LDAP-UX Integration B.04.20 Release Notes (June 2009)

Starting with LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and
password security policy enforcement without requiring LDAP-based authentication. This feature
supports applications, SSH (Secure Shell), or r-commands with .rhosts enabled, where authentication
is performed by the command itself.
SASL/GSSAPI Profile Download Support
The current release of LDAP-UX does not support automatic download of the LDAP-UX profile
when it is used with SASL/GSSAPI authentication and that authentication uses a host or service
principal whose key is stored in a Kerberos keytab file. This limitation affects the ability of
the LDAP-UX product to support the "profile time to live" feature, which automatically
re-downloads a profile after its profileTTL time period has expired.
In this situation, profiles can still be downloaded manually using the get_profile_entry
command, as long as a principal and password are provided on the command line. The following
command shows an example of how to download the profile manually. If your profile changes
frequently, you may wish to place this in a script that is called periodically by cron.
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"
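A wrapper of the kind the previous paragraph suggests for cron, written as an added example that is not part of the release notes or the LDAP-UX product: it runs the same get_profile_entry command line, but reads the bind DN and password from a file that it first checks is root-owned and mode 0600, so the password does not sit in the crontab or the script itself. The credentials file path, its required owner and its two-line format are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the LDAP-UX release notes): a wrapper that cron can call to
# run the manual get_profile_entry download shown above. The credentials file path,
# its owner, and its two-line format (bind DN on line 1, password on line 2) are
# assumptions of this example, not something LDAP-UX defines.
CRED_FILE="${CRED_FILE:-/etc/opt/ldapux/profile_dl.cred}"
CRED_OWNER="${CRED_OWNER:-root}"
GET_PROFILE="${GET_PROFILE:-/opt/ldapux/config/get_profile_entry}"

# cred_file_ok FILE OWNER: succeed only if FILE is a regular file owned by OWNER with
# no group/other permission bits, so the bind password is not readable by other users.
# Parses ls -ld rather than stat(1) so it behaves the same on HP-UX and Linux.
cred_file_ok() {
    [ -f "$1" ] || return 1
    set -- "$2" $(ls -ld "$1")     # now: $1 expected owner, $2 mode string, $4 owner
    case "$2" in
        -r??------*) ;;            # allow rw------- / r-------- (trailing . or + ok)
        *) return 1 ;;
    esac
    [ "$4" = "$1" ]
}

# download_profile: refuse unless the credentials file is locked down, then run the
# same command line as the release notes with the DN and password read from the file.
download_profile() {
    if ! cred_file_ok "$CRED_FILE" "$CRED_OWNER"; then
        echo "refusing: $CRED_FILE must be a mode 0600 file owned by $CRED_OWNER" >&2
        return 2
    fi
    bind_dn=$(sed -n '1p' "$CRED_FILE")
    bind_pw=$(sed -n '2p' "$CRED_FILE")
    if [ -z "$bind_dn" ] || [ -z "$bind_pw" ]; then
        echo "refusing: $CRED_FILE needs the bind DN on line 1 and password on line 2" >&2
        return 2
    fi
    # The notes document the tool only with -w, so the password is still briefly visible
    # in the process list; keeping it in a 0600 file at least keeps it out of crontab.
    "$GET_PROFILE" -s NSS -D "$bind_dn" -w "$bind_pw"
}

# Invoke as "profile_refresh.sh run" from a root crontab entry, e.g. hourly:
#   0 * * * * /usr/local/sbin/profile_refresh.sh run
if [ "$#" -gt 0 ] && [ "$1" = "run" ]; then
    download_profile
    exit $?
fi
```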
Changing authentication methods
If you wish to switch from your current authentication method, such as SIMPLE or
SASL/DIGEST-MD5, to SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/DIGEST-MD5, you must restart
the ldapclientd daemon after making the configuration changes. This step is required to
ensure that the proper GSS-API, Kerberos and/or SSL initialization is completed.
Supported Features For Particular Directory Servers
The following shows the supported features for particular directory servers:
Feature                        Netscape/Red Hat     Microsoft ADS
                               Directory
-------------------------------------------------------------
passwd name service            Supported            Supported
group name service             Supported            Supported
netgroup name service          Supported            Not Supported
hosts name service             Supported            Supported
networks name service          Supported            Supported
protocols name service         Supported            Supported
rpc name service               Supported            Supported
automount name service         Supported            Not Supported
aliases name service           Not Supported[1]     Not Supported
services name service          Supported            Supported
publickey name service         Supported            Not Supported
printer configurator           Supported            Not Supported[2]
pam_authz                      Supported            Supported[3]
X.500-style group syntax       Supported            Supported
pam_ldap                       Supported            Not Supported[4]
Trusted Mode Security[5]       Supported            Supported
Standard Mode Security         Supported            Supported
LDAP Command-line Utils.       Supported            Supported
ldapentry editor tool          Supported            Supported
NIS Migration Tools            Supported            Supported
NIS+ Migration Tools           Supported            Supported
Multiple Domains               Not Supported        Supported
NIS/LDAP Gateway               Supported            Not Supported

Authentication Methods
Simple Password                NSS[6] & PAM[7]      NSS Only
SASL/DIGEST-MD5                NSS & PAM            NSS Only
SASL/GSSAPI                    Not Supported        NSS Only
SSL Server Certs.              NSS & PAM            NSS Only
Limitations in LDAP-UX Client Services 29