LDAP-UX Integration B.04.
© Copyright 2001–2009 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Table of Contents
Publication History
1 LDAP-UX Integration Overview
2 New in LDAP-UX Integration B.04.20
3 LDAP-UX Client Services
Security
Known Problems and Workarounds
4 NIS/LDAP Gateway
NIS/LDAP Gateway Overview

List of Tables
3-1 Required HP-UX 11i v1 Patches
3-2 AutoFS Patch on HP-UX 11i v2
3-3 Enhanced Publickey-LDAP Software for HP-UX 11i v1 or v2
3-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway
Publication History
The document publication date and part number indicate its current edition. The publication date changes when a new edition is released. To ensure that you receive new editions, subscribe to the appropriate product support service; contact your HP sales representative for details. You can find the various versions of this document at http://docs.hp.com
June 2009, Part Number 5900–0127: Added support information for IBM Tivoli Directory Server v6.
1 LDAP-UX Integration Overview The LDAP-UX Integration for HP-UX product uses the Lightweight Directory Access Protocol (LDAP) to centralize HP-UX user, group, and network information management in an LDAP directory. LDAP-UX Integration enables the LDAP directory to be used as a single source repository for HP-UX authentication, authorization, user data and account management.
2 New in LDAP-UX Integration B.04.20
LDAP-UX Integration B.04.20 offers the following new features:
• Windows 2008: Supports Active Directory Server for Windows 2008
• IBM TDS: Supports IBM Tivoli Directory Server v6.2
• Larger NGROUPS: As part of the effort to increase the NGROUPS limit, HP-UX now includes a new kernel tunable, ngroups_max, that specifies the maximum number of supplementary groups that can be associated with a user or process.
3 LDAP-UX Client Services
This section contains the following information about LDAP-UX Client Services B.04.20:
• LDAP-UX Client Services Overview
• Known Problems Fixed in LDAP-UX Client Services B.04.20
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Installing and Configuring the LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds for LDAP-UX Client Services
• Limitations in LDAP-UX Client Services
  — Limitations with IBM Tivoli Directory Server v6.
• Defect Number QXCR1000573975: LDAP-UX would not properly display group membership in ADS if member DNs had a comma in the RDN.
• Defect Number QXCR1000579039: Added support for attribute mapping for msSFU30PosixMember.
• Defect Number QXCR1000593307: ypcat would not always return all groups when using ypldapd.
• Defect Number QXCR1000570696: Some PAM-enabled applications would fail to load the PAM libraries when pam_ldap was configured.
• Defect Number QXCR1000846087: LDAP-UX did not clearly indicate when TLS was being configured; it always reported SSL.
• Defect Number QXCR1000796353: The pam_authz module could not be called as an authentication service module; it only supported the account management function. Note that because pam_authz performs authorization only, not authentication, it must never be marked "sufficient" or be the only module used in an authentication stack.
Operating System Requirements
HP-UX 11i v1, 11i v2 or 11i v3.
Patch Requirements
For 11i v1, HP requires that you install the patches listed in Table 3-1 (Required HP-UX 11i v1 Patches). For 11i v2 or v3, no patch is required. You can use the following command to determine which patches are installed on your system:
    /usr/sbin/swlist -l product | grep PH | more
See the swlist(1M) man page for more information. Patches can be obtained from the Patch Database at the HP IT Resource Center at http://www.itrc.hp.com.
NOTE:
• A patch number followed by * in the table is a dependency of the patch that immediately precedes it.
• If you store POSIX passwd and group information in multiple ADS domains, PHSS_36286 is required. If you use only a single domain, PHSS_36286 is optional.
• To use SASL/GSSAPI proxy authentication, first install patches PHSS_29487 and PHSS_36286, then install the latest version of the KRB5CLIENT product available at software.hp.com.
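The following shell script is an added example, not part of the HP release notes, showing how the conditional patch prerequisites in the notes above can be checked against the output of the swlist command given above. It covers only the prerequisites the notes name (PHSS_36286 for POSIX data in multiple ADS domains; PHSS_29487, PHSS_36286 and the KRB5CLIENT product for SASL/GSSAPI proxy authentication); the patches of Table 3-1 are not reproduced on this page and are not checked. It assumes the product name is the first field of each swlist -l product line and that the Kerberos client is listed under the product name KRB5CLIENT. Feed it unfiltered swlist -l product output, because the grep PH filter above would drop KRB5CLIENT.

```sh
# Added example (not from the HP release notes).
#
# ldapux_patch_check SWLIST_FILE MULTI_DOMAIN SASL_GSSAPI
#   SWLIST_FILE  - file holding "swlist -l product" output (product name in field 1)
#   MULTI_DOMAIN - yes if passwd/group POSIX data is stored in several ADS domains
#   SASL_GSSAPI  - yes if SASL/GSSAPI proxy authentication will be used
# Prints one "missing: NAME" line per absent prerequisite; returns 1 if any is
# missing, 0 otherwise. Supersession of a patch by a newer one is not handled.

# installed NAME FILE - succeed if NAME appears as a product in the swlist output
installed() {
    awk -v p="$1" '$1 !~ /^#/ && $1 == p { found = 1 } END { exit !found }' "$2"
}

ldapux_patch_check() {
    swl=$1; multi=$2; sasl=$3; missing=0
    for p in PHSS_36286 PHSS_29487 KRB5CLIENT; do
        case $p in
            # required for multiple ADS domains or for SASL/GSSAPI
            PHSS_36286) [ "$multi" = yes ] || [ "$sasl" = yes ] || continue ;;
            # required only for SASL/GSSAPI proxy authentication
            PHSS_29487|KRB5CLIENT) [ "$sasl" = yes ] || continue ;;
        esac
        installed "$p" "$swl" || { echo "missing: $p"; missing=1; }
    done
    return $missing
}
```

Run it before setup, for example `ldapux_patch_check /tmp/swlist.out yes yes`, and treat a non-zero exit as a stop condition for the installation.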
You can download the Enhanced Publickey-LDAP software bundle from the following Software Depot web site:
• Go to http://www.hp.com/go/softwaredepot
• Click on the Enhancement releases and patch bundles link.
• Select the following links:
  — HP-UX Software Pack (Optional HP-UX 11i v1 Core Enhancements) for HP-UX 11i v1 → HP-UX Public Key LDAP for HP-UX 11i v1
• Select and download the following software bundle: Enhkey B.11.11.01 HP-UX B.11.
4. Install the required patches listed above, if they have not been installed yet.
NOTE: Starting with LDAP-UX version B.03.20, a system reboot is not required after installing the product.
RFC 2307, see the section “Configuring for Use with Microsoft Windows Active Directory Server” before you run setup or migration. If your user and group data have been migrated to an LDAP directory, you can set up a client system as described below. If you have not migrated your name service data to an LDAP directory, refer to LDAP-UX Client Services B.04.15 Administrator’s Guide for complete migration details. The following shows basic instructions for configuring the LDAP-UX Client Services: 1.
If you use the Windows 2003 R2/2008 RFC 2307 schema with ADS, you must run setup to select RFC2307 before running migration. Alternatively, you can manually re-link the attribute configuration file to RFC2307 before running migration. Use the following command to switch to RFC2307:
    ln -fs /etc/opt/ldapux/default_profile_attr_ads_winr2.ldif \
          /etc/opt/ldapux/default_profile_attr_ads.ldif
LDAP-UX Client Services uses the SFU 3.0/3.5 mapping in the absence of the softlink /etc/opt/ldapux/default_profile_attr_ads.
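The following shell functions are an added example, not part of the HP release notes, that verify and switch the ADS attribute-mapping link described above before migration is run. The only names taken from the notes are the link default_profile_attr_ads.ldif and its target default_profile_attr_ads_winr2.ldif under /etc/opt/ldapux; the LDAPUX_CONF override and the function names are assumptions added so the functions can be exercised in a scratch directory. The check refuses to run ln -fs over a regular file at the link path, which the bare command would silently replace.

```sh
# Added example (not from the HP release notes).
LDAPUX_CONF=${LDAPUX_CONF:-/etc/opt/ldapux}
ADS_LINK=default_profile_attr_ads.ldif          # link name from the notes
ADS_WINR2=default_profile_attr_ads_winr2.ldif   # RFC 2307 (Windows R2/2008) mapping

# ads_schema_current - print which ADS mapping LDAP-UX will pick up:
#   rfc2307       the link points at the winr2 mapping file
#   sfu           no link present, so the SFU 3.0/3.5 mapping is used
#   other TARGET  the link points somewhere unexpected
# A regular file at the link path is reported as an error (exit 2).
ads_schema_current() {
    link=$LDAPUX_CONF/$ADS_LINK
    if [ -L "$link" ]; then
        # ls -l is used instead of readlink, which HP-UX may not provide
        target=$(ls -l "$link" | sed 's/.* -> //')
        case $target in
            "$ADS_WINR2"|*/"$ADS_WINR2") echo rfc2307 ;;
            *) echo "other $target" ;;
        esac
    elif [ -e "$link" ]; then
        echo "error: $link is a regular file, not a symbolic link" >&2
        return 2
    else
        echo sfu
    fi
}

# ads_schema_select rfc2307|sfu - create the link (as the notes' ln -fs does)
# or remove it. Refuses to touch a regular file at the link path.
ads_schema_select() {
    link=$LDAPUX_CONF/$ADS_LINK
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "error: $link is a regular file; refusing to replace it" >&2
        return 2
    fi
    case $1 in
        rfc2307)
            [ -f "$LDAPUX_CONF/$ADS_WINR2" ] || {
                echo "error: $LDAPUX_CONF/$ADS_WINR2 not found" >&2; return 1; }
            ln -fs "$LDAPUX_CONF/$ADS_WINR2" "$link" ;;
        sfu) rm -f "$link" ;;
        *) echo "usage: ads_schema_select rfc2307|sfu" >&2; return 1 ;;
    esac
}
```

Run `ads_schema_current` immediately before migration and proceed only if it prints the mapping you intend; `ads_schema_select rfc2307` is safe to repeat because ln -fs replaces an existing link.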
3. Run swremove to remove the LDAP-UX Client Services product. For example:
   On HP-UX 11i v1 and v2, run /usr/sbin/swremove J4269AA
   On HP-UX 11i v3, run /usr/sbin/swremove LDAPUX
4. Remove the directories /etc/opt/ldapux and /opt/ldapux.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1". This step is required for HP-UX 11i v2 client systems and optional for HP-UX 11i v1 systems.
Documentation
The documentation below is available on the HP-UX Documentation web site at http://docs.hp.com/hpux/internet or where indicated.

Table 3-4 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway
Title: LDAP-UX Client Services B.04.15 Administrator's Guide (part number J4269-90083)
Description: How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services.
Title: LDAP-UX Client Services B.04.
Known Problems and Workarounds for LDAP-UX Client Services
This section describes all currently known problems with the LDAP-UX Client Services product.
• Active Directory Server
  Problem: If a password expires, the user cannot log into HP-UX clients.
  Workaround: The administrator must reset the password, or the user must log into the Windows 2003, 2003 R2, or 2008 system to reset the password, before the user can log into HP-UX machines.
    ipHostNumber: 15.13.95.92
    cn: machineA
    cn: hpma01.cup.hp.com
Also, because LDAP server hosts are sometimes referenced by host name in LDAP referrals, all of the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.
Limitations in LDAP-UX Client Services
The following are limitations in this version of the LDAP-UX Client Services.
The "Configuration Profile" schema will be automatically installed on directory servers that support online modification of the subschema subentry. The following directories have been tested or minimally verified:
• Red Hat Directory Server 7.1/8.0 for HP-UX: fully tested and supported
• Microsoft Windows 2003/2008 Active Directory: fully tested and supported
• IBM Tivoli Directory Server (TDS) v6.2: fully tested and supported, with limitations
NOTE: Compatibility with features not specified in the base LDAP RFCs is not guaranteed. Interoperability issues are likely in areas such as schema management and/or password and account policy evaluation/enforcement.
Unsupported Commands
The following HP-UX commands currently do not work with LDAP-UX Client Services:

Table 3-5 Unsupported HP-UX Commands
chfn(1)        Does not change the "finger" information for users in the directory. See the finger(1) man page.
chsh(1)        Does not change the login shell for users in the directory.
sam(1M)        The System Administration Manager (SAM) does not manage name service information in the directory.
useradd(1M),   These commands do not manage user information in the directory.
Starting with LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and password security policy enforcement without requiring LDAP-based authentication. This supports applications, SSH (Secure Shell) and r-commands with .rhosts enabled, where authentication is performed by the command itself.
[Feature support table: the per-feature support values did not survive extraction. Features listed: SSL client certificates, caching, passwd, group, netgroup, X.500-style group membership.]
NOTE: Table notes 1 to 7; only the following two survived extraction.
Equivalent feature available directly in sendmail.
The setup program does not support configuration of ADS-based printers.
Limitations with IBM Tivoli Directory Server v6.2
HP has performed integration testing and supports LDAP-UX version B.04.20 with IBM Tivoli Directory Server (TDS) v6.2. However, there are known limitations with this integration, and some features of LDAP-UX are not supported in version B.04.20 or earlier versions.
Configuration Limitations
• The /opt/ldapux/config/setup utility configures the LDAP-UX product.
• cannot avoid the DB2 table name collision error, as described above. If such a collision occurs, ldapschema returns the "constraint violation" error. If ldapschema is used to install the RFC2307 schema on TDS while the pre-installed version of the RFC2307 schema is already present, ldapschema reports the following error:
    OBJECT_MISMATCH: definition of object class "posixGroup" is incompatible with the definition already installed in the LDAP server schema.
    # Modify the values below by specifying a host name and optional port
    # number (if not 389) as well as an administrator's ID/DN (such as
    # cn=root) and password.
    #
    # Then cut and paste the below on the LDAP-UX client host.
    #
    HostName="[:port]"
    AdminID="
    sshd   account  required    libpam_hpsec.so.1
    sshd   account  required    libpam_authz.so.1
    sshd   account  sufficient  libpam_unix.so.1
    sshd   account  required    libpam_ldap.so.1
    OTHER  account  required    libpam_hpsec.so.1
    OTHER  account  required    libpam_authz.so.1
    OTHER  account  sufficient  libpam_unix.so.1
    OTHER  account  required    libpam_ldap.so.1
libpam_authz must always be a required module and should not be the only module in the account stack.
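The following awk-based shell functions are an added example, not part of the HP release notes. pam_authz_check applies the rules the notes state for libpam_authz (never "sufficient", always "required", never the only module of an account or authentication stack, as noted for defect QXCR1000796353 and for the stack above) to a pam.conf file, and pam_strip_ldap performs the uninstall step of removing every line that loads libpam_ldap.so.1. The pam.conf field layout assumed is service, module type, control flag, module path; the sample files used to exercise the functions are constructed.

```sh
# Added example (not from the HP release notes).
#
# pam_authz_check FILE - print one finding per violation of the pam_authz
# rules; return 1 if any finding, 0 if the file is clean.
#   * libpam_authz marked "sufficient": it only authorises, so a "sufficient"
#     success would end the stack without any module having authenticated
#   * libpam_authz with any control flag other than "required"
#   * libpam_authz as the only module of a stack (per service/module type)
pam_authz_check() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        {
            svc = $1; type = $2; flag = $3; mod = $4
            key = svc "/" type                 # one stack per service and type
            nmods[key]++
            if (mod !~ /libpam_authz\.so/) next
            has_authz[key] = 1
            if (flag == "sufficient") {
                printf "%s: libpam_authz marked sufficient\n", key; bad = 1
            } else if (flag != "required") {
                printf "%s: libpam_authz should be required, is %s\n", key, flag; bad = 1
            }
        }
        END {
            for (k in has_authz)
                if (nmods[k] == 1) {
                    printf "%s: libpam_authz is the only module in the stack\n", k; bad = 1
                }
            exit bad
        }' "$1"
}

# pam_strip_ldap IN OUT - write IN to OUT without the lines that load
# libpam_ldap.so.1 (uninstall step 5); print the number of lines removed.
pam_strip_ldap() {
    awk -v out="$2" '
        BEGIN { printf "" > out }              # create OUT even if nothing survives
        /libpam_ldap\.so\.1/ { removed++; next }
        { print > out }
        END { print removed + 0 }' "$1"
}
```

Run `pam_authz_check /etc/pam.conf` after any edit to the PAM stacks; for the uninstall, write to a scratch file first (`pam_strip_ldap /etc/pam.conf /tmp/pam.conf.new`), review it, and then move it into place.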
4 NIS/LDAP Gateway This section provides information about known problems fixed in NIS/LDAP gateway, compatibility and installation requirements, as well as limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC2307 specification (a schema for storing Posix account and administration data in an LDAP directory).
Memory Requirements This product has minimal memory and disk requirements. Your system should have at least 32 MB of main memory, and at least five megabytes of free disk space under /opt. Depending on the size of your NIS maps and if you wish to cache that data in the NIS/LDAP Gateway server, you will need additional physical main memory, approximately two to three times the total size of your existing NIS maps. Operating System Requirements HP-UX 11i v1, v2, or v3.
Installing and Configuring LDAP Client Administration Tools This section provides basic instructions for installing the LDAP Client Administration Tools. For complete installation and configuration instructions, see NIS/LDAP Gateway Administrator’s Guide. Configuration Quick Start This product does not require any specific configuration.
• Shadow Passwords Not Supported
  You must set the hide_passwords parameter to "no" in the ypldapd.conf file because shadow passwords are not supported. See Installing and Administering NIS/LDAP Gateway for details. Note that with hide_passwords set to "no", the password hash field is served in the passwd map, as in classic NIS, to any client that can reach the gateway for your NIS domain; restrict which hosts can bind to the domain accordingly.
• Use Preloaded Maps instead of ypall_caching
  Use the preload_maps parameter to preload maps into the cache instead of ypall_caching. Use of ypall_caching can cause a performance bottleneck in the ypldapd server.