LDAP-UX Integration B.04.20 Release Notes (April 2010 Update)
the method TDS uses to map LDAP attribute names into DB2 table names. It occurs
when two distinct LDAP attribute names map to the same DB2 table name. To work
around this problem, use the process described in “Known Problems and Workarounds”
(page 31)
— The setup utility reports that the automount schema, as defined by RFC2307, is not
installed on the directory server. It then asks if the setup administrator would like to
install that schema. However, TDS v6.2 does provide the full RFC2307 schema by default.
The setup utility reports this message in error and the administrator should select No
when asked if setup should attempt to install the automount schema.
3.6.17.2 Utilities
• By default, TDS enforces strict schema checking. As a result, some LDAP-UX utilities
must be used more strictly than with other directory servers.
For example, TDS enforces the definition that directory entries using the groupOfNames
or groupOfUniqueNames object classes must have at least one member. If LDAP-UX is
configured to use either of these object classes to represent group membership in HP-UX,
then at least one member must be specified using the -M option when the ldapugadd
command is used to create a new group.
• Some directory servers support the curly brace syntax in the userPassword attribute, such
as the {crypt} prefix that is used to create a Unix-style hashed password in the userPassword
field. This syntax is not compatible with TDS. Commands that generate this syntax should
not be used. For this reason, the -c option on the ldappasswd command is not supported
with TDS.
LDAP-UX is not dependent on the {crypt} password syntax in the userPassword attribute.
The ability to create {crypt} based passwords in ldappasswd is provided for legacy
applications that don’t support the Pluggable Authentication Module (PAM) API and must
examine and set the userPassword field directly.
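The two restrictions above (group entries must carry at least one member, and {crypt}-style userPassword values are not accepted) can be caught before an LDIF file is loaded into TDS. The following is an added example, not code from the LDAP-UX release notes or from the LDAP-UX product: a small LDIF pre-check written in Python. It assumes the standard member and uniqueMember attributes for groupOfNames and groupOfUniqueNames, and the sample LDIF entries are constructed and simplified (the password hashes are placeholders).

```python
"""LDIF pre-check for two TDS restrictions: empty groups and {scheme}-prefixed
userPassword values. Added example, not code from the HP LDAP-UX release notes;
the sample LDIF at the bottom is constructed for illustration."""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Object classes whose member attribute TDS requires to be non-empty. Names are
# lower-cased because LDAP attribute and object class names are case-insensitive.
REQUIRED_MEMBER_ATTR = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
}
# Curly-brace scheme prefix such as {crypt} or {SHA} at the start of a userPassword.
SCHEME_PREFIX = re.compile(r"^\{[^}]+\}")


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF content parser: entries separated by blank lines, the
    'attr: value' and base64 'attr:: value' forms, and folded continuation lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # attr:: <base64 value>
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def lint_for_tds(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, problem) pairs for entries that TDS would reject."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        dn = entry.get("dn", ["<missing dn>"])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        for oc, member_attr in REQUIRED_MEMBER_ATTR.items():
            if oc in classes and not entry.get(member_attr):
                findings.append((dn, f"{oc} has no {member_attr}: TDS strict schema "
                                     f"checking rejects it (ldapugadd needs -M)"))
        for pw in entry.get("userpassword", []):
            match = SCHEME_PREFIX.match(pw)
            if match:
                findings.append((dn, f"userPassword uses the {match.group(0)} "
                                     f"prefix, which TDS does not accept"))
    return findings


def lint_ldif(text: str) -> List[Tuple[str, str]]:
    return lint_for_tds(parse_ldif(text))


# Constructed sample: one valid group, one empty group, and two {crypt} passwords
# (the second base64-encoded, the LDIF form tools often emit for userPassword).
# The hash values are placeholders, not real password hashes.
SAMPLE_LDIF = (
    "dn: cn=admins,ou=Groups,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: groupOfNames\ncn: admins\n"
    "member: uid=alice,ou=People,dc=example,dc=com\n\n"
    "dn: cn=empty,ou=Groups,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: groupOfUniqueNames\ncn: empty\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: posixAccount\nuid: bob\n"
    "userPassword: {crypt}$1$placeholder$PLACEHOLDERHASH\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\n"
    "objectClass: top\nobjectClass: posixAccount\nuid: carol\n"
    "userPassword:: " + base64.b64encode(b"{crypt}PLACEHOLDERHASH").decode() + "\n"
)

if __name__ == "__main__":
    for dn, problem in lint_ldif(SAMPLE_LDIF):
        print(f"{dn}: {problem}")
```

Run against the constructed sample, the check flags the empty groupOfUniqueNames entry and both {crypt} passwords, and leaves the populated group alone. The parser is deliberately small (no "attr:< url" form, no change records); it is meant as a pre-load check on exported LDIF, not as a general LDIF library.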
• Installation of user-defined schema using the ldapschema utility is supported. When using
ldapschema with TDS, the -T "ibm" option should be specified. However, ldapschema
cannot avoid the DB2 table name collision error, as described above. If such a collision occurs,
ldapschema returns the “constraint violation” error.
• If ldapschema is used to install the RFC2307 schema on TDS and the pre-installed version
of the RFC2307 schema is installed, ldapschema reports the following error:
OBJECT_MISMATCH: definition of object class "posixGroup"
is incompatible with the definition already
installed in the LDAP server schema.
This error is caused by different interpretations of the RFC2307 schema. However, LDAP-UX
is compatible with either interpretation.
3.6.17.3 Security
• User authentication with LDAP-UX through the libpam_ldap library does not support
analysis of TDS password, account and security policy. TDS supports certain security policy
features, such as password expiration, account lockout, and account disabled. The known
integration issues are as follows. However, additional limitations might exist.
— libpam_ldap does not display password expiration warnings (as set by the
pwdExpireWarning policy). If a password is about to expire (but has not yet expired),
libpam_ldap allows authentication without any warning indications.
— libpam_ldap is not aware of the condition in which the user must change their password.
This condition is indicated by the pwdReset=true value and is encountered when an
administrator has reset a user's password while the pwdMustChange policy is set to true. In
30 LDAP-UX Client Services