LDAP-UX Client Services B.04.15 Administrator's Guide
in the directory at ou=groups,ou=unix,o=hp.com, allows only the directory administrator
to modify entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
4. Grant read access to all attributes of the posix schema.
Ensure that all users have read access to the posix attributes.
When using PAM_LDAP as your authentication method, users do not need read access to
the userPassword attribute since the authentication is handled by the directory itself.
Therefore, for better security, you can remove read access to userPassword from ordinary
users.
5. Configure anonymous access, if needed. If you do not configure a proxy user, then the
attributes of your name service data must be readable anonymously.
6. Create a proxy user in the directory, if needed.
To create a proxy user with Netscape/Red Hat Directory Server for HP-UX, use the Directory
Console, Users and Groups tab, Create button. For example, you might create a user
uid=proxyuser,ou=Special Users,o=hp.com.
7. Set access permissions for the proxy user, if configured.
Give the proxy user created above read permission for the posix account attributes.
With Netscape Directory Server, for example, the following ACI gives a proxy user permission
to compare, read, and search all posix account attributes except the userPassword attribute:
aci: (target="ldap:///o=hp.com")(targetattr!="userpassword")(version 3.0; acl "Proxy userpassword read rights"; allow (compare,read,search) userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)
8. The default ACI of Netscape Directory Server 6.11 allows a user to change their own common
attributes. For Netscape Directory Server 6.21 or later, however, you need to set an ACI that
gives a user permission to change their own common attributes. By default, Netscape Directory
Server 6.21 or later provides the following ACI, named "Enable self write for common
attributes", which gives a user permission to change their own common attributes:
aci: (targetattr = "carLicense || description || displayName || facsimileTelephoneNumber
|| homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile
|| pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod
|| preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st
|| street || telephoneNumber || telexNumber || title || userCertificate || userPassword
|| userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for
common attributes"; allow (write) (userdn = "ldap:///self");)
You can modify the default ACI and give appropriate access rights to change your own
common attributes.
9. Index important attributes for better performance of Directory Server.
Since many of your directory requests will be for the attributes listed below, you should
index them to improve performance. If you do not index them, the directory may search
sequentially, causing a performance bottleneck. As a rule of thumb, databases containing
more than 100 entries should be indexed by their key attributes.
The following attributes are recommended for indexing:
• cn
• objectclass
• memberuid
• uidnumber
• gidnumber
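Steps 4, 5 and 7 all turn on one point: no ordinary or anonymous subject should be able to read userPassword. The following Python checker is an added example, not part of this guide or of LDAP-UX; it parses the single-clause ACI shape used on this page (optional target, one targetattr clause, one allow/deny rule, one bind rule) and flags any ACI that grants read, search or compare on userPassword. The anonymous-read ACI in it is constructed for illustration; the proxy-user ACI is the one from step 7.

```python
import re

# Simplified Netscape/Red Hat Directory Server ACI grammar (added example, not from
# the guide): optional target, one targetattr clause, one allow/deny rule, one bind rule.
ACI_RE = re.compile(
    r'(?:aci:\s*)?'
    r'(?:\(target\s*=\s*"(?P<target>[^"]*)"\))?\s*'
    r'\(targetattr\s*(?P<attr_op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'\(?(?P<bind>\w+)\s*(?P<bind_op>!?=)\s*"(?P<subject>[^"]*)"\)?\s*;?\s*\)')

def parse_aci(text):
    """Parse one ACI value; whitespace (including page line wraps) is collapsed first."""
    m = ACI_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised ACI syntax: %r" % text)
    return {
        "name": m["name"], "target": m["target"], "effect": m["effect"],
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "attrs_excluded": m["attr_op"] == "!=",      # the targetattr != "..." form
        "perms": {p.strip().lower() for p in m["perms"].split(",")},
        "bind": m["bind"], "bind_negated": m["bind_op"] == "!=", "subject": m["subject"],
    }

def covers_attr(aci, attr):
    """Does the targetattr clause bring `attr` into the ACI's scope?"""
    attr = attr.lower()
    if aci["attrs"] == {"*"}:
        return True
    in_list = attr in aci["attrs"]
    return not in_list if aci["attrs_excluded"] else in_list

def exposes_userpassword(aci):
    """True if the ACI lets its subject read, search or compare userPassword."""
    return (aci["effect"] == "allow"
            and bool(aci["perms"] & {"read", "search", "compare"})
            and covers_attr(aci, "userPassword"))

def audit(aci_texts):
    """Return the names of the ACIs that expose userPassword to their subject."""
    return [a["name"] for a in map(parse_aci, aci_texts) if exposes_userpassword(a)]

# Sample ACIs: the proxy-user ACI from step 7, plus a constructed anonymous-read ACI
# of the kind step 5 invites when userPassword is left readable by everyone.
PROXY_ACI = ('aci: (target="ldap:///o=hp.com")(targetattr!="userpassword")'
             '(version 3.0; acl "Proxy userpassword read rights"; allow '
             '(compare,read,search) userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)')
ANON_ACI = ('aci: (targetattr = "*")(version 3.0; acl "Anonymous read (constructed)"; '
            'allow (read,search,compare) userdn = "ldap:///anyone";)')

if __name__ == "__main__":
    print(audit([PROXY_ACI, ANON_ACI]))   # -> ['Anonymous read (constructed)']
```

Feed it the aci values exported from your own directory (for example from an ldapsearch for the aci attribute) to review every rule in one pass.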
28 Installing And Configuring LDAP-UX Client Services