Archive for 7 November 2007

Converting LDAP-UX to use SSL (HP-UX)

7 November 2007 ddouthitt

The utility used to create and manipulate the keys is certutil, found at /opt/ldapux/contrib/bin/certutil. The certutil utility is actually a tool created by the Mozilla project, and a detailed explanation of it is available. HP only supports the use of Netscape Directory Server or Microsoft Windows Active Directory; mainly this means that the docs cover those servers and that HP will help you with them if need be, not that other servers don't work. The relevant documentation (at least for my versions of HP-UX 11i) is:

It appears, however, that there is a more recent version of LDAP-UX:

A good description of the schema LDAP-UX wants was given by Simon Elder in this message. There is a copy of the HP LDAP-UX Schema available; it appears to be some sort of standard POSIX schema.

Here, we assume that LDAP-UX is already configured using non-SSL connections, that the /etc/pam.conf has been configured, and that the name service switch file /etc/nsswitch.conf has been configured.

The best time to set up SSL and TLS is before you run LDAP; however, it is possible to do it afterwards. First, you need the certificate authority (CA) certificate from the server (just one). Make sure your certificate database is cleared first:

rm -f /etc/opt/ldapux/key3.db
rm -f /etc/opt/ldapux/cert[78].db

Make sure that you are deleting the right files. Once these are deleted, change directory to /opt/ldapux and run these commands against the CA certificate from your server (cert.ca in this example) in order to properly populate the database:

/opt/ldapux/contrib/bin/certutil -N -d /etc/opt/ldapux
/opt/ldapux/contrib/bin/certutil -A -n my-ca-cert -t "C,," -d /etc/opt/ldapux -a -i cert.ca

This will populate the database that the LDAP-UX client uses. Then run the setup program to reconfigure the client:

cd /opt/ldapux/config
./setup

When the setup program asks whether you want to re-enter the data (server, etc.), answer Yes. The program will then fully configure the client to use SSL, and will restart the client when necessary.
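As an added example (my own script, not part of the original post), here is a small sh wrapper for the steps above with the checks a cautious admin would want: it moves the old database files aside instead of deleting them, checks that the CA file is PEM before handing it to certutil -a, and confirms after the import that the nickname is listed with the C,, trust flag. The certutil path, database directory and nickname my-ca-cert follow the post; the CERTUTIL/DBDIR overrides and the helper function names are assumptions of mine.

```shell
#!/bin/sh
# Constructed example: wrap the certutil steps above with sanity checks.
# Assumes certutil at /opt/ldapux/contrib/bin/certutil and the client
# database directory /etc/opt/ldapux, as in the post; both can be overridden.
CERTUTIL=${CERTUTIL:-/opt/ldapux/contrib/bin/certutil}
DBDIR=${DBDIR:-/etc/opt/ldapux}

# The -a flag passed to certutil -A expects an ASCII (PEM) certificate,
# so refuse anything that does not carry PEM markers.
is_pem_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null &&
    grep -q 'END CERTIFICATE' "$1" 2>/dev/null
}

# Read "certutil -L -d DIR" output on stdin and succeed only if NICK is
# listed with trust flags WANT (default C,, = trusted CA for SSL).
# Assumes the usual layout: one line per cert, "nickname   flags",
# and a nickname without spaces.
has_trusted_ca() {
    nick=$1; want=${2:-C,,}
    awk -v n="$nick" -v w="$want" \
        '$1 == n && $NF == w { found = 1 } END { exit !found }'
}

# Move the old database files aside with a timestamp rather than rm -f,
# so a mistake can be undone.
backup_db() {
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$DBDIR"/key3.db "$DBDIR"/cert7.db "$DBDIR"/cert8.db; do
        [ -f "$f" ] && mv "$f" "$f.bak.$stamp"
    done
    return 0
}

# Re-create the database, import the CA and verify that the import took.
import_ca() {
    ca_file=$1; nick=${2:-my-ca-cert}
    is_pem_cert "$ca_file" || { echo "$ca_file: not a PEM certificate" >&2; return 1; }
    backup_db
    "$CERTUTIL" -N -d "$DBDIR" || return 1
    "$CERTUTIL" -A -n "$nick" -t "C,," -d "$DBDIR" -a -i "$ca_file" || return 1
    "$CERTUTIL" -L -d "$DBDIR" | has_trusted_ca "$nick" "C,," ||
        { echo "$nick is not listed with trust C,, in $DBDIR" >&2; return 1; }
}

# Usage (run as root from /opt/ldapux):
#   import_ca cert.ca my-ca-cert && cd /opt/ldapux/config && ./setup
```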

Categories: HP-UX, LDAP

Why does my ksh login hang? (HP-UX)

7 November 2007 ddouthitt

Recently I ran into the problem of ksh logins under HP-UX hanging. The symptom was that the login process appeared to work: the system profile and the user's profile were executed, and then the login hung.

This happened in Korn shell (ksh), but not the default POSIX shell (sh).

It turns out this is a FAQ (!), even though it's something I've not run into in all these years. In the comp.sys.hp.hpux FAQ it is question and answer 8.7. The answer to both symptoms is that the history file ($HOME/.sh_history) is on an NFS mount. In the book Optimizing NFS Performance: Tuning and Troubleshooting NFS on HP-UX Systems (by Dave Olker), section 6.4 (Avoiding NFS File Lock Hangs in Your Environment) discusses how NFS locks can cause hangs such as the Korn shell hanging. A small portion of section 6.4 can be read online.

This was also discussed in this message thread on an LDAP mailing list. It turns out that the Korn shell was hanging as it tried to open the history file ($LOGNAME/.sh_history). To fix the problem, move the history file to /tmp or some other local directory. One suggestion was /tmp/.sh_history.$$; there is probably a better, more secure choice.

One proposed solution was to make the NFS-mounted file mode 777, but this is definitely insecure and not a good idea.

Categories: HP-UX