LDAP-UX Integration B.04.20 Release Notes (June 2009)
Unsupported Commands
The following HP-UX commands currently do not work with LDAP-UX Client Services:
Table 3-5 Unsupported HP-UX Commands

Command                        Limitation
chfn(1)                        Does not change the "finger" information for users in the
                               directory. See the finger(1) man page.
chsh(1)                        Does not change the login shell for users in the directory.
sam(1M)                        The System Administration Manager (SAM) does not manage
                               name service information in the directory.
useradd(1M), userdel(1M),      These commands do not manage user information in the
usermod(1M)                    directory. Use ldapugadd, ldapugdel and ldapugmod instead.
                               See note below.
groupadd(1M), groupdel(1M),    These commands do not manage group information in the
groupmod(1M)                   directory. Use ldapugadd, ldapugdel and ldapugmod instead.
                               See note below.
You can use the LDAP User and Group command-line tools, ldapugadd, ldapugdel and
ldapugmod, to manage the user and group entries in your LDAP directory server. The syntax
of the LDAP tools is similar to that of the unsupported HP-UX tools, such as useradd, userdel
and usermod. For more information about tool usage, syntax, options and environment variables
supported by the LDAP tools, refer to the ldapugadd(1M), ldapugdel(1M) and ldapugmod(1M)
man pages.
Clear Text Passwords
login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the
network unless SSL or SASL DIGEST-MD5 authentication is enabled during setup. However, SASL
DIGEST-MD5 may itself pose a security risk: because the Directory Server must be able to compute
the digest, it may store the password in clear text rather than as a one-way hash.
(NOTE: By default, both SSL and SASL DIGEST-MD5 authentication are disabled.)
Alternatively, you can use the secure encrypted transport provided by the IPSec/9000 product for
stronger security. See the IPSec/9000 documentation at: http://docs.hp.com/hpux/communications/.
Man page for ldapclientd.conf
Because of limitations in the man command, you must specify the section number to view the
man page for ldapclientd.conf: man 4 ldapclientd.conf.
LDAP Security Policy Enforcement
With LDAP directory servers that support security policies (such as account or password
expiration), it is possible for HP-UX logins to adhere to these policies. The design of the LDAP
protocol enforces both authentication and security policies in the same operation (ldap_bind).
The design of the PAM subsystem separates authentication and security policy enforcement into
two separate APIs, configured under the "auth" and "account" portions of the /etc/pam.conf
file. Because of these design differences, administrators need to be aware that it is not possible
to use libpam_ldap for only authentication or only security policy enforcement. For
example, it is not possible to use ssh public keys for authentication and then use libpam_ldap
for account policy enforcement, since libpam_ldap then has no password with which to bind
to the directory server. The same is true if Kerberos is used for authentication: libpam_ldap
cannot be used for security policy enforcement alone.
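The /etc/pam.conf fragment below is an added illustration of this constraint, not taken from the release notes. It contrasts an sshd stack in which libpam_ldap owns both the auth and account phases with one in which another module authenticates and libpam_ldap is left with only the account phase. The module file names (libpam_ldap.so.1, libpam_krb5.so.1) and the try_first_pass option follow the usual HP-UX 11i pam.conf layout but are assumptions for this example; the stacks are simplified and omit the libpam_unix entries a real system would also carry.

```text
# Added example: /etc/pam.conf stacks for sshd (module names are assumed,
# libpam_unix entries for local users omitted for brevity)
#
# Works: libpam_ldap handles BOTH phases. The password collected in the
# auth phase is reused (try_first_pass) so the account phase can perform
# the ldap_bind that makes the directory evaluate its account/password policy.
sshd    auth     required    libpam_ldap.so.1   try_first_pass
sshd    account  required    libpam_ldap.so.1
#
# Does NOT enforce directory policy: Kerberos (or an ssh public key, which
# never enters the PAM auth stack at all) authenticates the user, so when the
# account stack runs, libpam_ldap has no password with which to bind and the
# directory's policy is never evaluated.
sshd    auth     required    libpam_krb5.so.1
sshd    account  required    libpam_ldap.so.1
```

The second stack is not rejected by PAM at configuration time; it simply cannot do what the administrator intends, because the only way libpam_ldap can ask the directory to apply its policy is a bind with the user's password.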
28 LDAP-UX Client Services