LDAP-UX Integration B.04.20 Release Notes (June 2009)
cannot avoid the DB2 table name collision error, as described above. If such a collision occurs,
ldapschema returns the “constraint violation” error.
• If ldapschema is used to install the RFC2307 schema on TDS while the pre-installed TDS
version of the RFC2307 schema is already present, ldapschema reports the following error:
    OBJECT_MISMATCH: definition of object class "posixGroup" is incompatible with the definition already installed in the LDAP server schema.
This error is caused by different interpretations of the RFC2307 schema. However, LDAP-UX
is compatible with either interpretation.
Security
• User authentication with LDAP-UX through the libpam_ldap library does not evaluate the
TDS password, account, and security policies. TDS supports security policy features such
as password expiration, account lockout, and disabled accounts. The known integration
issues are listed below; additional limitations might exist.
— libpam_ldap does not display password expiration warnings (as set by the
pwdExpireWarning policy). If a password is about to expire (but has not yet expired),
libpam_ldap allows authentication without any warning indications.
— libpam_ldap is not aware of the condition in which the user must change his password.
This condition is indicated by the value pwdReset=true and arises when the administrator
has reset a user's password and the pwdMustChange policy is set to true. In this condition,
libpam_ldap allows the user to authenticate without a warning message and without
requiring a password change.
— libpam_ldap does not allow a user to log in (and does not prompt the user to change his
password) if the user's password has expired. This occurs when pwdChangedTime + pwdMaxAge
> the current time.
— libpam_ldap relies solely on the success or failure of the LDAP bind operation to decide
whether authentication to the HP-UX OS is allowed. An external policy therefore has no
effect on whether libpam_ldap allows or denies authentication unless the directory server
itself evaluates that policy. For example, if ibm-pwdAccountLocked is set to true, TDS still
allows the user to bind to the directory server, so libpam_ldap allows the authentication
to succeed.
Procedures to work around some of the above limitations are described in “Known Problems
and Workarounds” (page 32).
• If DIGEST-MD5 (as part of the SASL subsystem) is used for authentication, LDAP-UX only
supports uid-based (username@domain) DIGEST-MD5 IDs with TDS. Using DNs for IDs is
not a supported DIGEST-MD5 ID syntax with TDS.
• HP-UX users change their password with the passwd command. By default, TDS does not
allow users to change their password. For the passwd command to function, the default
TDS security policy must be changed to allow users to change their own passwords.
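The libpam_ldap limitations listed above can be checked on the directory side. The following Python audit is an added example, not code from these release notes or from the LDAP-UX product: it evaluates the TDS policy attributes named above (pwdReset, pwdChangedTime together with pwdMaxAge, pwdExpireWarning, ibm-pwdAccountLocked) over constructed user entries and lists accounts whose policy state libpam_ldap would not surface. The POLICY values, and treating a password as expired once pwdChangedTime + pwdMaxAge has passed, are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy values are assumed to come from the effective TDS password policy
# entry; pwdMaxAge and pwdExpireWarning are in seconds.
POLICY = {"pwdMaxAge": 90 * 86400, "pwdExpireWarning": 7 * 86400,
          "pwdMustChange": True}

def parse_gentime(value):
    """Parse LDAP GeneralizedTime such as 20090601120000Z as aware UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def is_true(entry, attr):
    return entry.get(attr, "FALSE").upper() == "TRUE"

def audit_entry(entry, policy, now):
    """Return the policy states that libpam_ldap would not surface for one entry."""
    findings = []
    if is_true(entry, "ibm-pwdAccountLocked"):
        findings.append("account-locked")        # TDS still permits the bind
    if policy["pwdMustChange"] and is_true(entry, "pwdReset"):
        findings.append("must-change-password")  # no forced change on HP-UX
    changed = entry.get("pwdChangedTime")
    if changed and policy["pwdMaxAge"] > 0:
        expires = parse_gentime(changed) + timedelta(seconds=policy["pwdMaxAge"])
        if expires <= now:
            findings.append("password-expired")   # login refused, no prompt
        elif expires - now <= timedelta(seconds=policy["pwdExpireWarning"]):
            findings.append("password-expiring")  # no warning from libpam_ldap
    return findings

def audit(entries, policy, now):
    """Map uid -> findings for every entry that has at least one finding."""
    return {e["uid"]: f for e in entries if (f := audit_entry(e, policy, now))}

# Constructed sample entries (not real accounts); evaluated at a fixed time.
NOW = datetime(2009, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": "alice", "pwdChangedTime": "20090601120000Z"},
    {"uid": "bob", "pwdChangedTime": "20090301120000Z"},
    {"uid": "carol", "pwdChangedTime": "20090320120000Z"},
    {"uid": "dave", "pwdChangedTime": "20090601120000Z", "pwdReset": "TRUE"},
    {"uid": "erin", "pwdChangedTime": "20090601120000Z",
     "ibm-pwdAccountLocked": "TRUE"},
]

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_ENTRIES, POLICY, NOW).items():
        print(uid, ", ".join(findings))
```

With python-ldap the same attribute names can be fetched from a search over the user subtree and fed to audit() unchanged.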
Known Problems and Workarounds
Known Problem: Schema Constraint Violation in Setup
Workaround: The known cause of the constraint violation during setup is that the RFC4876
attribute searchTimeLimit generates the same DB2 table name as the pre-installed schema
attribute ibm-searchTimeLimit. To work around this issue, use the following example to
predefine the searchTimeLimit attribute in the directory server before running setup. If setup
has already run and encountered the error, use the following example and then rerun setup.
32 LDAP-UX Client Services