LDAP-UX Integration Product B.05.00 Release Notes
HP-UX 11i v2 and v3
Copyright 2010 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. HP CIFS Server is derived from the Open Source Samba product and is subject to the GPL license.
Trademark Acknowledgements
UNIX is a registered trademark of The Open Group. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Table of Contents
1 LDAP-UX integration overview (page 7)
1.1 LDAP-UX Client Services overview (page 7)
1.2 NIS/LDAP Gateway overview (page 7)
1.3 LDAP Client Administration Tools overview (page 8)
3.1.4 Preparing for installation (page 25)
3.1.5 Installing the NIS/LDAP Gateway (page 25)
3.1.6 Configuration quick start (page 25)
3.2 Installing and configuring LDAP Client administration tools (page 26)
3.2.1 Configuration quick start (page 26)
3.3 Known problems and workarounds (page 26)
3.4 Limitations in NIS/LDAP Gateway (page 27)
List of Tables
2-1 AutoFS Patch on HP-UX 11i v2 (page 12)
2-2 Enhanced Publickey-LDAP software requirement (page 13)
2-3 Unsupported HP-UX Commands (page 21)
4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway (page 30)
The LDAP-UX Integration product does not include an LDAP directory server. You can obtain the HP-UX Directory Server and Red Hat Directory Server for HP-UX from http://www.hp.com/go/softwaredepot or from your local HP sales office. These release notes contain information about the LDAP-UX Client Services and NIS/LDAP Gateway subproducts.
The LDAP-UX Client Services section of this document includes the following information:
- What's New in LDAP-UX Client Services B.05.00
- Compatibility and Installation Requirements for LDAP-UX Client Services
- Documentation
- Known Problems and Workarounds
- Limitations in LDAP-UX Client Services
The NIS/LDAP Gateway section of this document includes the following information:
- Compatibility and Installation Requirements for NIS/LDAP Gateway
- Known Problems and Workarounds
- Limitations in NIS/LDAP Gateway
NIS client to use an LDAP directory as its repository for NIS maps. This product provides an NIS to LDAP Gateway which converts NIS rpc requests into LDAP operations. In this release of NIS/LDAP Gateway, there are no new or changed features. For detailed information on known problems fixed in this release of NIS/LDAP Gateway, as well as compatibility and installation requirements and limitations in NIS/LDAP Gateway, see NIS/LDAP Gateway (page 25).
Because the NIS/LDAP Gateway software emulates an NIS server, your NIS clients can start using an LDAP directory server without installing this sub-component. However, you may want to install the LDAP Client Administration Tools on your NIS clients to allow your users to modify their directory data, such as changing their password.
Offline Credential Caching
LDAP-UX can use locally cached user, group, and authentication credentials when contact with the directory server is lost, providing high availability for the OS and its applications. For patch requirements, see Section 2.2.1.5 (page 12).
IPv6 support
LDAP-UX OS integration and management tools can now connect to directory servers through IPv6 addressing.
compat mode performance enhancement
For organizations that rely on the legacy netgroup /etc/passwd filtering, the compat mode performance enhancement significantly improves performance when numerous and large netgroups are used in the /etc/passwd file for controlling passwd fields.
Local-only profile support
The centrally managed LDAP-UX configuration profile uses a schema defined by RFC 4876. For environments where modification of the directory server schema is not allowed and new schema cannot be installed, the local-only profile allows LDAP-UX to manage configuration on the local hosts instead of the directory server. You need to use the -l option with the customized setup program to obtain this feature.
User Group Management Tools Enhancements
The user and group management tools are enhanced to provide the following:
- The DN of the current user as a default when prompting for a DN before binding to the directory server.
- The ability to change or reset a user's ADS password if SSL has been configured. This includes the ability of an administrator to reset a user's password.
pam_authz Enhancements
The following pam_authz enhancements have been made:
- pam_authz now allows granular access control policies to be applied to individual PAM services (such as ftp, telnet, ssh, imapd, and so forth). Different policies can be applied to each service.
- pam_authz now supports a new action for rules. In addition to allow or deny, the required action means that the rule must pass and the remaining rules must also be processed.
- Previously, pam_authz supported two modes: the netgroup mode, where netgroups were specified in the /etc/passwd file, or the pam_authz.policy mode, where rules were defined in the pam_authz.policy file. Those two modes were mutually exclusive. A new condition rule in the pam_authz.policy file now allows both modes.
LDAP Host management tools
LDAP-UX Integration B.05.00 supports two new LDAP command-line tools, ldaphostmgr and ldaphostlist, that allow you to manage information about hosts in the directory server, including ssh public keys. Using HP Secure Shell version 5.5 or higher, LDAP-UX ssh key management can pre-establish trust between hosts.
ldaphostmgr
Use the ldaphostmgr tool to add, modify, or delete information about hosts (OS instances) that are part of the organization. The ldaphostmgr tool uses the existing ldapux(5) configuration, requiring only a minimal number of command-line options to discover where to search for host information, such as what directory server(s) to contact and the proper search filters for finding hosts. It also uses the existing ldapux(5) authentication configuration to determine how to bind to the LDAP directory server. ldaphostmgr can be used to centrally manage ssh public keys for hosts, and supports attribute mapping for attributes defined by the ipHost objectclass. Additional attributes used in a host entry (such as owner, entityRole, and so on) are not mapped.
ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an LDAP-based directory server. Although ldaphostlist provides output similar to the ldapsearch command, it satisfies a few specific feature requirements that allow applications to discover and evaluate hosts stored in an LDAP directory server without requiring intimate knowledge of the methods used to retrieve and evaluate that information in the LDAP directory server. In addition, ldaphostlist can be used to discover expiration information about ssh host keys if that information is managed in the directory server.
For detailed information about tool usage, syntax, options, environment variables and return codes supported by these tools, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide or the ldaphostmgr(1M) and ldaphostlist(1M) man pages.
The ignore option for PAM_LDAP support
If PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a typical configuration in the Trusted Mode environment), then when you lose access to your directory server, you will have trouble accessing the system unless a set of so-called recovery users is configured in the /etc/pam_user.conf file. This release supports the ignore option for PAM_LDAP, which enables PAM_LDAP to be completely disregarded for specific local users. To enable this feature, you must set the ignore option for PAM_LDAP in the pam_user.conf file for per-user configuration. When you use this option for PAM_LDAP, PAM returns PAM_IGNORE. For detailed information on how to configure and use this feature, refer to the LDAP-UX Client Services B.05.00 Administrator's Guide.
proxy_is_restricted and allowed_attribute flags added to configuration file
The proxy_is_restricted and allowed_attribute flags are added to the [general] section of the configuration file, ldapclientd.conf:
proxy_is_restricted=yes|no
If the proxy user is configured in the LDAP-UX profile and defined in /etc/opt/ldapux/pcred, this flag attests that the proxy user does not hold privileged LDAP credentials, meaning the proxy user is restricted in its rights to access "private" information in the directory server.
allowed_attribute=service:attribute
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to access information in the directory server, such as the sshPublicKey for users and hosts. By setting allowed_attribute, applications can access any defined attribute even if the proxy_is_restricted value is set to no (the default).
These configuration parameters are required to help the ldaphostlist and ldapuglist tools determine whether it is OK for them to display arbitrary attributes. If you used autosetup to configure LDAP-UX, these values are set automatically. If you have an existing installation or use the custom install setup program, and are also using a proxy user, you should update these values.
NOTE: Version 6.0.5 of the Mozilla LDAP SDK includes changes to improve compliance with the LDAP C API specification defined by the IETF document draft-ietf-ldapext-ldap-c-api-05.txt. While the majority of these changes are maintained within the SDK itself, or are opaque to applications, certain applications might be impacted and require recompiling.
For more information, see Section 2.2.1.1 (page 11)
2.2.1.6.1 HP-UX Enhanced Publickey-LDAP requirement
Support for NIS publickey through LDAP requires a functionality enhancement in LDAP-UX Client Services and an enhancement in the ONC product. ONC with publickey LDAP support is available through the HP-UX Enhanced Publickey-LDAP Software Pack (SPK) web release. To enable publickey LDAP support, you must install the appropriate Enhanced Publickey-LDAP software bundle listed in Table 2-2 and LDAP-UX Client Services B.04.00 or later on your client systems. The software bundle contains all the required patches plus the enablement product for this new feature. For detailed information, see the ONC with Publickey LDAP Support Software Pack Release Notes at http://www.hp.com/go/hpux-networking-docs (click HP-UX 11i v2 Networking Software, then navigate to NFS Services).
You can download the Enhanced Publickey-LDAP software bundle from the Software Depot website as follows:
1. Go to http://www.hp.com/go/softwaredepot.
2. Click Enhancement releases and patch bundles.
3. Select the link HP-UX Software Pack (Optional HP-UX 11i v2 Core Enhancements).
4. Select the link PublicKey-LDAP (for HP-UX 11i v2).
5. Select and download the following software bundle, and place it on your client system (in /tmp): Enhkey B.11.23.01 HP-UX B.11.23 IA+PA depot for HP-UX 11i v2
6. Use swinstall to install the software bundle:
swinstall -x autoreboot=true -x reinstall=false -s /tmp/ENHKEY_B.11.23.01_HP-UX_B.11.23_IA_PA.depot
NOTE: If publickey support with LDAP is not required in your environment, installation of the Enhkey software bundle is not required.
2.2.1.6.2 Kerberos support on HP-UX 11i v2 or v3
In order to support integration with Windows Active Directory Server, the following version of the PAM-Kerberos product is required:
- C.01.25 or higher for HP-UX 11i v2
- D.01.25 or higher for HP-UX 11i v3
If you also wish to use SASL/GSSAPI for proxied authentication, version 1.6.2.05 or later of the Kerberos Client product is required, which is a replacement for the KRB5-Client components of the core HP-UX OS. More specifically, HP-UX 11i v2 requires Kerberos v5 Client product D.1.6.2.05 or higher, and HP-UX 11i v3 requires Kerberos v5 Client product E.1.6.2.05 or higher. Note also that the KRB5CLIENT product supersedes previous KRB5-Client patches (such as PHSS_36286). Although patch PHSS_36286 is required and is designed to install over the core Kerberos client patch, it will not overwrite the KRB5CLIENT product. Note that the autosetup program checks for PAM-Kerberos product 1.25 or higher and Kerberos v5 Client product 1.6.2.05 or higher. Both the "PAM Kerberos" (J5849AA) and "Kerberos Client" (KRB5CLIENT) products can be downloaded from http://software.hp.com. They are available at http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5849AA and http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=KRB5CLIENT.
1. Log in to your system as root.
2. Run swinstall and install the LDAP-UX Client Services (LdapUxClient subproduct). It installs the product software in the /opt/ldapux and /etc/opt/ldapux directories.
3. If you require ONC publickey, ONC AutoFS, or integration with Active Directory Server, see the above section for details about required product versions and how to obtain them. Install those products and/or patches in this step.
4. Install the required patches listed above, if they have not been installed yet.
NOTE: Starting with LDAP-UX product version B.03.20, a system reboot is not required after installing the product, although a reboot may be required depending on the patches that are installed at the same time as this product.
1. Run the autosetup program:
cd /opt/ldapux/config
./autosetup
After following the prompts, your installation will be complete. There is no need to continue to step 2. Instead, continue to step 4.
2. Save a copy of /etc/pam.conf, and modify the original file to add libpam_ldap.so.1 where appropriate on an HP-UX 11i v2 or v3 system. If your system is in Standard Mode, see /etc/pam.ldap for an example. If your system is in Trusted Mode, see /etc/pam.ldap.trusted for an example.
NOTE: If you use PAM Kerberos, you must configure PAM Kerberos. On the HP-UX 11i v2 or v3 system, you need to add libpam_krb5.so.1 to /etc/pam.conf where appropriate. If your system is in Trusted Mode, see the LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide for the detailed configuration. The Configuration Guides for Kerberos client products are available at http://www.hp.com/go/hpux-security-docs (click HP-UX Kerberos Data Security Software).
3. Save a copy of the /etc/nsswitch.conf file and modify the original to add ldap to the name services it should support. See /etc/nsswitch.ldap for an example.
4. Test your setup with the pwget(1) and grget(1) commands to ensure that the client is reading the name service information from the LDAP directory.
5. If you use netgroup to control access to your hosts, you may wish to install and configure pam_authz. See the pam_authz(5) man page for more details.
For more information on testing, troubleshooting, and shortcuts to configure additional clients, refer to the LDAP-UX Client Services B.04.15 Administrator's Guide.
2.3.3 Configuring for use with Microsoft Windows Active Directory Server
Windows 2003 R2/2008 Active Directory Server provides the ADS 2003 R2/2008 RFC2307 schema, which is compliant with the IETF RFC2307 standard.
After you have successfully updated the product to version B.04.10 or later, you have to execute the create_profile_cache program from the command line as follows:
# /opt/ldapux/config/create_profile_cache \
-i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.eng.myorg.mycom.com \
-o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.eng.myorg.mycom.com
# /opt/ldapux/config/create_profile_cache \
-i /etc/opt/ldapux/domain_profiles/ldapux_profile.ldif.acct.myorg.mycom.com \
-o /etc/opt/ldapux/domain_profiles/ldapux_profile.bin.acct.myorg.mycom.com
- ldifdiff did not properly handle the "version:" directive at the beginning of an LDIF file.
- 64-bit applications compiled with mmap could not successfully use the name service APIs (getpwnam, and so on) or the PAM APIs.
- ldapclientd did not properly update the mem_in_use statistic when a cache had been disabled.
- ldifdiff would not properly compare LDIF files if attribute names differed in case (upper/lower).
- ldapentry reported errors when attempting to connect to the directory server with SSL/TLS enabled.
Also, because LDAP server hosts are sometimes stored using the host name in LDAP referrals, all the LDAP server host information for your network must be stored in the /etc/hosts file if you use referrals and wish to use LDAP-UX for resolving host names.
Secondary Group
Problem
If a user's secondary group is specified by X.500-style group syntax (such as member or uniquemember) and its DN contains the escape character \, LDAP-UX fails to return the group. As a result, the id command will not show the secondary group.
Workaround
To work around this problem, do not use special characters in cn or uid when creating the user entry.
Modified defaultSearchBase
Problem
If the defaultSearchBase attribute in the LDAP-UX configuration profile is modified, it can cause LDAP-UX to stop functioning. ldapcfinfo will report the following error:
# ldapcfinfo -t passwd
ERROR:
CFI_SEARCH_BASE_NOT_EXIST:
LDAP Error 32: Configured LDAP-UX search base does not exist.
This can occur if the serviceSearchBase uses a relative base DN, as configured by autosetup, such as:
serviceSearchDescriptor: passwd:ou=People,
Workaround
If you need to modify the defaultSearchBase, be sure to put the full base DN in the serviceSearchDescriptor attributes when modifying the LDAP-UX configuration profile.
Permissions with autosetup
Problem
If autosetup is used to configure LDAP-UX, it will modify the existing /etc/krb5.conf file or create a new one if needed. If a new /etc/krb5.conf file is created, it will be set with permissions of -rw-------. While these permissions will not prevent use of Windows as an authentication module for login to basic HP-UX services, they could prevent use of other Kerberized services once the user has logged in.
Workaround
To address this problem, change the permissions of the /etc/krb5.conf file to -rw-r--r-- after autosetup completes. For example:
chmod go+r /etc/krb5.conf
2.6.1 Services
When migrating Services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports. For example, the following two lines of data can both be stored in the server:
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
However, because the port numbers differ, only one of the following entries can be stored in an LDAP server:
netdist 2101/tcp
or
netdist 2102/tcp
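A pre-migration check for this limitation, added here as an example and not part of HP's release notes or the LDAP-UX product: it reads a services(4)-format file from standard input and reports every service name bound to more than one port, the case that cannot be represented as a single LDAP service entry. The sample input is constructed from the chargen and netdist lines above.

```sh
#!/bin/sh
# Added example (not HP code): flag services(4) entries that cannot be migrated
# into a single RFC 2307 service entry because one name maps to several ports.
# A name with several protocols on the same port (chargen 19/tcp + 19/udp) is fine.

# services_multi_port < services-file
# Prints "name port1,port2,..." for each name bound to more than one distinct port.
services_multi_port() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }              # skip comments and blank lines
        {
            split($2, pp, "/")                       # "2101/tcp" -> port 2101
            key = $1 SUBSEP pp[1]
            if (!(key in seen)) {                    # count each distinct port once
                seen[key] = 1
                ports[$1] = ($1 in nports) ? ports[$1] "," pp[1] : pp[1]
                nports[$1]++
            }
        }
        END {
            for (n in nports)
                if (nports[n] > 1) print n, ports[n]
        }
    ' | sort
}

# Constructed sample: the chargen and netdist lines from the release notes plus one clean entry.
sample_check() {
    services_multi_port <<'EOF'
# constructed sample services file
chargen    19/tcp    ttytst source
chargen    19/udp    ttytst source
netdist    2101/tcp
netdist    2102/tcp
telnet     23/tcp
EOF
}

sample_check        # prints: netdist 2101,2102
```

Run it against a real file with `services_multi_port < /etc/services`; any name it prints has to be split or dropped before the data is loaded into the directory.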
2.6.2 /etc/pam.conf
HP delivers two PAM example configuration files, /etc/pam.ldap and /etc/pam.ldap.trusted, in this release. You need to configure /etc/pam.conf properly for LDAP-UX to work as expected. When you integrate LDAP-UX Client Services with the HP-UX Directory Server and your system is in Standard Mode, the pam_unix library must be defined before pam_ldap, as in the /etc/pam.ldap file. If your system is in Trusted Mode, the pam_ldap library must be defined before pam_unix, and both libraries must be specified as "required" under "Session management". See Appendix C, Sample /etc/pam.ldap.trusted File, in the LDAP-UX Client Services Administrator's Guide for details.
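The ordering rule above can be audited mechanically; the following shell function is an added example, not HP's code and not one of the delivered /etc/pam.ldap files. It assumes the usual five-field pam.conf layout (service, module type, control flag, module path, options), recognises the modules by the libpam_unix and libpam_ldap library names, and the two pam.conf excerpts it checks are constructed.

```sh
#!/bin/sh
# Added example (not HP code): audit /etc/pam.conf module order for LDAP-UX.
# Assumes the five-field layout "service module_type control_flag module_path [options]".
#
# pam_order_check MODE < pam.conf      MODE is "standard" or "trusted"
# Prints one line per violation; prints nothing when the file conforms.
pam_order_check() {
    awk -v mode="$1" '
        /^[ \t]*#/ || NF < 4 { next }                 # skip comments and short lines
        {
            key = $1 SUBSEP $2                        # one check per service/module-type pair
            label[key] = $1 " " $2
            if ($4 ~ /libpam_unix/) { unix_at[key] = NR; unix_flag[key] = $3 }
            if ($4 ~ /libpam_ldap/) { ldap_at[key] = NR; ldap_flag[key] = $3 }
        }
        END {
            for (k in label) {
                if (!(k in unix_at) || !(k in ldap_at)) continue   # need both modules to compare
                split(label[k], f, " ")
                if (mode == "standard" && ldap_at[k] < unix_at[k])
                    print label[k] ": pam_ldap listed before pam_unix (Standard Mode wants pam_unix first)"
                if (mode == "trusted") {
                    if (unix_at[k] < ldap_at[k])
                        print label[k] ": pam_unix listed before pam_ldap (Trusted Mode wants pam_ldap first)"
                    if (f[2] == "session" && (unix_flag[k] != "required" || ldap_flag[k] != "required"))
                        print label[k] ": both session modules must be \"required\" in Trusted Mode"
                }
            }
        }
    ' | sort
}

# Constructed Standard Mode excerpt: the session stack lists pam_ldap first, which is wrong.
sample_standard_check() {
    pam_order_check standard <<'EOF'
login   auth      required   libpam_unix.so.1
login   auth      optional   libpam_ldap.so.1
login   session   required   libpam_ldap.so.1
login   session   required   libpam_unix.so.1
EOF
}

# Constructed Trusted Mode excerpt: order is right, but the pam_ldap session line is not "required".
sample_trusted_check() {
    pam_order_check trusted <<'EOF'
login   auth      sufficient libpam_ldap.so.1
login   auth      required   libpam_unix.so.1
login   session   optional   libpam_ldap.so.1
login   session   required   libpam_unix.so.1
EOF
}

sample_standard_check
sample_trusted_check
```

On a live system run `pam_order_check standard < /etc/pam.conf` (or `trusted`) after editing the file and before logging out of the session you edited it from.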
If you have another directory, you may be able to use that directory if it meets the following requirements:
- Supports version 3 of the LDAP specification as defined by IETF RFCs 2251 through 2256
- Supports the Posix name service schema (RFC 2307) or a similar schema
- The schema can be extended to include the DUAConfigProfile object classes and required attributes (see above)
- For security, the directory should support an access control mechanism that can restrict modification rights of entries and attributes to specific users
- For security, the directory should support at least ldap_simple_bind authentication
Supported name services: passwd, group, netgroup, automount, publickey, services, rpc, hosts, networks, protocols, and user-defined maps.
LDAP-UX Client Services using Windows 2003 R2/2008 Active Directory Server currently supports passwd, group, hosts, protocols, automount, networks, rpc, and services in a single domain, and supports only passwd and group in multiple domains. It does not support netgroup and publickey service data. The LDAP-UX Client Services daemon, /opt/ldapux/bin/ldapclientd, caches only passwd, group, netgroup, and automount service data.
Additional tools are available to perform management in the LDAP directory and include: ldaphostmgr, ldaphostlist, ldapmodify, ldapsearch, ldapdelete, and ldapentry.
In this situation, profiles can still be downloaded manually using the get_profile_entry command, as long as a principal and password are provided on the command line. The following command shows an example of how to download the profile manually. If your profile changes frequently, you may wish to place this in a script that is called periodically by cron:
/opt/ldapux/config/get_profile_entry -s NSS -D "<administrator@my.domain.org>" -w "<adminpassword>"
NOTE:
1. Equivalent feature available directly in sendmail.
2. The setup program does not support configuration of ADS-based printers. If the printer entry in ADS contains a "printer-uri" type attribute (see RFC3712), the configuration profile can be modified to change the attribute mapping for printer-name and printer-uri to match that of printer descriptions in ADS. However, this feature is not officially supported.
3. netgroups may not be stored in ADS.
4. pam_kerberos has been integrated with LDAP to fully support Windows domain authentication and should be used instead of pam_ldap.
5. LDAP-UX supports coexistence of Trusted Mode and Standard Mode security features. Identities stored in the local host are controlled by the local security policy. Identities stored in an LDAP directory are controlled by the LDAP security policy.
6. NSS refers to the Name Service Subsystem, such as passwd, group, and so on. For more information, refer to the nsswitch.conf(4) man page.
7. PAM refers to the Pluggable Authentication Module subsystem. For more information, refer to the pam(3) man page.
3 NIS/LDAP Gateway
This section provides information about known problems fixed in the NIS/LDAP Gateway, compatibility and installation requirements, and limitations in NIS/LDAP Gateway B.04.10. The main component of the NIS/LDAP Gateway is ypldapd, a replacement for ypserv, the NIS server. This software caches the NIS data to maintain good performance. NIS/LDAP Gateway is compatible with the RFC2307 specification (a schema for storing Posix account and administration data in an LDAP directory). Because the NIS/LDAP Gateway software emulates ypserv, your NIS clients can start using an LDAP directory without modification. However, with this software you cannot modify your LDAP account information from an NIS client (that is, you cannot use chfn(1), chsh(1) or passwd(1) to change your account information). To achieve this, install the LDAP Client Administration Tools (NisLdapClient subproduct) on some or all of your NIS clients.
If you have already configured other NIS/LDAP Gateway servers on other systems, you can simply duplicate the configuration file /opt/ldapux/ypldapd/etc/ypldapd.conf on the local system. Otherwise, edit the file /opt/ldapux/ypldapd/etc/ypldapd.conf and add the appropriate values according to the descriptions in the file. Minimally, you will need to update the ypdomain, ldaphost, basedn, binddn, and bindcred parameters. If you have a large LDAP database and you are using 11i v2 or v3 NIS clients, you should set preload_maps to group.byname. The user you identify in binddn must be an LDAP directory user that is allowed to read the userPassword attribute. If the NIS domain you use is the same as the domain being used by an existing NIS server, you must stop and disable that NIS server: execute /sbin/init.d/nis.server stop to stop it, then change NIS_SLAVE_SERVER and NIS_MASTER_SERVER to 0 in the file /etc/rc.config.d/namesvrs.
Once your NIS/Gateway server is running, you can test your setup with a ypcat(1) command, such as ypcat group. You may need to wait (up to a minute) as the ypbind(1M) process attempts to find the new NIS/LDAP Gateway server. To avoid this wait, you can stop and restart the client as follows before issuing the ypcat command:
/sbin/init.d/nis.client stop
/sbin/init.d/nis.client start
4.1 Contacting HP
4.2 Documentation
The documentation below is available on the HP-UX Documentation web site at http://www.hp.com/go/hpux-security-docs (click HP-UX LDAP-UX Integration Software) or where indicated.
Table 4-1 Documentation for LDAP-UX Client Services and NIS/LDAP Gateway
- LDAP-UX Client Services B.05.00 Administrator's Guide (part number J4269-90086): How to install, configure, administer, tune and troubleshoot the LDAP-UX Client Services.
- LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (part number J4269-90087): How to install, configure, administer, tune, and troubleshoot the LDAP-UX Client Services with Windows Active Directory Server.
- LDAP-UX Integration Product B.05.00 Release Notes (this document) (part number J4269-90088): Describes the latest changes and known problems in the LDAP-UX Client Services.
- NIS/LDAP Gateway Administrator's Guide (part number J4269-90028): How to install, configure, administer, tune and troubleshoot the NIS/LDAP Gateway.
- README files: /opt/ldapux/README-LdapUxClient briefly describes the installation, late changes, and known problems in LDAP-UX Client Services; /opt/ldapux/README-NisLdap briefly describes the NIS/LDAP Gateway; /opt/ldapux//bin/README-ADMIN briefly describes how to simplify LDAP directory administration from LDAP-UX clients.
For more information about LDAP-UX Integration and related products and solutions, visit the following HP website: http://h71028.www7.hp.com/enterprise/us/en/os/hpux11i-security-components.html
Typographic conventions used in this document:
- Title of a book or other document.
- A website address that is a hyperlink to the site.
- Text that is emphasized.
- Text that is strongly emphasized.
- The defined use of an important word or phrase.
- Command name or qualified command phrase.
- Commands and other text that you type.
- Text displayed by the computer.
- Name of a daemon, parameter, or parameter option.
- The name of an environment variable, for example PATH or errno.
- A value that you may replace in a command or function, or information in a display that represents several possible values.
- The contents are optional in formats and command descriptions.
- The contents are required in formats and command descriptions.
- Separates items in a list of choices. In the following example, you must specify either item-a or item-b: {item-a | item-b}
- \ The continuous line symbol.
- find(1) HP-UX manpage. In this example, find is the manpage name and 1 is the manpage section.
- Enter The name of a keyboard key. Note that Return and Enter both refer to the same key. A sequence such as Ctrl+A indicates that you must hold down the key labeled Ctrl while pressing the A key.