LDAP-UX Integration B.05.01 Release Notes
2.7.11 Manpage for ldapclientd.conf
A limitation of the man command requires that the section number be given explicitly, as in
man 4 ldapclientd.conf, to view the manpage for ldapclientd.conf. If section number 4 is
not specified, the ldapclientd manpage will appear instead.
2.7.12 LDAP security policy enforcement
With LDAP directory servers that support security policies (such as account or password expiration),
HP-UX logins can adhere to these policies. The design of the LDAP protocol enforces
both authentication and security policies in the same operation (ldap_bind). The design of the
PAM subsystem separates authentication and security policy enforcement into two separate APIs,
configured under the "auth" and "account" portions of the /etc/pam.conf file. Because of
these design differences, administrators need to be aware that it is not possible to use libpam_ldap
for just authentication or for just security policy enforcement. For example, it is not possible to
use SSH public keys for authentication and then use libpam_ldap for account policy enforcement,
because libpam_ldap has no password with which to bind to the directory
server. The same is true if Kerberos is used for authentication: libpam_ldap cannot be used for
security policy enforcement alone.
Starting with LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and password
security policy enforcement without requiring LDAP-based authentication. This feature supports
applications such as SSH (Secure Shell) or the r-commands with .rhosts enabled, where authentication is
performed by the command itself.
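The split configuration described above (libpam_ldap under "account" for a service whose "auth" step is handled elsewhere, or the reverse) is easy to introduce by editing one stanza of /etc/pam.conf. The following script is an added example, not code from the release notes or the LDAP-UX product: it scans a pam.conf and reports every service in which libpam_ldap appears under only one of "auth" and "account". It assumes the HP-UX line format "service type control module [options]", comments beginning with "#", and a module file named libpam_ldap.so.1; the sample pam.conf it writes is constructed for the demonstration and is not a real HP-UX file.

```shell
#!/bin/sh
# Added example; not from the LDAP-UX release notes or the product.
# Reports services where libpam_ldap is listed under "auth" but not
# "account", or under "account" but not "auth". Either split is the
# configuration the notes say libpam_ldap does not support, because the
# ldap_bind that authenticates is also what enforces directory policy.
#
# Assumptions (mine, not the notes'): lines have the form
#   service type control module [options]
# comments start with '#', and the module file is named libpam_ldap.so.1.

# find_split_ldap_services PATH
# Prints one service name per line, sorted, for each split configuration.
find_split_ldap_services() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $4 ~ /libpam_ldap/ {
            if ($2 == "auth")    auth[$1] = 1
            if ($2 == "account") acct[$1] = 1
        }
        END {
            for (s in auth) if (!(s in acct)) print s
            for (s in acct) if (!(s in auth)) print s
        }
    ' "$1" | sort
}

# write_sample_pam_conf PATH
# Writes a constructed sample pam.conf (not a real HP-UX file) for the demo:
# "login" uses libpam_ldap for both steps, "sshd" only for account,
# "rlogin" only for auth.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# constructed sample pam.conf
login   auth     sufficient  libpam_ldap.so.1
login   auth     required    libpam_unix.so.1  try_first_pass
login   account  sufficient  libpam_ldap.so.1
login   account  required    libpam_unix.so.1
sshd    auth     required    libpam_unix.so.1
sshd    account  sufficient  libpam_ldap.so.1
sshd    account  required    libpam_unix.so.1
rlogin  auth     sufficient  libpam_ldap.so.1
rlogin  account  required    libpam_unix.so.1
EOF
}

sample=${TMPDIR:-/tmp}/pam.conf.sample.$$
write_sample_pam_conf "$sample"
echo "services with libpam_ldap under only one of auth/account:"
find_split_ldap_services "$sample"      # prints: rlogin, sshd
rm -f "$sample"
```

Run it against the real file with find_split_ldap_services /etc/pam.conf. A service it reports should either use libpam_ldap for both steps or, from LDAP-UX 4.1 on, use PAM_AUTHZ for the "account" step when authentication is done by the command itself.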
2.7.13 SASL/GSSAPI profile download support
The current release of LDAP-UX does not support automatic downloading of the LDAP-UX profile
when SASL/GSSAPI authentication is used with a host or service principal whose key is stored
in a Kerberos keytab file. This limitation affects the "profile time to live" feature, which
otherwise re-downloads the profile automatically after its profileTTL period has expired.
In this situation, profiles can still be downloaded manually with the get_profile_entry
command, provided a principal and password are given on the command line. The following
command shows how to download the profile manually. If your profile changes
frequently, you may wish to place this in a script that is called periodically by cron:
/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"
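For the cron case, the following wrapper is an added example, not part of the release notes or the product. It keeps the bind password out of the crontab and the script by reading it from a root-only file, and refuses to run if that file is readable by anyone else. The two-line credentials file format (bind DN, then password), the permission check, and the GET_PROFILE_ENTRY override are conventions chosen here, not features of get_profile_entry. One caveat stays regardless: the -w option places the password in the command's argument list, where ps(1) can display it while get_profile_entry runs.

```shell
#!/bin/sh
# Added example; not from the LDAP-UX release notes or the product.
# Cron wrapper for the manual profile download. The credentials file layout
# (line 1: bind DN, line 2: password) and the permission check are my
# conventions, not LDAP-UX's. GET_PROFILE_ENTRY can be pointed at a stub
# such as "true" to exercise the script without a directory server.
GET_PROFILE_ENTRY=${GET_PROFILE_ENTRY:-/opt/ldapux/config/get_profile_entry}

# creds_file_is_safe PATH
# Returns 0 only if PATH is a regular file with mode 0600 owned by the user
# running this script (root under cron). Uses ls -ldn and id -u, since
# HP-UX has no stat(1); numeric ids avoid name-lookup differences.
creds_file_is_safe() {
    [ -f "$1" ] || return 1
    set -- $(ls -ldn "$1")          # $1 = mode string, $3 = numeric owner uid
    case $1 in
        -rw-------*) ;;             # allow a trailing ACL/context marker
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# refresh_profile CREDS_FILE
# Downloads the NSS profile using the bind DN and password in CREDS_FILE.
refresh_profile() {
    creds=$1
    if ! creds_file_is_safe "$creds"; then
        echo "refresh_profile: $creds must be mode 0600 and owned by uid $(id -u)" >&2
        return 1
    fi
    { read -r bind_dn; read -r bind_pw; } < "$creds"
    [ -n "$bind_dn" ] && [ -n "$bind_pw" ] || return 1
    # Caveat: -w still puts the password in the argument list, where ps(1)
    # can show it for as long as get_profile_entry runs.
    "$GET_PROFILE_ENTRY" -s NSS -D "$bind_dn" -w "$bind_pw"
}

# Assumed crontab entry (paths are examples):
#   0 * * * * /usr/local/sbin/refresh_profile.sh /etc/opt/ldapux/profile.creds
if [ $# -gt 0 ]; then
    refresh_profile "$1"
fi
```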
2.7.14 Changing authentication methods
If you wish to switch from your current authentication method, such as SIMPLE or SASL/DIGEST-MD5,
to SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/DIGEST-MD5, you must restart the ldapclientd daemon
after making the configuration changes. This step is required to ensure that the proper GSSAPI,
Kerberos and/or SSL initialization is completed.
2.7.15 Supported features for particular directory servers
The following table shows the supported features for particular directory servers:
Feature                  HP-UX Directory    Microsoft ADS
-------------------------------------------------------------
passwd name service      Supported          Supported
group name service       Supported          Supported
netgroup name service    Supported          Not Supported
hosts name service       Supported          Supported
networks name service    Supported          Supported
protocols name service   Supported          Supported
rpc name service         Supported          Supported
2.7 Limitations in LDAP-UX Client Services 23