LDAP-UX Integration B.04.20 Release Notes (April 2010 Update)
this condition, libpam_ldap allows the user to authenticate without a warning message
or requiring a password change.
— libpam_ldap does not allow a user to log in (or prompt the user to change the password)
if the user’s password is expired. A password is expired when pwdChangedTime + pwdMaxAge
is earlier than the current time.
— libpam_ldap relies solely on the success or failure of the LDAP bind operation to decide
whether authentication to the HP-UX OS is allowed. An external policy that the directory
server does not evaluate during the bind has no effect on whether libpam_ldap allows or
denies authentication. For example, if ibm-pwdAccountLocked is set to TRUE, TDS still
allows the user to bind to the directory server, so libpam_ldap allows the authentication
to succeed.
Procedures to work around some of the above limitations are described in “Known Problems
and Workarounds” (page 31).
• If DIGEST-MD5 (as part of the SASL subsystem) is used for authentication, LDAP-UX only
supports uid-based (username@domain) DIGEST-MD5 IDs with TDS. Using DNs for IDs is
not a supported DIGEST-MD5 ID syntax with TDS.
• HP-UX users change their password with the passwd command. By default, TDS does not
allow users to change their password. For the passwd command to function, the default
TDS security policy must be changed to allow users to change their own passwords.
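Because libpam_ldap decides purely on the outcome of the bind, an administrator who wants to know which accounts the directory would still let in despite an expired password or an administrative lock has to evaluate those conditions outside PAM. The following audit helper is an added example for these release notes, not HP or IBM code. It assumes the entries have already been read from the directory (they are constructed inline here) and carry the standard pwdChangedTime attribute and the TDS operational attribute ibm-pwdAccountLocked; the policy's pwdMaxAge is passed in as seconds. It applies exactly the two checks the bullets above describe: expiry when pwdChangedTime + pwdMaxAge is earlier than now, and the ibm-pwdAccountLocked flag.

```python
"""Audit helper for the libpam_ldap limitations described above.

Added example, not HP or IBM code. Entries are assumed to have been fetched
from the directory already (constructed inline below) with pwdChangedTime and
the TDS operational attribute ibm-pwdAccountLocked; pwdMaxAge is in seconds.
"""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in the common YYYYmmddHHMMSSZ form (UTC).

    Other GeneralizedTime variants (fractions, UTC offsets) are rejected rather
    than silently mis-parsed.
    """
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_expired(pwd_changed_time: str, pwd_max_age: int, now: datetime) -> bool:
    """True when pwdChangedTime + pwdMaxAge is strictly earlier than now.

    A pwdMaxAge of 0 means the policy never expires passwords.
    """
    if pwd_max_age == 0:
        return False
    deadline = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_max_age)
    return deadline < now


def audit(entries, pwd_max_age: int, now: datetime) -> dict:
    """Return {uid: [findings]} for accounts a bind would still accept.

    An entry is reported when it is administratively locked, when its password
    is expired, or when its password age cannot be determined at all.
    """
    findings = {}
    for entry in entries:
        problems = []
        if entry.get("ibm-pwdAccountLocked", "FALSE").upper() == "TRUE":
            problems.append("ibm-pwdAccountLocked")
        changed = entry.get("pwdChangedTime")
        if changed is None:
            problems.append("pwdChangedTime missing (age unknown)")
        elif is_expired(changed, pwd_max_age, now):
            problems.append("password expired")
        if problems:
            findings[entry["uid"]] = problems
    return findings


# Constructed sample data: a 90-day pwdMaxAge and four entries as they might
# come back from a search for uid, pwdChangedTime and ibm-pwdAccountLocked.
PWD_MAX_AGE = 90 * 24 * 60 * 60
NOW = datetime(2010, 4, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": "alice", "pwdChangedTime": "20100301120000Z"},
    {"uid": "bob", "pwdChangedTime": "20091201120000Z"},
    {"uid": "carol", "pwdChangedTime": "20100315000000Z", "ibm-pwdAccountLocked": "TRUE"},
    {"uid": "dave"},
]

if __name__ == "__main__":
    for uid, problems in sorted(audit(SAMPLE_ENTRIES, PWD_MAX_AGE, NOW).items()):
        print(f"{uid}: {', '.join(problems)}")
```

The comparison is strict: an account whose deadline falls exactly on the current second is not yet expired, which matches the "earlier than the current time" wording above. Entries without pwdChangedTime are reported separately rather than treated as fresh, since their age is unknown.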
3.6.17.4 Known Problems and Workarounds
Known Problem
Schema constraint violation during setup
Workaround
The known cause of the constraint violation during setup is that the RFC 4876 attribute
searchTimeLimit generates the same DB2 table name as the pre-installed TDS attribute
ibm-searchTimeLimit. To work around this issue, use the following script to predefine the
searchTimeLimit attribute, with an explicit non-colliding table name, in the directory server
before running setup. If setup has already run and encountered the error, run the script and
then rerun setup.
# Modify the values below by specifying a host name and optional port
# number (if not 389) as well as an administrator’s ID/DN (such as
# cn=root) and password.
#
# Then cut and paste the below on the LDAP-UX client host.
#
# Note: -w passes the password on the command line, where other users on
# the host can see it in ps output while ldapmodify runs.
#
# Continuation lines of the LDIF values below start with a space, as LDIF
# folding requires; the first space is removed when the value is unfolded.
HostName="<hostname>[:port]"
AdminID="<adminDN>"
AdminPass="<adminPass>"
cd /opt/ldapux/bin
./ldapmodify -h "$HostName" -D "$AdminID" -w "$AdminPass" << EOD
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC
  'Maximum time an agent or service allows for a search to complete'
  EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-
add: IBMAttributeTypes
IBMAttributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 DBNAME ( 'srctlm' 'srctlm' ) )
EOD
The above script adds the searchTimeLimit attribute type (OID 1.3.6.1.4.1.11.1.3.1.1.3) to
the TDS schema with an explicit DBNAME, so TDS stores it in a DB2 table named srctlm instead
of deriving a name that collides with ibm-searchTimeLimit. A similar procedure can be used
if table collisions occur with other attributes: choose a DBNAME that no existing attribute
in the schema already uses.
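Before running the script above (or the equivalent for another colliding attribute), it is worth confirming that the DBNAME you intend to use is not already taken. The following pre-flight check is an added example for these release notes, not HP or IBM code. It parses the IBMAttributeTypes definitions from a cn=schema dump in the LDIF form ldapsearch writes and reports which attributes already occupy a given DB2 table name. It does not reproduce how TDS derives a default table name from an attribute name; it only inspects explicit DBNAMEs already present. The schema excerpt embedded below is constructed for the example, and the OID and DBNAME it shows for ibm-searchTimeLimit are placeholders, not the real TDS definition.

```python
"""Pre-flight DBNAME collision check for the TDS schema workaround above.

Added example, not HP or IBM code. Input is a cn=schema LDIF dump; the
SCHEMA_DUMP below is constructed and its ibm-searchTimeLimit OID/DBNAME are
placeholders, not the real TDS values.
"""
import re


def unfold_ldif(text: str) -> list:
    """Join LDIF folded lines: a line beginning with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


OID_RE = re.compile(r"\(\s*(?P<oid>[0-9.]+)\s+(?P<body>.*)\)\s*$")
NAME_RE = re.compile(r"NAME\s+'(?P<name>[^']+)'")
DBNAME_RE = re.compile(r"DBNAME\s*\(\s*'(?P<table>[^']*)'\s+'(?P<column>[^']*)'\s*\)")


def parse_schema(text: str) -> tuple:
    """Return ({oid: name} from attributetypes, {oid: (table, column)} from IBMAttributeTypes)."""
    names, dbnames = {}, {}
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        m = OID_RE.search(value)
        if not m:
            continue
        oid, body = m.group("oid"), m.group("body")
        if attr.strip().lower() == "attributetypes":
            n = NAME_RE.search(body)
            if n:
                names[oid] = n.group("name")
        elif attr.strip().lower() == "ibmattributetypes":
            d = DBNAME_RE.search(body)
            if d:
                dbnames[oid] = (d.group("table"), d.group("column"))
    return names, dbnames


def dbname_in_use(dbnames: dict, table: str) -> list:
    """OIDs whose DB2 table name matches `table`.

    Compared case-insensitively as a conservative assumption, since DB2 folds
    unquoted identifiers.
    """
    return sorted(oid for oid, (t, _) in dbnames.items() if t.lower() == table.lower())


def report(text: str, table: str) -> list:
    """Attribute names (falling back to OIDs) that already occupy `table`."""
    names, dbnames = parse_schema(text)
    return [names.get(oid, oid) for oid in dbname_in_use(dbnames, table)]


# Constructed cn=schema excerpt; the ibm-searchTimeLimit OID and DBNAME are placeholders.
SCHEMA_DUMP = """\
dn: cn=schema
attributetypes: ( 0.9.2342.19200300.100.1.1 NAME 'uid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
IBMAttributeTypes: ( 0.9.2342.19200300.100.1.1 DBNAME ( 'uid' 'uid' ) )
attributetypes: ( 1.3.18.0.2.4.99999 NAME 'ibm-searchTimeLimit' DESC 'constructed
  placeholder definition' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
IBMAttributeTypes: ( 1.3.18.0.2.4.99999 DBNAME ( 'searchTimeLimit' 'searchTimeLimit' ) )
"""

if __name__ == "__main__":
    for proposed in ("searchTimeLimit", "srctlm"):
        taken = report(SCHEMA_DUMP, proposed)
        print(f"DBNAME {proposed!r}: {'in use by ' + ', '.join(taken) if taken else 'free'}")
```

To run it against a live server, feed it the output of a base-scope search of cn=schema for the attributetypes and IBMAttributeTypes attributes and pass the DBNAME you plan to put in the ldapmodify input; an empty result means the name is free.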
3.6 Limitations in LDAP-UX Client Services 31