Install Requirements for the AD Bridge Agent

This section lists requirements for installing and running the AD Bridge agent.

Environment Variables

Before you install the AD Bridge agent, make sure that the following environment variables are not set:

  • LD_LIBRARY_PATH
  • LIBPATH
  • SHLIB_PATH
  • LD_PRELOAD

Setting any of these environment variables violates best practices for managing Unix and Linux computers because it causes AD Bridge to use non-AD Bridge libraries for its services.

For more information on best practices, please see When Should I Set LB_LIBRARY_PATH?.

If you must set LD_LIBRARY_PATH, LIBPATH, or SHLIB_PATH for another program, put the AD Bridge library path (/opt/pbis/lib or /opt/pbis/lib64) before any other path, but keep in mind that doing so may result in side effects for other programs, as they will now use AD Bridge libraries for their services.

If joining the domain fails with an error message that one of these environment variables is set, stop all the AD Bridge services, clear the environment variable, make sure it is not automatically set when the computer restarts, and then try to join the domain again.

Patch Requirements

We recommend that the latest patches for an operating system be applied before installing AD Bridge.

Sun Solaris

All Solaris versions require the md5sum utility, which can be found on the companion CD.

Visit the Oracle Technology Network Patching Center to ensure the latest patches are deployed to Solaris targets.

HP-UX

Visit the HP Software Depot to download patches.

Secure Shell: For all HP-UX platforms, we recommend that a recent version of HP's Secure Shell be installed.

Sudo: By default, the versions of sudo available from the HP-UX Porting Center do not include the Pluggable Authentication Module, or PAM, which AD Bridge requires to allow domain users to execute sudo commands with super-user credentials. We recommend that you download sudo from the HP-UX Porting Center and make sure that you use the with-pam configuration option when you build it.

HP-UX 11iv1 requires the following patches:

  • PHCO_36229
  • PHSS_35381
  • PHKL_34805
  • PHCO_31923
  • PHCO_31903
  • PHKL_29243

The patches listed here represent the minimum patch level for proper operation. The patches might be superseded by later patches.

Kerberos client libraries: For single sign-on with HP-UX 11.11 and 11.23, install the latest KRB5-Client libraries from the HP Software Depot. By default, HP-UX 11.31 includes the libraries.

Other Requirements for the Agent

Locale

Configure the locale with UTF-8 encoding for every target computer.

Secure Shell

To properly process logon events with AD Bridge, the SSH server or client must support the UsePam yes option.

For single sign-on, both the SSH server and the SSH client must support GSSAPI authentication.

Other Software

Telnet, rsh, rcp, rlogin, and other programs that use PAM for processing authentication requests are compatible with AD Bridge.

Networking Requirements

Each Linux or Unix computer must have fully routed network connectivity to all the domain controllers that service the computer's Active Directory site. Each computer must be able to resolve A, PTR, and SRV records for the Active Directory domain, including at least the following:

  • A domain.tld
  • SRV _kerberos._tcp.domain.tld
  • SRV _ldap._tcp.domain.tld
  • SRV _kerberos._udp.sitename.Sites._msdcs.domain.tld
  • A domaincontroller.domain.tld

Disk Space Requirements

The AD Bridge agent requires 100MB of disk space in the /opt mount point.

The agent also creates configuration files in /etc/pbis and offline logon information in /var/lib/pbis.

The AD Bridge agent caches Group Policy Objects (GPOs) in /var/lib/pbis.

Memory and CPU Requirements

  • RAM: The agent services and daemons can use between 9MB – 14MB:
    • Authentication service on a 300-user mail server is typically 7MB
    • Other services and daemons require between 500KB and 2MB each
  • CPU: On a 2.0GHz single-core processor under heavy load with authentication requests is about 2 percent.

For a description of the AD Bridge Enterprise services and daemons, please see Install Requirements for the AD Bridge Agent.

Clock Skew Requirements

For the AD Bridge agent to communicate over Kerberos with the domain controller's Kerberos key distribution center, the clock of the client must be within the domain controller's maximum clock skew, which is 300 seconds, or 5 minutes, by default.

For more information, please see Synchronize Time Between AD Bridge and the Domain Controller

Additional Requirements for Specific Operating Systems

AIX

On AIX computers, PAM must be enabled. LAM is supported only on AIX 5.x. PAM must be used exclusively on AIX 6.x.