Configure Third-Party Libraries

When Privilege Management for Unix and Linux is configured with Kerberos, SSL, LDAP, or CURL, it requires the appropriate third-party libraries. The Privilege Management for Unix and Linux installation provides Kerberos, SSL, LDAP, or CURL libraries that are designed to work with Privilege Management for Unix and Linux. It is recommended that you install the Privilege Management for Unix and Linux third-party libraries. However, you do have the option of using your own third-party libraries.

 

Shared libraries can be adversely affected when both interactive and packaged Privilege Management for Unix and Linux installations are present on the same computer. For more information, please see Installation Preparation.

Privilege Management for Unix and Linux does not currently support shared libraries for the following operating systems: AIX 4.3, NCR, IRIX, OSF, QNX, and macOS.

Use Privilege Management for Unix and Linux Third-Party Libraries

If you have your own Kerberos, SSL, LDAP, or CURL libraries but wish to use Privilege Management for Unix and Linux third-party libraries, you should do one of the following:

  • Remove your libraries from /usr/lib or /lib and point to the Privilege Management for Unix and Linux third-party libraries in /usr/lib/beyondtrust/pb or /usr/lib/symark/pb in pb.settings.
  • Replace your third-party libraries with the Privilege Management for Unix and Linux third-party libraries in /usr/lib or /lib and specify this directory in pb.settings.

Third-Party Library File Names and Locations

If you are installing Privilege Management for Unix and Linux shared libraries, the following files are installed:

  • Kerberos:
    • llibcom_err.so.3.0
    • libk5crypto.so.3.1
    • libkrb5support.so.0.1
    • libkrb5.so.3.3
    • libgssapi_krb5.so.2.2
  • SSL:
    • libcrypto.so.1.0.0
    • libssl.so.1.0.0
  • LDAP:
    • liblber-2.4.so.0.2
    • libLDAP-2.4.so.0.2
  • CURL:
    • libcurl.so.4

Shared Library Directory Location for AIX and HP (PA RISC)

For AIX and HP (PA-RISC), the directory for installing third-party libraries must be in one of the following locations:

  • /usr/lib/beyondtrust/pb
  • /usr/lib/symark/pb
  • /usr/lib
  • /lib
  • /usr/local/lib

If any other directory is specified, it is rejected with an error message that instructs you to use one of these directory locations.

Shared Library File Name for AIX

The notation used on AIX to specify LDAP libraries is different from other platforms. On AIX, for archived third-party libraries, you need to specify the shared object that is a member of the archive and add it to the file name.

The notation for default LDAP libraries is:

  • /usr/lib/beyondtrust/pb/liblber-2.4.a(liblber-2.4.so.2.10.3)
  • /usr/lib/beyondtrust/pb/libLDAP-2.4.a(libLDAP-2.4.so.2.10.3)

For example, if libcom_err.a.3.0 is an archive and shr.0.3.0 is the actual shared object, the file specification for the member of the archive is libcom_err.a.3.0(shr.0.3.0).

For SSL and Kerberos, it is not necessary to alter the file name because the library is not an archive.

Use Your Own Third-Party Libraries

If you have chosen to configure Privilege Management for Unix and Linux with Kerberos, SSL, or LDAP, and do not load Privilege Management for Unix and Linux built-in third-party libraries, you must specify your own shared library file names. If you have Kerberos, SSL, or LDAP libraries of your own in /usr/lib or /lib and you are using them for other applications, you need to use your libraries for Privilege Management for Unix and Linux as well and not use any of the libraries in /usr/lib/beyondtrust/pb or /usr/lib/symark/pb. During the Privilege Management for Unix and Linux installation, specify no for the install option Install BeyondTrust built-in libraries, and then enter the appropriate shared library directory and filename.

For more information about the installation instructions, please see Advanced Installation Instructions Using pbinstall.

Install Third-Party Libraries in Future Installations

If you do not enable the third-party libraries during the Privilege Management for Unix and Linux installation and in the future you decide to enable Kerberos, SSL, or LDAP in your Privilege Management for Unix and Linux policy, then you must do the following:

  • Install Privilege Management for Unix and Linux third-party libraries or your own third-party libraries.
  • In the pb.settings file, do one of the following:
    • If you are using the Privilege Management for Unix and Linux third-party libraries, specify the directories to install the operating system third-party libraries in by setting the following keywords to specify the full path and library file names:
      • sharedlibkrb5dependencies
      • sharedlibssldependencies
      • sharedlibLDAPdependencies
      • sharedlibcurldependencies

If you are using your own third-party libraries, then perform the following actions.

  • Specify the Kerberos library setting and provide the full path and library file names.
  • Specify the SSL library setting and provide the full path and library file names.
  • Specify the LDAP library setting and provide the full path and library file names.
  • Specify the CURL library setting and provide the full path and library file names.
  • Ensure that your libraries are listed in the correct order. For example, if lib1 is dependent on lib2, you must list lib2 first, followed by lib1.