LDAP-UX Integration B.04.20 Release Notes (June 2009)

SSL Client Certs.                Not Supported   Not Supported
Caching
  passwd                         Supported       Supported
  group                          Supported       Supported
  netgroup                       Supported       Not Supported
  X.500-style group-membership   Supported       Supported
NOTE:
1. Equivalent feature available directly in sendmail.
2. The setup program does not support configuration of ADS-based printers. If the printer entry in ADS contains a "printer-uri" type attribute (see RFC 3712), the configuration profile can be modified to change the attribute mapping for printer-name and printer-uri to match that of printer descriptions in ADS. However, this feature is not officially supported.
3. netgroups may not be stored in ADS.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features. Identities stored in the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
6. NSS refers to the Name Service Subsystem, such as passwd, group, etc. For more information, refer to the nsswitch.conf(4) man page.
7. PAM refers to the Pluggable Authentication Module subsystem. For more information, refer to the pam(3) man page.
Additional Limitations with Active Directory
ldapentry Not Certified for Active Directory
ldapentry, a new client administration tool to simplify adding, modifying, and deleting database entries, is not certified for use with Active Directory.
Limited Name Service Database Support for Multiple Domains
LDAP-UX Client Services, using Windows 2003 or 2008 Active Directory Server with multiple domains, currently only supports the passwd and group name services.
POSIX Password Support
POSIX password (defined as userPassword in RFC 2307, and msSFUPassword in SFU 2.0) is not certified.
User and Group Migration
sAMAccountName must be unique across the entire domain. This attribute, used for pre-Windows 2000 clients, is set by the migration scripts to the value of the common name (CN).
For example, if a new group in a different section of the directory is created to contain all UNIX users and the common name (CN) of this group is a duplicate of an existing name, the migration will fail because the sAMAccountName attribute is not unique. You can work around this limitation by modifying the LDIF file to use a unique value for sAMAccountName.
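As an added example (not part of these release notes and not HP's migration scripts), the following Python pre-import check parses a migration LDIF and reports every sAMAccountName carried by more than one entry, so a CN collision is found before the import fails. The sample LDIF, its DNs and the function names are constructed for this illustration.

```python
"""Pre-import check for an LDAP-UX migration LDIF: find sAMAccountName collisions."""
import re
from collections import defaultdict


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, {attr: [values]}).
    Folded lines (continuations starting with a space) are joined; base64
    values (attr:: ...) are kept undecoded, which is enough for this check."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.lstrip(": ").strip())
        dn = attrs.pop("dn", [""])[0]
        entries.append((dn, dict(attrs)))
    return entries


def find_samaccountname_collisions(ldif_text):
    """Map each sAMAccountName used by more than one entry to those entries' DNs.
    Values are compared case-insensitively, as Active Directory treats them."""
    seen = defaultdict(list)
    for dn, attrs in parse_ldif(ldif_text):
        for value in attrs.get("samaccountname", []):
            seen[value.lower()].append(dn)
    return {name: dns for name, dns in seen.items() if len(dns) > 1}


# Constructed sample: the migration script copied CN into sAMAccountName, and the
# new "unixusers" group collides with an existing user account of the same CN.
SAMPLE_LDIF = """\
dn: CN=unixusers,OU=People,DC=example,DC=test
objectClass: user
cn: unixusers
sAMAccountName: unixusers
uidNumber: 1001

dn: CN=unixusers,OU=UnixGroups,DC=example,DC=test
objectClass: group
cn: unixusers
sAMAccountName: unixusers
gidNumber: 5000

dn: CN=alice,OU=People,DC=example,DC=test
objectClass: user
cn: alice
sAMAccountName: alice
"""

if __name__ == "__main__":
    for name, dns in find_samaccountname_collisions(SAMPLE_LDIF).items():
        print(f"sAMAccountName {name!r} is not unique; edit the LDIF for one of:")
        for dn in dns:
            print("   ", dn)
```

Run it against the LDIF produced by the migration scripts before importing; any reported DN needs its sAMAccountName changed in the LDIF to a value that is unique in the domain.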
Support of Referrals with Active Directory
Referrals with Active Directory are currently not certified.
Changing the Password for a Disabled User
When a user whose account is stored in ADS is disabled by setting the disable_uid_range flag in the /etc/opt/ldapux_client.conf file on an HP-UX client system, and PAM_Kerberos is used as the authenticating method, the passwd command will allow you to change the password for the disabled user, since LDAP does not control this subsystem.
30 LDAP-UX Client Services