LDAP-UX Integration B.05.00 Release Notes HP-UX 11i v2 and v3 HP Part Number: J4269-90088 Published: June 2010 Edition: 1.
© Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
1 LDAP-UX integration overview
The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. LDAP-UX Integration enables the LDAP directory to be used as a single-source repository for HP-UX authentication, authorization, user data, and account management.
NIS client to use an LDAP directory as its repository for NIS maps. This product provides an NIS-to-LDAP Gateway, which converts NIS RPC requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features. For detailed information on known problems fixed in this release of NIS/LDAP Gateway, as well as compatibility and installation requirements and limitations in NIS/LDAP Gateway, see “NIS/LDAP Gateway” (page 25).
2 LDAP-UX Client Services
This section contains the following information about LDAP-UX Client Services B.05.00:
• What’s New in LDAP-UX Client Services B.05.00
• Known Problems Fixed in LDAP-UX Client Services
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds
• Limitations in LDAP-UX Client Services
2.1 What’s new in LDAP-UX Client Services B.05.00
LDAP-UX Client Services B.05.00 is a major update to the LDAP-UX Integration product.
• User Group Management Tools Enhancements
  The user and group management tools are enhanced to provide the following:
  — The DN of the current user as a default when prompting for a DN before binding to the directory server.
  — The ability to change or reset a user's ADS password if SSL has been configured. This includes the ability of an administrator to reset a user's password.
option for PAM_LDAP, which enables PAM_LDAP to be completely disregarded for specific local users. To enable this feature, you must set the ignore option for PAM_LDAP in the pam_user.conf file for per-user configuration. When you use this option for PAM_LDAP, PAM returns PAM_IGNORE. For detailed information on how to configure and use this feature, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide.
2.2.1.2 Memory requirements
This product has minimal supplementary memory and disk requirements. Beyond the memory requirements of the operating system and other active applications, your system should have at least 5 MB of additional main memory, and at least 40 MB of free disk space under /opt. If you enable long-term enumeration caching, disk space requirements will increase by the size of your current user and group data.
2.2.1.3 Hardware requirements
Table 2-2 Enhanced Publickey-LDAP software requirement

Operating System   Supported Software Bundle   Version      Release Date
HP-UX 11i v2       Enhkey                      B.11.23.01   October, 2006

You can download the Enhanced Publickey-LDAP software bundle from the following Software Depot website:
• Go to http://www.hp.com/go/softwaredepot.
• Click on Enhancement releases and patch bundles.
1. Log in to your system as root.
2. Run swinstall and install the LDAP-UX Client Services (LdapUxClient subproduct). It installs the product software in the /opt/ldapux and /etc/opt/ldapux directories.
3. If you require ONC publickey, ONC AutoFS, or integration with Active Directory Server, see the above section for details about required product versions and how to obtain them.
4. Install those products and/or patches for this step.
    cd /opt/ldapux/config
    ./autosetup
After following the prompts, your installation will be complete. There is no need to continue to step 2. Instead, continue to step 4.
2. Save a copy of /etc/pam.conf, and modify the original file to add libpam_ldap.so.1 on an HP-UX 11i v2 or v3 system where it is appropriate. If your system is in Standard Mode, see /etc/pam.ldap for an example. If your system is in Trusted Mode, see /etc/pam.ldap.trusted for an example.
    -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorig.mycom.com \
    -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com"
    PROFILE_ID="acct.myorg.mycom.com"
    LDAP_HOSTPORT="192.10.10.12:389"
    PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=acct,dc=myorg,dc=mycom,dc=com"
    PROGRAM="/opt/ldapux/config/create_profile_cache \
    -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorig.mycom.com \
    -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.
• ldifdiff did not properly handle the "version:" directive at the beginning of an LDIF file.
• 64-bit applications compiled with mmap could not successfully use the name service APIs (getpwnam, and so on) nor the PAM APIs.
• ldapclientd did not properly update the mem_in_use statistic when a cache had been disabled.
• ldifdiff would not properly compare LDIF files if attribute names had differing case (upper/lower).
2.5 Known problems and workarounds for LDAP-UX Client Services
This section describes all currently known problems with the LDAP-UX Client Services product.
• Proxy User Configuration
  Problem
  If you change the authentication method from SIMPLE (with or without SSL) to SASL DIGEST-MD5 (with or without SSL), or vice versa, the proxy user will become invalid if you don’t update the proxy user during setup.
  LDAP Error 32: Configured LDAP-UX search base does not exist.
  This can occur if the serviceSearchBase uses a relative base DN, as is configured by autosetup, such as:
    serviceSearchDescriptor: passwd:ou=People,
  Workaround
  If you need to modify the defaultSearchBase, be sure to put the full base DN in the serviceSearchDescriptor attributes when modifying the LDAP-UX Configuration profile.
• Permissions with autosetup
  Problem
  If autosetup is used to configure LDAP-UX, it will modify the existing /etc/krb5.
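As an added check (not part of the HP release notes), the following Python script reads a constructed LDAP-UX profile in LDIF form, expands each serviceSearchDescriptor against defaultSearchBase using the RFC 4876 rule that a base ending in "," (or an empty base) is relative, and rewrites the relative ones to carry the full base DN as the workaround advises. Attribute names are those used in the notes; the DNs and values are made up.

```python
# Constructed sample of an LDAP-UX configuration profile (LDIF form).
# Attribute names follow the release notes; the DNs and values are made up.
SAMPLE_PROFILE = """\
dn: cn=ldapuxprof,cn=configuration,dc=acct,dc=myorg,dc=mycom,dc=com
defaultSearchBase: dc=acct,dc=myorg,dc=mycom,dc=com
serviceSearchDescriptor: passwd:ou=People,
serviceSearchDescriptor: group:ou=Groups,dc=acct,dc=myorg,dc=mycom,dc=com
serviceSearchDescriptor: hosts:ou=Hosts,?one
"""

def parse_profile(ldif):
    """Return (defaultSearchBase, [serviceSearchDescriptor values])."""
    base, ssds = None, []
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.lower() == "defaultsearchbase":
            base = value.strip()
        elif attr.lower() == "servicesearchdescriptor":
            ssds.append(value.strip())
    return base, ssds

def resolve_ssd(ssd, default_base):
    """Split 'service:base?scope?filter'. A base that is empty or ends in ','
    is relative and gets defaultSearchBase appended (RFC 4876 semantics)."""
    service, _, rest = ssd.partition(":")
    base, _, _tail = rest.partition("?")
    relative = base == "" or base.endswith(",")
    full = base + default_base if relative else base
    return service, full, relative

def check_profile(ldif):
    """List (service, absolute base DN, was_relative) for every SSD."""
    default_base, ssds = parse_profile(ldif)
    return [resolve_ssd(s, default_base) for s in ssds]

def make_absolute(ldif):
    """Rewrite relative SSDs with the full base DN; other lines are untouched."""
    default_base, _ = parse_profile(ldif)
    out = []
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.lower() == "servicesearchdescriptor":
            service, _, rest = value.strip().partition(":")
            base, sep, tail = rest.partition("?")
            if base == "" or base.endswith(","):
                base += default_base
            line = f"{attr}: {service}:{base}{sep}{tail}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Run check_profile on a profile before changing defaultSearchBase: any entry flagged relative will start failing with Error 32 unless make_absolute (or a hand edit) pins it to the full DN.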
2.6.4 Long user and group name support
LDAP-UX supports long user and group names of up to 255 characters on an HP-UX 11i v3 system when you explicitly enable the expanded user and group name feature by using the lugadmin -e command. Refer to the lugadmin man page for details. On HP-UX 11i v2, the maximum length of a user or group name is eight characters.
2.6.5 LDAP directory interoperability
The LDAP-UX product has been certified under The Open Group’s "works with LDAP 2000" branding.
— group
— netgroup
— automount
— publickey
— services
— rpc
— hosts
— networks
— protocols
— user-defined maps
• LDAP-UX Client Services using Windows 2003 R2/2008 Active Directory Server currently supports passwd, group, hosts, protocols, automount, networks, rpc, and services in a single domain, and supports only passwd and group in multiple domains. It does not support netgroup and publickey service data.
Table 2-3 Unsupported HP-UX Commands (continued)

useradd(1M), userdel(1M), usermod(1M)
    These commands do not manage user information in the directory. However, similar commands, ldapugadd, ldapugdel, and ldapugmod, support LDAP user and group operations with similar parameters.
groupadd(1M), groupdel(1M), groupmod(1M)
    These commands do not manage group information in the directory. However, similar commands, ldapugadd, ldapugdel, and ldapugmod, support LDAP user and group operations with similar parameters.
In this situation, profiles can still be downloaded manually using the get_profile_entry command, as long as a principal and password are provided on the command line. The following command shows an example of how to download the profile manually. If your profile changes frequently, you may wish to place this in a script that is called periodically by cron:
    /opt/ldapux/config/get_profile_entry -s NSS -D \
    "" -w ""
3. netgroups may not be stored in ADS.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features.
6. Identities stored in the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
7. NSS refers to the Name Service Subsystem, such as passwd, group, etc.
3 NIS/LDAP Gateway
This section provides information about known problems fixed in NIS/LDAP Gateway, compatibility and installation requirements, and limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC 2307 specification (a schema for storing POSIX account and administration data in an LDAP directory).
• If you have already configured other NIS/LDAP Gateway servers on other systems, you can simply duplicate the configuration file /opt/ldapux/ypldapd/etc/ypldapd.conf on the local system.
• Otherwise, edit the file /opt/ldapux/ypldapd/etc/ypldapd.conf and add the appropriate values according to the descriptions in the file. Minimally, you will need to update the ypdomain, ldaphost, basedn, binddn and bindcred parameters.
3.4 Limitations in NIS/LDAP Gateway
The following are limitations in this version of the NIS/LDAP Gateway.
• Crypt Passwords
  The NIS/LDAP Gateway product requires that user passwords be stored in the directory server in the same format as stored in an /etc/passwd file. This is known as “Unix Crypt” format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server. However, these users will not be able to authenticate to the directory server.
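As an added audit (not from the HP release notes), this Python script reads a constructed LDIF export and reports which userPassword values are in the {crypt} format the gateway needs, so the accounts that will fail NIS authentication can be found before the gateway goes live. The regex assumes the traditional 13-character DES crypt form of /etc/passwd; all DNs and hashes are made up.

```python
import base64
import re

# Constructed LDIF export of three user entries (not real data). Entry "carol"
# uses the LDIF base64 form ("userPassword::"), which an audit must decode.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {crypt}abJnggxhB/yWI

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {SSHA}MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXY=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: e2NyeXB0fWFiSm5nZ3hoQi95V0k=
"""

# Traditional 13-character DES crypt hash, the /etc/passwd form the notes mean.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse_entries(ldif):
    """Minimal LDIF reader: a blank line separates entries, '::' means base64."""
    entries, cur = [], {}
    for line in ldif.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        cur[attr] = value.strip()
    if cur:
        entries.append(cur)
    return entries

def classify_password(pw):
    """Say whether a userPassword value is usable by the NIS/LDAP Gateway."""
    if pw is None:
        return "missing"
    if pw.lower().startswith("{crypt}"):
        return "crypt" if DES_CRYPT_RE.match(pw[7:]) else "crypt-nonstandard"
    if pw.startswith("{"):
        return "other-scheme"   # e.g. {SSHA}: gateway users cannot authenticate
    return "unprefixed"         # cleartext or unknown scheme: review by hand

def audit(ldif):
    """Map each DN to its password classification."""
    return {e["dn"]: classify_password(e.get("userPassword")) for e in parse_entries(ldif)}
```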
4 Support and other resources
4.1 Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to: http://www.hp.com/bizsupport/feedback/ww/webfeedback.html
Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
4.2 Documentation
The documentation below is available on the HP-UX Documentation web site at http://www.hp.com/go/hpux-security-docs (click HP-UX LDAP-UX Integration Software) or where indicated.
Table 4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway

Title: LDAP-UX Client Services B.05.00 Administrator’s Guides
Description: How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services. (part number J4269-90086)
Title: LDAP-UX Client Services B.05.

Bold             Text that is strongly emphasized. The defined use of an important word or phrase.
Command          Command name or qualified command phrase.
user input       Commands and other text that you type.
computer output  Text displayed by the computer.
                 Name of a daemon, parameter, or parameter option.
variable         The name of an environment variable, for example PATH or errno.
value            A value that you may replace in a command or function, or information in a display that represents several possible values.