HP-UX Directory Server (64-bit)

HP-UX Directory Server

A Global Directory Service

HP-UX Directory Server (HPDS) provides an industry-standard, centralized directory service on which to build your intranet or extranet.Your HP-UX servers and other directory-enabled applications use the directory service as a common, network-accessible location for storing shared data such as user and group identification, server identification, and access control information. In addition, you can extend the HP-UX Directory Server to support your entire enterprise with a global directory service that enables centralized management of all enterprise resource information.

The HPDS product replaces the Red Hat Directory Server for HP-UX (RHDS) product line. It is based on the same open source software as RHDS and includes a straightforward migration process from RHDS.

Features and Benefits

HP-UX Directory Server provides the following components and features:

• LDAP Directory: A powerful directory server specifically designed for LDAP (Lightweight Directory Access Protocol).
• Administration Console: A powerful server and directory management tool with a graphical interface. Logging in from any system connected to your network, you can configure a remote server or manage data in a centralized directory. The included Administration Server allows for remote operation (startup, shutdown, log viewing, SSL certificate management) of the directory server. The improved management console includes a new dialog that facilitates replication configuration.
• Command-line tools: Enables you to use customized scripts to update and modify your directory server and its contents.
• Schema management interface: Enables you to create custom object classes and attributes to define entries specific to your enterprise's needs.
• On-line import and export LDIF files: Helps you manage directory entries, enabling you to add, modify, and delete multiple entries.
• On-line backup and restore database: Enables you to make backups of the directory database and to restore from the backups to protect against data loss.
• SSL/TLS: Provides secure communications over the network including ciphers with up to 168-bit encryption.
• Multiple authentication methods: Enable you to configure selectable levels of security and application interoperability.
  • Simple passwords - High level application integration
  • SASL DIGEST-MD5 - Secure challenge and response
  • SASL EXTERNAL - Client-side certificates and integration in Public Key frameworks
  • SASL GSSAPI - Kerberos integration
• Multi-master replication: Provides a highly available directory service for both read and write operations.
• Support for SNMP: Permits you to monitor your directory server in real time using the Simple Network Management Protocol (SNMP).
• Chaining and referrals: Increase the power of the directory by storing a complete logical view of the directory on a single server while maintaining data on a large number of directory servers, transparently to clients. These features enable limitless scalability for the size of the directory database. Chaining is an enhancement over referrals. Where referrals inform clients where to look for requested data, chaining handles referrals for the client, freeing clients of the responsibility for finding the location of the requested data.
• Multiple databases: Provides a simple way of splitting your directory data across multiple databases to simplify the implementation of replication and chaining in your directory service.
• Password policy and account lockout:Enables you to define a set of rules that govern how passwords and accounts are managed in the directory server.
• Plug-in API: The Directory Server Plug-In API is fully supported for customer use. You can extend the functionality of the Directory Server by writing your own plug-in functions. HPE provides a Directory Server Plug-In Programmer's Guide for end-user development to further enhance the directory server for your needs.
• 64-bit versions of the server: HPDS uses 64-bit architecture, enabling you to configure very large caches. Server scalability is limited only by available memory and storage.
• Roles and class of service: A feature that provides a flexible mechanism for dynamically grouping and sharing attributes between entries.
• Database encryption: HPDS supports encryption of selected attributes within a database.
• Windows user and group synchronization: HPDS supports Windows Sync, which synchronizes changes in groups and user entries (including passwords) between HPDS and Microsoft Active Directory.

What is new in HPDS 8.1?

