LDAP-UX Client Services B.04.00 Administrator's Guide

Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
Chapter 2 49
Password for an Admin Proxy User
To protect users’ secret keys in the LDAP directory, the secret keys are encrypted using the user’s password. This process is used in NIS as well as NIS+ environments. The host’s secret key must also be encrypted. Since the host itself does not have its own password, root’s password is used to encrypt the host’s secret key. The chkey or newkey command prompts for root’s password when changing or adding a key for a host. For this reason, you may wish to configure the Admin Proxy user in the LDAP directory to have the same password as the root user on the master host. Although it is not required that the Admin Proxy user and the root user share the same password, doing so lets you avoid storing the Admin Proxy user’s password in the /etc/opt/ldapux/acred file. In that case, when you run the ldap_proxy_config -A -i command to configure the Admin Proxy user, you enter only the Admin Proxy user’s DN, without the password. LDAP-UX then uses the root password given to the chkey and newkey commands as the Admin Proxy user’s password to perform public key operations. However, the ldap_proxy_config -A -v command will not be able to validate the Admin Proxy user, because no password is available to ldap_proxy_config. As a result, the message "No password is provided. Validation is not performed" is displayed.
Setting ACI for Key Management
Before storing public keys in an LDAP server, LDAP administrators may wish to update their LDAP access controls so that users can manage their own keys and the Admin Proxy user can manage host keys. This section describes how to set up access control instructions (ACI) for an Admin Proxy user or for a user.
Setting ACI for an Admin Proxy User
With Netscape Directory Server 6.11 and 6.21, you can use the Netscape Console or ldapmodify to set up an ACI that gives an Admin Proxy user permission to manage host and user keys in the LDAP directory.
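The check below is an added example and is not part of this guide or of LDAP-UX. It parses a Netscape Directory Server ACI (a constructed sample; the Admin Proxy DN uid=keyadmin,ou=people,dc=org,dc=hp,dc=com is assumed) and flags a key-management ACI whose targetattr reaches beyond nissecretkey and nispublickey, or whose write permission is granted to anyone other than the Admin Proxy user or the entry owner (self).

```python
import re

# Attributes that key management in LDAP-UX reads and writes.
KEY_ATTRS = {"nissecretkey", "nispublickey"}

# Constructed sample ACIs in Netscape Directory Server 6.x syntax (not the guide's ACI).
ADMIN_PROXY_DN = "uid=keyadmin,ou=people,dc=org,dc=hp,dc=com"  # assumed DN
GOOD_ACI = (
    '(targetattr = "nissecretkey || nispublickey")'
    '(version 3.0; acl "admin proxy manages keys"; allow (read, write, compare) '
    f'userdn = "ldap:///{ADMIN_PROXY_DN}";)'
)
BAD_ACI = (
    '(targetattr = "*")'
    '(version 3.0; acl "too broad"; allow (read, write, compare) '
    'userdn = "ldap:///anyone";)'
)

def parse_aci(aci):
    """Return (negated, attrs, allowed_perms, subjects) parsed from one ACI string."""
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci)
    if not m:
        raise ValueError("no targetattr clause")
    negated = m.group(1) == "!="                      # targetattr != "..." means "everything else"
    attrs = {a.strip().lower() for a in m.group(2).split("||")}
    perms = set()
    for verb, plist in re.findall(r'\b(allow|deny)\s*\(([^)]*)\)', aci):
        if verb == "allow":
            perms |= {p.strip().lower() for p in plist.split(",")}
    subjects = {s.lower() for s in re.findall(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)}
    return negated, attrs, perms, subjects

def audit_key_aci(aci, admin_proxy_dn):
    """Findings for an ACI meant to let the Admin Proxy user manage keys; [] when it is scoped."""
    negated, attrs, perms, subjects = parse_aci(aci)
    findings = []
    if negated or "*" in attrs:
        findings.append("targetattr is a wildcard or negation; scope it to the key attributes")
    elif not attrs <= KEY_ATTRS:
        findings.append("targetattr grants attributes beyond nissecretkey/nispublickey: "
                        + ", ".join(sorted(attrs - KEY_ATTRS)))
    if "write" in perms or "all" in perms:
        allowed = {admin_proxy_dn.lower(), "self"}
        for subj in sorted(subjects - allowed):
            findings.append(f"write on key attributes granted to {subj}, not the Admin Proxy or self")
    return findings

if __name__ == "__main__":
    for name, aci in (("GOOD_ACI", GOOD_ACI), ("BAD_ACI", BAD_ACI)):
        print(name, audit_key_aci(aci, ADMIN_PROXY_DN) or ["ok"])
```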
An Example
The following ACI gives the Admin Proxy user uid=keyadmin permission to read, write, and compare the nissecretkey and nispublickey attributes for hosts and users:
dn:dc=org,dc=hp,dc=com