LDAP-UX Client Services B.04.00 Administrator's Guide
Installing And Configuring LDAP-UX Client Services
Configure LDAP-UX Client Services with Publickey Support
Chapter 250
aci: (targetattr = "objectclass||nispublickey||nissecretkey")
(version 3.0; acl "Allow keyadmin to change key pairs";
allow (read,write,compare)
userdn = "ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com";)
Setting ACI for a User
The default ACI of Netscape Directory Server 6.11 already allows a user to
change his own nispublickey and nissecretkey attributes. For
Netscape Directory Server 6.21, you need to set up an ACI that gives a
user permission to change his own nissecretkey and nispublickey
attributes. Use the Netscape Console or ldapmodify to set up the ACI for
users.
An Example
The following ACI, attached to the ou=People entry, gives each user
permission to change only his own nissecretkey and nispublickey
attributes (userdn = "ldap:///self" matches the entry the user is bound as,
so one user cannot write another user's keys):
dn: ou=People,dc=org,dc=hp,dc=com
aci: (targetattr = "nissecretkey||nispublickey")(version 3.0;
acl "Allow key self modification"; allow (write)
(userdn = "ldap:///self");)
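The guide shows the ACIs as bare dn/aci pairs but does not show how to feed them to ldapmodify or how to confirm they landed. The script below is an added example, not code from the LDAP-UX guide or from HP: it wraps both ACIs from this section in the changetype/add lines ldapmodify needs for an existing entry, applies them, and reads the aci attribute back. The host, port, bind DN, tool path and the choice of ou=People as the entry carrying the keyadmin ACI are assumptions.

```shell
#!/bin/sh
# Added example; not part of the LDAP-UX guide. Builds the two ACIs from this
# section as ldapmodify input, applies them, and reads them back.
LDAP_HOST="${LDAP_HOST:-ldap.org.hp.com}"        # assumed
LDAP_PORT="${LDAP_PORT:-389}"                    # assumed
BIND_DN="${BIND_DN:-cn=Directory Manager}"       # assumed
LDAPTOOLS="${LDAPTOOLS:-/opt/ldapux/bin}"        # assumed location of ldapmodify/ldapsearch
PEOPLE_DN="ou=People,dc=org,dc=hp,dc=com"        # from the guide's example
KEYADMIN_DN="uid=keyadmin,ou=people,dc=org,dc=hp,dc=com"

# The ou=People entry already exists, so the ACI must be added with
# "changetype: modify" / "add: aci"; the bare dn/aci pair printed in the
# guide would only be accepted by ldapadd for a brand-new entry.
aci_self_ldif() {
    cat <<EOF
dn: $PEOPLE_DN
changetype: modify
add: aci
aci: (targetattr = "nissecretkey||nispublickey")(version 3.0; acl "Allow key self modification"; allow (write) (userdn = "ldap:///self");)
EOF
}

# keyadmin gets read, write and compare on the key attributes (and objectclass)
# of every entry below ou=People. Attaching it to ou=People is an assumption.
aci_keyadmin_ldif() {
    cat <<EOF
dn: $PEOPLE_DN
changetype: modify
add: aci
aci: (targetattr = "objectclass||nispublickey||nissecretkey")(version 3.0; acl "Allow keyadmin to change key pairs"; allow (read,write,compare) userdn = "ldap:///$KEYADMIN_DN";)
EOF
}

# Apply both changes in one ldapmodify run. aci is multi-valued, so the two
# adds coexist; running this twice fails because the values already exist.
# The password is read from BIND_PW; passing it with -w still exposes it to
# ps for the lifetime of the command, so run this from a protected shell.
apply_aci() {
    : "${BIND_PW:?set BIND_PW to the bind password}"
    { aci_self_ldif; echo; aci_keyadmin_ldif; } |
        "$LDAPTOOLS/ldapmodify" -h "$LDAP_HOST" -p "$LDAP_PORT" \
            -D "$BIND_DN" -w "$BIND_PW"
}

# Read the aci attribute of ou=People back to verify what is now in effect.
show_aci() {
    : "${BIND_PW:?set BIND_PW to the bind password}"
    "$LDAPTOOLS/ldapsearch" -h "$LDAP_HOST" -p "$LDAP_PORT" \
        -D "$BIND_DN" -w "$BIND_PW" -b "$PEOPLE_DN" -s base "(objectclass=*)" aci
}

case "${1:-}" in
    print) aci_self_ldif; echo; aci_keyadmin_ldif ;;
    apply) apply_aci ;;
    show)  show_aci ;;
esac
```

Run it as `sh set_key_aci.sh print` to inspect the LDIF, `apply` to push it, and `show` to confirm the two aci values are present on ou=People. Review the keyadmin ACI before applying it: read on nissecretkey for keyadmin means that account can pull every user's encrypted secret key, so it should be a dedicated account with a strong password rather than a shared administrative login.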
Configuring serviceAuthenticationMethod
serviceAuthenticationMethod is a newly supported attribute of the
configuration profile, /opt/ldapux/ldapux_profile.ldif. Its function
is the same as that of authenticationMethod, but it sets the
authentication method for a specific name service rather than for all
of them. It exists for the case where the default authentication method
is not secure enough, or not usable, for a specific name service. For
example, if the default authenticationMethod is NONE (an anonymous
bind), the newkey and chkey commands have no credentials with which to
bind to the directory server when adding or changing key pairs, and a
directory whose ACIs grant key modification only to the user himself or
to the key administrator rejects the anonymous write. LDAP-UX supports
the serviceAuthenticationMethod attribute only for the keyserv service,
since keyserv is currently the only service that needs to modify
entries in the directory server.
To perform newkey and chkey operations, LDAP-UX binds as the Admin
Proxy user to the LDAP directory using the authentication method
specified in serviceAuthenticationMethod. Any service other than keyserv
named in serviceAuthenticationMethod is ignored. If the method chosen
for keyserv is a simple bind, the proxy user's password crosses the
network in the clear unless the connection to the directory server is
protected, for example with SSL.
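A quick way to see what the two attributes add up to for keyserv is to read the profile and compute the effective bind method. The script below is an added example, not part of the LDAP-UX guide: it reads a profile in LDIF form, takes serviceAuthenticationMethod for keyserv when present and authenticationMethod otherwise, reports the result, and exits non-zero when newkey and chkey would end up binding anonymously. The sample profiles are constructed, the profile DN and container are invented, and the "keyserv:<method>" value syntax (and the pam_ldap entry used to show a non-keyserv service being ignored) is assumed rather than taken from the guide.

```shell
#!/bin/sh
# Added example; not part of the LDAP-UX guide.
# check_keyserv_auth reads a configuration profile in LDIF form on stdin
# (for example /opt/ldapux/ldapux_profile.ldif) and prints the bind method
# keyserv will actually use: serviceAuthenticationMethod for keyserv if set,
# otherwise authenticationMethod. Exit status: 0 usable, 1 NONE (anonymous),
# 2 no method configured at all. The "keyserv:<method>" syntax is assumed.
check_keyserv_auth() {
    awk -F': ' '
        tolower($1) == "authenticationmethod" { dflt = toupper($2) }
        tolower($1) == "serviceauthenticationmethod" {
            v = $2
            if (tolower(v) ~ /^keyserv:/) {
                sub(/^[^:]*:/, "", v)       # strip the "keyserv:" service id
                ks = toupper(v)
            } else {
                ignored = ignored " " v     # LDAP-UX ignores other services here
            }
        }
        END {
            eff = (ks != "") ? ks : dflt
            if (eff == "") eff = "UNSET"
            printf "keyserv effective bind method: %s\n", eff
            if (ignored != "") printf "ignored by LDAP-UX (not keyserv):%s\n", ignored
            if (eff == "NONE") exit 1      # newkey/chkey would bind anonymously
            if (eff == "UNSET") exit 2     # nothing configured
            exit 0
        }'
}

# Constructed sample profile (DN and container are invented): every name
# service, keyserv included, falls back to an anonymous bind.
weak_profile() {
    cat <<'EOF'
dn: cn=ldapux_profile,ou=profile,dc=org,dc=hp,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: ldapux_profile
defaultServerList: ldap.org.hp.com
defaultSearchBase: dc=org,dc=hp,dc=com
authenticationMethod: NONE
EOF
}

# The same profile with keyserv overridden to a simple bind, plus an entry
# for another service that LDAP-UX ignores. Value syntax is assumed.
hardened_profile() {
    weak_profile
    cat <<'EOF'
serviceAuthenticationMethod: keyserv:SIMPLE
serviceAuthenticationMethod: pam_ldap:SIMPLE
EOF
}

# Usage: sh check_keyserv_auth.sh [profile.ldif]
# Without an argument the client copy of the profile is checked if present.
if [ -n "${1:-}" ] || [ -r /opt/ldapux/ldapux_profile.ldif ]; then
    check_keyserv_auth < "${1:-/opt/ldapux/ldapux_profile.ldif}"
fi
```

Running `weak_profile | check_keyserv_auth` reports NONE and exits 1; `hardened_profile | check_keyserv_auth` reports SIMPLE, lists the pam_ldap value as ignored, and exits 0. Run the check against the client copy of the profile after each profile download, since an edit on the directory server that drops the keyserv line silently reverts newkey and chkey to the default method.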