LDAP-UX Integration B.05.00 Release Notes
• User Group Management Tools Enhancements
The user and group management tools are enhanced to provide the following:
— The DN of the current user as a default when prompting for a DN before binding to
the directory server.
— The ability to change or reset a user's ADS password if SSL has been configured. This
includes the ability of an administrator to reset a user's password.
• pam_authz Enhancements
The following pam_authz enhancements have been made:
— pam_authz now allows granular access control policies to be applied to individual
PAM services (such as ftp, telnet, ssh, imapd, and so forth). Different policies can be
applied to each service.
— pam_authz now supports a new action for rules. In addition to allow and deny, the
required action means that the rule must pass and that the remaining rules must also be processed.
— Previously, pam_authz supported two modes: the netgroup mode, where netgroups
were specified in the /etc/passwd file, and the pam_authz.policy mode, where
rules were defined in the pam_authz.policy file. Those two modes were mutually
exclusive. A new condition rule in the pam_authz.policy file now allows both modes to be used.
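The rule-processing semantics just described, modelled as an added example (this is not HP's pam_authz.policy format or code): the per-service policy structure and the allow/deny/required actions come from the notes above, while the first-match and default-deny behaviour, the group names and the sample rules are assumptions.

```python
"""Illustrative model of the pam_authz rule semantics described above.

Added example, not HP's pam_authz.policy format or implementation. Assumed:
rules are evaluated top to bottom; 'allow' and 'deny' decide on first match;
'required' must pass (otherwise deny) and evaluation continues with the
remaining rules; if no rule decides, the result is deny.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "deny" or "required"
    matches: Callable[[str], bool]  # predicate over the user name


# Constructed sample data: the per-PAM-service structure follows the release
# notes; the memberships and rules themselves are invented for illustration.
ADMINS = {"alice"}
STAFF = {"alice", "bob"}
LOCKED = {"mallory"}

POLICIES: Dict[str, List[Rule]] = {
    "sshd": [
        Rule("required", lambda u: u not in LOCKED),  # must pass, keep going
        Rule("allow", lambda u: u in STAFF),
        Rule("deny", lambda u: True),
    ],
    "ftp": [
        Rule("deny", lambda u: u in LOCKED),
        Rule("allow", lambda u: u in ADMINS),
    ],
}


def authorize(service: str, user: str) -> bool:
    """Return True if user is authorized for the PAM service (default deny)."""
    for rule in POLICIES.get(service, []):
        matched = rule.matches(user)
        if rule.action == "required":
            if not matched:
                return False  # a required rule that does not pass denies
            continue          # passed: the remaining rules still apply
        if matched:
            return rule.action == "allow"  # allow/deny are terminal
    return False  # no rule decided for this service: deny
```

Note that a service with no policy entry (for example telnet here) is denied outright under the assumed default, which is the safe failure mode for an authorization module.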
• LDAP Host management tools
LDAP-UX Integration B.05.00 supports two new LDAP command-line tools, ldaphostmgr
and ldaphostlist, that allow you to manage information about hosts in the directory
server, including ssh public keys. Using HP Secure Shell version 5.5 or higher, LDAP-UX
ssh key management can pre-establish trust between hosts.
— ldaphostmgr
Use the ldaphostmgr tool to add, modify, or delete information about hosts (OS
instances) that are part of the organization. The ldaphostmgr tool uses the existing
ldapux(5) configuration, requiring only a minimal number of command-line options
to discover where to search for host information, such as what directory server(s) to
contact and proper search filters for finding hosts. It also uses the existing ldapux(5)
authentication configuration to determine how to bind to the LDAP directory server.
ldaphostmgr can be used to centrally manage ssh public keys for hosts, and supports
attribute-mapping for attributes defined by the ipHost objectclass. Additional attributes
used in a host entry (such as owner, entityRole, and so on) are not mapped.
— ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an
LDAP-based directory server. Although ldaphostlist provides output similar to
the ldapsearch command, it satisfies a few specific feature requirements that allow
applications to discover and evaluate hosts stored in an LDAP directory server without
requiring intimate knowledge of the methods used to retrieve and evaluate that
information in the LDAP directory server. In addition, ldaphostlist can be used to
discover expiration information about ssh host keys if that information is managed in
the directory server.
For detailed information about tool usage, syntax, options, environment variables and return
codes supported by these tools, refer to the LDAP-UX Client Services B.05.00 Administrator's
Guide or man pages, ldaphostmgr(1M) and ldaphostlist(1M).
• The ignore option for PAM_LDAP support
If PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a
typical configuration in the Trusted Mode Environment), then when you lose access to your
directory server, you will have trouble accessing the system unless a set of so-called “recovery
users” is configured in the /etc/pam_user.conf file. This release supports the ignore