LDAP-UX Client Services B.04.15 Administrator's Guide

Table 6-8 Return Codes for ldapugmod (continued)
MOD_DUP_REQUEST
    Duplicate modification requests are found in the command options. For example:
        ldapugmod -A "cn=Mike Lee" -A "cn=Mike Lee" mlee
    After running the above command, ldapugmod exits with the MOD_DUP_REQUEST
    error status because duplicate modification requests are specified.
MOD_CONFLICT_REQUEST
    Conflicting modification requests are found in the command options.
MOD_RENAME_RDN_FAILED
    Renaming the entry's RDN failed.
MOD_NEW_RDN_NEEDED
    The specified command deletes the existing value in the RDN, but no new
    value for the RDN has been provided.
MOD_MEMBER_EXIST
    The account entry being added is already a member of the specified group.
MOD_HOMEDIR_DOESNOT_EXIST
    The user's home directory does not exist.
MOD_MISSING_INFORMATION
    Cannot move user's home directory, missing information.
6.3.6.6 Security Considerations
Be aware of the following security considerations when you use ldapugmod:
• The ldapugmod tool requires LDAP administrator permissions when it performs
  operations on the directory server. The rights to modify existing LDAP directory entries
  under the requested subtree, and to create, modify and remove the required attributes in
  that entry, must be granted to the administrator identity that you specify when executing
  ldapugmod.
• With any POSIX-type identity, the user and group ID numbers are used by the HP-UX
  operating system to determine rights and capabilities in the OS as well as in the file system.
  For example, a root user ID 0 has unlimited OS administration and file access rights. Before
  modifying an entry, you must be aware of the selected user and group ID number and any
  policy that may be associated with that ID.
• Modification (renaming) of a POSIX account does not automatically modify that account’s
  membership in groups, unless the LDAP directory server intrinsically provides that capability.
  Some LDAP directory servers have a feature known as “referential integrity”, which performs
  modification or removal of DN-type attributes if the specified DN is either changed or
  removed.
• As with any identity repository, modifying this repository will likely have
  impacts as defined by the organization's security policy. When using ldapugmod, you are
  expected to have full knowledge of the organization's security policy and the impact of
  modifying identity information in that identity repository.
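The rename caveat above can be checked after the fact: this added example (not part of the guide or of LDAP-UX) scans an LDIF export of group entries for references to an account's old login name or old DN. The attribute names memberUid, member and uniqueMember, the function names, and the sample entries are assumptions of the example.

```sh
# Added example (not from the guide): report group entries that still name an
# account by its old login or old DN after a rename. Reads LDIF on stdin.
stale_group_refs() {   # $1 = old login name, $2 = old account DN
    OLD_UID="$1" OLD_DN="$2" awk '
    function norm(s) {                 # DNs compare case-insensitively
        s = tolower(s)
        gsub(/[ \t]*,[ \t]*/, ",", s)
        gsub(/^[ \t]+|[ \t\r]+$/, "", s)
        return s
    }
    function check(line,    i, attr, val) {
        if (line == "") { dn = ""; return }           # blank line ends an entry
        i = index(line, ":")
        if (i == 0 || substr(line, i + 1, 1) == ":") return   # base64 value: not decoded
        attr = tolower(substr(line, 1, i - 1))
        val = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (attr == "dn") dn = val
        else if (attr == "memberuid" && val == ENVIRON["OLD_UID"])
            print dn "\tmemberUid"
        else if ((attr == "member" || attr == "uniquemember") &&
                 norm(val) == norm(ENVIRON["OLD_DN"]))
            print dn "\t" attr
    }
    /^ / { pending = pending substr($0, 2); next }    # unfold continuation line
    { if (NR > 1) check(pending); pending = $0 }
    END { if (NR > 0) check(pending) }
    '
}

sample_ldif() {   # constructed data: account mlee was renamed to mikelee
cat <<'EOF'
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: jadmin
memberUid: mlee

dn: cn=ops,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: UID=mlee, ou=People,
 dc=example,dc=com

dn: cn=dev,ou=Groups,dc=example,dc=com
objectClass: posixGroup
memberUid: mikelee
EOF
}

sample_ldif | stale_group_refs mlee "uid=mlee,ou=People,dc=example,dc=com"
```

Each output line is a group DN and the attribute that still holds the old name; an empty result means no stale reference was found in the export.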
6.3.6.7 Limitations
Because LDAP directories require data be stored according to the UTF-8 (RFC3629) character
encoding method, all characters displayed by ldapugmod are UTF-8, and assumed to be part of
the ISO-10646 character set. The ldapugmod tool does not perform conversion of the locale
character set to or from the UTF-8 character set.
6.3.6.8 Examples
The following commands set the LDAP_BINDDN and LDAP_BINDCRED environment variables:
export LDAP_BINDDN="cn=Jane Admin,ou=admins,dc=example,dc=com"
export LDAP_BINDCRED="Jane_Password"
6.3 LDAP User and Group Management Tools 183