounds for LDAP-UX Client Services

This section describes all currently known problems with the LDAP-UX Client Services product.

• Active Directory Server Problem
  If a password expires, the user cannot log into HP-UX clients.
  Workaround: The administrator will have to reset the password, or the user will have to log into the Windows 2000, 2003 or 2003 R2 system to reset the password before logging into HP-UX machines.
  ipHostNumber: 15.13.95.92
  cn: machineA
  cn: hpma01.cup.hp.com
  Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.

• Secondary Group Problem
  If a user's secondary group is specified by x.
LDAP Directory Interoperability

The LDAP-UX product has been certified under The Open Group's "Works with LDAP 2000" branding. LDAP-UX has been designed to work with any directory server that supports the RFC 2307 schema or a syntactically similar schema (such as the Microsoft Services For Unix 3.0 schema). The LDAP-UX product requires the "Configuration Profile" schema, which is defined at the IETF drafts web site http://www.ietf.org/ID.html. This draft is currently published as draft-joslin-config-schema-07.
  — protocols
  — user-defined maps
• LDAP-UX Client Services using Windows 2000/2003/2003 R2 Active Directory Server does not support netgroup and publickey service data.
• LDAP-UX Client Services using Windows 2000/2003/2003 R2 Active Directory Server currently supports hosts, protocols, networks, rpc, automount and services in a single domain. It only supports passwd and group service data in multiple domains.
You can use the LDAP User and Group command-line tools, ldapugadd, ldapugdel and ldapugmod, to manage the user and group entries in your LDAP directory server. The syntax for the LDAP tools is similar to the unsupported HP-UX tools, such as useradd, userdel, usermod, etc. For more information about tool usage, syntax, options and environment variables supported by the LDAP tools, refer to the man pages ldapugadd(1M), ldapugdel(1M) and ldapugmod(1M).
Changing authentication methods

If you wish to switch from your current authentication method, such as SIMPLE or SASL/DIGEST-MD5, to SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/DIGEST-MD5, you must restart the ldapclientd daemon after making the configuration changes. This step is required to ensure that the proper GSS-API, Kerberos and/or SSL initialization is completed.
6. NSS refers to the Name Service Subsystem, such as passwd, group, etc. For more information, refer to the nsswitch.conf(4) man page.
7. PAM refers to the Pluggable Authentication Module subsystem. For more information, refer to the pam(3) man page.

Additional Limitations with Active Directory

• ldapentry Not Certified for Active Directory
  ldapentry, a new client administration tool that simplifies adding, modifying, and deleting database entries, is not certified for use with Active Directory.
NIS/LDAP Gateway

This section provides information about known problems fixed in NIS/LDAP Gateway, compatibility and installation requirements, and limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC 2307 specification (a schema for storing POSIX account and administration data in an LDAP directory).
• If you have already configured other NIS/LDAP Gateway servers on other systems, you can simply duplicate the configuration file /opt/ldapux/ypldapd/etc/ypldapd.conf on the local system.
• Otherwise, edit the file /opt/ldapux/ypldapd/etc/ypldapd.conf and add the appropriate values according to the descriptions in the file. Minimally you will need to update the ypdomain, ldaphost, basedn, binddn and bindcred parameters.
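The following script is an added example, not part of the HP release note or the ypldapd product: before starting the gateway it checks that the five parameters named above are present and non-empty, and, because bindcred is a directory credential stored in clear text, that the file is not readable by group or others. It assumes a "parameter value" one-per-line layout for ypldapd.conf and takes the file path as an argument.

```shell
#!/bin/sh
# Added example (not from the HP release note): sanity-check a ypldapd.conf
# before starting the NIS/LDAP Gateway. Assumptions: one "parameter value"
# pair per line with "#" comments; the file path is passed in by the caller.

REQUIRED="ypdomain ldaphost basedn binddn bindcred"

# param_value FILE NAME -> prints the value of the first non-comment NAME line
param_value() {
    awk -v name="$2" '$1 !~ /^#/ && $1 == name { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# check_ypldapd_conf FILE -> 0 if every required parameter is set and the
# group/other permission bits are all clear; each problem is reported on stderr.
check_ypldapd_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    for p in $REQUIRED; do
        v=$(param_value "$conf" "$p")
        if [ -z "$v" ]; then
            echo "missing or empty parameter: $p" >&2; rc=1
        fi
    done
    # bindcred is a clear-text credential: columns 5-10 of ls -l are the
    # group and other permission bits, and all six must be "-"
    perm=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "group/other permissions '$perm' expose bindcred" >&2; rc=1
    fi
    return $rc
}

# Run only when a configuration file path is given as the first argument.
if [ $# -eq 1 ]; then check_ypldapd_conf "$1"; fi
```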
format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server. However, these users will not be able to authenticate to the directory server. One side effect is that users will not be able to change their own passwords (although a directory administrator could accomplish this on a user's behalf). Also, other LDAP-enabled applications may not work correctly.