LDAP-UX Integration B.05.01 Release Notes
HP-UX 11i v2 and v3

Abstract
This document describes what is new with the current release of the LDAP-UX Integration product, which includes two components: LDAP-UX Client Services and NIS/LDAP Gateway (ypldapd). The document includes installation and configuration information, known problems fixed in this release, limitations and restrictions, and known issues.
© Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 LDAP-UX integration overview (page 5)
1.1 LDAP-UX Client Services overview (page 5)
1.2 NIS/LDAP Gateway overview (page 6)
1.3 LDAP Client Administration Tools overview
3.1.1.1 Memory requirements (page 26)
3.1.2 Operating system requirement (page 26)
3.1.3 Patch requirements (page 26)
3.1.4 Preparing for installation (page 26)
3.1.
1 LDAP-UX integration overview
The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. LDAP-UX Integration enables the LDAP directory to be used as a single-source repository for HP-UX authentication, authorization, user data, and account management.
1.2 NIS/LDAP Gateway overview
The NIS/LDAP Gateway Server (NisLdapServer subproduct) software helps HP-UX servers and workstations integrate more closely with an LDAP directory. Specifically, this product allows an NIS client to use an LDAP directory as its repository for NIS maps. It provides an NIS-to-LDAP gateway that converts NIS RPC requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features.
2 LDAP-UX Client Services
This section contains the following information about LDAP-UX Client Services B.05.00:
• What's new in LDAP-UX Client Services B.05.01
• What's new in LDAP-UX Client Services B.05.00
• Known problems fixed in LDAP-UX Client Services
• Compatibility and installation requirements for LDAP-UX Client Services
• Documentation
• Known problems and workarounds
• Limitations in LDAP-UX Client Services

2.1 What's new in LDAP-UX Client Services B.05.
• IPv6 support
LDAP-UX OS integration and management tools can now connect to directory servers through IPv6 addressing.
• compat mode performance enhancement
For organizations that rely on legacy netgroup filtering in /etc/passwd, the compat mode performance enhancement significantly improves performance when numerous and large netgroups are used in the /etc/passwd file to control passwd fields.
◦ ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an LDAP-based directory server. Although ldaphostlist provides output similar to the ldapsearch command, it satisfies a few specific feature requirements that allow applications to discover and evaluate hosts stored in an LDAP directory server without requiring intimate knowledge of how that information is retrieved and evaluated in the directory server.
NOTE: Version 6.0.5 of the Mozilla LDAP SDK includes changes to improve compliance with the LDAP C API specification defined by the IETF document draft-ietf-ldapext-ldap-c-api-05.txt. While the majority of these changes are contained within the SDK itself or are opaque to applications, certain applications might be affected and require recompiling. For more information, see Section 2.3.1.1 (page 10).
2.
For more information, see the swlist(1M) manpage. Patches can be obtained from the Patch Database at the HP IT Resource Center at http://www.itrc.hp.com. If this patch is not available, contact your HP support representative for the latest version. A patch number can be superseded at any time. The patch number in the table was current as of June 1, 2010.
D.01.25 or higher for HP-UX 11i v3
If you also wish to use SASL/GSSAPI for proxied authentication, version 1.6.2.05 or later of the Kerberos Client product is required; it replaces the KRB5-Client components of the core HP-UX OS. More specifically, HP-UX 11i v2 requires Kerberos v5 Client product D.1.6.2.05 or higher, and HP-UX 11i v3 requires Kerberos v5 Client product E.1.6.2.05 or higher.
ldapux/key3.db files, see the appropriate “Configuring LDAP-UX Client Services with SSL or TLS support” section of the LDAP-UX Client Services B.05.01 Administrator Guide. If you want to use LDAP-UX with Microsoft Windows Active Directory Server 2003 R2/2008 with RFC 2307, see Section 2.4.3 (page 13) before you run setup or migration. If your name service data (user, group, and so on) have been migrated to an LDAP directory, you can set up a client system as described below.
2.4.4 Profile format changes
The profile format changed in product version B.04.10. If you previously configured LDAP-UX B.04.00 or an earlier version using the default profile /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later, the product automatically updates /etc/opt/ldapux/ldapux_profile.bin to the new format.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1".

WARNING! If the LDAP-UX product is removed without completing Step 5 on an HP-UX 11i v2 system, users will not be able to log onto the system. Follow these steps to resolve the problem:
1. Reboot the system in single-user mode.
2. Execute the "mountall" command to mount the file systems.
3. Complete the operations specified in Step 5 above.

2.5 Problems that have been fixed
2.5.1 Problems fixed in the B.05.
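The lockout described in the WARNING for Step 5 comes from leaving a reference to a PAM module that no longer exists once the product is removed. As an added example that is not part of the HP release notes or the product, the following Python helper checks a pam.conf before removal: it lists the lines that still load libpam_ldap.so.1, flags PAM stacks that would be left with no module once those lines are deleted, and produces a cleaned copy. The pam.conf content and the module path /usr/lib/security/libpam_ldap.so.1 are constructed for illustration.

```python
# Added example (not HP's code): pre-removal check for the Step 5 edit of /etc/pam.conf.
LDAP_MODULE = "libpam_ldap.so.1"

def _module_lines(pam_conf_text):
    """Yield (line_number, line) for every non-blank, non-comment line."""
    for number, line in enumerate(pam_conf_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield number, line

def find_ldap_refs(pam_conf_text):
    """Line numbers of lines that still load libpam_ldap.so.1 (comments ignored)."""
    return [number for number, line in _module_lines(pam_conf_text) if LDAP_MODULE in line]

def orphaned_stacks(pam_conf_text):
    """(service, type) stacks whose only module is libpam_ldap.so.1.
    Deleting their lines leaves the stack empty, so they need review
    (a replacement module) rather than a bare deletion."""
    stacks = {}
    for _, line in _module_lines(pam_conf_text):
        fields = line.split()
        if len(fields) < 4:              # service  type  control  module-path
            continue
        stacks.setdefault((fields[0], fields[1]), []).append(LDAP_MODULE in line)
    return sorted(key for key, flags in stacks.items() if all(flags))

def strip_ldap_refs(pam_conf_text):
    """pam.conf text with the libpam_ldap.so.1 lines removed; comments are kept."""
    drop = set(find_ldap_refs(pam_conf_text))
    kept = [line for number, line in enumerate(pam_conf_text.splitlines(), start=1)
            if number not in drop]
    return "\n".join(kept) + "\n"

# Constructed sample in the HP-UX pam.conf layout; not taken from a real system.
SAMPLE_PAM_CONF = """\
# constructed sample pam.conf
login   auth    sufficient /usr/lib/security/libpam_ldap.so.1
login   auth    required   /usr/lib/security/libpam_unix.so.1 try_first_pass
login   account sufficient /usr/lib/security/libpam_ldap.so.1
login   account required   /usr/lib/security/libpam_unix.so.1
dtlogin session required   /usr/lib/security/libpam_ldap.so.1
# libpam_ldap.so.1 inside a comment must not count as a reference
su      auth    required   /usr/lib/security/libpam_unix.so.1
"""

if __name__ == "__main__":
    print("LDAP references on lines:", find_ldap_refs(SAMPLE_PAM_CONF))
    print("Stacks left empty by Step 5:", orphaned_stacks(SAMPLE_PAM_CONF))
```

Run the same functions over the real /etc/pam.conf and only proceed with the product removal once find_ldap_refs returns an empty list and orphaned_stacks has been resolved.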
Enter the default base DN where LDAP-UX clients should look for user and group information, (for example: cn=users, )
Default base DN []:

When initiated without the -l option, setup configures the profile correctly and generates the default base DN in the user prompt, as shown in the following example:

Enter the default base DN where LDAP-UX clients should look for user and group information, (for example: cn=users, dc=ninja,dc=turtle,dc=acme,dc=com)
Default base DN [dc=ninja,dc=turtle,dc=acme,dc=com]:
• Defect number QXCR1000580415
The LDAP-UX client daemon ldapclientd might not start again when attempting to restart it or when rebooting the system. This occurs after the daemon has exited abnormally or the system did not shut down normally.
• Defect number QXCR1001074063
If the local-only profile is configured, the ldapcfinfo -P command reports an error indicating the presence of an invalid ldapux_client.conf startup file.

2.5.2 Problems fixed in the B.05.
• Defect number QXCR1001009051
ldifdiff would not properly compare LDIF files if attribute names differed in case (upper/lower).
• Defect number QXCR1001038046
ldapentry would report errors when attempting to connect to the directory server with SSL/TLS enabled.

2.6 Known problems and workarounds for LDAP-UX Client Services
This section describes all currently known problems with the LDAP-UX Client Services product.
• Directory server created by autosetup fails to import the /tmp/ldif2dbTmp.
If you change the authentication method from SIMPLE (with or without SSL) to SASL DIGEST-MD5 (with or without SSL), or vice versa, the proxy user becomes invalid unless you update the proxy user during setup.
Workaround
Remove the /etc/opt/ldapux/pcred file, then run the command /opt/ldapux/config/ldap_proxy_config -i to reconfigure it.
However, because the port number is different, only one of the following entries can be stored in an LDAP server:
netdist 2101/tcp
-or-
netdist 2102/tcp

2.7.2 /etc/pam.conf
HP delivers two PAM example configuration files, /etc/pam.ldap and /etc/pam.ldap.trusted, in this release. You need to configure /etc/pam.conf properly for LDAP-UX to work as expected.
• IBM IDS 6.2 - Verified and supported
• Oracle Internet Directory 9.04 - Minimally verified
◦ Required to index all attributes
◦ Bypass setup with ldapmodify to manually load the profile schema
• Computer Associates eTrust 4.0 - Minimally verified
◦ Manual schema installation required
• Sun SunOne 6.
• For users having the same user name in multiple domains, LDAP-UX may return user data from a different domain if the original domain controller fails.
• A user may not be able to change their password if their uid number is not unique in the forest.

2.7.8 Limitations of printer configurator
• The new LDAP printer schema based on /etc/opt/ldapux/schema/RFC3712.xml is imported into the HP-UX Directory Server to create the printer objects.
2.7.11 Manpage for ldapclientd.conf
Limitations in the man command require specifying the section number, as in man 4 ldapclientd.conf, to view the manpage for ldapclientd.conf. If section number 4 is not specified, the ldapclientd manpage appears instead.

2.7.12 LDAP security policy enforcement
With LDAP directory servers that support security policies (such as account or password expiration), it is possible for HP-UX logins to adhere to these policies.
Feature support matrix (row headings): automount name service; aliases name service; services name service; publickey name service; printer configurator; pam_authz X.500-style group syntax; pam_ldap Trusted Mode Security[5]; Standard Mode Security; LDAP command-line utilities; ldapentry editor tool; NIS migration tools; NIS+ migration tools; multiple domains; NIS/LDAP Gateway; authentication methods (Simple Password, SASL/DIGEST-MD5, SASL/GSSAPI, SSL/TLS server certs, SSL/TLS client certs); caching (passwd, group, netgroup, X.
• User and Group Migration
sAMAccountName must be unique across the entire domain. This attribute, used for pre-Windows 2000 clients, is set by the migration scripts to the value of the common name (CN). For example, if a new group is created in a different part of the directory to contain all UNIX users and the common name (CN) of this group duplicates an existing name, the migration fails because the sAMAccountName attribute is not unique.
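The collision described above can be caught before the migration runs. As an added example that is not part of HP's migration scripts, the following Python code parses an LDIF export of the entries to be migrated and reports every CN that occurs more than once, comparing case-insensitively because Active Directory compares sAMAccountName that way. The LDIF content is constructed, and its DNs and OUs are assumptions.

```python
# Added example (not HP's code): pre-migration check for sAMAccountName collisions; LDIF is constructed.
import base64

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> [values].
    Continuation lines (newline + space) are joined first; '::' values are base64."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries

def cn_collisions(entries):
    """Map each CN that occurs more than once to the DNs carrying it.
    The migration scripts copy the CN into sAMAccountName, which Active Directory
    compares case-insensitively, so CNs are folded to lower case here."""
    by_cn = {}
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for cn in entry.get("cn", []):
            by_cn.setdefault(cn.lower(), []).append(dn)
    return {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}

# Constructed LDIF: a POSIX group and an existing Windows group share the CN "admins".
SAMPLE_LDIF = """\
dn: cn=admins,ou=unixgroups,dc=example,dc=com
objectClass: posixGroup
cn: admins

dn: cn=Admins,ou=groups,dc=example,dc=com
objectClass: group
cn:: QWRtaW5z
description: existing Windows group,
 CN supplied base64-encoded to exercise the '::' path

dn: cn=jsmith,ou=people,dc=example,dc=com
objectClass: posixAccount
cn: jsmith
"""
```

Any CN reported by cn_collisions must be renamed on one side before the migration scripts are run.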
3 NIS/LDAP Gateway
This section provides information about known problems fixed in NIS/LDAP Gateway, compatibility and installation requirements, as well as limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC 2307 specification (a schema for storing POSIX account and administration data in an LDAP directory).
NOTE: The NIS/LDAP Gateway is not supported with Windows ADS.

3.1.6 Configuration quick start
If your NIS maps have been migrated to an LDAP directory, you can set up a ypldapd server with only a few steps. (The ypldapd product is not supported with Windows ADS.) If you have not migrated your NIS maps to the LDAP directory, see Installing and Administering NIS/LDAP Gateway.
If the NIS client is on the same box as ypldapd, it can bind to the wrong server.
Workaround
If you want NIS clients to bind to a specific ypldapd or NIS server, configure the client's box as follows: specify "YPSET_ADDR=machine's name" in the /etc/rc.config.d/namesvrs file.

3.4 Limitations in NIS/LDAP Gateway
The following are limitations in this version of the NIS/LDAP Gateway.
4 Support and other resources
4.1 Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, send a message to: http://www.hp.com/bizsupport/feedback/ww/webfeedback.html
Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document.
• Manual pages using the man command, including ypldapd(8), ypserv(1M), ypfiles(4), and other related NIS manpages
• RFC 2307, describing the schema for POSIX naming information, available at: http://www.ietf.org/rfc/rfc2307.txt
• NFS Services Administrator's Guide, which discusses NIS, available at: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02153184/c02153184.pdf

For more information about LDAP-UX Integration and related products and solutions, visit the following HP website: http://h71028.