LDAP-UX Integration B.05.00 Release Notes
HP-UX 11i v2 and v3
HP Part Number: J4269-90088
Published: June 2010
Edition: 1.0

© Copyright 2010 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

HP CIFS Server is derived from the Open Source Samba product and is subject to the GPL license.

Trademark Acknowledgements

UNIX® is a registered trademark of The Open Group. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

Table of Contents

1 LDAP-UX integration overview ... 7
1.1 LDAP-UX Client Services overview ... 7
1.2 NIS/LDAP Gateway overview ... 7
1.3 LDAP Client Administration Tools overview ... 8
2 LDAP-UX Client Services ... 9
2.1 What's new in LDAP-UX Client Services B.05.00 ... 9
2.2 Compatibility and installation requirements for LDAP-UX Client Services ... 11
2.2.1 Preparing for installation ... 11
2.2.1.1 Mozilla LDAP SDK changes and possible effect on applications ... 11
2.2.1.2 Memory requirements ... 12
2.2.1.3 Hardware requirements ... 12
2.2.1.4 Operating system requirements ... 12
2.2.1.5 Patch requirement for offline credential cache support ... 12
2.2.1.6 Patch requirement for AutoFS with LDAP support on HP-UX 11i v2 ... 12
2.2.1.6.1 HP-UX Enhanced Publickey-LDAP requirement ... 12
2.2.1.6.2 Kerberos support on HP-UX 11i v2 or v3 ... 13
2.3 Installing and configuring the LDAP-UX Client Services ... 13
2.3.1 Installing the LDAP-UX Client Services ... 13
2.3.2 Configuring the LDAP-UX Client ... 14
2.3.3 Configuring for use with Microsoft Windows Active Directory Server ... 15
2.3.4 Profile format changes ... 15
2.3.5 Removing the LDAP-UX Client Services ... 16
2.4 Problems fixed in this release ... 16
2.5 Known problems and workarounds for LDAP-UX Client Services ... 18
2.6 Limitations in LDAP-UX Client Services ... 19
2.6.1 Services ... 19
2.6.2 /etc/pam.conf ... 19
2.6.3 Maximum user name length of 8 characters on a Trusted Mode system ... 19
2.6.4 Long user and group name support ... 20
2.6.5 LDAP directory interoperability ... 20
2.6.6 Supported name service databases ... 20
2.6.7 Duplicated data entries in ADS multiple domains ... 21
2.6.8 Limitations of printer configurator ... 21
2.6.9 Unsupported commands ... 21
2.6.10 Clear text passwords ... 22
2.6.11 Man page for ldapclientd.conf ... 22
2.6.12 LDAP security policy enforcement ... 22
2.6.13 SASL/GSSAPI profile download support ... 22
2.6.14 Changing authentication methods ... 23
2.6.15 Supported features for particular directory servers ... 23
2.6.16 Additional limitations with Active Directory ... 24
3 NIS/LDAP Gateway ... 25
3.1 Compatibility and installation requirements for NIS/LDAP Gateway ... 25
3.1.1 Hardware requirements ... 25
3.1.1.1 Memory requirements ... 25
3.1.2 Operating system requirement ... 25
3.1.3 Patch requirements ... 25
3.1.4 Preparing for installation ... 25
3.1.5 Installing the NIS/LDAP Gateway ... 25
3.1.6 Configuration quick start ... 25
3.2 Installing and configuring LDAP Client administration tools ... 26
3.2.1 Configuration quick start ... 26
3.3 Known problems and workarounds ... 26
3.4 Limitations in NIS/LDAP Gateway ... 27
4 Support and other resources ... 29
4.1 Contacting HP ... 29
4.2 Documentation ... 30
4.2.1 Related documentation ... 30
4.3 Typographic conventions ... 30

List of Tables

2-1 AutoFS Patch on HP-UX 11i v2 ... 12
2-2 Enhanced Publickey-LDAP software requirement ... 13
2-3 Unsupported HP-UX Commands ... 21
4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway ... 30

1 LDAP-UX integration overview

The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. LDAP-UX Integration enables the LDAP directory to be used as a single source repository for HP-UX authentication, authorization, user data, and account management.

This product consists of two components:
• LDAP-UX Client Services - This software enables HP-UX clients to access name service information in an LDAP directory server. pam_authz and the Mozilla LDAP C SDK are two subproducts of this product.
• NIS/LDAP Gateway Server - NIS/LDAP Gateway is a Network Information Service (NIS) that uses an LDAP directory as its information data store instead of NIS maps.

The LDAP-UX Integration product does not include an LDAP directory server. You can obtain the HP-UX Directory Server and Red Hat Directory Server for HP-UX from http://www.hp.com/go/softwaredepot or from your local HP sales office.

These release notes contain information about the LDAP-UX Client Services and NIS/LDAP Gateway subproducts.

The "LDAP-UX Client Services" section of this document includes the following information:
• What's New in LDAP-UX Client Services B.05.00
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds
• Limitations in LDAP-UX Client Services

The "NIS/LDAP Gateway" section of this document includes the following information:
• Compatibility and Installation Requirements for NIS/LDAP Gateway
• Known Problems and Workarounds
• Limitations in NIS/LDAP Gateway

1.1 LDAP-UX Client Services overview

LDAP-UX Client Services simplifies HP-UX system administration by consolidating account, group and other configuration information into a central LDAP directory server. The LDAP-UX Client Services product works with a variety of LDAP v3 capable directory servers and is fully tested with the HP-UX Directory Server / Red Hat Directory Server and the Windows 2003 R2/2008 Active Directory Servers.

NOTE: LDAP-UX Client Services using Windows 2003 R2 or 2008 Active Directory Server does not support netgroup and publickey service data.

IMPORTANT: HP strongly recommends that customers currently using LDAP-UX product version B.04.10 or earlier upgrade to version B.05.00 or later.

For detailed information on new and changed features and known problems fixed in this release of LDAP-UX Client Services, as well as compatibility and installation requirements and limitations in LDAP-UX Client, see "LDAP-UX Client Services" (page 9).

1.2 NIS/LDAP Gateway overview

The NIS/LDAP Gateway Server (NisLdapServer subproduct) software helps HP-UX servers and workstations more closely integrate with an LDAP directory. Specifically, this product allows an NIS client to use an LDAP directory as its repository for NIS maps. This product provides an NIS to LDAP Gateway which converts NIS RPC requests into LDAP operations.

In this release of NIS/LDAP Gateway, there are no new or changed features. For detailed information on known problems fixed in this release of NIS/LDAP Gateway, as well as compatibility and installation requirements and limitations in NIS/LDAP Gateway, see "NIS/LDAP Gateway" (page 25).

1.3 LDAP Client Administration Tools overview

The LDAP Client Administration Tools (NisLdapClient subproduct) is a sub-component of the LdapUxClient. This tool set can help you manage user, group, and other information in an LDAP directory. This sub-component contains the following files:
• Migration scripts that can be used to convert NIS, NIS+ maps or corresponding /etc files into LDIF files and import them into an LDAP directory server.
• LDAP User and Group management tools: A set of LDAP command-line tools that allow you to manage user and group information in an LDAP directory server. These LDAP tools are ldapuglist, ldapugadd, ldapcfinfo, ldapugmod and ldapugdel.
• Basic LDAP administration tools: ldapmodify, ldapsearch, ldapdelete, ldapentry, and ldappasswd.
• A contributed set of entry management tools that allow you to create or modify directory entries.

Because the NIS/LDAP Gateway software emulates an NIS server, your NIS clients can start using an LDAP directory server without installing this sub-component. However, you may want to install the LDAP Client Administration Tools on your NIS clients to allow your users to modify their directory data, such as changing their password.

2 LDAP-UX Client Services

This section contains the following information about LDAP-UX Client Services B.05.00:
• What's New in LDAP-UX Client Services B.05.00
• Known Problems Fixed in LDAP-UX Client Services
• Compatibility and Installation Requirements for LDAP-UX Client Services
• Documentation
• Known Problems and Workarounds
• Limitations in LDAP-UX Client Services

2.1 What's new in LDAP-UX Client Services B.05.00

LDAP-UX Client Services B.05.00 is a major update to the LDAP-UX Integration product. Several new features are added in this release to greatly enhance management of enterprise computing centers and to help comply with strict security requirements:

• Automated setup (simplified guided installation mode)
This release provides automated setup, which allows HP-UX to be quickly configured to integrate into an LDAP directory server for centralized identity and OS management. Guided installation mode allows for one-step integration into a Windows domain or LDAP-UX domain. Guided installation mode can also provision a new HP-UX Directory instance with a pre-created management domain.

• SSH Host Key Management
LDAP-UX can be used to centrally manage public keys for HP Secure Shell (ssh) hosts. By provisioning host public keys into the directory server, trust between hosts and users can be pre-established, eliminating man-in-the-middle threats. Additionally, LDAP-UX allows for central management of ssh configuration parameters.

NOTE: This feature is not supported when using LDAP-UX Client Services with Windows ADS.

• Offline Credential Caching
LDAP-UX can use locally cached user, group, and authentication credentials when contact with the directory server is lost, providing high availability for the OS and its applications. For patch requirements, see Section 2.2.1.5 (page 12).

• IPv6 support
LDAP-UX OS integration and management tools can now connect to directory servers through IPv6 addressing.

• compat mode performance enhancement
For organizations that rely on legacy netgroup /etc/passwd filtering, the compat mode performance enhancement significantly improves performance when numerous and large netgroups are used in the /etc/passwd file for controlling passwd fields.

• Local-only profile support
The centrally managed LDAP-UX configuration profile uses a schema defined by RFC 4876. For environments where modification of the directory server schema is not allowed and new schema cannot be installed, the local-only profile allows LDAP-UX to manage configuration on the local hosts instead of the directory server. You need to use the -l option with the customized setup program to obtain this feature.

• User Group Management Tools Enhancements
The user and group management tools are enhanced to provide the following:
— The DN of the current user as a default when prompting for a DN before binding to the directory server.
— The ability to change or reset a user's ADS password if SSL has been configured. This includes the ability of an administrator to reset a user's password.

• pam_authz Enhancements
The following pam_authz enhancements have been made:
— pam_authz now allows granular access control policies to be applied to individual PAM services (such as ftp, telnet, ssh, imapd, and so forth). Different policies can be applied to each service.
— pam_authz now supports a new action for rules. In addition to allow or deny, a required rule means that the rule must pass and the remaining rules must also be processed.
— Previously, pam_authz supported two modes: the netgroup mode, where netgroups were specified in the /etc/passwd file, or the pam_authz.policy mode, where rules were defined in the pam_authz.policy file. Those two modes were mutually exclusive. A new condition rule in the pam_authz.policy file now allows both modes.

• LDAP Host management tools
LDAP-UX Integration B.05.00 supports two new LDAP command-line tools, ldaphostmgr and ldaphostlist, that allow you to manage information about hosts in the directory server, including ssh public keys. Using HP Secure Shell version 5.5 or higher, LDAP-UX ssh key management can pre-establish trust between hosts.
— ldaphostmgr
Use the ldaphostmgr tool to add, modify, or delete information about hosts (OS instances) that are part of the organization. The ldaphostmgr tool uses the existing ldapux(5) configuration, requiring only a minimal number of command-line options to discover where to search for host information, such as what directory server(s) to contact and proper search filters for finding hosts. It also uses the existing ldapux(5) authentication configuration to determine how to bind to the LDAP directory server. ldaphostmgr can be used to centrally manage ssh public keys for hosts, and supports attribute mapping for attributes defined by the ipHost objectclass. Additional attributes used in a host entry (such as owner, entityRole, and so on) are not mapped.
— ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an LDAP-based directory server. Although ldaphostlist provides output similar to the ldapsearch command, it satisfies a few specific feature requirements that allow applications to discover and evaluate hosts stored in an LDAP directory server without requiring intimate knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server. In addition, ldaphostlist can be used to discover expiration information about ssh host keys if that information is managed in the directory server.

For detailed information about tool usage, syntax, options, environment variables and return codes supported by these tools, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide or the man pages ldaphostmgr(1M) and ldaphostlist(1M).

• The ignore option for PAM_LDAP support
If PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a typical configuration in the Trusted Mode Environment), then when you lose access to your directory server, you will have trouble accessing the system unless a set of so-called "recovery users" is configured in the /etc/pam_user.conf file. This release supports the ignore option for PAM_LDAP, which enables PAM_LDAP to be completely disregarded for specific local users. To enable this feature, you must set the ignore option for PAM_LDAP in the pam_user.conf file for per-user configuration. When you use this option for PAM_LDAP, PAM returns PAM_IGNORE. For detailed information on how to configure and use this feature, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide.

• proxy_is_restricted and allowed_attribute flags added to configuration file
The proxy_is_restricted and allowed_attribute flags are added to the [general] section of the configuration file, ldapclientd.conf:
— proxy_is_restricted=yes|no
If the proxy user is configured in the LDAP-UX profile and defined in /etc/opt/ldapux/pcred, this flag attests that the proxy user does not hold privileged LDAP credentials, meaning the proxy user is restricted in its rights to access "private" information in the directory server.
— allowed_attribute=service:attribute
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to access information in the directory server, such as the sshPublicKey for users and hosts. By setting allowed_attribute, applications can access any defined attribute even if the proxy_is_restricted value is set to no (the default).

These configuration parameters are required to help the ldaphostlist and ldapuglist tools determine if it is OK for them to display arbitrary attributes. If you used autosetup to configure LDAP-UX, these values are automatically set. If you have an existing installation or use the custom install setup program, and are also using a proxy user, you should update these values.
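The following POSIX sh audit is an added example, not part of these release notes or of the LDAP-UX product. It reads the [general] section of an ldapclientd.conf and reports the proxy_is_restricted value and the allowed_attribute entries, which is the check an administrator of an upgraded installation with a proxy user would want to run before relying on the flags above. Only the [general] section, the two flag names, the yes|no and service:attribute forms and the sshPublicKey attribute come from the notes; the file path /etc/opt/ldapux/ldapclientd.conf and the service names "ssh" and "ldaphostlist" in the sample entries are assumptions, and the file content is constructed.

```shell
#!/bin/sh
# Added example (not from the HP release notes): audit the [general] section
# of ldapclientd.conf for the proxy_is_restricted and allowed_attribute
# flags. The file content below is constructed sample data; the real file is
# assumed to live at /etc/opt/ldapux/ldapclientd.conf. The service names
# "ssh" and "ldaphostlist" are assumptions; the notes give only the
# service:attribute form and name sshPublicKey as an attribute.

SAMPLE_CONF='[general]
# constructed sample: proxy user present, flags set by hand
proxy_is_restricted=yes
allowed_attribute=ssh:sshPublicKey
allowed_attribute=ldaphostlist:sshPublicKey

[passwd]
enable=yes
'

# general_value CONF_TEXT KEY
# Print every value of KEY found in the [general] section, one per line.
# Keys of the same name in other sections are ignored; comments and blank
# lines are skipped; whitespace around key and value is trimmed.
general_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[general\][ \t]*$/); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        in_general {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
        }'
}

# proxy_restriction CONF_TEXT
# Print "yes" or "no" for an explicit proxy_is_restricted setting, "unset"
# when the flag is absent (the notes give "no" as the default, which is the
# state an upgraded installation with a proxy user should not be left in),
# or "invalid" for any other value. The last occurrence wins.
proxy_restriction() {
    v=$(general_value "$1" proxy_is_restricted | tail -n 1)
    case "$v" in
        yes|no) printf '%s\n' "$v" ;;
        "")     printf 'unset\n' ;;
        *)      printf 'invalid\n' ;;
    esac
}

# attribute_allowed CONF_TEXT SERVICE ATTRIBUTE
# Exit 0 if an allowed_attribute=SERVICE:ATTRIBUTE entry is present.
attribute_allowed() {
    general_value "$1" allowed_attribute | grep -qxF "$2:$3"
}

# Stand-alone report on the constructed sample. On a real client run:
#   proxy_restriction "$(cat /etc/opt/ldapux/ldapclientd.conf)"
echo "proxy_is_restricted: $(proxy_restriction "$SAMPLE_CONF")"
echo "allowed_attribute entries:"
general_value "$SAMPLE_CONF" allowed_attribute | sed 's/^/  /'
```

Reading the whole file rather than grepping for the key name matters because the same key names can appear in per-service sections of the file; only the [general] values govern the behaviour described above.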

NOTE: Version 6.0.5 of the Mozilla LDAP SDK includes changes to improve compliance with the LDAP C API specification defined by the IETF document draft-ietf-ldapext-ldap-c-api-05.txt. While the majority of these changes are maintained within the SDK itself, or are opaque to applications, certain applications might be impacted and require recompiling. For more information, see Section 2.2.1.1 (page 11).

2.2 Compatibility and installation requirements for LDAP-UX Client Services

This section describes compatibility and installation requirements.

2.2.1 Preparing for installation

2.2.1.1 Mozilla LDAP SDK changes and possible effect on applications

Version 6.0.5 of the Mozilla LDAP SDK includes changes to improve compliance with the LDAP C API specification defined by the IETF document draft-ietf-ldapext-ldap-c-api-05.txt. These changes modify lower-level BER structures. While the majority of these changes are maintained within the SDK itself, or are opaque to applications, those applications that use or modify binary data stored in the directory server, or that make direct use of non-integrated LDAP extensions or controls, will likely be impacted. These impacted applications will be incompatible with version 6.0.5 unless re-compiled. If you have a third-party application that no longer functions after upgrading to LDAP-UX version B.04.20 or later, contact HP support. SAP customers should review SAP Notes 1451598 and 541344 before installing LDAP-UX.

For customers transitioning to the newer version of the LDAP SDK, LDAP SDK 5.17 is provided in /opt/ldapux/lib/legacy/5. Internal versions have been added to both SDKs to help prevent newly-built applications from using the wrong LDAP library.

2.2.1.2 Memory requirements

This product has minimal supplementary memory and disk requirements. Beyond the memory requirements of the operating system and other active applications, your system should have at least 5 MB of additional main memory, and at least 40 megabytes of free disk space under /opt. If you enable long-term enumeration caching, disk space requirements will increase by the size of your current user and group data.

2.2.1.3 Hardware requirements

An HP 9000 (PA-RISC) or HP Integrity (IA64) computer system.

2.2.1.4 Operating system requirements

HP-UX 11i v1, 11i v2 or 11i v3.

2.2.1.5 Patch requirement for offline credential cache support

For support of offline credential caching, the following patches must be installed before starting the LDAP-UX client daemon (ldapclientd); otherwise, offline credential caching will be disabled, even if it is configured in ldapclientd.conf:
• PHCO_37069 for HP-UX 11i v2
• PHCO_39369 for HP-UX 11i v3

2.2.1.6 Patch requirement for AutoFS with LDAP support on HP-UX 11i v2

For HP-UX 11i v2, if AutoFS support is required, then the patch listed in Table 2-1 is required. No patches are required for HP-UX 11i v2 without AutoFS support, or for v3. Use the following command to determine which patches are installed on your system:

/usr/sbin/swlist -l product | grep PH | more

See the swlist(1M) man page for more information. Patches can be obtained from the Patch Database at the HP IT Resource Center at http://www.itrc.hp.com. If this patch is not available, contact your HP support representative for the latest version. A patch number can be superseded at any time. The patch number in the table was current as of June 1, 2010.
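The following script is an added example, not from these release notes or from HP; it turns the swlist check above and the patch lists of Sections 2.2.1.5 and 2.2.1.6 into a repeatable pre-flight test, since offline credential caching silently stays disabled when its patch is missing. The patch numbers (PHCO_37069, PHCO_39369, PHNE_38904) are the ones the notes give; the swlist output is constructed sample data, and the mapping of uname -r release strings (B.11.23 for 11i v2, B.11.31 for 11i v3) is standard HP-UX, not something the notes state.

```shell
#!/bin/sh
# Added example (not from the HP release notes): compare the patches the
# notes require against "swlist -l product" output. Required patches come
# from the notes: PHCO_37069 (11i v2) and PHCO_39369 (11i v3) for offline
# credential caching, and PHNE_38904 for AutoFS on 11i v2. The swlist output
# below is constructed sample data; the release strings B.11.23 (11i v2) and
# B.11.31 (11i v3) are what "uname -r" prints on those releases.

# required_patches RELEASE AUTOFS(yes|no)
# Print the patch IDs the notes list for that release, one per line.
required_patches() {
    case "$1" in
        B.11.23)
            printf 'PHCO_37069\n'
            if [ "$2" = yes ]; then printf 'PHNE_38904\n'; fi
            ;;
        B.11.31)
            printf 'PHCO_39369\n'
            ;;
        *)
            : # 11i v1 or unknown release: the notes list no patches
            ;;
    esac
}

# installed_patches  (reads "swlist -l product" output on stdin)
# Print the patch product names, one per line. HP-UX patch products are
# named PHCO_, PHKL_, PHNE_ or PHSS_ followed by digits, in the first column.
installed_patches() {
    awk '$1 ~ /^PH(CO|KL|NE|SS)_[0-9]+$/ { print $1 }'
}

# missing_patches RELEASE AUTOFS SWLIST_OUTPUT
# Print each required patch not present in SWLIST_OUTPUT. Caveat from the
# notes: patch numbers can be superseded, so a host carrying a newer
# superseding patch instead is still reported here and needs a manual look.
missing_patches() {
    installed=$(printf '%s\n' "$3" | installed_patches)
    for p in $(required_patches "$1" "$2"); do
        if ! printf '%s\n' "$installed" | grep -qx "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# Constructed sample: an 11i v2 host with the offline-cache patch installed
# and the AutoFS patch absent. Product titles are made up.
SAMPLE_SWLIST='# Initializing...
# Contacting target "client1"...
#
# Target:  client1:/
#
  LDAPUX                B.05.00        LDAP-UX Integration
  PHCO_37069            1.0            constructed sample title
  PHSS_36286            1.0            constructed sample title
'

# Stand-alone run on the sample. On a real client replace the sample with:
#   missing_patches "$(uname -r)" yes "$(/usr/sbin/swlist -l product)"
missing=$(missing_patches B.11.23 yes "$SAMPLE_SWLIST")
if [ -n "$missing" ]; then
    echo "Missing required patches:"
    printf '  %s\n' $missing
else
    echo "All required patches are installed"
fi
```

Run it before starting ldapclientd for the first time; a non-empty result on an 11i v2 or v3 host means offline credential caching will not work whatever ldapclientd.conf says.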

Table 2-1 AutoFS Patch on HP-UX 11i v2

HP-UX Version: HP-UX 11i v2
Patch Number: PHNE_38904
Platform: Workstation/Server
Automatic Reboot?: yes
Description: AutoFS cumulative patch.

2.2.1.6.1 HP-UX Enhanced Publickey-LDAP requirement

Support for NIS publickey through LDAP requires a functionality enhancement in LDAP-UX Client Services and an enhancement in the ONC product. ONC with publickey LDAP support is available through the HP-UX Enhanced Publickey-LDAP Software Pack (SPK) web release. To enable the publickey LDAP support, you must install the appropriate Enhanced Publickey-LDAP software bundle listed in Table 2-2 and LDAP-UX Client Services B.04.00 or later on your client systems. The software bundle contains all the required patches plus the enablement product for this new feature. For detailed information, see the ONC with Publickey LDAP Support Software Pack Release Notes at the following website: http://www.hp.com/go/hpux-networking-docs (click HP-UX 11i v2 Networking Software), then navigate to NFS Services.

Table 2-2 Enhanced Publickey-LDAP software requirement

Operating System Supported: HP-UX 11i v2
Software Bundle Version: Enhkey B.11.23.01
Release Date: October, 2006

You can download the Enhanced Publickey-LDAP software bundle from the Software Depot website:
• Go to http://www.hp.com/go/softwaredepot.
• Click on Enhancement releases and patch bundles.
• Select the link: HP-UX Software Pack (Optional HP-UX 11i v2 Core Enhancements)
• Select the link: PublicKey-LDAP (for HP-UX 11i v2)
• Select and download the following software bundle, and place it on your client system (/tmp): Enhkey B.11.23.01 HP-UX B.11.23 IA+PA depot for HP-UX 11i v2
• Use swinstall to install the software bundle (for HP-UX 11i v2):

swinstall -x autoreboot=true -x reinstall=false -s /tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.depot

NOTE: If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.

2.2.1.6.2 Kerberos support on HP-UX 11i v2 or v3

In order to support integration with Windows Active Directory Server, the following version of the PAM-Kerberos product is required:
• C.01.25 or higher for HP-UX 11i v2
• D.01.25 or higher for HP-UX 11i v3

If you wish to also use SASL/GSSAPI for proxied authentication, version 1.6.2.05 or later of the Kerberos Client product is required, which is a replacement for the KRB5-Client components of the core HP-UX OS. More specifically, HP-UX 11i v2 requires Kerberos v5 Client product D.1.6.2.05 or higher, and HP-UX 11i v3 requires Kerberos v5 Client product E.1.6.2.05 or higher.

Please also note that the KRB5CLIENT product is a superior product to previous KRB5-Client patches (such as PHSS_36286). Although patch PHSS_36286 is required, and designed to install over the core Kerberos client patch, it will not overwrite the KRB5CLIENT product.

Note that the autosetup program checks for the PAM-Kerberos product 1.25 or higher, and Kerberos v5 Client product 1.6.2.05 or higher.

Both "PAM Kerberos" (J5849AA) and "Kerberos Client" (KRB5CLIENT) products can be downloaded from http://software.hp.com. They are available at http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA and http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT.

2.3 Installing and configuring the LDAP-UX Client Services

This section provides basic instructions for installing and configuring the LDAP-UX Client Services. For complete installation and configuration instructions, see the LDAP-UX Client Services Administrator's Guide or the LDAP-UX Client Services with Microsoft Windows Active Directory Server Administrator's Guide.

2.3.1 Installing the LDAP-UX Client Services

Use the SD-UX facility for installation. See the swinstall(1M) man page for details.

1. Log in to your system as root.
2. Run swinstall and install the LDAP-UX Client Services (LdapUxClient subproduct). It installs the product software in the /opt/ldapux and /etc/opt/ldapux directories.
3. If you require ONC publickey, ONC AutoFS, or integration with Active Directory Server, see the sections above for details about required product versions and how to obtain them. Install those products and/or patches in this step.
4. Install the required patches listed above, if they have not been installed yet.

NOTE: Starting with LDAP-UX product version B.03.20 or later, a system reboot is not required after installing the product, although a reboot may be required depending on the patches that are installed at the same time as this product.

2.3.2 Configuring the LDAP-UX Client

LDAP-UX B.05.00 introduces a new method for configuring LDAP-UX, known as guided installation. This mode greatly simplifies the LDAP-UX installation process, but also makes several configuration decisions for you. If you do not already have a directory server in your environment, and have HP-UX Directory Server installed, guided installation mode will create and configure a new directory server instance for you.

If you already have a directory server running and you want to enable SSL or TLS support with LDAP-UX, you must configure the LDAP directory server to support SSL or TLS, and install the security databases (cert8.db and key3.db) on your client before you run the setup program. For SSL or TLS setup details, refer to the LDAP-UX Client Services Administrator's Guide or the LDAP-UX Client Services with Microsoft Windows Active Directory Administrator's Guide.

If your browser does not generate cert8.db and key3.db security database files, you must export the certificate (preferably the root certificate of the Certificate Authority that signed the LDAP server's certificate) from your certificate server as a Base64-encoded certificate and use the certutil utility to create the cert8.db and key3.db security database files. Follow the instructions in the Configuring the LDAP-UX client to use SSL or TLS section of the LDAP-UX Client Services B.05.00 Administrator's Guide to pre-install CA certificates in the /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db files.

If you want to use LDAP-UX with Microsoft Windows Active Directory Server 2003 R2/2008 with RFC 2307, see Section 2.3.3 (page 15) before you run setup or migration.

If your name service data (user, group, and so on) have been migrated to an LDAP directory, you can set up a client system as described below. If you have not migrated your name service data to an LDAP directory, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide for complete migration details.

The following shows basic instructions for configuring the LDAP-UX Client Services:

1. When your LDAP directory is configured and contains your name service data, you can run the setup program or autosetup program and follow the prompts to configure your client.

If you want to use customized installation mode:

cd /opt/ldapux/config
./setup

NOTE: At the end of setup, you will be prompted to start/restart ldapclientd. You can choose not to start it right away. However, you must start the daemon, ldapclientd, for LDAP-UX functions to work.

For details on running the setup program, see the LDAP-UX Client Services B.05.00 Administrator's Guide. Continue to step 2.

If you want to use guided installation mode:

cd /opt/ldapux/config

./autosetup

After following the prompts, your installation will be complete. Thre is no need to continueto step 2. Instead continue to step 4.

2. Save a copy of /etc/pam.conf, and modify the original file to add libpam_ldap.so.1on anHP-UX 11i v2 or v3 systemwhere it is appropriate. If your system is in StandardMode,see /etc/pam.ldap for an example. If your system is in the Trusted Mode, see /etc/pam.ldap.trusted for an example.

NOTE: If you use PAM Kerberos, you must configure PAM Kerberos. On the HP-UX 11iv2 or v3 system, you need to add libpam_krb5.so.1 to /etc/pam.confwhere it isappropriate. If your system is in the TrustedMode, see LDAP-UXClient Services B.05.00 withMicrosoftWindows Active Directory Server Administrator’s Guide for the detailed configuration.The Configuration Guides for Kerberos client products are available at http://www.hp.com/go/hpux-security-docs (Click HP-UX Kerberos Data Security Software ).

3. Save a copy of /etc/nsswitch.conf file and modify the original to add ldap to supportname services. See /etc/nsswitch.ldap for an example.

4. Test your setup with a pwget (1) command and grget (1) command to ensure that theclient is reading the name services information from the LDAP directory.

5. If you use netgroup to control access to your hosts, you may wish to install and configurepam_authz. See the pam_authz (5)man page for more details.For more information on testing, troubleshooting, and shortcuts to configure additionalclients, refer to LDAP-UX Client Services B.04.15 Administrator’s Guide.

2.3.3 Configuring for use with Microsoft Windows Active Directory Server

Windows 2003 R2/2008 Active Directory Server provides the ADS 2003 R2/2008 RFC 2307 schema, which is compliant with the IETF RFC 2307 standard.

2.3.4 Profile format changes

The profile format was changed in product version B.04.10. If you previously configured LDAP-UX B.04.00 or an earlier version using the default profile /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later, the product will automatically update /etc/opt/ldapux/ldapux_profile.bin to the new format.

In the following cases, you must manually update the profile format by executing each PROGRAM line after you have successfully updated the product to version B.04.10 or later:

• If you previously configured LDAP-UX B.04.00 or an earlier version using a profile other than /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later.

• If you previously configured LDAP-UX B.04.00 or an earlier version to work with ADS multiple domains, and now update the product to version B.04.10 or later, you must manually execute each PROGRAM line for the remote domains configured in /etc/opt/ldapux/ldapux_client.conf.

For example, if /etc/opt/ldapux/ldapux_client.conf contains the following entries:

    Service: NSS
    PROFILE_ID="local"
    LDAP_HOSTPORT="192.10.10.10:389"
    PROFILE_ENTRY_DN="cn=ldapuxprof,CN=Configuration,DC=myorg,DC=mycom,DC=com"
    PROGRAM="/opt/ldapux/config/create_profile_cache"

    PROFILE_ID="eng.myorg.mycom.com"
    LDAP_HOSTPORT="192.10.10.11:389"
    PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=eng,dc=myorg,dc=mycom,dc=com"
    PROGRAM="/opt/ldapux/config/create_profile_cache \
     -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorig.mycom.com \
     -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com"

    PROFILE_ID="acct.myorg.mycom.com"
    LDAP_HOSTPORT="192.10.10.12:389"
    PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=acct,dc=myorg,dc=mycom,dc=com"
    PROGRAM="/opt/ldapux/config/create_profile_cache \
     -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorig.mycom.com \
     -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com"

After you have successfully updated the product to version B.04.10 or later, you have to execute each PROGRAM from the command line as follows:

    # /opt/ldapux/config/create_profile_cache \
        -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorig.mycom.com \
        -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com

    # /opt/ldapux/config/create_profile_cache \
        -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorig.mycom.com \
        -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com

Then start or restart the client daemon, /opt/ldapux/bin/ldapclientd.
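The manual step above, scripted as an added example that is not part of the release notes or the LDAP-UX tools: it reads a ldapux_client.conf-style file, skips the "local" profile, and prints each remote domain's PROGRAM command with its backslash continuations joined so an administrator can review and then run them. The sample configuration is constructed from the entries shown above, and run_programs is a hypothetical helper that would execute the listed commands.

```shell
#!/bin/sh
# Added example, not HP's code: list (and optionally run) the PROGRAM commands
# that must be executed by hand for every remote domain in
# /etc/opt/ldapux/ldapux_client.conf after an update to B.04.10 or later.
# The sample file below is constructed from the release notes' example.

# extract_programs FILE
# Prints one command per PROFILE_ID other than "local": the PROGRAM value with
# backslash-newline continuations joined and the surrounding quotes removed.
extract_programs() {
    awk '
        /^PROFILE_ID=/ { id = $0; sub(/^PROFILE_ID="?/, "", id); sub(/"$/, "", id) }
        /^PROGRAM=/ {
            cmd = $0; sub(/^PROGRAM="/, "", cmd)
            # a trailing backslash means the value continues on the next line
            while (cmd ~ /\\$/ && (getline line) > 0) {
                sub(/\\$/, "", cmd)
                cmd = cmd " " line
            }
            sub(/"$/, "", cmd)
            gsub(/[ \t]+/, " ", cmd)       # collapse the whitespace left by joining
            if (id != "local") print cmd
        }
    ' "$1"
}

# run_programs FILE (hypothetical helper): execute each extracted command in
# order and stop at the first failure. Arguments carry no quotes or globs in
# this file format, so plain word splitting is enough and eval is avoided.
run_programs() {
    extract_programs "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

SAMPLE_CONF="${TMPDIR:-/tmp}/ldapux_client.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Service: NSS
PROFILE_ID="local"
LDAP_HOSTPORT="192.10.10.10:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,CN=Configuration,DC=myorg,DC=mycom,DC=com"
PROGRAM="/opt/ldapux/config/create_profile_cache"

PROFILE_ID="eng.myorg.mycom.com"
LDAP_HOSTPORT="192.10.10.11:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=eng,dc=myorg,dc=mycom,dc=com"
PROGRAM="/opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorg.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com"

PROFILE_ID="acct.myorg.mycom.com"
LDAP_HOSTPORT="192.10.10.12:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=acct,dc=myorg,dc=mycom,dc=com"
PROGRAM="/opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorg.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com"
EOF

# Review the commands first; on a real client, run_programs "$SAMPLE_CONF"
# executed as root would carry out the update step described above.
extract_programs "$SAMPLE_CONF"
```

The local profile is skipped on purpose: the product updates /etc/opt/ldapux/ldapux_profile.bin itself, as the section explains.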

2.3.5 Removing the LDAP-UX Client Services

You can remove the LDAP-UX Client Services from your system using the SD-UX facility. See the swremove(1M) man page for details.

1. Log in to your system as root.
2. Remove ldap references from /etc/nsswitch.conf and /etc/pam.conf.
3. Run swremove to remove the LDAP-UX Client Services product. For example:

   On HP-UX 11i v2, run /usr/sbin/swremove J4269AA
   On HP-UX 11i v3, run /usr/sbin/swremove LDAPUX

4. Remove the directories /etc/opt/ldapux and /opt/ldapux.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1".

WARNING! If the LDAP-UX product is removed without completing Step 5 on an HP-UX 11i v2 system, users will not be able to log on to the system. Follow these steps to resolve this problem:

1. Reboot the system in single-user mode.
2. Execute the "mountall" command to mount the file systems.
3. Complete the operations specified in Step 5 above.

2.4 Problems fixed in this release

The following problems have been fixed in this release:

• LDAP-UX could close file descriptors of a recently forked process.
• ldapugdel -O would remove the description attribute.
• ldapugdel -O would not remove msSFU attributes.
• Hang in pam_authz if the LDAP server went down during policy evaluation.
• Setup would not handle a directory server that did not have a host name, if it was specified only by IP address.
• Programs calling PAM functions would abort if the libpam_authz library was used and the pam_authz.policy file ended with a backslash.
• The setup utility would report an error when attempting to discover installed schema on Tivoli Directory Server.
• ldap_proxy_config would not properly report that a proxy user credential was invalid if either the specified proxy user name or password was blank.
• ldifdiff did not properly handle the "version:" directive at the beginning of an LDIF file.
• 64-bit applications compiled with mmap could not successfully use the name service APIs (getpwnam, and so on) nor the PAM APIs.
• ldapclientd did not properly update the mem_in_use statistic when a cache had been disabled.
• ldifdiff would not properly compare LDIF files if attribute names had differing case (upper/lower).
• ldapentry would report errors when attempting to connect to the directory server when SSL/TLS was enabled.


2.5 Known problems and workarounds for LDAP-UX Client Services

This section describes all currently known problems with the LDAP-UX Client Services product.

• Proxy User Configuration

  Problem
  If you change the authentication method from SIMPLE (with or without SSL) to SASL DIGEST-MD5 (with or without SSL), or vice versa, the proxy user will become invalid if you don't update the proxy user during setup.

  Workaround
  Remove the /etc/opt/ldapux/pcred file, then run the command /opt/ldapux/config/ldap_proxy_config -i to reconfigure it.

• Hosts

  Problem
  A single entry representing a host/computer in an LDAP directory can contain multiple IP addresses for each hostname record. The /etc/hosts file, however, requires a separate entry for each IP address.

  Workaround
  If the system has been configured with multiple IP addresses for the same hostname, the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same distinguished name for that hostname, one for each IP address. Since distinguished names must be unique in an LDAP directory, you must first manually merge the IP addresses into one designated host record and delete the duplicate records in the LDIF file. A resulting entry might look like the following:

      dn: cn=machineA, ou=devices, ou=hp.com
      objectClass: top
      objectClass: ipHost
      objectClass: device
      ipHostNumber: 15.13.130.72
      ipHostNumber: 15.13.104.4
      ipHostNumber: 15.13.95.92
      cn: machineA
      cn: hpma01.cup.hp.com

  Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.

• Secondary Group

  Problem
  If a user's secondary group is specified by X.500-style group syntax (such as "member" or "uniquemember") and its DN contains the escape character "\", LDAP-UX fails to return the group. As a result, the id command will not show the secondary group.

  Workaround
  Do not use special characters in "cn" or "uid" when creating the user entry.

• Secondary Group

  Problem
  If the defaultSearchBase attribute in the LDAP-UX configuration profile is modified, it can cause LDAP-UX to stop functioning. ldapcfinfo will report the following error:

      # ldapcfinfo -t passwd
      ERROR: CFI_SEARCH_BASE_NOT_EXIST:
      LDAP Error 32: Configured LDAP-UX search base does not exist.

  This can occur if the serviceSearchBase uses a relative base DN, as is configured by autosetup, such as:

      serviceSearchDescriptor: passwd:ou=People,

  Workaround
  If you need to modify the defaultSearchBase, be sure to put the full base DN in the serviceSearchDescriptor attributes when modifying the LDAP-UX configuration profile.

• Permissions with autosetup

  Problem
  If autosetup is used to configure LDAP-UX, it will modify the existing /etc/krb5.conf file or create a new one if needed. If a new /etc/krb5.conf file is created, it will be set with permissions of -rw-------. While these permissions will not prevent use of Windows as an authentication module for login to basic HP-UX services, they could prevent use of other Kerberized services once the user has logged in.

  Workaround
  Change the permissions of the /etc/krb5.conf file to -rw-r--r-- after autosetup completes. For example:

      chmod go+r /etc/krb5.conf
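The manual merge that the Hosts workaround above describes, as an added example that is not part of the release notes or of the migrate_host.pl script: it folds entries with the same distinguished name in an LDIF file into one entry carrying every ipHostNumber value. The input LDIF is constructed from the machineA entry shown above, with a second host added.

```shell
#!/bin/sh
# Added example, not HP's code: merge the duplicate-DN host entries that
# migrate_host.pl emits for a multi-homed host into a single entry, which is
# the manual fix the Hosts workaround asks for. Input LDIF below is constructed.

# merge_ldif_hosts FILE
# Entries are blank-line separated. Entries whose dn matches (compared
# case-insensitively and ignoring spaces after commas) are merged, keeping
# each "attr: value" line once, in first-seen order. Folded continuation
# lines and base64 ("::") values are not handled; migrate_host.pl output
# for hosts does not use them.
merge_ldif_hosts() {
    awk '
        function dnkey(s) { s = tolower(s); gsub(/,[ \t]+/, ",", s); return s }
        /^dn:/ {
            key = dnkey($0)
            if (!(key in dnline)) { dnline[key] = $0; order[++ndn] = key }
            next
        }
        /^[ \t]*$/ { key = ""; next }          # blank line ends the current entry
        key != "" {
            if (!((key, $0) in have)) {        # drop exact duplicate attribute lines
                have[key, $0] = 1
                body[key] = body[key] $0 "\n"
            }
        }
        END {
            for (i = 1; i <= ndn; i++) {
                printf "%s\n%s", dnline[order[i]], body[order[i]]
                if (i < ndn) print ""
            }
        }
    ' "$1"
}

HOSTS_LDIF="${TMPDIR:-/tmp}/hosts.migrated.ldif.$$"
trap 'rm -f "$HOSTS_LDIF"' EXIT
cat > "$HOSTS_LDIF" <<'EOF'
dn: cn=machineA, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.130.72
cn: machineA
cn: hpma01.cup.hp.com

dn: cn=machineA, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.104.4
cn: machineA
cn: hpma01.cup.hp.com

dn: cn=machineA,ou=devices,ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.95.92
cn: machineA
cn: hpma01.cup.hp.com

dn: cn=machineB, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.1.9
cn: machineB
EOF

# Two entries come out: machineA with all three ipHostNumber values, and machineB.
merge_ldif_hosts "$HOSTS_LDIF"
```

Review the merged file before loading it; the DN normalisation here is only the common case and is not a full RFC 4514 comparison.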

2.6 Limitations in LDAP-UX Client Services

The following are limitations in this version of the LDAP-UX Client Services.

2.6.1 Services

When migrating Services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports. For example, the following two lines of data can be stored in the server:

    chargen 19/tcp ttytst source
    chargen 19/udp ttytst source

However, because the port number is different, only one of the following entries can be stored in an LDAP server:

    netdist 2101/tcp
      -or-
    netdist 2102/tcp
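A pre-migration check for this limitation, added here as an example and not part of the LDAP-UX migration tools: it scans a file in services(4) format and reports every service name mapped to more than one port, which is exactly the case that cannot be stored. The sample file is constructed from the lines above.

```shell
#!/bin/sh
# Added example, not HP's code: before migrating /etc/services into LDAP,
# flag service names that carry more than one port number, since only one of
# those lines can be stored under a single service name in the directory.

# find_port_conflicts FILE
# Prints "name: port port ..." for every service name seen with more than one
# distinct port. Several protocols on the same port are fine and are not listed.
find_port_conflicts() {
    awk '
        { sub(/#.*/, "") }                  # strip full-line and trailing comments
        NF < 2 { next }
        {
            split($2, pp, "/")              # "19/tcp" -> port 19, protocol tcp
            port = pp[1]
            if (!(($1, port) in seen)) {
                seen[$1, port] = 1
                ports[$1] = ports[$1] " " port
                count[$1]++
            }
        }
        END {
            for (name in count)
                if (count[name] > 1) print name ":" ports[name]
        }
    ' "$1"
}

SERVICES_SAMPLE="${TMPDIR:-/tmp}/services.sample.$$"
trap 'rm -f "$SERVICES_SAMPLE"' EXIT
cat > "$SERVICES_SAMPLE" <<'EOF'
# constructed sample in services(4) format
chargen  19/tcp   ttytst source   # two protocols, one port: can be stored
chargen  19/udp   ttytst source
netdist  2101/tcp                 # same name on two ports: only one can be stored
netdist  2102/tcp
ldap     389/tcp
ldap     389/udp
EOF

find_port_conflicts "$SERVICES_SAMPLE"   # prints: netdist: 2101 2102
```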

2.6.2 /etc/pam.conf

HP delivers two PAM example configuration files, /etc/pam.ldap and /etc/pam.ldap.trusted, in this release. You need to configure /etc/pam.conf properly for LDAP-UX to work as expected. When you integrate LDAP-UX Client Services with the HP-UX Directory Server and your system is in Standard Mode, the pam_unix library must be defined before pam_ldap, as they are in the /etc/pam.ldap file. If your system is in Trusted Mode, the pam_ldap library must be defined before pam_unix, and both libraries must be specified as "required" under "Session management". See Appendix C, "Sample /etc/pam.ldap.trusted File", in the LDAP-UX Client Services Administrator's Guide for details.
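Added example, not HP's code, covering step 2 of Section 2.3.2 and the ordering rules in this section: an awk-based check of a pam.conf-style file that reports where pam_unix and pam_ldap are in the wrong order for the chosen mode, and, for Trusted Mode, where the two session entries are not both "required". The control flags in the constructed samples are illustrative and are not copied from /etc/pam.ldap or /etc/pam.ldap.trusted.

```shell
#!/bin/sh
# Added example, not HP's code: check the libpam_unix / libpam_ldap ordering
# rules from Section 2.6.2 against a pam.conf-style file. Standard Mode wants
# pam_unix before pam_ldap; Trusted Mode wants pam_ldap before pam_unix and
# both modules "required" for session. Sample flags below are constructed.

# check_pam_order FILE MODE    (MODE is "standard" or "trusted")
# Prints one line per violation; returns 1 if any were found, otherwise 0.
check_pam_order() {
    case $2 in
        standard|trusted) ;;
        *) echo "mode must be standard or trusted" >&2; return 2 ;;
    esac
    awk -v mode="$2" '
        /^[ \t]*#/ || NF < 4 { next }    # HP-UX pam.conf: service type flag module [options]
        {
            key = $1 "/" $2              # one stack per service/type, e.g. login/auth
            n[key]++                     # position of this entry within the stack
            if ($4 ~ /libpam_unix/) { if (!(key in upos)) upos[key] = n[key]; uflag[key] = $3 }
            if ($4 ~ /libpam_ldap/) { if (!(key in lpos)) lpos[key] = n[key]; lflag[key] = $3 }
        }
        END {
            bad = 0
            for (key in lpos) {
                if (!(key in upos)) continue      # rule applies only where both modules appear
                if (mode == "standard" && lpos[key] < upos[key]) {
                    print key ": libpam_ldap listed before libpam_unix (Standard Mode wants pam_unix first)"
                    bad++
                }
                if (mode == "trusted") {
                    if (upos[key] < lpos[key]) {
                        print key ": libpam_unix listed before libpam_ldap (Trusted Mode wants pam_ldap first)"
                        bad++
                    }
                    split(key, part, "/")
                    if (part[2] == "session" && (uflag[key] != "required" || lflag[key] != "required")) {
                        print key ": pam_ldap and pam_unix must both be \"required\" for session"
                        bad++
                    }
                }
            }
            exit (bad > 0)
        }
    ' "$1"
}

PAM_STANDARD="${TMPDIR:-/tmp}/pam.standard.$$"
PAM_TRUSTED="${TMPDIR:-/tmp}/pam.trusted.$$"
trap 'rm -f "$PAM_STANDARD" "$PAM_TRUSTED"' EXIT

cat > "$PAM_STANDARD" <<'EOF'
# constructed Standard Mode sample: pam_unix ahead of pam_ldap in every stack
login   auth      sufficient  libpam_unix.so.1
login   auth      required    libpam_ldap.so.1
login   account   sufficient  libpam_unix.so.1
login   account   required    libpam_ldap.so.1
login   session   required    libpam_unix.so.1
login   session   required    libpam_ldap.so.1
EOF

cat > "$PAM_TRUSTED" <<'EOF'
# constructed Trusted Mode sample: pam_ldap ahead of pam_unix, session both required
login   auth      sufficient  libpam_ldap.so.1
login   auth      required    libpam_unix.so.1
login   account   sufficient  libpam_ldap.so.1
login   account   required    libpam_unix.so.1
login   session   required    libpam_ldap.so.1
login   session   required    libpam_unix.so.1
EOF

# Each sample passes in its own mode and fails in the other.
for f in "$PAM_STANDARD" "$PAM_TRUSTED"; do
    for mode in standard trusted; do
        echo "== $f checked as $mode mode"
        check_pam_order "$f" "$mode" && echo "   ok"
    done
done
```

On a real system, point the function at /etc/pam.conf after step 2 of Section 2.3.2 and before restarting ldapclientd; it only reads the file.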

2.6.3 Maximum user name length of 8 characters on a Trusted Mode system

When a user logs in to a Trusted Mode system on an HP-UX 11i v2 or v3 machine, HP-UX supports a maximum user name length of eight characters.


2.6.4 Long user and group name support

LDAP-UX supports long user and group names of up to 255 characters on an HP-UX 11i v3 system when you explicitly enable the expanded user and group name feature by using the lugadmin -e command. Refer to the lugadmin man page for details. On HP-UX 11i v2, the maximum length of a user or group name is eight characters.

2.6.5 LDAP directory interoperability

The LDAP-UX product has been certified under the Open Group's "works with LDAP 2000" branding.

LDAP-UX has been designed to work with any directory server that supports the RFC 2307 schema or a similar syntactic schema (such as the Microsoft Services For Unix 3.5 schema). The LDAP-UX product requires the "Configuration Profile" schema, which is defined by RFC 4876, available at http://www.rfc-editor.org and at the IETF drafts web site http://www.ietf.org/ID.html. The "Configuration Profile" schema will be automatically installed on directory servers that support online modification of the subschema subentry.

The following directories have been tested or minimally verified:

• HP-UX Directory Server for HP-UX 8.1 - Fully tested and supported
• Red Hat Directory Server 8.0 for HP-UX - Verified and supported
• Microsoft Windows 2003 R2/2008 Active Directory - Fully tested and supported
• OpenLDAP 2.1.13a - Verified with limited support
  — Manual schema installation required
• Novell eDirectory 8.7 and 8.8 - Minimally verified with limited support
  — Manual schema installation required
  — Password modification via the passwd(1) command not yet supported.
• IBM IDS 6.2 - Verified and supported
  — Manual schema installation required
• Oracle Internet Directory 9.04 - Minimally verified
  — Required to index all attributes
  — Bypass setup with ldapmodify to manually load the profile schema
• Computer Associates eTrust 4.0 - Minimally verified
  — Manual schema installation required
• Sun SunOne 6.3 - Minimally verified

If you have another directory, you may be able to use it if it meets the following requirements:

• Supports version 3 of the LDAP specification as defined by IETF RFCs 2251 through 2256
• Supports the Posix name service schema (RFC 2307) or a similar schema
• The schema can be extended to include the DUAConfigProfile object classes and required attributes (see above)
• For security, the directory should support an access control mechanism that can restrict modification rights of entries and attributes to specific users
• For security, the directory should support at least ldap_simple_bind authentication

2.6.6 Supported name service databases

• LDAP-UX Client Services using HP-UX Directory Server supports the following name services data:
  — passwd
  — group
  — netgroup
  — automount
  — publickey
  — services
  — rpc
  — hosts
  — networks
  — protocols
  — user-defined maps

• LDAP-UX Client Services using Windows 2003 R2/2008 Active Directory Server currently supports passwd, group, hosts, protocols, automount, networks, rpc, and services in a single domain, and supports only passwd and group in multiple domains. It does not support netgroup and publickey service data.

• The LDAP-UX Client Services daemon, /opt/ldapux/bin/ldapclientd, caches only passwd, group, netgroup, and automount service data.

2.6.7 Duplicated data entries in ADS multiple domains

To better integrate with HP-UX, it is highly recommended that you maintain unique user names and uid numbers in the forest, or undesired behaviors may occur. For example:

• If an ADS Global Catalog server is configured to retrieve data from remote domains, LDAP-UX won't return data if there are duplicate entries in any remote domains.
• For users having the same user name in multiple domains, LDAP-UX may return user data from a different domain if the original domain controller fails.
• A user may not be able to change their password if his/her uid number is not unique in the forest.

2.6.8 Limitations of printer configurator

• The new LDAP printer schema based on /etc/opt/ldapux/schema/RFC3712.xml is imported into the HP-UX Directory Server to create the printer objects.
• The LDAP-UX Client Services only supports the HP LP spooler system, network printers, and printer servers that support the Line Printer Daemon (LPD) protocol. The printer configurator does not support local printers.
• In a global management environment, it is hard to determine a default printer for the individual client system. The LDAP printer configurator treats every printer entry as a regular printer. The administrator or user is required to manually select a printer as the default printer for the client system.

2.6.9 Unsupported commands

The following HP-UX commands currently do not work with LDAP-UX Client Services:

Table 2-3 Unsupported HP-UX Commands

chfn(1)
    Does not change the "finger" information for users in the directory. See the finger(1) man page.

chsh(1)
    Does not change the login shell for users in the directory.

sam(1M)
    The System Administration Manager (SAM) does not manage name service information in the directory. However, the System Management Homepage, smh(1M), provides similar capabilities in HP-UX 11i v3 with full and integrated support for LDAP.

useradd(1M), userdel(1M), usermod(1M)
    These commands do not manage user information in the directory. However, the similar commands ldapugadd, ldapugdel, and ldapugmod support LDAP user and group operations with similar parameters.

groupadd(1M), groupdel(1M), groupmod(1M)
    These commands do not manage group information in the directory. However, the similar commands ldapugadd, ldapugdel, and ldapugmod support LDAP user and group operations with similar parameters.

Additional tools are available to perform management in the LDAP directory and include: ldaphostmgr, ldaphostlist, ldapmodify, ldapsearch, ldapdelete, and ldapentry.

2.6.10 Clear text passwords

login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the network unless SSL, TLS, or SASL Digest-MD5 authentication is enabled with setup. To support SASL/DIGEST-MD5, some directory server products (including HP-UX Directory Server) store the password in clear text. By default, when using customized install mode, SSL and SASL/DIGEST-MD5 authentication are disabled. Using SSL or TLS (the default when using guided installation mode) allows passwords to be stored in any format on the directory server (including the Salted Secure Hash Algorithm, SSHA), and also protects password transmission over the network.

2.6.11 Man page for ldapclientd.conf

Limitations in the man command require specifying the section number, as in man 4 ldapclientd.conf, to view the man page for ldapclientd.conf. If section number 4 is not specified, the ldapclientd man page will appear instead.

2.6.12 LDAP security policy enforcement

With LDAP directory servers that support security policies (such as account or password expiration), it is possible for HP-UX logins to adhere to these policies. The design of the LDAP protocol enforces both authentication and security policies in the same operation (ldap_bind). The design of the PAM subsystem separates authentication and security policy enforcement into two separate APIs, as configured under the "auth" and "account" portions of the /etc/pam.conf file. Because of these design differences, administrators need to be aware that it is not possible to use libpam_ldap for either just authentication or just security policy enforcement. For example, it is not possible to use ssh public keys for authentication and then use libpam_ldap for account policy enforcement, since libpam_ldap does not have a password with which to bind to the directory server. The same is true if Kerberos is used for authentication; libpam_ldap cannot be used for security policy enforcement alone.

Starting with LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and password security policy enforcement without requiring LDAP-based authentication. This feature supports applications such as SSH (Secure Shell) or r-commands with .rhosts enabled, where authentication is performed by the command itself.

2.6.13 SASL/GSSAPI profile download support

The current release of LDAP-UX does not support automatic downloading of the LDAP-UX profile when used with SASL/GSSAPI authentication where that authentication uses a host or service principal whose key is stored in a Kerberos keytab file. This limitation impacts the ability of the LDAP-UX product to support the "profile time to live" feature, which automatically re-downloads a profile after its profileTTL time period has expired.


In this situation, profiles can still be downloaded manually using the get_profile_entry command, as long as a principal and password are provided on the command line. The following command shows an example of how to download the profile manually. If your profile changes frequently, you may wish to place this in a script that is called periodically by cron:

    /opt/ldapux/config/get_profile_entry -s NSS -D \
        "<[email protected]>" -w "<adminpassword>"

2.6.14 Changing authentication methods

If you wish to switch from your current authentication method, such as SIMPLE or SASL/DIGEST-MD5, to SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/DIGEST-MD5, you must restart the ldapclientd daemon after making the configuration changes. This step is required to ensure that the proper GSS API, Kerberos and/or SSL initialization is completed.

2.6.15 Supported features for particular directory servers

The following shows the supported features for particular directory servers:

    Feature                          HP-UX Directory       Microsoft ADS
    -------------------------------------------------------------------
    passwd name service              Supported             Supported
    group name service               Supported             Supported
    netgroup name service            Supported             Not Supported
    hosts name service               Supported             Supported
    networks name service            Supported             Supported
    protocols name service           Supported             Supported
    rpc name service                 Supported             Supported
    automount name service           Supported             Not Supported
    aliases name service             Not Supported[1]      Not Supported
    services name service            Supported             Supported
    publickey name service           Supported             Not Supported
    printer configurator             Supported             Not Supported[2]
    pam_authz                        Supported             Supported[3]
    X.500-style group syntax         Supported             Supported
    pam_ldap                         Supported             Not Supported[4]
    Trusted Mode Security[5]         Supported             Supported
    Standard Mode Security           Supported             Supported
    LDAP Command-line Utils.         Supported             Supported
    ldapentry editor tool            Supported             Supported
    NIS Migration Tools              Supported             Supported
    NIS+ Migration Tools             Supported             Supported
    Multiple Domains                 Not Supported         Supported
    NIS/LDAP Gateway                 Supported             Not Supported
    Authentication Methods
      Simple Password                NSS[6] & PAM[7]       NSS Only
      SASL/DIGEST-MD5                NSS & PAM             NSS Only
      SASL/GSSAPI                    Not Supported         NSS Only
      SSL Server Certs.              NSS & PAM             NSS Only
      SSL Client Certs.              Not Supported         Not Supported
    Caching
      passwd                         Supported             Supported
      group                          Supported             Supported
      netgroup                       Supported             Not Supported
      X.500-style group membership   Supported             Supported

NOTE:

1. Equivalent feature available directly in sendmail.
2. The setup program does not support configuration of ADS-based printers. If the printer entry in ADS contains a "printer-uri" type attribute (see RFC3712), the configuration profile can be modified to change the attribute mapping for printer-name and printer-uri to match that of printer descriptions in ADS. However, this feature is not officially supported.
3. netgroups may not be stored in ADS.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features. Identities stored in the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
6. NSS refers to the Name Service Subsystem, such as passwd, group, etc. For more information, refer to the nsswitch.conf(4) man page.
7. PAM refers to the Pluggable Authentication Module subsystem. For more information, refer to the pam(3) man page.

2.6.16 Additional limitations with Active Directory

• ldapentry Not Certified for Active Directory
  ldapentry, a new client administration tool to simplify adding, modifying, and deleting database entries, is not certified for use with Active Directory.

• Limited Name Service Database Support for Multiple Domains
  LDAP-UX Client Services, using Windows 2003 R2/2008 Active Directory Server with multiple domains, currently only supports the passwd and group name services.

• Posix Password Support
  Posix password (defined as userPassword in RFC 2307, and msSFUPassword in SFU 2.0) is not certified.

• User and Group Migration
  sAMAccountName must be unique across the entire domain. This attribute, used for pre-Windows 2000 clients, is set by the migration scripts to the value of the common name (CN). For example, if a new group in a different section of the directory is created to contain all UNIX users and the common name (CN) of this group duplicates an existing name, the migration will fail because the sAMAccountName attribute is not unique. You can work around this limitation by modifying the LDIF file to use a unique value for sAMAccountName.

• Support of Referrals with Active Directory
  Referrals with Active Directory are currently not certified.

• Changing the Password for a Disabled User
  When a user whose account is stored in ADS is disabled by setting the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file on an HP-UX client system, and PAM_Kerberos is used as the authentication method, the passwd command will allow you to change the password for the disabled user, since LDAP does not control this subsystem.


3 NIS/LDAP Gateway

This section provides information about known problems fixed in the NIS/LDAP Gateway, compatibility and installation requirements, as well as limitations in NIS/LDAP Gateway B.04.10.

The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC 2307 specification (a schema for storing Posix account and administration data in an LDAP directory).

Because the NIS/LDAP Gateway software emulates ypserv, your NIS clients can start using an LDAP directory without modification. However, with this software you cannot modify your LDAP account information from an NIS client (that is, you cannot use chfn(1), chsh(1) or passwd(1) to change your account information). To achieve this, install the LDAP Client Administration Tools (NisLdapClient subproduct) on some or all of your NIS clients.

3.1 Compatibility and installation requirements for NIS/LDAP Gateway

This section provides basic instructions for installing the NIS/LDAP Gateway. For complete installation and configuration instructions, refer to the NIS/LDAP Gateway Administrator's Guide.

3.1.1 Hardware requirements

An HP 9000 or HP ia64 computer system.

3.1.1.1 Memory requirements

This product has minimal memory and disk requirements. Your system should have at least 32 MB of main memory, and at least five megabytes of free disk space under /opt. Depending on the size of your NIS maps and whether you wish to cache that data in the NIS/LDAP Gateway server, you will need additional physical main memory, approximately two to three times the total size of your existing NIS maps.

3.1.2 Operating system requirement

HP-UX 11i v2 and v3 on HP IA64.

3.1.3 Patch requirements

The NIS/LDAP Gateway software has no specific patch requirements.

3.1.4 Preparing for installation

Verify you have at least five megabytes of free disk space under /opt.

3.1.5 Installing the NIS/LDAP Gateway

Use the SD-UX facility for installation. See the swinstall(1M) man page for details.

1. Log in to your system as root.
2. If a ypldapd server is already running on your system, terminate it with the kill(1) command.
3. Run swinstall and install the NisLdapServer product. This installs the product software in the /opt/ldapux directory. No reboot is required.

3.1.6 Configuration quick start

If your NIS maps have been migrated to an LDAP directory, you can set up a ypldapd server with only a few steps. If you have not migrated your NIS maps to the LDAP directory, see Installing and Administering NIS/LDAP Gateway.


• If you have already configured other NIS/LDAP Gateway servers on other systems, you can simply duplicate the configuration file /opt/ldapux/ypldapd/etc/ypldapd.conf on the local system.

• Otherwise, edit the file /opt/ldapux/ypldapd/etc/ypldapd.conf and add the appropriate values according to the descriptions in the file. Minimally, you will need to update the ypdomain, ldaphost, basedn, binddn and bindcred parameters. If you have a large LDAP database and you are using 11i v2 or v3 NIS clients, you should set preload_maps to preload_maps group.bynam. The user you identify in the binddn must be an LDAP directory user that is allowed to read the userPassword attribute.

• If the NIS domain you use is the same as the domain being used by an existing NIS server, you must stop and disable the NIS server. You can do this by executing the command /sbin/init.d/nis.server stop to stop the NIS server. Then change NIS_SLAVE_SERVER and NIS_MASTER_SERVER to 0 in the file /etc/rc.config.d/namesvrs.

Once your NIS/LDAP Gateway server is running, you can test your setup with a ypcat(1) command, such as ypcat group. You may need to wait (up to a minute) as the ypbind(1M) process attempts to find the new NIS/LDAP Gateway server. To avoid this wait, you can stop and restart the client as follows before issuing the ypcat command:

    /sbin/init.d/nis.client stop
    /sbin/init.d/nis.client start

3.2 Installing and configuring LDAP Client administration tools

This section provides basic instructions for installing the LDAP Client Administration Tools. For complete installation and configuration instructions, see the NIS/LDAP Gateway Administrator's Guide.

3.2.1 Configuration quick start

This product does not require any specific configuration. However, once you have installed the product, read the file /opt/ldapux/bin/README-ADMIN for instructions on how to simplify LDAP directory administration from your LDAP-UX or NIS/LDAP Gateway clients.

You may also wish to create a front-end script to the ldappasswd command, to hide the LDAP directory from the average HP-UX user. Below are two examples you can cut and paste into a passwd shell script and then modify for your environment:

    #!/usr/bin/ksh
    /opt/ldapux/bin/ldappasswd -b "your_base_DN" -h "ldap_server_host_name" \
        -p "ldap_port"

    #!/usr/bin/ksh
    /opt/ldapux/bin/ldappasswd -b "ou=people,o=hp.com" \
        -h "dirserver.lab.hp.com" -p 389

3.3 Known problems and workarounds
Known Problem
If the NIS client is on the same system as ypldapd, it can bind to the wrong server.
Workaround
If you want NIS clients to bind to a specific ypldapd or NIS server, configure the client system as follows: specify "YPSET_ADDR=machine's name" in the /etc/rc.config.d/namesvrs file.


3.4 Limitations in NIS/LDAP Gateway
The following are limitations in this version of the NIS/LDAP Gateway.

• Crypt Passwords
The NIS/LDAP Gateway product requires that user passwords be stored in the directory server in the same format as stored in an /etc/passwd file. This is known as "Unix Crypt" format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server. However, these users will not be able to authenticate to the directory server. One side effect is that users will not be able to change their own passwords (although a directory administrator could accomplish this on a user's behalf). Also, other LDAP-enabled applications may not work correctly.

• Modifying Data in the Directory
You cannot use the chfn(1), chsh(1) and passwd(1) commands to modify data in the directory.

• NIS and NIS/LDAP Gateway
You cannot run an NIS server (ypserv) and an NIS/LDAP Gateway server (ypldapd) simultaneously on the same system.

• Shadow Passwords Not Supported
You must set the hide_passwords parameter to "no" in the ypldapd.conf file because shadow passwords are not supported. See Installing and Administering NIS/LDAP Gateway for details.

• Use Preloaded Maps instead of ypall_caching
You should use the preload_maps parameter to preload maps into the cache instead of ypall_caching. Use of ypall_caching can cause a performance bottleneck in the ypldapd server. For more information, see "Caching" in Installing and Administering NIS/LDAP Gateway.
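As an added example (not code from the HP release notes or the LDAP-UX product), the following POSIX shell script is a pre-flight check for a NIS/LDAP Gateway host. It covers both the ypldapd.conf quick-start step in section 3.1 (the required ypdomain, ldaphost, basedn, binddn and bindcred parameters, and preload_maps group.byname) and the limitations listed above (hide_passwords must be "no", ypall_caching should not be used, and ypserv must be disabled in /etc/rc.config.d/namesvrs because it cannot run alongside ypldapd). It assumes ypldapd.conf holds one "parameter value" pair per line with "#" comments and that namesvrs holds shell-style NAME=value lines; all sample file contents are constructed. The check that the file holding bindcred is not world-readable is a hardening step added here, not something the release notes state.

```shell
#!/bin/sh
# Added example, not part of the HP release notes or the LDAP-UX product:
# a pre-flight check for a NIS/LDAP Gateway host, covering the ypldapd.conf
# parameters from section 3.1 and the limitations from section 3.4.
# Assumptions: ypldapd.conf holds one "parameter value" pair per line with
# '#' comments; namesvrs holds shell-style NAME=value lines.

# conf_get FILE PARAM: print the value of PARAM (first match; empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" | head -n 1
}

# check_ypldapd_conf FILE: print one line per finding; return the finding count.
check_ypldapd_conf() {
    findings=0
    # Section 3.1: these parameters must be set before ypldapd will work.
    for p in ypdomain ldaphost basedn binddn bindcred; do
        if [ -z "$(conf_get "$1" "$p")" ]; then
            echo "MISSING: $p is not set"
            findings=$((findings + 1))
        fi
    done
    # Section 3.4: shadow passwords are unsupported, so hide_passwords must be "no".
    hp=$(conf_get "$1" hide_passwords)
    if [ "$hp" != "no" ]; then
        echo "ERROR: hide_passwords must be no, found \"${hp:-unset}\""
        findings=$((findings + 1))
    fi
    # Section 3.4: ypall_caching is a performance bottleneck; preload maps instead.
    if [ -n "$(conf_get "$1" ypall_caching)" ]; then
        echo "WARN: ypall_caching is set; use preload_maps instead"
        findings=$((findings + 1))
    fi
    case " $(conf_get "$1" preload_maps) " in
        *" group.byname "*) ;;
        *) echo "WARN: preload_maps does not include group.byname"
           findings=$((findings + 1)) ;;
    esac
    # bindcred is a clear-text directory credential, so the file should not be
    # world-readable (hardening check added here; not stated in the release notes).
    case "$(ls -ld "$1")" in
        ???????r*) echo "WARN: $1 is world-readable but contains bindcred"
                   findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# check_namesvrs FILE: ypserv and ypldapd cannot run on the same host (section 3.4),
# so NIS_MASTER_SERVER and NIS_SLAVE_SERVER must both be 0. Returns the finding count.
check_namesvrs() {
    findings=0
    for var in NIS_MASTER_SERVER NIS_SLAVE_SERVER; do
        v=$(sed -n "s/^[[:space:]]*$var=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1 | tr -d '"')
        if [ "$v" != "0" ]; then
            echo "ERROR: $var must be 0 in $1, found \"${v:-unset}\""
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# demo: run both checks over constructed sample files (all values are made up).
demo() {
    d=$(mktemp -d)
    cat > "$d/ypldapd.conf" <<'EOF'
# constructed sample, not a real deployment
ypdomain example.com
ldaphost ldap.example.com
basedn ou=people,o=example.com
binddn cn=nisreader,ou=services,o=example.com
bindcred placeholder-password
hide_passwords yes
ypall_caching yes
EOF
    chmod 644 "$d/ypldapd.conf"
    printf 'NIS_MASTER_SERVER=1\nNIS_SLAVE_SERVER=0\n' > "$d/namesvrs"
    a=0; check_ypldapd_conf "$d/ypldapd.conf" || a=$?
    b=0; check_namesvrs "$d/namesvrs" || b=$?
    if [ $((a + b)) -eq 0 ]; then
        echo "ready to start ypldapd"
    else
        echo "fix the $((a + b)) findings above before starting ypldapd"
    fi
    rm -rf "$d"
}
demo
```

Pointed at the live /opt/ldapux/ypldapd/etc/ypldapd.conf and /etc/rc.config.d/namesvrs, each function returns the number of findings, so a start script can refuse to launch ypldapd while either check is nonzero.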


4 Support and other resources

4.1 Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs.
To make comments and suggestions about product documentation, send a message to:
http://www.hp.com/bizsupport/feedback/ww/webfeedback.html
Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.

NOTE: HP cannot provide product support through this email address. To obtain product support, contact your HP Support Representative, your HP Services Representative, or your authorized HP reseller. For more information about support services, see the support website:
http://www.hp.com/go/support

For other ways to contact HP, see the Contact HP website:
http://welcome.hp.com/country/us/en/contact_us.html


4.2 Documentation
The documentation below is available on the HP-UX Documentation web site at http://www.hp.com/go/hpux-security-docs (Click HP-UX LDAP-UX Integration Software) or where indicated.

Table 4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway

Title: LDAP-UX Client Services B.05.00 Administrator's Guide
Description: How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services. (part number J4269-90086)

Title: LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide
Description: How to install, configure, administer, tune, and troubleshoot the LDAP-UX Client Services with Windows Active Directory Server. (part number J4269-90087)

Title: LDAP-UX Integration Product B.05.00 Release Notes (this document)
Description: Describes the latest changes and known problems in the LDAP-UX Client Services. (part number J4269-90088)

Title: NIS/LDAP Gateway Administrator's Guide
Description: How to install, configure, administer, tune and troubleshoot the NIS/LDAP Gateway. (part number J4269-90028)

Title: README files
Description:
• /opt/ldapux/README-LdapUxClient briefly describes the installation, late changes, and known problems in LDAP-UX Client Services
• /opt/ldapux/README-NisLdap briefly describes the NIS/LDAP Gateway
• /opt/ldapux/bin/README-ADMIN briefly describes the instructions on how to simplify LDAP directory administration from LDAP-UX clients

4.2.1 Related documentation
• HP-UX Directory Server and Red Hat Directory Server for HP-UX Administrator's Guides and other titles available at: http://www.hp.com/go/hpux-security-docs
• Various white papers related to LDAP-UX are available at: http://www.hp.com/go/hpux-security-docs (Click HP-UX LDAP-UX Integration Software)
• Preparing your LDAP Directory for HP-UX Integration White Paper available at: http://www.hp.com/go/hpux-security-docs (Click HP-UX LDAP-UX Integration Software)
• Integrating HP-UX Account Management and Authentication with LDAP White Paper available at: http://www.hp.com/go/hpux-security-docs (Click HP-UX LDAP-UX Integration Software)
• Manual pages using the man(1) command: ypldapd(8), ypserv(1M), ypfiles(4) and other related NIS man pages
• RFC 2307 describing the schema for POSIX naming information is available at: http://www.ietf.org/rfc/rfc2307.txt
• NFS Services Administrator's Guide discusses NIS, available at: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02153184/c02153184.pdf

For more information about LDAP-UX Integration and related products and solutions, visit the following HP website:
http://h71028.www7.hp.com/enterprise/us/en/os/hpux11i-security-components.html

4.3 Typographic conventions
This document uses the following typographical conventions:

Book Title  Title of a book or other document.
http://www.hp.com  A website address that is a hyperlink to the site.
Emphasis  Text that is emphasized.


Bold  Text that is strongly emphasized.
  The defined use of an important word or phrase.
Command  Command name or qualified command phrase.
user input  Commands and other text that you type.
computer output  Text displayed by the computer.
  Name of a daemon, parameter, or parameter option.
variable  The name of an environment variable, for example PATH or errno.
value  A value that you may replace in a command or function, or information in a display that represents several possible values.
[ ]  The contents are optional in formats and command descriptions.
{ }  The contents are required in formats and command descriptions.
|  Separates items in a list of choices. In the following example, you must specify either item-a or item-b: {item-a | item-b}
\  The continuous line symbol.
find(1)  HP-UX manpage. In this example, "find" is the manpage name and "1" is the manpage section.
Enter  The name of a keyboard key. Note that Return and Enter both refer to the same key. A sequence such as Ctrl+A indicates that you must hold down the key labeled Ctrl while pressing the A key.
