LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)
Setting ACI for a User
The default ACI of Netscape Directory Server 6.11 allows a user to change his own nispublickey
and nissecretkey attributes. For Netscape Directory Server 6.21, you need to set up an ACI that
gives a user permission to change his own nissecretkey and nispublickey attributes. Use
the Netscape Console or ldapmodify to set up the ACI.
An Example
The following ldapmodify input adds an ACI to the People container that gives a user
permission to change his own nissecretkey and nispublickey attributes (continuation lines
of the aci value begin with a single space, as LDIF requires):
dn: ou=People,dc=org,dc=hp,dc=com
changetype: modify
add: aci
aci: (targetattr ="nissecretkey||nispublickey")(version 3.0;
 acl "Allow key self modification";allow (write)
 (userdn = "ldap:///self");)
Because the subject is userdn = "ldap:///self", only a bound user matches, and only for his own
entry; an anonymous bind receives no write access from this ACI. After loading it, verify it with
an ldapsearch for the aci attribute on ou=People as the Directory Manager.
Configuring serviceAuthenticationMethod
serviceAuthenticationMethod is a newly supported attribute of the configuration profile,
/etc/opt/ldapux/ldapux_profile.ldif. Its function is the same as that of
authenticationMethod, but it allows the authentication method to be configured for a specific
name service. The attribute resolves a problem that arises when the default authentication
method is not secure enough, or not usable at all, for a particular name service. For example,
if the default authenticationMethod is configured as NONE, the newkey and chkey commands
have no way to bind to the directory server when adding or changing key pairs.
LDAP-UX supports serviceAuthenticationMethod only for the keyserv service, because
keyserv is currently the only service that needs to modify entries in the directory server.
Any other service named in serviceAuthenticationMethod is ignored.
To perform newkey and chkey operations, LDAP-UX binds the Admin Proxy user to the LDAP
directory using the authentication method specified in serviceAuthenticationMethod.
Configuring serviceAuthenticationMethod is optional. If you do not configure it, LDAP-UX
binds the Admin Proxy user to the LDAP directory using the authentication method specified
for the proxy user.
Authentication Methods
LDAP-UX Client Services supports the following authentication methods for the keyserv service:
• simple with SSL enabled
• SASL DIGEST-MD5 with SSL enabled
• simple with SSL disabled
• SASL DIGEST-MD5 with SSL disabled
NOTE: SSL settings for both authenticationMethod and serviceAuthenticationMethod
must be set the same. It is not supported to have SSL enabled for authenticationMethod and
SSL disabled for serviceAuthenticationMethod, or vice versa.
Procedures Used to Configure serviceAuthenticationMethod
Use the following steps on one of the LDAP-UX client systems to configure the
serviceAuthenticationMethod attribute in the
/etc/opt/ldapux/ldapux_profile.ldif file:
Configure LDAP-UX Client Services with Publickey Support