LDAP-UX Integration B.04.
© Copyright 2001–2010 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
Publication History (page 7)
1 LDAP-UX Integration Overview (page 9)
2 New in LDAP-UX Integration B.04.20 (page 11)
3 LDAP-UX Client Services (page 13)
3.
4 NIS/LDAP Gateway (page 35)
4.1 NIS/LDAP Gateway Overview (page 35)
4.2 LDAP Client Administration Tools Overview (page 35)
4.3 Compatibility and Installation Requirements for NIS/LDAP Gateway (page 35)
4.3.
List of Tables
3-1 Required HP-UX 11i v1 Patches (page 16)
3-2 AutoFS Patch on HP-UX 11i v2 (page 17)
3-3 Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2 (page 17)
3-4 Unsupported HP-UX Commands
Publication History
The document publication date and part number indicate its current edition. The publication date will change when a new edition is released. To ensure that you receive the new editions, you should subscribe to the appropriate product support service. Contact your HP sales representative for details. You can find the various versions of this document at: http://docs.hp.com
April 2010, Part Number 5900-0822: Added note advising of the impact that the LDAP SDK update to Mozilla version 6.0.
1 LDAP-UX Integration Overview
The LDAP-UX Integration for HP-UX product uses the Lightweight Directory Access Protocol (LDAP) to centralize HP-UX user, group, and network information management in an LDAP directory. LDAP-UX Integration enables the LDAP directory to be used as a single source repository for HP-UX authentication, authorization, user data and account management.
2 New in LDAP-UX Integration B.04.20
LDAP-UX Integration B.04.20 offers the following new features:
• Windows 2008: Supports Active Directory Server for Windows 2008
• IBM TDS: Supports IBM Tivoli Directory Server v6.2
• Larger NGROUPS: As part of the effort to increase the NGROUPS limit, HP-UX now includes a new kernel tunable, ngroups_max, that specifies the maximum number of supplementary groups that can be associated with a user or process.
3 LDAP-UX Client Services
This section contains the following information about LDAP-UX Client Services B.04.20:
• LDAP-UX Client Services Overview
• Known Problems Fixed in LDAP-UX Client Services B.04.20
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Installing and Configuring the LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds for LDAP-UX Client Services
• Limitations in LDAP-UX Client Services
— Limitations with IBM Tivoli Directory Server v6.2
3.
• Defect Number QXCR1000573975: LDAP-UX would not properly display group membership in ADS if member DNs had a comma in the RDN.
• Defect Number QXCR1000579039: Added support for attribute mapping for msSFU30PosixMember.
• Defect Number QXCR1000593307: ypcat would not always return all groups when using ypldapd.
• Defect Number QXCR1000570696: Some pam-enabled applications would fail to load the pam libraries when pam_ldap was configured.
• Defect Number QXCR1000846087: LDAP-UX does not clearly display when TLS is being configured. Instead it always reports SSL.
• Defect Number QXCR1000796353: The pam_authz module could not be called as an authentication service module. It only supported the account management function. Note that since pam_authz performs authorization only, not authentication, it should never be marked as "sufficient" or be the only module used as an authentication service.
3.3.1.3 Operating System Requirements
HP-UX 11i v1, 11i v2 or 11i v3.
3.3.1.4 Patch Requirements
For 11i v1, HP requires that you install the patch listed in Table 1-1, shown below. For 11i v2 or v3, no patch is required. You may use the following command to determine which patches are installed on your system:
/usr/sbin/swlist -l product | grep PH | more
See the swlist(1M) manpage for more information.
NOTE: See the following notes:
• A patch number suffixed with * above is a dependency of the patch that immediately precedes it in the table.
• If you store POSIX information for passwd and group in multiple ADS domains, PHSS_36286 is required. If you only use a single domain, PHSS_36286 is optional.
• If you wish to use SASL/GSSAPI proxy authentication, you must first install patches PHSS_29487 and PHSS_36286 and then install the latest version of the KRB5CLIENT product available at software.hp.com.
3.3.1.
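As an added illustration (not an HP tool), the following Python function applies the patch-dependency rules from the note above to the output of /usr/sbin/swlist -l product. The swlist output embedded in it is constructed, and only the rules stated in the note are encoded; the Table 1-1 patch list itself is not reproduced.

```python
"""Apply the LDAP-UX patch-dependency notes to 'swlist -l product' output.

Added example, not an HP tool. Only the rules stated in the note above
are encoded; the Table 1-1 patch list itself is not reproduced.
"""
import re

# Constructed sample of '/usr/sbin/swlist -l product' output (not real
# system data): comment lines start with '#', product lines are
# indented as "<name> <revision> <title>".
SAMPLE_SWLIST = """\
# Initializing...
# Contacting target "hpma01"...
  KRB5CLIENT      D.1.6.2        Kerberos Client
  LDAPUX          B.04.20        LDAP-UX Integration
  PHSS_29487      1.0            LDAP-UX Integration patch
"""

PRODUCT_LINE = re.compile(r"^\s+(\S+)\s+(\S+)\s+(.*)$")


def installed_products(swlist_output):
    """Return {product_name: revision} for each product line in the output."""
    found = {}
    for line in swlist_output.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # skip swlist's comment and blank lines
        m = PRODUCT_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def missing_patches(swlist_output, multi_domain_ads=False, sasl_gssapi=False):
    """List the products the note requires for this setup but swlist lacks.

    multi_domain_ads: POSIX passwd/group data lives in multiple ADS
                      domains, so PHSS_36286 is required, not optional.
    sasl_gssapi:      SASL/GSSAPI proxy authentication will be used, which
                      needs PHSS_29487 and PHSS_36286, then KRB5CLIENT
                      (only presence is checked here, not its version).
    """
    have = installed_products(swlist_output)
    needed = set()
    if multi_domain_ads:
        needed.add("PHSS_36286")
    if sasl_gssapi:
        needed.update({"PHSS_29487", "PHSS_36286", "KRB5CLIENT"})
    return sorted(p for p in needed if p not in have)
```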
You can download the Enhanced Publickey-LDAP software bundle from the following Software Depot web site:
• Go to the HP Software Depot website: http://www.hp.com/go/softwaredepot
• Click on the Enhancement releases and patch bundles link.
• Select the following links:
— HP-UX Software Pack (Optional HP-UX 11i v1 Core Enhancements) for HP-UX 11i v1 → HP-UX Public Key LDAP for HP-UX 11i v1
• Select and download the following software bundle: Enhkey B.11.11.01 HP-UX B.11.
3. If you require ONC publickey, ONC AutoFS, or integration with Active Directory Server, see the above section for details about required product versions and how to obtain them. Install those products and/or patches for this step.
4. Install the required patches listed above, if they have not been installed yet.
NOTE: Starting with LDAP-UX product version B.03.20 or later, a system reboot is not required after installing the product.
NOTE: The -t "p,," represents the minimum trust attributes that may be assigned to the LDAP server's certificate for LDAP-UX to successfully use SSL to connect to the LDAP directory server. For additional information, see the following website: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
If you want to use LDAP-UX with Microsoft Windows 2003 Active Directory with Services for UNIX version 2.0 (SFU 2.
3.4.3 Configuring for Use with Microsoft Windows Active Directory Server
The LDAP-UX Client Services provides default attributes and search descriptor settings to work with Microsoft Windows Services for UNIX 3.0 or 3.5 (SFU 3.0/SFU 3.5) when working with the Windows 2003/2003 R2/2008 Active Directory Server. Windows 2003 R2/2008 Active Directory Server provides the ADS 2003 R2's RFC2307 schema, which is compliant with the IETF RFC2307 standard. If you use SFU 2.
# /opt/ldapux/config/create_profile_cache \
    -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorig.mycom.com \
    -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com
# /opt/ldapux/config/create_profile_cache \
    -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorig.mycom.com \
    -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com
Then start or restart the client daemon, /opt/ldapux/bin/ldapclientd.
3.4.
3.5 Known Problems and Workarounds for LDAP-UX Client Services
This section describes all currently known problems with the LDAP-UX Client Services product.
• Active Directory Server
Problem: If a password expires, the user cannot log into HP-UX clients.
Workaround: The administrator will have to reset the password, or the user will have to log into the Windows 2003, 2003 R2, or 2008 system to reset the password before he can log into HP-UX machines.
ipHostNumber: 15.13.95.92
cn: machineA
cn: hpma01.cup.hp.com
Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.
3.6 Limitations in LDAP-UX Client Services
The following are limitations in this version of the LDAP-UX Client Services.
3.6.
The "Configuration Profile" schema will be automatically installed on directory servers that support online modification of the subschema subentry. The following directories have been tested or minimally verified:
• Red Hat Directory Server 7.1/8.0 for HP-UX - Fully tested and supported
• Microsoft Windows 2003/2008 Active Directory - Fully tested and supported
• IBM Tivoli Directory Server (TDS) v6.2 - Fully tested and supported with limitations.
• LDAP-UX Client Services using Windows 2003/2003 R2/2008 Active Directory Server currently supports hosts, protocols, networks, rpc, automount and services in a single domain. It only supports passwd and group service data in multiple domains.
• The LDAP-UX Client Services daemon, /opt/ldapux/bin/ldapclientd, caches only passwd, group, netgroup and automount service data.
3.6.
3.6.10 Clear Text Passwords
login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the network unless SSL or SASL DIGEST-MD5 authentication is enabled with setup. However, SASL DIGEST-MD5 may itself pose a security risk, as the Directory Server may store the password in clear text. (NOTE: By default, SSL and SASL DIGEST-MD5 authentication are disabled.) You can alternately use secure encrypted transport through the IPSec/9000 product for stronger security.
3.6.
3.6.16 Additional Limitations with Active Directory
• ldapentry Not Certified for Active Directory: ldapentry, a new client administration tool to simplify adding, modifying, and deleting database entries, is not certified for use with Active Directory.
• Limited Name Service Database Support for Multiple Domains: LDAP-UX Client Services, using Windows 2003 or 2008 Active Directory Server with multiple domains, currently only supports the passwd and group name services.
— the method TDS uses to map LDAP attribute names into DB2 table names. It occurs when two different LDAP attribute names generate the same DB2 table name, even though different attribute names are used. To work around this problem, use the process described in "Known Problems and Workarounds" (page 31).
The setup utility reports that the automount schema, as defined by RFC2307, is not installed on the directory server. It then asks if the setup administrator would like to install that schema.
this condition, libpam_ldap allows the user to authenticate without a warning message or requiring a password change.
— libpam_ldap does not allow a user to login (or prompt the user to change his password) if the user's password is expired. This occurs when pwdChangedTime + pwdMaxAge > the current time.
— libpam_ldap depends on success or failure of the LDAP bind operation to determine if authentication to the HP-UX OS should be allowed.
Known Problem: Security Policy Enforcement
Workaround: Some of the password and account policy limitations discussed above are resolved by using the libpam_authz library to authorize PAM-based services. The libpam_authz library is used to supplement authorization analysis and does not replace libpam_ldap or any other PAM library. libpam_authz is configured in the account management section of the /etc/pam.conf file.
Connected to localhost.
Escape character is '^]'.
Local flow control on
Telnet TERMINAL-SPEED option ON

HP-UX hostname B.11.31 U ia64 (tc)

login: username
Password:
Your password has expired. Choose a new one
Old password:
New password:
Re-enter new password:
Passwd successfully changed
login:
NOTE: This password expiration policy evaluation only triggers during the password expiration warning grace period (as defined by pwdExpireWarning).
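As an added illustration of the policy evaluation described in the libpam_ldap limitations and the note above (not libpam_ldap or libpam_authz code), the following Python function classifies an account from its policy attributes: "expired" once pwdChangedTime + pwdMaxAge has passed, "warn" inside the pwdExpireWarning grace period in which the evaluation triggers, and "ok" otherwise. The entry and the timestamps are constructed.

```python
"""Classify an LDAP account against pwdChangedTime / pwdMaxAge / pwdExpireWarning.

Added example, not HP's libpam_ldap or libpam_authz code. It mirrors the
states the notes describe: no policy, ok, inside the expiration warning
grace period, or expired.
"""
from datetime import datetime, timedelta, timezone

# Constructed user entry (not real directory data). pwdChangedTime is an
# LDAP GeneralizedTime; pwdMaxAge and pwdExpireWarning are in seconds.
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "pwdChangedTime": "20100301120000Z",
    "pwdMaxAge": "7776000",        # 90 days
    "pwdExpireWarning": "604800",  # 7 days
}


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form used for pwdChangedTime (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, now):
    """Return (state, seconds_until_expiry); state is "ok", "warn" or "expired".

    seconds_until_expiry is None when no aging policy applies and negative
    once the password has expired.
    """
    max_age = int(entry.get("pwdMaxAge", "0"))
    if max_age == 0 or "pwdChangedTime" not in entry:
        return "ok", None  # no aging policy applies to this entry
    changed = parse_generalized_time(entry["pwdChangedTime"])
    expires_at = changed + timedelta(seconds=max_age)
    remaining = int((expires_at - now).total_seconds())
    if remaining <= 0:
        return "expired", remaining   # login refused / change forced
    if remaining <= int(entry.get("pwdExpireWarning", "0")):
        return "warn", remaining      # inside the warning grace period
    return "ok", remaining
```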
4 NIS/LDAP Gateway
This section provides information about known problems fixed in NIS/LDAP Gateway, compatibility and installation requirements, as well as limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC2307 specification (a schema for storing Posix account and administration data in an LDAP directory).
4.3.1.1 Memory Requirements
This product has minimal memory and disk requirements. Your system should have at least 32 MB of main memory, and at least five megabytes of free disk space under /opt. Depending on the size of your NIS maps and whether you wish to cache that data in the NIS/LDAP Gateway server, you will need additional physical main memory, approximately two to three times the total size of your existing NIS maps.
4.3.2 Operating System Requirements
HP-UX 11i v1, v2, or v3.
4.3.
4.4 Installing and Configuring LDAP Client Administration Tools
This section provides basic instructions for installing the LDAP Client Administration Tools. For complete installation and configuration instructions, see NIS/LDAP Gateway Administrator's Guide.
4.4.1 Configuration Quick Start
This product does not require any specific configuration.
• Use Preloaded Maps instead of ypall_caching You should use the preload_maps parameter to preload maps into the cache instead of ypall_caching. Use of ypall_caching can cause a performance bottleneck in the ypldapd server. For more information, see “Caching” in Installing and Administering NIS/LDAP Gateway.
5 Support and other resources
5.1 Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to: netinfo_feedback@cup.hp.com
Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
• RFC 2307, describing the schema for Posix naming information, is available at: http://www.ietf.org/rfc/rfc2307.txt
5.4 Typographic conventions
This document uses the following typographical conventions:
Book Title: Title of a book or other document.
http://www.hp.com: A website address that is a hyperlink to the site.
Emphasis: Text that is emphasized.
Bold: Text that is strongly emphasized. The defined use of an important word or phrase.
Command: Command name or qualified command phrase.