• Support for LDAP via UNIX sockets: While RHDS only used TCP sockets for communication with LDAP clients, HPDS now also supports using UNIX sockets by allowing LDAP via IPC (LDAPI). This is intended for applications that run on the same host as the Directory Server.
• DNA plug-in provides automatic numeric attribute assignment: A new plug-in automates the assignment of numeric IDs, such as the values for uidNumber and gidNumber for POSIX account entries. The plug-in supports assignment with no risk of collisions in multi-master replication topologies.
• memberOf plug-in provides a list of group memberships held by each user: Provides a list of groups in multiple memberOf attributes in each user entry. The new plug-in simplifies determining what groups a user belongs to. The memberOf attribute can greatly simplify access control in applications by simplifying verification of a user's group membership.
• Additional options for secure communication between servers: Server to server connections, such as those used in replication, are enhanced to support SASL/Digest-MD5 and SASL/GSSAPI (Kerberos) authentication, and encryption with Start TLS.
• More flexibility in schema management: Schema can be deployed or modified on-disk and then reloaded using a new task-based mechanism. Previously, dynamic schema changes could only be performed via LDAP which offered less control over the organization of the schema in its persistent on-disk storage.
• Improved Get Effective Rights operation: Whereas the GER operation in RHDS only showed effective rights for attributes that already existed in an entry, with HPDS, the operation can now display any effective rights for potential attributes as well (operational attributes, and those that currently do not exist in the entry but are allowed by schema).
• More tuning for Windows synchronization: In previous releases, the interval at which the Directory Server checked the Active Directory Server for updates was fixed at five minutes. This interval is now configurable.
• Option to disallow unauthenticated bind operations: A new configuration parameter allows the administrator to deny access to LDAP clients that do not provide a password. This allows improved compatibility with server applications that might misinterpret a Directory Server's success response to bind operations that lack a password.
• Account policy plug-in provides control over inactive accounts: The new account policy plug-in tracks login time stamps and provides the administrator with the option to lock accounts based on the duration of inactivity since the last login time.
• Replication agreements can be prioritized: The multi-master replication plug-in has been enhanced to allow prioritization of replication agreements. This allows the administrator to control the order in which multiple replicas are updated. This may be useful, for example, when you require that a backup master replica be updated completely before updating one or more read-only replicas accessible by client applications.
• Subtree rename and Entry Move: This feature provides the following functionalities:
  • ability to rename a node that has children
  • ability to move a node, with or without children to another parent node
• Syntax Validation Check: The current version of Directory Server does not perform any sort of syntax validation, but this release addresses this issue by providing the capability to enforce the syntax validation. Syntax validation checks every modification to attributes to make sure that the new value has the required syntax for that attribute type.
• Strict DN Syntax Enforcement: A new configurable parameter nsslapd-dn-validate-strict to enable strict DN parsing as described in RFC 4514.
• Support additional standard attribute syntaxes: Additional standard attribute syntaxes supported in this release are:
  • Numeric String
  • Bit String
  • Delivery Method
  • Enhanced Guide
  • Facsimile Telephone Number
  • Fax, Guide, Name and Optional UID
  • Printable String
  • Teletex Terminal Identifier
  • Number
• Aware Regex: A new thread aware library to improve the throughput of complex regex searches.
• Ability to shut off anonymous access: This feature adds a new config switch in cn=config, nsslapd-allow-anonymous-access that allows you to restrict all anonymous access.
• Resource limits for anonymously bound clients: Enables to set resource limits (sizelimit, timelimit, lookthroughlimit) specifically for anonymous connections.
• Requiring Secure Binds: A new configuration attribute named nsslapd-require-secure-binds, when enabled, allows a simple bind over a secure transport (SSL/TLS or a SASL privacy layer).
• Access based on the security strength of the connection: Based on how secure the connection is, a new ACI keyword minssf allows to set access control and a new global server setting in cn=config, nsslapd-minssf allows to reject operations.
• Linked attributes: This feature provides the ability to link two attributes bidirectionally together across entries, so that, when one attribute in one entry is altered, a corresponding attribute on a related entry is automatically updated.
• Entry USN (Update Sequence Number): This feature adds the USN to each updated entry. "Update" includes add, modify, modrdn and delete operations. Replicated operation is also considered as "update". The USN Plug-in provides a way for LDAP clients to know that the database has been updated.
• Named pipe log script: This feature allows the server to send the log output to a named pipe instead of a log file. Named pipe log script can:
  • log only certain events
  • log only lines that match a certain pattern
  • send a notification when a certain event is detected
  • log only the last N lines attached to a script, which is useful for enabling full error log debug levels in production environments
• In-memory debug logging: This feature enables the capturing of debug log messages in the memory instead of in a file in the production environment when issues are encountered. Features of In-memory debug logging are as follows:
  • Captures custom debug logs directly to the memory buffer.
  • Gets diagnostic images quickly when issues are encountered.
  • Can be enabled or disabled by changing configuration parameter in the dse.ldif file.
  • Performs relatively better compared to error logging, due to lesser I/O operations.
• Java6 support: HP Directory server 8.1 is enhanced to support JRE version 1.6.0.20.00. Later versions of JRE6.0 may also work.

Migration support from Sun Java System Directory Server

HPDS shares a common heritage with Sun Java System Directory Server (SJDS) and has almost identical features and capabilities. This helps provide a smooth transition from the SJDS product to HPDS, the latter which provides a stable platform that is based on current industry standards and is supportable for the long term. To make the transition even easier, HPE now provides the sjdsmig.pl script with the HPDS software (in /opt/dirsrv/contrib). This script facilitates migrating data from SJDS.

Detailed information about the HP-UX Directory Server can be found at Directory Server Documentation.

HP-UX Directory Server warnings:

Problem

HP-UX Directory Server B.08.10.07, B.08.10.05 and B.08.10.04 versions introduced a behavior that may result in attribute not being deleted in replication environment when an attribute is deleted from an entry.

Solution

A fix for this issue is identified and will be available in the next version of HP-UX Directory server. For more details on the problem and solution refer QXCR1001368887 and contact HPE support center.

Product Pricing, Packaging, and Service

The HP-UX Directory Server is provided as part of your HP-UX OE software package. Your HP-UX OE service contract covers the HP-UX Directory Server.

Note: While prior versions of Red Hat Directory Server for HP-UX 11i required additional licensing fees for use in an extranet environment, HP-UX Directory Server provides extranet support at no additional charge.