
LDAP-UX Integration B.05.00 Release Notes

HP-UX 11i v2 and v3

HP Part Number: J4269-90088 Published: June 2010 Edition: 1.0

Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. HP CIFS Server is derived from the Open Source Samba product and is subject to the GPL license. Trademark Acknowledgements: Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. UNIX is a registered trademark of The Open Group.

Table of Contents

1 LDAP-UX integration overview ... 7
1.1 LDAP-UX Client Services overview ... 7
1.2 NIS/LDAP Gateway overview ... 7
1.3 LDAP Client Administration Tools overview ... 8
2 LDAP-UX Client Services ... 9
2.1 What's new in LDAP-UX Client Services B.05.00 ... 9
2.2 Compatibility and installation requirements for LDAP-UX Client Services ... 11
2.2.1 Preparing for installation ... 11
2.2.1.1 Mozilla LDAP SDK changes and possible effect on applications ... 11
2.2.1.2 Memory requirements ... 12
2.2.1.3 Hardware requirements ... 12
2.2.1.4 Operating system requirements ... 12
2.2.1.5 Patch requirement for offline credential cache support ... 12
2.2.1.6 Patch requirement for AutoFS with LDAP support on HP-UX 11i v2 ... 12
2.2.1.6.1 HP-UX Enhanced Publickey-LDAP requirement ... 12
2.2.1.6.2 Kerberos support on HP-UX 11i v2 or v3 ... 13
2.3 Installing and configuring the LDAP-UX Client Services ... 13
2.3.1 Installing the LDAP-UX Client Services ... 13
2.3.2 Configuring the LDAP-UX Client ... 14
2.3.3 Configuring for use with Microsoft Windows Active Directory Server ... 15
2.3.4 Profile format changes ... 15
2.3.5 Removing the LDAP-UX Client Services ... 16
2.4 Problems fixed in this release ... 16
2.5 Known problems and workarounds for LDAP-UX Client Services ... 18
2.6 Limitations in LDAP-UX Client Services ... 19
2.6.1 Services ... 19
2.6.2 /etc/pam.conf ... 19
2.6.3 Maximum user name length of 8 characters on a Trusted Mode system ... 19
2.6.4 Long user and group name support ... 20
2.6.5 LDAP directory interoperability ... 20
2.6.6 Supported name service databases ... 20
2.6.7 Duplicated data entries in ADS multiple domains ... 21
2.6.8 Limitations of printer configurator ... 21
2.6.9 Unsupported commands ... 21
2.6.10 Clear text passwords ... 22
2.6.11 Man page for ldapclientd.conf ... 22
2.6.12 LDAP security policy enforcement ... 22
2.6.13 SASL/GSSAPI profile download support ... 22
2.6.14 Changing authentication methods ... 23
2.6.15 Supported features for particular directory servers ... 23
2.6.16 Additional limitations with Active Directory ... 24
3 NIS/LDAP Gateway ... 25
3.1 Compatibility and installation requirements for NIS/LDAP Gateway ... 25
3.1.1 Hardware requirements ... 25
3.1.1.1 Memory requirements ... 25
3.1.2 Operating system requirement ... 25
3.1.3 Patch requirements ... 25
3.1.4 Preparing for installation ... 25
3.1.5 Installing the NIS/LDAP Gateway ... 25
3.1.6 Configuration quick start ... 25
3.2 Installing and configuring LDAP Client administration tools ... 26
3.2.1 Configuration quick start ... 26
3.3 Known problems and workarounds ... 26
3.4 Limitations in NIS/LDAP Gateway ... 27
4 Support and other resources ... 29
4.1 Contacting HP ... 29
4.2 Documentation ... 30
4.2.1 Related documentation ... 30
4.3 Typographic conventions ... 30

List of Tables

2-1 AutoFS Patch on HP-UX 11i v2 ... 12
2-2 Enhanced Publickey-LDAP software requirement ... 13
2-3 Unsupported HP-UX Commands ... 21
4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway ... 30

1 LDAP-UX integration overview


The LDAP-UX Integration product integrates HP-UX systems with an LDAP directory. Specifically, this product allows HP-UX client systems to use an LDAP directory as their repository for name service data. LDAP-UX Integration enables the LDAP directory to be used as a single source repository for HP-UX authentication, authorization, user data, and account management. This product consists of two components:

- LDAP-UX Client Services - This software enables HP-UX clients to access name service information in an LDAP directory server. pam_authz and the Mozilla LDAP C SDK are two subproducts of this product.
- NIS/LDAP Gateway Server - NIS/LDAP Gateway is a Network Information Service (NIS) server that uses an LDAP directory as its information data store instead of NIS maps.

The LDAP-UX Integration product does not include an LDAP directory server. You can obtain the HP-UX Directory Server and Red Hat Directory Server for HP-UX from http://www.hp.com/go/softwaredepot or from your local HP sales office. These release notes contain information about the LDAP-UX Client Services and NIS/LDAP Gateway subproducts. The LDAP-UX Client Services section of this document includes the following information:

- What's New in LDAP-UX Client Services B.05.00
- Compatibility and Installation Requirements for LDAP-UX Client Services
- Documentation
- Known Problems and Workarounds
- Limitations in LDAP-UX Client Services

The NIS/LDAP Gateway section of this document includes the following information:

- Compatibility and Installation Requirements for NIS/LDAP Gateway
- Known Problems and Workarounds
- Limitations in NIS/LDAP Gateway

1.1 LDAP-UX Client Services overview


LDAP-UX Client Services simplifies HP-UX system administration by consolidating account, group and other configuration information into a central LDAP directory server. The LDAP-UX Client Services product works with a variety of LDAP v3 capable directory servers and is fully tested with the HP-UX Directory Server/Red Hat Directory Server and the Windows 2003 R2/2008 Active Directory Servers.

NOTE: LDAP-UX Client Services using Windows 2003 R2 or 2008 Active Directory Server does not support netgroup and publickey service data.

IMPORTANT: HP strongly recommends that customers currently using LDAP-UX product version B.04.10 or earlier upgrade to version B.05.00 or later.

For detailed information on new and changed features and known problems fixed in this release of LDAP-UX Client Services, as well as compatibility and installation requirements and limitations in LDAP-UX Client Services, see LDAP-UX Client Services (page 9).

1.2 NIS/LDAP Gateway overview


The NIS/LDAP Gateway Server (NisLdapServer subproduct) software helps HP-UX servers and workstations integrate more closely with an LDAP directory. Specifically, this product allows an NIS client to use an LDAP directory as its repository for NIS maps. This product provides an NIS to LDAP Gateway which converts NIS RPC requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features. For detailed information on known problems fixed in this release of NIS/LDAP Gateway, as well as compatibility and installation requirements and limitations in NIS/LDAP Gateway, see NIS/LDAP Gateway (page 25).

1.3 LDAP Client Administration Tools overview


The LDAP Client Administration Tools (NisLdapClient subproduct) is a sub-component of the LdapUxClient. This tool set can help you manage user, group, and other information in an LDAP directory. This sub-component contains the following files:

- Migration scripts: can be used to convert NIS or NIS+ maps, or the corresponding /etc files, into LDIF files and import them into an LDAP directory server.
- LDAP User and Group management tools: a set of LDAP command-line tools that allow you to manage user and group information in an LDAP directory server. These LDAP tools are ldapuglist, ldapugadd, ldapcfinfo, ldapugmod and ldapugdel.
- Basic LDAP administration tools: ldapmodify, ldapsearch, ldapdelete, ldapentry, and ldappasswd.
- A contributed set of entry management tools that allow you to create or modify directory entries.

Because the NIS/LDAP Gateway software emulates an NIS server, your NIS clients can start using an LDAP directory server without installing this sub-component. However you may want to install the LDAP Client Administration Tools on your NIS clients to allow your users to modify their directory data, such as changing their password.


2 LDAP-UX Client Services


This section contains the following information about LDAP-UX Client Services B.05.00:

- What's New in LDAP-UX Client Services B.05.00
- Known Problems Fixed in LDAP-UX Client Services
- Compatibility and Installation Requirements for LDAP-UX Client Services
- Documentation
- Known Problems and Workarounds
- Limitations in LDAP-UX Client Services

2.1 What's new in LDAP-UX Client Services B.05.00


LDAP-UX Client Services B.05.00 is a major update to the LDAP-UX Integration product. Several new features are added in this release to greatly enhance management of enterprise computing centers and to help comply with strict security requirements:

Automated setup (simplified guided installation mode)
This release provides automated setup, which allows HP-UX to be quickly configured to integrate into an LDAP directory server for centralized identity and OS management. Guided installation mode allows for one-step integration into a Windows domain or LDAP-UX domain. Guided installation mode can also provision a new HP-UX Directory instance with a pre-created management domain.

SSH Host Key Management
LDAP-UX can be used to centrally manage public keys for HP Secure Shell (ssh) hosts. By provisioning host public keys into the directory server, trust between hosts and users can be pre-established, eliminating man-in-the-middle threats. Additionally, LDAP-UX allows for central management of ssh configuration parameters.

NOTE: This feature is not supported when using LDAP-UX Client Services with Windows ADS.

Offline Credential Caching
LDAP-UX can use locally cached user, group, and authentication credentials when contact with the directory server is lost, providing high availability for the OS and its applications. For patch requirements, see Section 2.2.1.5 (page 12).

IPv6 support
LDAP-UX OS integration and management tools can now connect to directory servers through IPv6 addressing.

compat mode performance enhancement
For organizations that rely on the legacy netgroup /etc/passwd filtering, the compat mode performance enhancement significantly improves performance when numerous and large netgroups are used in the /etc/passwd file for controlling passwd fields.

Local-only profile support
The centrally managed LDAP-UX configuration profile uses a schema defined by RFC 4876. For environments where modification of the directory server schema is not allowed and new schema cannot be installed, the local-only profile allows LDAP-UX to manage configuration on the local hosts instead of the directory server. You need to use the -l option with the customized setup program to obtain this feature.

User Group Management Tools Enhancements
The user and group management tools are enhanced to provide the following:

- The DN of the current user as a default when prompting for a DN before binding to the directory server.
- The ability to change or reset a user's ADS password if SSL has been configured. This includes the ability of an administrator to reset a user's password.

pam_authz Enhancements
The following pam_authz enhancements have been made:

- pam_authz now allows granular access control policies to be applied to individual PAM services (such as ftp, telnet, ssh, imapd, and so forth). Different policies can be applied to each service.
- pam_authz now supports a new action for rules. In addition to allow and deny, the required action means that the rule must pass and the remaining rules must also be processed.
- Previously, pam_authz supported two modes: the netgroup mode, where netgroups were specified in the /etc/passwd file, and the pam_authz.policy mode, where rules were defined in the pam_authz.policy file. Those two modes were mutually exclusive. A new condition rule in the pam_authz.policy file now allows both modes.

LDAP Host management tools
LDAP-UX Integration B.05.00 supports two new LDAP command-line tools, ldaphostmgr and ldaphostlist, that allow you to manage information about hosts in the directory server, including ssh public keys. Using HP Secure Shell version 5.5 or higher, LDAP-UX ssh key management can pre-establish trust between hosts.

ldaphostmgr
Use the ldaphostmgr tool to add, modify, or delete information about hosts (OS instances) that are part of the organization. The ldaphostmgr tool uses the existing ldapux(5) configuration, requiring only a minimal number of command-line options to discover where to search for host information, such as what directory server(s) to contact and the proper search filters for finding hosts. It also uses the existing ldapux(5) authentication configuration to determine how to bind to the LDAP directory server. ldaphostmgr can be used to centrally manage ssh public keys for hosts, and supports attribute mapping for attributes defined by the ipHost objectclass. Additional attributes used in a host entry (such as owner, entityRole, and so on) are not mapped.

ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an LDAP-based directory server. Although ldaphostlist provides output similar to the ldapsearch command, it satisfies a few specific feature requirements that allow applications to discover and evaluate hosts stored in an LDAP directory server without requiring intimate knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server. In addition, ldaphostlist can be used to discover expiration information about ssh host keys if that information is managed in the directory server.

For detailed information about tool usage, syntax, options, environment variables and return codes supported by these tools, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide or the man pages ldaphostmgr(1M) and ldaphostlist(1M).

The ignore option for PAM_LDAP support
If PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a typical configuration in the Trusted Mode Environment), then when you lose access to your directory server, you will have trouble accessing the system unless a set of so-called recovery users is configured in the /etc/pam_user.conf file. This release supports the ignore option for PAM_LDAP, which enables PAM_LDAP to be completely disregarded for specific local users. To enable this feature, you must set the ignore option for PAM_LDAP in the pam_user.conf file for per-user configuration. When you use this option for PAM_LDAP, PAM returns PAM_IGNORE. For detailed information on how to configure and use this feature, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide.

proxy_is_restricted and allowed_attribute flags added to configuration file
The proxy_is_restricted and allowed_attribute flags are added to the [general] section of the configuration file, ldapclientd.conf:

proxy_is_restricted=yes|no
If the proxy user is configured in the LDAP-UX profile and defined in /etc/opt/ldapux/pcred, this flag attests that the proxy user does not hold privileged LDAP credentials, meaning the proxy user is restricted in its rights to access "private" information in the directory server.

allowed_attribute=service:attribute
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to access information in the directory server, such as the sshPublicKey for users and hosts. By setting allowed_attribute, applications can access any defined attribute even if the proxy_is_restricted value is set to no (the default).

These configuration parameters are required to help the ldaphostlist and ldapuglist tools determine whether it is OK for them to display arbitrary attributes. If you used autosetup to configure LDAP-UX, these values are automatically set. If you have an existing installation or use the custom install setup program, and are also using a proxy user, you should update these values.

NOTE: Version 6.0.5 of the Mozilla LDAP SDK includes changes to improve compliance with the LDAP C API specification defined by the IETF document draft-ietf-ldapext-ldap-c-api-05.txt. While the majority of these changes are maintained within the SDK itself, or are opaque to applications, certain applications might be impacted and require recompiling. For more information, see Section 2.2.1.1 (page 11).
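As an added example (not from these release notes and not HP's code), the following POSIX shell script reads the two flags from a constructed ldapclientd.conf-style file and reports what an administrator reviewing an upgraded proxy-user installation would want to see. The layout it assumes (an INI-style [general] header, one key=value per line with no spaces around the equals sign, allowed_attribute repeated once per service:attribute pair) and the function names are assumptions made for the illustration; the policy those values express is as described in the text above.

```shell
#!/bin/sh
# Added example, not HP's code: read the proxy_is_restricted and
# allowed_attribute flags from the [general] section of an ldapclientd.conf-
# style file.  Assumptions not stated on the page: the file is INI-style
# ("[section]" headers, one key=value per line, no spaces around "="), and
# allowed_attribute may be repeated, one service:attribute pair per line.

# Constructed sample configuration for this example.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real host's ldapclientd.conf
[general]
proxy_is_restricted=yes
allowed_attribute=ssh:sshPublicKey
allowed_attribute=ldaphostlist:sshPublicKey

[passwd]
enable_cache=yes
EOF

# Print the non-comment lines that belong to the [general] section only.
general_section() {
    awk '
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[general\][ \t]*$/); next }
        in_general && !/^[ \t]*(#|$)/ { print }
    ' "$1"
}

# Value of KEY in [general]; prints nothing when the key is absent there.
general_value() {
    general_section "$1" | awk -F= -v key="$2" '$1 == key { print $2; exit }'
}

# "yes" if an allowed_attribute=SERVICE:ATTRIBUTE line exists, else "no".
attribute_listed() {
    if general_section "$1" | grep -q "^allowed_attribute=$2:$3\$"; then
        echo yes
    else
        echo no
    fi
}

# Report what the ldaphostlist/ldapuglist tools will find when deciding
# whether arbitrary attributes may be displayed.
audit_proxy_flags() {
    restricted=$(general_value "$1" proxy_is_restricted)
    if [ -z "$restricted" ]; then
        echo "proxy_is_restricted is unset: add it to [general] if a proxy user is configured"
    else
        echo "proxy_is_restricted=$restricted"
    fi
    general_section "$1" | grep '^allowed_attribute=' || echo "no allowed_attribute entries"
}

audit_proxy_flags "$SAMPLE_CONF"
```

Run against a real client, audit_proxy_flags would be pointed at the system's own ldapclientd.conf; an unset proxy_is_restricted on a host that uses a proxy user is the condition the text says a custom-setup installation must correct by hand.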

2.2 Compatibility and installation requirements for LDAP-UX Client Services


This section describes compatibility and installation requirements.

2.2.1 Preparing for installation


2.2.1.1 Mozilla LDAP SDK changes and possible effect on applications
Version 6.0.5 of the Mozilla LDAP SDK includes changes to improve compliance with the LDAP C API specification defined by the IETF document draft-ietf-ldapext-ldap-c-api-05.txt. These changes modify lower-level BER structures. While the majority of these changes are maintained within the SDK itself, or opaque to the applications, those applications that use or modify binary data stored in the directory server or that make direct use of non-integrated LDAP extensions or controls, will likely be impacted. These impacted applications will be incompatible with version 6.0.5 unless re-compiled. If you have a third-party application that no longer functions after upgrading to LDAP-UX version B.04.20 or later, contact HP support. SAP customers should review SAP Note 1451598 and 541344 before installing LDAP-UX. For customers transitioning to the newer version of LDAP SDK, LDAP SDK 5.17 is provided in /opt/ldapux/lib/legacy/5. Internal versions have been added to both SDKs to help prevent newly-built applications from using the wrong LDAP library.

2.2.1.2 Memory requirements


This product has minimal supplementary memory and disk requirements. Beyond the memory requirements of the operating system and other active applications, your system should have at least 5 MB of additional main memory and at least 40 MB of free disk space under /opt. If you enable long-term enumeration caching, disk space requirements will increase by the size of your current user and group data.

2.2.1.3 Hardware requirements


An HP 9000 (PA-RISC) or HP Integrity (IA64) computer system.

2.2.1.4 Operating system requirements


HP-UX 11i v1, 11i v2 or 11i v3.

2.2.1.5 Patch requirement for offline credential cache support


For support of offline credential caching, the following patches must be installed before starting the LDAP-UX client daemon (ldapclientd); otherwise, offline credential caching will be disabled, even if it is configured in ldapclientd.conf:

- PHCO_37069 for HP-UX 11i v2
- PHCO_39369 for HP-UX 11i v3

2.2.1.6 Patch requirement for AutoFS with LDAP support on HP-UX 11i v2


For HP-UX 11i v2, if AutoFS support is required, then the patch listed in Table 2-1 is required. No patches are required for HP-UX 11i v2 without AutoFS support, or for 11i v3. Use the following command to determine which patches are installed on your system:

/usr/sbin/swlist -l product | grep PH | more

See the swlist(1M) man page for more information. Patches can be obtained from the Patch Database at the HP IT Resource Center at http://www.itrc.hp.com. If this patch is not available, contact your HP support representative for the latest version. A patch number can be superseded at any time. The patch number in the table was current as of June 1, 2010.

Table 2-1 AutoFS Patch on HP-UX 11i v2

HP-UX Version | Patch Number | Platform | Automatic Reboot? | Description
HP-UX 11i v2 | PHNE_38904 | Workstation/Server | yes | AutoFS cumulative patch.
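Sections 2.2.1.5 and 2.2.1.6 both name patches that must be present before ldapclientd is started. As an added example (not HP's code), the shell functions below check a swlist listing for those patch numbers. The listing here is a constructed sample standing in for the output of /usr/sbin/swlist -l product on a client; the 11iv2/11iv3 release labels and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not HP's code: check "swlist -l product" output for the
# patches these release notes name, so the offline credential cache and
# AutoFS prerequisites can be verified before ldapclientd is started.
# Assumption: a patch shows up as the first whitespace-separated field of a
# listing line, as in the constructed sample below.

# Constructed sample listing; PHNE_38904 and PHCO_39369 are deliberately absent.
SAMPLE_SWLIST='# Initializing...
# Target:  client-host:/
#
  PHCO_37069            1.0            PHCO_37069 - constructed sample entry
  PHSS_36286            1.0            PHSS_36286 - constructed sample entry
  LdapUxClient          B.05.00        LDAP-UX Client Services'

# Patches named in sections 2.2.1.5 and 2.2.1.6 for a given HP-UX release.
required_patches() {
    case "$1" in
        11iv2) echo "PHCO_37069 PHNE_38904" ;;   # offline cache + AutoFS
        11iv3) echo "PHCO_39369" ;;              # offline cache only
        *)     echo "" ;;
    esac
}

# Print, one per line, those of the named patches that the listing lacks.
# Only exact patch numbers are matched: a superseding patch (the notes warn
# that numbers can be superseded) is reported as missing and needs a manual
# check against the Patch Database.
missing_patches() {
    listing=$1; shift
    for patch in "$@"; do
        printf '%s\n' "$listing" |
            awk -v p="$patch" '$1 == p { found = 1 } END { exit !found }' ||
            echo "$patch"
    done
}

# Missing patches for a release, space-separated on one line.
missing_for_release() {
    # word-splitting of the patch list is intended here
    missing_patches "$1" $(required_patches "$2") | tr '\n' ' ' | sed 's/ $//'
}

echo "Missing on 11i v2 (offline cache + AutoFS): $(missing_for_release "$SAMPLE_SWLIST" 11iv2)"
echo "Missing on 11i v3 (offline cache): $(missing_for_release "$SAMPLE_SWLIST" 11iv3)"
```

On a real client, replace SAMPLE_SWLIST with the captured output of /usr/sbin/swlist -l product; an empty result for the release in use means ldapclientd can be started with offline credential caching enabled as configured.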

2.2.1.6.1 HP-UX Enhanced Publickey-LDAP requirement

Support for NIS publickey through LDAP requires a functionality enhancement in LDAP-UX Client Services and an enhancement in the ONC product. ONC with publickey LDAP support is available through the HP-UX Enhanced Publickey-LDAP Software Pack (SPK) web release. To enable publickey LDAP support, you must install the appropriate Enhanced Publickey-LDAP software bundle listed in Table 2-2 and LDAP-UX Client Services B.04.00 or later on your client systems. The software bundle contains all the required patches plus the enablement product for this new feature. For detailed information, see the ONC with Publickey LDAP Support Software Pack Release Notes at http://www.hp.com/go/hpux-networking-docs (click HP-UX 11i v2 Networking Software, then navigate to NFS Services).


Table 2-2 Enhanced Publickey-LDAP software requirement

Operating System Supported | Software Bundle Version | Release Date
HP-UX 11i v2 | Enhkey B.11.23.01 | October, 2006

You can download the Enhanced Publickey-LDAP software bundle from the Software Depot website as follows:

1. Go to http://www.hp.com/go/softwaredepot.
2. Click on Enhancement releases and patch bundles.
3. Select the link: HP-UX Software Pack (Optional HP-UX 11i v2 Core Enhancements).
4. Select the link: PublicKey-LDAP (for HP-UX 11i v2).
5. Select and download the following software bundle and place it on your client system (in /tmp): Enhkey B.11.23.01 HP-UX B.11.23 IA+PA depot for HP-UX 11i v2.
6. Use swinstall to install the software bundle (for HP-UX 11i v2):

swinstall -x autoreboot=true -x reinstall=false -s /tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.depot

NOTE: If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.

2.2.1.6.2 Kerberos support on HP-UX 11i v2 or v3

To support integration with Windows Active Directory Server, the following version of the PAM-Kerberos product is required:

- C.01.25 or higher for HP-UX 11i v2
- D.01.25 or higher for HP-UX 11i v3

If you also wish to use SASL/GSSAPI for proxied authentication, version 1.6.2.05 or later of the Kerberos Client product is required; it is a replacement for the KRB5-Client components of the core HP-UX OS. More specifically, HP-UX 11i v2 requires Kerberos v5 Client product D.1.6.2.05 or higher, and HP-UX 11i v3 requires Kerberos v5 Client product E.1.6.2.05 or higher. Note also that the KRB5CLIENT product is a superior product to the previous KRB5-Client patches (such as PHSS_36286). Although patch PHSS_36286 is required, and is designed to install over the core Kerberos client patch, it will not overwrite the KRB5CLIENT product. The autosetup program checks for the PAM-Kerberos product 1.25 or higher and the Kerberos v5 Client product 1.6.2.05 or higher. Both the "PAM Kerberos" (J5849AA) and "Kerberos Client" (KRB5CLIENT) products can be downloaded from http://software.hp.com. They are available at http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA and http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT.

2.3 Installing and configuring the LDAP-UX Client Services


This section provides basic instructions for installing and configuring the LDAP-UX Client Services. For complete installation and configuration instructions, see the LDAP-UX Client Services Administrator's Guide or LDAP-UX Client Services with Microsoft Windows Active Directory Server Administrator's Guide.

2.3.1 Installing the LDAP-UX Client Services


Use the SD-UX facility for installation. See the swinstall(1M) man page for details.

1. Log in to your system as root.
2. Run swinstall and install the LDAP-UX Client Services (LdapUxClient subproduct). It installs the product software in the /opt/ldapux and /etc/opt/ldapux directories.
3. If you require ONC publickey, ONC AutoFS, or integration with Active Directory Server, see the sections above for details about required product versions and how to obtain them. Install those products and/or patches in this step.
4. Install the required patches listed above, if they have not been installed yet.

NOTE: Starting with LDAP-UX product version B.03.20, a system reboot is not required after installing the product. However, a reboot may be required depending on the patches that are installed at the same time as this product.

2.3.2 Configuring the LDAP-UX Client


LDAP-UX B.05.00 introduces a new method for configuring LDAP-UX, known as guided installation. This mode greatly simplifies the LDAP-UX installation process, but also makes several configuration decisions for you. If you do not already have a directory server in your environment, and have HP-UX Directory Server installed, guided installation mode will create and configure a new directory server instance for you.

If you already have a directory server running and you want to enable SSL or TLS support with LDAP-UX, you must configure the LDAP directory server to support SSL or TLS, and install the security databases (cert8.db and key3.db) on your client before you run the setup program. For SSL or TLS setup details, refer to the LDAP-UX Client Services Administrator's Guide or the LDAP-UX Client Services with Microsoft Windows Active Directory Administrator's Guide. If your browser does not generate cert8.db and key3.db security database files, you must export the certificate (preferably the root certificate of the Certificate Authority that signed the LDAP server's certificate) from your certificate server as a Base64-encoded certificate and use the certutil utility to create the cert8.db and key3.db security database files. Follow the instructions in the "Configuring the LDAP-UX client to use SSL or TLS" section of the LDAP-UX Client Services B.05.00 Administrator's Guide to pre-install CA certificates in the /etc/opt/ldapux/cert8.db and /etc/opt/ldapux/key3.db files.

If you want to use LDAP-UX with Microsoft Windows Active Directory Server 2003 R2/2008 with RFC 2307, see Section 2.3.3 (page 15) before you run setup or migration.

If your name service data (user, group, and so on) have been migrated to an LDAP directory, you can set up a client system as described below. If you have not migrated your name service data to an LDAP directory, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide for complete migration details.

The following shows basic instructions for configuring the LDAP-UX Client Services:

1. When your LDAP directory is configured and contains your name service data, run the setup program or the autosetup program and follow the prompts to configure your client.

   If you want to use customized installation mode:

   cd /opt/ldapux/config
   ./setup

   NOTE: At the end of setup, you will be prompted to start/restart ldapclientd. You can choose not to start it right away. However, you must start the daemon, ldapclientd, for LDAP-UX functions to work. For details on running the setup program, see the LDAP-UX Client Services B.05.00 Administrator's Guide. Continue to step 2.

   If you want to use guided installation mode:

   cd /opt/ldapux/config
   ./autosetup

   After following the prompts, your installation will be complete. There is no need to continue to step 2; instead, continue to step 4.

2. Save a copy of /etc/pam.conf, and modify the original file to add libpam_ldap.so.1 on an HP-UX 11i v2 or v3 system where it is appropriate. If your system is in Standard Mode, see /etc/pam.ldap for an example. If your system is in Trusted Mode, see /etc/pam.ldap.trusted for an example.

   NOTE: If you use PAM Kerberos, you must configure PAM Kerberos. On an HP-UX 11i v2 or v3 system, you need to add libpam_krb5.so.1 to /etc/pam.conf where it is appropriate. If your system is in Trusted Mode, see the LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide for the detailed configuration. The Configuration Guides for the Kerberos client products are available at http://www.hp.com/go/hpux-security-docs (click HP-UX Kerberos Data Security Software).

3. Save a copy of the /etc/nsswitch.conf file and modify the original to add ldap to the supported name services. See /etc/nsswitch.ldap for an example.

4. Test your setup with the pwget(1) and grget(1) commands to ensure that the client is reading the name service information from the LDAP directory.

5. If you use netgroup to control access to your hosts, you may wish to install and configure pam_authz. See the pam_authz(5) man page for more details.

For more information on testing, troubleshooting, and shortcuts to configure additional clients, refer to the LDAP-UX Client Services B.04.15 Administrator's Guide.

2.3.3 Configuring for use with Microsoft Windows Active Directory Server
Windows 2003 R2/2008 Active Directory Server provides the ADS 2003 R2/2008 RFC 2307 schema, which is compliant with the IETF RFC 2307 standard.

2.3.4 Profile format changes


The profile format was changed in product version B.04.10. If you previously configured LDAP-UX B.04.00 or an earlier version using the default profile /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later, the product automatically updates /etc/opt/ldapux/ldapux_profile.bin to the new format. In the following cases, you must manually update the profile format by executing each PROGRAM line after you have successfully updated the product to version B.04.10 or later:
- If you previously configured LDAP-UX B.04.00 or an earlier version using a profile other than /etc/opt/ldapux/ldapux_profile.ldif, and now update the product to version B.04.10 or later.
- If you previously configured LDAP-UX B.04.00 or an earlier version to work with ADS multiple domains, and now update the product to version B.04.10 or later, you must manually execute each PROGRAM line for the remote domains configured in /etc/opt/ldapux/ldapux_client.conf.

For example, if /etc/opt/ldapux/ldapux_client.conf contains the following entries:


Service: NSS
PROFILE_ID="local"
LDAP_HOSTPORT="192.10.10.10:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,CN=Configuration,DC=myorg,DC=mycom,DC=com"
PROGRAM="/opt/ldapux/config/create_profile_cache"

PROFILE_ID="eng.myorg.mycom.com"
LDAP_HOSTPORT="192.10.10.11:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=eng,dc=myorg,dc=mycom,dc=com"
PROGRAM="/opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorig.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com"

PROFILE_ID="acct.myorg.mycom.com"
LDAP_HOSTPORT="192.10.10.12:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=acct,dc=myorg,dc=mycom,dc=com"
PROGRAM="/opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorig.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com"

After you have successfully updated the product to version B.04.10 or later, you have to execute each PROGRAM from the command line as follows:

# /opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorig.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com
# /opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorig.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com

Then you start or restart the client daemon, /opt/ldapux/bin/ldapclientd.
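As an added example (not part of the HP product or of these release notes), the following POSIX shell script pulls the PROGRAM commands for the remote domains out of ldapux_client.conf so they can be reviewed and run one by one; it joins backslash-continued lines and skips the "local" profile, which the product converts on its own. The function names and the sample configuration it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not HP product code: list the PROGRAM commands to run by
# hand for each remote domain in ldapux_client.conf after an update to
# B.04.10 or later. The "local" profile is skipped because the product
# converts that profile automatically.

# Print one joined PROGRAM command per non-local PROFILE_ID found in the
# configuration file named by $1. Backslash-continued lines are joined and
# runs of whitespace are collapsed so each command comes out on one line.
ldapux_remote_programs() {
    awk '
        # A trailing backslash continues the logical line on the next record.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*PROFILE_ID=/ {
            id = line
            sub(/^[ \t]*PROFILE_ID="?/, "", id); sub(/"?[ \t]*$/, "", id)
        }
        line ~ /^[ \t]*PROGRAM=/ {
            cmd = line
            sub(/^[ \t]*PROGRAM="?/, "", cmd); sub(/"?[ \t]*$/, "", cmd)
            gsub(/[ \t]+/, " ", cmd)
            if (id != "local") print cmd
        }
    ' "$1"
}

# Number of remote PROGRAM commands found in the file named by $1.
ldapux_remote_program_count() {
    ldapux_remote_programs "$1" | awk 'END { print NR }'
}

# Write a constructed ldapux_client.conf, modelled on the release-note
# example (one local profile and one remote domain), to the file named by $1.
write_sample_ldapux_client_conf() {
    cat > "$1" <<'EOF'
Service: NSS
PROFILE_ID="local"
LDAP_HOSTPORT="192.10.10.10:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,CN=Configuration,DC=myorg,DC=mycom,DC=com"
PROGRAM="/opt/ldapux/config/create_profile_cache"
PROFILE_ID="eng.myorg.mycom.com"
LDAP_HOSTPORT="192.10.10.11:389"
PROFILE_ENTRY_DN="cn=ldapuxprof,cn=configuration,dc=eng,dc=myorg,dc=mycom,dc=com"
PROGRAM="/opt/ldapux/config/create_profile_cache \
 -i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorg.mycom.com \
 -o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com"
EOF
}

# Stand-alone use: sh this_script.sh /etc/opt/ldapux/ldapux_client.conf
# prints the commands so they can be reviewed, then run one at a time as root.
if [ $# -gt 0 ]; then
    ldapux_remote_programs "$1"
fi
```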

2.3.5 Removing the LDAP-UX Client Services


You can remove the LDAP-UX Client Services from your system using the SD-UX facility. See the swremove(1M) man page for details.

1. Log in to your system as root.
2. Remove ldap references from /etc/nsswitch.conf and /etc/pam.conf.
3. Run swremove to remove the LDAP-UX Client Services product. For example:
   On HP-UX 11i v2, run /usr/sbin/swremove J4269AA
   On HP-UX 11i v3, run /usr/sbin/swremove LDAPUX
4. Remove the directories /etc/opt/ldapux and /opt/ldapux.
5. Edit the /etc/pam.conf file and remove all lines containing "libpam_ldap.so.1".

WARNING! If the LDAP-UX product is removed without completing Step 5 on an HP-UX 11i v2 system, users will not be able to log onto the system. Follow these steps to resolve this problem:
1. Reboot the system in single-user mode.
2. Execute the mountall command to mount the file systems.
3. Complete the operations specified in Step 5 above.

2.4 Problems fixed in this release


The following problems have been fixed in this release:
- LDAP-UX could close file descriptors of a recently forked process.
- ldapugdel -O would remove the description attribute.
- ldapugdel -O would not remove msSFU attributes.
- Hang in pam_authz if the LDAP server went down during policy evaluation.
- Setup would not handle a directory server that did not have a host name, if only specified using the IP address.
- Programs calling PAM functions would abort if the libpam_authz library was used and the pam_authz.policy ended with a backslash.
- The setup utility would report an error when attempting to discover installed schema on Tivoli Directory Server.
- ldap_proxy_config would not properly report that a proxy user credential was invalid if either the specified proxy user name or password was blank.
- ldifdiff did not properly handle the "version:" directive at the beginning of an LDIF file.
- 64-bit applications compiled with mmap could not successfully use the name service APIs (getpwnam, and so on) nor the PAM APIs.
- ldapclientd did not properly update the mem_in_use statistic when a cache had been disabled.
- ldifdiff would not properly compare LDIF files if attribute names had differing case (upper/lower).
- ldapentry would report errors when attempting to connect to the directory server when SSL/TLS was enabled.


2.5 Known problems and workarounds for LDAP-UX Client Services


This section describes all currently known problems with the LDAP-UX Client Services product.

Proxy User Configuration
Problem: If you change the authentication method from SIMPLE (with or without SSL) to SASL DIGEST-MD5 (with or without SSL), or vice versa, the proxy user will become invalid if you don't update the proxy user during setup.
Workaround: Remove the /etc/opt/ldapux/pcred file, then run the command /opt/ldapux/config/ldap_proxy_config -i to reconfigure it.

Hosts
Problem: A single entry representing a host/computer in an LDAP directory can contain multiple IP addresses for each hostname record. The /etc/hosts file, however, requires a separate entry for each IP address.
Workaround: If the system has been configured with multiple IP addresses for the same hostname, the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same distinguished name for the hostname, one for each IP address. Since distinguished names need to be unique in an LDAP directory, you need to first manually merge the IP addresses into one designated host record and delete the duplicate records in the LDIF file. A resulting entry might look like the following:
dn: cn=machineA, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.130.72
ipHostNumber: 15.13.104.4
ipHostNumber: 15.13.95.92
cn: machineA
cn: hpma01.cup.hp.com
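As an added example that is not part of the release notes or of the migration scripts, the following POSIX shell function performs the merge described above on an unfolded LDIF file: entries that share a distinguished name are combined into one entry carrying every distinct attribute line, so each host keeps all of its ipHostNumber values under a single DN. The function names and the sample LDIF it writes are constructed for this example.

```shell
#!/bin/sh
# Added example, not HP product code: merge LDIF entries that share a DN
# (as migrate_host.pl produces for a multi-homed host) into a single entry.
# Assumes unfolded LDIF (no continuation lines starting with a space).

# Read the LDIF file named by $1 and print it with duplicate-DN entries
# merged. Attribute lines are de-duplicated per DN; entries keep the order
# in which their DN was first seen, and comment lines are dropped.
ldif_merge_duplicate_dns() {
    awk '
        function flush(   i, key) {
            if (dn == "") return
            if (!(dn in seen)) {
                seen[dn] = 1; order[++n] = dn; entry[dn] = "dn: " dn
            }
            for (i = 1; i <= m; i++) {
                key = dn SUBSEP attr[i]
                if (!(key in have)) {
                    have[key] = 1; entry[dn] = entry[dn] "\n" attr[i]
                }
            }
            dn = ""; m = 0
        }
        /^dn:/      { flush(); dn = $0; sub(/^dn:[ \t]*/, "", dn); next }
        /^[ \t]*$/  { flush(); next }
        /^#/        { next }
        dn != ""    { attr[++m] = $0 }
        END {
            flush()
            for (i = 1; i <= n; i++) print entry[order[i]] "\n"
        }
    ' "$1"
}

# Count the ipHostNumber values that the merged output of file $1 records
# for the DN given in $2 (used to check a merge result).
ldif_count_ip_for_dn() {
    ldif_merge_duplicate_dns "$1" | awk -v want="$2" '
        /^dn:/ { cur = $0; sub(/^dn:[ \t]*/, "", cur) }
        /^ipHostNumber:/ && cur == want { c++ }
        END { print c + 0 }
    '
}

# Write a constructed migrate_host.pl-style LDIF (machineA listed twice with
# different addresses, plus one single-homed host) to the file named by $1.
write_sample_host_ldif() {
    cat > "$1" <<'EOF'
dn: cn=machineA, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.130.72
cn: machineA
cn: hpma01.cup.hp.com

dn: cn=machineA, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.104.4
cn: machineA
cn: hpma01.cup.hp.com

dn: cn=machineB, ou=devices, ou=hp.com
objectClass: top
objectClass: ipHost
objectClass: device
ipHostNumber: 15.13.95.92
cn: machineB
EOF
}

# Stand-alone use: sh this_script.sh hosts.ldif > hosts-merged.ldif
if [ $# -gt 0 ]; then
    ldif_merge_duplicate_dns "$1"
fi
```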

Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.

Secondary Group
Problem: If a user's secondary group is specified by X.500-style group syntax (such as member, uniquemember) and its DN contains the escape character \, LDAP-UX fails to return the group. As a result, the id command will not show the secondary group.
Workaround: Do not use special characters in cn or uid when creating the user entry.

defaultSearchBase
Problem: If the defaultSearchBase attribute in the LDAP-UX configuration profile is modified, it can cause LDAP-UX to stop functioning. ldapcfinfo will report the following error:

# ldapcfinfo -t passwd
ERROR: CFI_SEARCH_BASE_NOT_EXIST: LDAP Error 32: Configured LDAP-UX search base does not exist.

This can occur if the serviceSearchBase uses a relative base DN, as is configured by autosetup, such as:

serviceSearchDescriptor: passwd:ou=People,

Workaround: If you need to modify the defaultSearchBase, be sure to put the full base DN in the serviceSearchDescriptor attributes when modifying the LDAP-UX configuration profile.

Permissions with autosetup
Problem: If autosetup is used to configure LDAP-UX, it will modify the existing /etc/krb5.conf file or create a new one if needed. If a new /etc/krb5.conf file is created, it will be set with permissions of -rw-------. While these permissions will not prevent usage of Windows as an authentication module for login to basic HP-UX services, they could prevent usage of other Kerberized services once the user has logged in.
Workaround: Change the permission of the /etc/krb5.conf file to -rw-r--r-- after autosetup completes. For example:

chmod go+r /etc/krb5.conf

2.6 Limitations in LDAP-UX Client Services


The following are limitations in this version of the LDAP-UX Client Services.

2.6.1 Services
When migrating services data into the LDAP directory, keep in mind that one service name can be associated with multiple protocols, but not with multiple service ports. For example, the following two lines of data can both be stored in the server:
chargen 19/tcp ttytst source
chargen 19/udp ttytst source

However, because the port numbers differ, only one of the following two entries can be stored in an LDAP server:

netdist 2101/tcp
-or-
netdist 2102/tcp
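As an added pre-migration check (example code, not part of the product's migration scripts), the following POSIX shell function scans a services file and reports every service name that is bound to more than one port number, which is exactly the data that cannot be stored as a single entry; names with several protocols on one port (such as chargen above) are not reported. The function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not HP product code: find service names in an /etc/services
# style file that map to more than one port number. Such names cannot be
# stored as one LDAP entry, whereas several protocols on one port can.

# Print "name: port port ..." for every service name in the file named by $1
# that appears with two or more distinct port numbers; print nothing if the
# file can be migrated as-is. Aliases (third and later fields) are ignored.
services_multi_port_names() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/#.*/, "")                     # drop trailing comments
            if (NF < 2) next
            name = $1
            port = $2; sub(/\/.*/, "", port)   # "19/tcp" -> "19"
            if (port !~ /^[0-9]+$/) next
            if (!((name SUBSEP port) in seen)) {
                seen[name SUBSEP port] = 1
                ports[name] = ports[name] " " port
                count[name]++
            }
        }
        END {
            for (name in count)
                if (count[name] > 1) print name ":" ports[name]
        }
    ' "$1" | sort
}

# Number of service names that the check flags in the file named by $1.
services_multi_port_count() {
    services_multi_port_names "$1" | awk 'END { print NR }'
}

# Write a constructed services file using the release-note examples to the
# file named by $1: chargen on one port with two protocols (storable) and
# netdist on two ports (not storable as one entry).
write_sample_services() {
    cat > "$1" <<'EOF'
# constructed sample services file
chargen   19/tcp   ttytst source
chargen   19/udp   ttytst source
ssh       22/tcp            # Secure Shell
netdist   2101/tcp
netdist   2102/tcp
EOF
}

# Stand-alone use: sh this_script.sh /etc/services
if [ $# -gt 0 ]; then
    services_multi_port_names "$1"
fi
```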

2.6.2 /etc/pam.conf
HP delivers two PAM example configuration files, /etc/pam.ldap and /etc/pam.ldap.trusted, in this release. You need to configure /etc/pam.conf properly for LDAP-UX to work as expected. When you integrate LDAP-UX Client Services with the HP-UX Directory Server and your system is in Standard Mode, the pam_unix library must be defined before pam_ldap, as they are in the /etc/pam.ldap file. If your system is in Trusted Mode, the pam_ldap library must be defined before pam_unix, and both libraries must be specified as "required" under "Session management". See Appendix C, Sample /etc/pam.ldap.trusted File, in the LDAP-UX Client Services Administrator's Guide for details.
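The ordering rule above, and the /etc/pam.conf step of the setup procedure in Section 2.3.2, can be checked mechanically. As an added example that is not part of the product, the following POSIX shell function reads a pam.conf file and reports, per service and module type, any place where libpam_unix and libpam_ldap are in the wrong order for the given mode (or, in Trusted Mode, where either session module is not "required"). The function names and the sample pam.conf are constructed for this example.

```shell
#!/bin/sh
# Added example, not HP product code: check the pam_unix / pam_ldap ordering
# rules from the release notes against a pam.conf file.
#   standard: libpam_unix must be listed before libpam_ldap
#   trusted:  libpam_ldap must be listed before libpam_unix, and under
#             "session" both must use the "required" control flag
# Lines are "service type control module-path [options]"; the module path
# may be a bare name or a full path, so only the library name is matched.

# Print one line per rule violation found in the pam.conf file named by $1
# for mode $2 ("standard" or "trusted"); print nothing when it is clean.
pam_ldap_order_check() {
    awk -v mode="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 4 {
            key = $1 SUBSEP $2
            n[key]++                            # position within service/type
            if ($4 ~ /libpam_unix\.so/) { upos[key] = n[key]; uctl[key] = $3 }
            if ($4 ~ /libpam_ldap\.so/) { lpos[key] = n[key]; lctl[key] = $3 }
        }
        END {
            for (k in n) {
                if (!(k in upos) || !(k in lpos)) continue
                split(k, p, SUBSEP); svc = p[1]; type = p[2]
                if (mode == "standard" && upos[k] > lpos[k])
                    print svc " " type ": libpam_unix must precede libpam_ldap"
                if (mode == "trusted") {
                    if (lpos[k] > upos[k])
                        print svc " " type ": libpam_ldap must precede libpam_unix"
                    if (type == "session" && (uctl[k] != "required" || lctl[k] != "required"))
                        print svc " " type ": both modules must be required"
                }
            }
        }
    ' "$1" | sort
}

# Number of violations reported for file $1 in mode $2.
pam_ldap_order_problem_count() {
    pam_ldap_order_check "$1" "$2" | awk 'END { print NR }'
}

# Write a constructed pam.conf fragment for the login service to the file
# named by $1. Its "account" stack is Trusted-Mode ordered and its "session"
# stack has pam_ldap as optional, so each mode reports different problems.
write_sample_pam_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a complete HP-UX pam.conf
login   auth      required   libpam_unix.so.1
login   auth      required   libpam_ldap.so.1
login   account   required   libpam_ldap.so.1
login   account   required   libpam_unix.so.1
login   password  required   libpam_unix.so.1
login   session   required   libpam_unix.so.1
login   session   optional   libpam_ldap.so.1
EOF
}

# Stand-alone use: sh this_script.sh /etc/pam.conf standard
if [ $# -ge 2 ]; then
    pam_ldap_order_check "$1" "$2"
fi
```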

2.6.3 Maximum user name length of 8 characters on a Trusted Mode system


When a user logs in to a Trusted Mode system on an HP-UX 11i v2 or v3 machine, HP-UX supports a maximum user name length of eight characters.

2.6.4 Long user and group name support


LDAP-UX supports long user and group names of up to 255 characters on an HP-UX 11i v3 system when you explicitly enable the expanded user and group name feature on the system by using the lugadmin -e command. Refer to the lugadmin man page for details. On HP-UX 11i v2, the maximum length of a user or group name is eight characters.

2.6.5 LDAP directory interoperability


The LDAP-UX product has been certified under The Open Group's "Works with LDAP 2000" branding. LDAP-UX has been designed to work with any directory server that can support the RFC 2307 schema or a similar syntactic schema (such as the Microsoft Services For Unix 3.5 schema). The LDAP-UX product requires the "Configuration Profile" schema, which is defined by RFC 4876, available at http://www.rfc-editor.org and at the IETF drafts web site http://www.ietf.org/ID.html. The "Configuration Profile" schema will be automatically installed on directory servers that support online modification of the subschema subentry. The following directories have been tested or minimally verified:
- HP-UX Directory Server for HP-UX 8.1: Fully tested and supported
- Red Hat Directory Server 8.0 for HP-UX: Verified and supported
- Microsoft Windows 2003 R2/2008 Active Directory: Fully tested and supported
- OpenLDAP 2.1.13a: Verified with limited support; manual schema installation required
- Novell eDirectory 8.7 and 8.8: Minimally verified with limited support; manual schema installation required; password modification via the passwd(1) command not yet supported
- IBM IDS 6.2: Verified and supported; manual schema installation required
- Oracle Internet Directory 9.04: Minimally verified; required to index all attributes; bypass setup with ldapmodify to manually load the profile schema
- Computer Associates eTrust 4.0: Minimally verified; manual schema installation required
- Sun SunOne 6.3: Minimally verified

If you have another directory, you may be able to use it if it meets the following requirements:
- Supports version 3 of the LDAP specification as defined by IETF RFCs 2251 through 2256
- Supports the Posix name service schema (RFC 2307) or a similar schema
- The schema can be extended to include the DUAConfigProfile object classes and required attributes (see above)
- For security, the directory should support an access control mechanism that can restrict modification rights of entries and attributes to specific users
- For security, the directory should support at least ldap_simple_bind authentication

2.6.6 Supported name service databases


LDAP-UX Client Services using HP-UX Directory Server supports the following name services data:
- passwd
- group
- netgroup
- automount
- publickey
- services
- rpc
- hosts
- networks
- protocols
- user-defined maps

LDAP-UX Client Services using Windows 2003 R2/2008 Active Directory Server currently supports passwd, group, hosts, protocols, automount, networks, rpc, and services in a single domain, and supports only passwd and group in multiple domains. It does not support netgroup and publickey service data. The LDAP-UX Client Services daemon, /opt/ldapux/bin/ldapclientd, caches only passwd, group, netgroup, and automount service data.

2.6.7 Duplicated data entries in ADS multiple domains


To better integrate with HP-UX, it is highly recommended that you maintain unique user names and uid numbers in the forest, or undesired behaviors may occur. For example:
- If an ADS Global Catalog server is configured to retrieve data from remote domains, LDAP-UX won't return data if there are duplicate entries in any remote domains.
- For users having the same user name in multiple domains, LDAP-UX may return user data from a different domain if the original domain controller fails.
- A user may not be able to change their password if their uid number is not unique in the forest.

2.6.8 Limitations of printer configurator


The new LDAP printer schema, based on /etc/opt/ldapux/schema/RFC3712.xml, is imported into the HP-UX Directory Server to create the printer objects. The LDAP-UX Client Services only supports the HP LP spooler system, network printers, and printer servers that support the Line Printer Daemon (LPD) protocol. The printer configurator does not support local printers. In a global management environment, it is hard to determine a default printer for an individual client system. The LDAP printer configurator treats every printer entry as a regular printer. The administrator or user is required to manually select a printer as the default printer for the client system.

2.6.9 Unsupported commands


The following HP-UX commands currently do not work with LDAP-UX Client Services:

Table 2-3 Unsupported HP-UX Commands

chfn(1)
    Does not change the finger information for users in the directory. See the finger(1) man page.

chsh(1)
    Does not change the login shell for users in the directory.

sam(1M)
    The System Administration Manager (SAM) does not manage name service information in the directory. However, the System Management Homepage, smh(1M), provides similar capabilities in HP-UX 11i v3 with full and integrated support for LDAP.

useradd(1M), userdel(1M), usermod(1M)
    These commands do not manage user information in the directory. However, similar commands, ldapugadd, ldapugdel, and ldapugmod, support LDAP user and group operations with similar parameters.

groupadd(1M), groupdel(1M), groupmod(1M)
    These commands do not manage group information in the directory. However, similar commands, ldapugadd, ldapugdel, and ldapugmod, support LDAP user and group operations with similar parameters.

Additional tools are available to perform management in the LDAP directory and include: ldaphostmgr, ldaphostlist, ldapmodify, ldapsearch, ldapdelete, and ldapentry.

2.6.10 Clear text passwords


login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the network unless SSL, TLS, or SASL DIGEST-MD5 authentication is enabled with setup. To support SASL/DIGEST-MD5, some directory server products (including HP-UX Directory Server) store the password in clear text. By default, when using customized install mode, SSL and SASL/DIGEST-MD5 authentication are disabled. Using SSL or TLS (the default when using guided installation mode) allows passwords to be stored in any format on the directory server (including the Salted Secure Hash Algorithm, SSHA), and also protects password transmission over the network.

2.6.11 Man page for ldapclientd.conf


Limitations in the man command require specifying the section number as man 4 ldapclientd.conf to view the man page for ldapclientd.conf. If the section number 4 is not specified, the ldapclientd man page will appear instead.

2.6.12 LDAP security policy enforcement


With LDAP directory servers that support security policies (such as account or password expiration), it is possible for HP-UX logins to adhere to these policies. The design of the LDAP protocol enforces both authentication and security policies in the same operation (ldap_bind). The design of the PAM subsystem separates authentication and security policy enforcement into two separate APIs, as configured under the "auth" and "account" portions of the /etc/pam.conf file. Because of these design differences, administrators need to be aware that it is not possible to use libpam_ldap for either just authentication or just security policy enforcement. For example, it is not possible to use SSH public keys for authentication and then use libpam_ldap for account policy enforcement, since libpam_ldap does not have a password with which to bind to the directory server. The same is true if Kerberos is used for authentication; libpam_ldap cannot be used for security policy enforcement alone. Starting with LDAP-UX release 4.1, PAM_AUTHZ independently supports LDAP account and password security policy enforcement without requiring LDAP-based authentication. This feature supports applications such as SSH (Secure Shell) or r-commands with .rhosts enabled, where authentication is performed by the command itself.

2.6.13 SASL/GSSAPI profile download support


The current release of LDAP-UX does not support automatic downloading of the LDAP-UX profile when it is used with SASL/GSSAPI authentication and that authentication uses a host or service principal whose key is stored in a Kerberos keytab file. This limitation impacts the ability of the LDAP-UX product to support the "profile time to live" feature, which automatically re-downloads a profile after its profileTTL time period has expired.


In this situation, profiles can still be downloaded manually using the get_profile_entry command, as long as a principal and password are provided on the command line. The following command shows an example of how to download the profile manually. If your profile changes frequently, you may wish to place this in a script that is called periodically by cron:

/opt/ldapux/config/get_profile_entry -s NSS -D \
"<administrator@my.domain.org>" -w "<adminpassword>"

2.6.14 Changing authentication methods


If you wish to switch from your current authentication method, such as SIMPLE or SASL/DIGEST-MD5, to SASL/GSSAPI, TLS:SIMPLE or TLS:SASL/DIGEST-MD5, you must restart the ldapclientd daemon after making the configuration changes. This step is required to ensure that the proper GSS API, Kerberos and/or SSL initialization is completed.

2.6.15 Supported features for particular directory servers


The following shows the supported features for particular directory servers:
Feature                        HP-UX Directory     Microsoft ADS
---------------------------------------------------------------------
passwd name service            Supported           Supported
group name service             Supported           Supported
netgroup name service          Supported           Not Supported
hosts name service             Supported           Supported
networks name service          Supported           Supported
protocols name service         Supported           Supported
rpc name service               Supported           Supported
automount name service         Supported           Not Supported
aliases name service           Not Supported[1]    Not Supported
services name service          Supported           Supported
publickey name service         Supported           Not Supported
printer configurator           Supported           Not Supported[2]
pam_authz                      Supported           Supported[3]
X.500-style group syntax       Supported           Supported
pam_ldap                       Supported           Not Supported[4]
Trusted Mode Security[5]       Supported           Supported
Standard Mode Security         Supported           Supported
LDAP Command-line Utils.       Supported           Supported
ldapentry editor tool          Supported           Supported
NIS Migration Tools            Supported           Supported
NIS+ Migration Tools           Supported           Supported
Multiple Domains               Not Supported       Supported
NIS/LDAP Gateway               Supported           Not Supported
Authentication Methods
  Simple Password              NSS[6] & PAM[7]     NSS Only
  SASL/DIGEST-MD5              NSS & PAM           NSS Only
  SASL/GSSAPI                  Not Supported       NSS Only
  SSL Server Certs.            NSS & PAM           NSS Only
  SSL Client Certs.            Not Supported       Not Supported
Caching
  passwd                       Supported           Supported
  group                        Supported           Supported
  netgroup                     Supported           Not Supported
  X.500-style group membership Supported           Supported

NOTE:
1. Equivalent feature available directly in sendmail.
2. The setup program does not support configuration of ADS-based printers. If the printer entry in ADS contains a "printer-uri" type attribute (see RFC 3712), the configuration profile can be modified to change the attribute mapping for printer-name and printer-uri to match that of printer descriptions in ADS. However, this feature is not officially supported.
3. netgroups may not be stored in ADS.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features. Identities stored in the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
6. NSS refers to the Name Service Subsystem, such as passwd, group, etc. For more information, refer to the nsswitch.conf(4) man page.
7. PAM refers to the Pluggable Authentication Module subsystem. For more information, refer to the pam(3) man page.

2.6.16 Additional limitations with Active Directory


ldapentry Not Certified for Active Directory
ldapentry, a new client administration tool to simplify adding, modifying, and deleting database entries, is not certified for use with Active Directory.

Limited Name Service Database Support for Multiple Domains
LDAP-UX Client Services, using Windows 2003 R2/2008 Active Directory Server with multiple domains, currently only supports the passwd and group name services.

Posix Password Support
Posix password (defined as userPassword in RFC 2307, and msSFUPassword in SFU 2.0) is not certified.

User and Group Migration
sAMAccountName must be unique across the entire domain. This attribute, used for pre-Windows 2000 clients, is set by the migration scripts to the value of the common name (CN). For example, if a new group in a different section of the directory is created to contain all UNIX users and the common name (CN) of this group is a duplicate of an existing name, the migration will fail because the sAMAccountName attribute is not unique. You can work around this limitation by modifying the LDIF file to use a unique value for sAMAccountName.

Support of Referrals with Active Directory
Referrals with Active Directory are currently not certified.

Changing the Password for a Disabled User
When a user whose account is stored in ADS is disabled by setting the disable_uid_range flag in the /etc/opt/ldapux/ldapux_client.conf file on an HP-UX client system, and PAM_Kerberos is used as the authenticating method, the passwd command will allow you to change the password for the disabled user, since LDAP does not control this subsystem.


3 NIS/LDAP Gateway
This section provides information about known problems fixed in NIS/LDAP gateway, compatibility and installation requirements, as well as limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC2307 specification (a schema for storing Posix account and administration data in an LDAP directory). Because the NIS/LDAP Gateway software emulates a ypserv, your NIS clients can start using an LDAP directory without modification. However, with this software you cannot modify your LDAP account information from an NIS client (that is, you cannot use chfn(1), chsh(1) or passwd(1) to change your account information). To achieve this, install the LDAP Client Administration Tools (NisLdapClient subproduct) on some or all of your NIS clients.

3.1 Compatibility and installation requirements for NIS/LDAP Gateway


This section provides basic instructions for installing the NIS/LDAP Gateway. For complete installation and configuration instructions, refer to the NIS/LDAP Gateway Administrator's Guide.

3.1.1 Hardware requirements


An HP 9000 or HP ia64 computer system.

3.1.1.1 Memory requirements


This product has minimal memory and disk requirements. Your system should have at least 32 MB of main memory, and at least five megabytes of free disk space under /opt. Depending on the size of your NIS maps and if you wish to cache that data in the NIS/LDAP Gateway server, you will need additional physical main memory, approximately two to three times the total size of your existing NIS maps.

3.1.2 Operating system requirement


HP-UX 11i v2 and v3 on HP IA64.

3.1.3 Patch requirements


The NIS/LDAP Gateway software has no specific patch requirements.

3.1.4 Preparing for installation


Verify you have at least five megabytes of free disk space under /opt.

3.1.5 Installing the NIS/LDAP Gateway


Use the SD-UX facility for installation. See the swinstall(1M) man page for details.
1. Log in to your system as root.
2. If a ypldapd server is already running on your system, terminate it with the kill(1) command.
3. Run swinstall and install the NisLdapServer product. This installs the product software in the /opt/ldapux directory. No reboot is required.

3.1.6 Configuration quick start


If your NIS maps have been migrated to an LDAP directory, you can set up a ypldapd server with only a few steps. If you have not migrated your NIS maps to the LDAP directory, see Installing and Administering NIS/LDAP Gateway.

If you have already configured other NIS/LDAP Gateway servers on other systems, you can simply duplicate the configuration file /opt/ldapux/ypldapd/etc/ypldapd.conf on the local system. Otherwise, edit the file /opt/ldapux/ypldapd/etc/ypldapd.conf and add the appropriate values according to the descriptions in the file. Minimally, you will need to update the ypdomain, ldaphost, basedn, binddn and bindcred parameters. If you have a large LDAP database and you are using 11i v2 or v3 NIS clients, you should set preload_maps, for example preload_maps group.byname. The user you identify in binddn must be an LDAP directory user that is allowed to read the userPassword attribute.

If the NIS domain you use is the same as the domain being used by an existing NIS server, you must stop and disable the NIS server. You can do this by executing the command /sbin/init.d/nis.server stop to stop the NIS server. Then change NIS_SLAVE_SERVER and NIS_MASTER_SERVER to 0 in the file /etc/rc.config.d/namesvrs.

Once your NIS/Gateway server is running, you can test your setup with a ypcat(1) command, such as ypcat group. You may need to wait (up to a minute) as the ypbind(1M) process attempts to find the new NIS/LDAP Gateway server. To avoid this wait, you can stop and restart the client as follows before issuing the ypcat command:
/sbin/init.d/nis.client stop
/sbin/init.d/nis.client start

3.2 Installing and configuring LDAP Client administration tools


This section provides basic instructions for installing the LDAP Client Administration Tools. For complete installation and configuration instructions, see the NIS/LDAP Gateway Administrator's Guide.

3.2.1 Configuration quick start


This product does not require any specific configuration. However, once you have installed the product, read the file /opt/ldapux/bin/README-ADMIN for instructions on how to simplify LDAP directory administration from your LDAP-UX or NIS/LDAP Gateway clients. You may also wish to create a front-end script to the ldappasswd command, to hide the LDAP directory from the average HP-UX user. Below are two examples you can cut and paste into a passwd shell script and then modify for your environment:
#!/usr/bin/ksh
/opt/ldapux/bin/ldappasswd -b "your_base_DN" -h "ldap_server_host_name" \
-p "ldap_port"

#!/usr/bin/ksh
/opt/ldapux/bin/ldappasswd -b "ou=people,o=hp.com" \
-h "dirserver.lab.hp.com" -p 389

3.3 Known problems and workarounds


Known Problem: If the NIS client is on the same box as ypldapd, it can bind to the wrong server.
Workaround: If you want NIS clients to bind with a specific ypldapd or NIS server, configure your client box as follows: specify YPSET_ADDR=<machine name> in the /etc/rc.config.d/namesvrs file.


3.4 Limitations in NIS/LDAP Gateway


The following are limitations in this version of the NIS/LDAP Gateway.

Crypt Passwords
The NIS/LDAP Gateway product requires that user passwords be stored in the directory server in the same format as stored in an /etc/passwd file. This is known as Unix Crypt format. If your directory server does not understand the {crypt} data type, you can still use the NIS/LDAP Gateway server. However, these users will not be able to authenticate to the directory server. One side effect is that users will not be able to change their own passwords (although a directory administrator could accomplish this on a user's behalf). Also, other LDAP-enabled applications may not work correctly.

Modifying Data in the Directory
You cannot use the chfn(1), chsh(1), and passwd(1) commands to modify data in the directory.

NIS and NIS/LDAP Gateway
You cannot run an NIS server (ypserv) and an NIS/LDAP Gateway server (ypldapd) simultaneously on the same system.

Shadow Passwords Not Supported
You must set the hide_passwords parameter to no in the ypldapd.conf file because shadow passwords are not supported. See Installing and Administering NIS/LDAP Gateway for details.

Use Preloaded Maps instead of ypall_caching
You should use the preload_maps parameter to preload maps into the cache instead of ypall_caching. Use of ypall_caching can cause a performance bottleneck in the ypldapd server. For more information, see Caching in Installing and Administering NIS/LDAP Gateway.


4 Support and other resources


4.1 Contacting HP
HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. To make comments and suggestions about product documentation, use the feedback form at:

    http://www.hp.com/bizsupport/feedback/ww/webfeedback.html

Please include the document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.

NOTE: HP cannot provide product support through this feedback form. To obtain product support, contact your HP Support Representative, your HP Services Representative, or your authorized HP reseller. For more information about support services, see the support website:

    http://www.hp.com/go/support

For other ways to contact HP, see the Contact HP website:

    http://welcome.hp.com/country/us/en/contact_us.html


4.2 Documentation
The documentation below is available on the HP-UX documentation website at http://www.hp.com/go/hpux-security-docs (click HP-UX LDAP-UX Integration Software) or where indicated.

Table 4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway

LDAP-UX Client Services B.05.00 Administrator's Guide
    How to install, configure, administer, tune, and troubleshoot the LDAP-UX Client Services. (part number J4269-90086)

LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide
    How to install, configure, administer, tune, and troubleshoot the LDAP-UX Client Services with Windows Active Directory Server. (part number J4269-90087)

LDAP-UX Integration Product B.05.00 Release Notes (this document)
    Describes the latest changes and known problems in the LDAP-UX Client Services. (part number J4269-90088)

NIS/LDAP Gateway Administrator's Guide
    How to install, configure, administer, tune, and troubleshoot the NIS/LDAP Gateway. (part number J4269-90028)

README files
    /opt/ldapux/README-LdapUxClient briefly describes the installation, late changes, and known problems in LDAP-UX Client Services.
    /opt/ldapux/README-NisLdap briefly describes the NIS/LDAP Gateway.
    /opt/ldapux/bin/README-ADMIN briefly describes how to simplify LDAP directory administration from LDAP-UX clients.

4.2.1 Related documentation


- HP-UX Directory Server and Red Hat Directory Server for HP-UX Administrator's Guides and other titles, available at http://www.hp.com/go/hpux-security-docs
- Various white papers related to LDAP-UX, available at http://www.hp.com/go/hpux-security-docs (click HP-UX LDAP-UX Integration Software)
- Preparing Your LDAP Directory for HP-UX Integration white paper, available at http://www.hp.com/go/hpux-security-docs (click HP-UX LDAP-UX Integration Software)
- Integrating HP-UX Account Management and Authentication with LDAP white paper, available at http://www.hp.com/go/hpux-security-docs (click HP-UX LDAP-UX Integration Software)
- Manual pages, using the man(1) command: ypldapd(8), ypserv(1M), ypfiles(4), and other related NIS manpages
- RFC 2307, which describes the schema for POSIX naming information, available at http://www.ietf.org/rfc/rfc2307.txt
- NFS Services Administrator's Guide, which discusses NIS, available at http://h20000.www2.hp.com/bc/docs/support/SupportManual/c02153184/c02153184.pdf

For more information about LDAP-UX Integration and related products and solutions, visit the following HP website: http://h71028.www7.hp.com/enterprise/us/en/os/hpux11i-security-components.html

4.3 Typographic conventions


This document uses the following typographical conventions:

Book Title          Title of a book or other document.
http://www.hp.com   A website address that is a hyperlink to the site.
Emphasis            Text that is emphasized.
Bold                Text that is strongly emphasized.
Bold                The defined use of an important word or phrase.
Command             Command name or qualified command phrase.
user input          Commands and other text that you type.
computer output     Text displayed by the computer.
Command             Name of a daemon, parameter, or parameter option.
variable            The name of an environment variable, for example PATH or errno.
value               A value that you may replace in a command or function, or information in a display that represents several possible values.
[]                  The contents are optional in formats and command descriptions.
{}                  The contents are required in formats and command descriptions.
|                   Separates items in a list of choices. In the following example, you must specify either item-a or item-b: {item-a | item-b}
\                   The continuous line symbol.
find(1)             HP-UX manpage. In this example, find is the manpage name and 1 is the manpage section.
Enter               The name of a keyboard key. Note that Return and Enter both refer to the same key.
Ctrl+A              A sequence such as Ctrl+A indicates that you must hold down the key labeled Ctrl while pressing the A key.
