LDAP-UX Client Services B.04.00 Administrator's Guide

Installing And Configuring LDAP-UX Client Services
Configure Your Directory
Chapter 2 23
Step 4. Grant read access of all attributes of the posix schema.
Ensure all users have read access to the posix attributes.
When using PAM_LDAP as your authentication method, users do not
need read access to the userPassword attribute since the authentication
is handled by the directory itself. Therefore, for better security, you can
remove read access to userPassword from ordinary users.
Step 5. Configure anonymous access, if needed. If you do not configure a proxy
user, then the attributes of your name service data must be readable
anonymously.
Step 6. Create a proxy user in the directory, if needed.
To create a proxy user with Netscape Directory Server for HP-UX, use
the Netscape Console, Users and Groups tab, Create button. For
example, you might create a user uid=proxyuser,ou=Special
Users,o=hp.com.
Step 7. Set access permissions for the proxy user, if configured.
Give the proxy user created above read permission for the posix account
attributes.
With Netscape Directory Server, for example, the following ACI gives a
proxy user permission to compare, read, and search all posix account
attributes except the userPassword attribute:
aci: (target="ldap:///o=hp.com")(targetattr!="userpassword")
(version 3.0; acl "Proxy userpassword read rights";
allow (compare,read,search)
userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)
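As an added example, not part of the guide and not Netscape Directory Server code, the following Python checker parses the single-ACI form shown above (target, targetattr with = or !=, allow rights, userdn) and answers whether a given bind DN is granted a right on an attribute. It is a simplified model (one allow rule, no deny rules, no ACI precedence) meant to let an administrator sanity-check that the proxy user can read posix attributes but not userPassword; the ACI string is a constructed copy of the guide's example.

```python
import re

# Constructed ACI in the same form as the proxy-user ACI above (guide's example DNs).
PROXY_ACI = (
    '(target="ldap:///o=hp.com")(targetattr!="userpassword")'
    '(version 3.0; acl "Proxy userpassword read rights"; '
    'allow (compare,read,search) '
    'userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)'
)

# Subset of the Netscape DS ACI grammar actually used in this guide.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)\s*'
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]+)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*'
    r'allow\s*\((?P<rights>[^)]+)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]+)"\s*;\)',
    re.IGNORECASE,
)

def parse_aci(aci):
    """Parse one allow ACI of the form used above into its components."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax (only the guide's form is modelled)")
    d = m.groupdict()
    return {
        "target": d["target"].lower(),
        "attr_negated": d["op"] == "!=",            # targetattr != "..." excludes listed attrs
        "attrs": {a.strip().lower() for a in d["attrs"].split("||")},
        "name": d["name"],
        "rights": {r.strip().lower() for r in d["rights"].split(",")},
        "userdn": d["userdn"].lower(),
    }

def allows(aci, bind_dn, entry_dn, attr, right):
    """True if this single ACI grants `right` on `attr` of `entry_dn` to `bind_dn`.
    DN comparison is a plain case-insensitive string match (simplification)."""
    rule = parse_aci(aci)
    bind_dn, entry_dn, attr = bind_dn.lower(), entry_dn.lower(), attr.lower()
    if bind_dn != rule["userdn"]:                    # only the named proxy user is granted
        return False
    in_scope = entry_dn == rule["target"] or entry_dn.endswith("," + rule["target"])
    if not in_scope or right.lower() not in rule["rights"]:
        return False
    listed = attr in rule["attrs"]
    return (not listed) if rule["attr_negated"] else listed
```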
Step 8. The default ACI of Netscape Directory Server 6.11 allows a user to
change his own common attributes. For Netscape Directory Server
6.21 or later, however, you need to set an ACI that gives a user permission to
change his own common attributes. By default, Netscape Directory Server
6.21 or later provides the following ACI, named "Enable self write for
common attributes", that gives a user permission to change his own
common attributes:
aci: (targetattr = "carLicense ||description ||displayName
||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials
||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox
||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street