LDAP-UX Client Services B.05.00 Administrator's Guide

except dynamic_group. If this limit is reached, new entries are not cached
until enough expired entries are freed to allow it.
The default value is 10000000.
state_dump_time=<0-2147483647>
A state, which functions like a virtual connection between the client and
the LDAP server, is created for a setXXent() request and persists for the
subsequent getXXent() requests. If no get requests are received within
the specified time interval (in seconds), the state is removed. The
default value is 300 (in seconds).
max_enumeration_states=<0-95>[%]
The maximum number of states that ldapclientd allows, that is, the
number of enumerations ldapclientd will handle simultaneously.
This number must be less than max_conn and is configured as a
percentage of max_conn. The minimum value is 0% and the maximum value
is 95%. The default value is 80%. A value of 0% disables enumeration.
poscache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the positive
cache. There is no [general] default value for this setting. Each cache
section has its own default values (listed below). Specifying a value
under [general] will override poscache_ttl defaults in other
sections (where there is no specific poscache_ttl definition for that
section).
negcache_ttl=<1-2147483647>
The time, in seconds, before a cache entry expires from the negative
cache. There is no [general] default value for this setting. Each cache
section has its own default value.
proxy_is_restricted=yes|no
If the proxy user is configured in the LDAP-UX profile and defined in
/etc/opt/ldapux/pcred, this flag attests that the proxy user does
not hold privileged LDAP credentials, meaning the proxy user is
restricted in its rights to access "private" information in the directory
server. As of release B.05.00, ldapclientd provides a local interface
to allow specialized directory-enabled applications to access arbitrary
attributes in HP-UX related directory entries. By default, and if set to
no, ldapclientd will not allow access to attributes beyond those of the
RFC2307 schema and any attribute defined using the
allowed_attribute token. If proxy_is_restricted is set to yes,
then you are attesting that the directory server restricts the proxy
user's access to private or other confidential information.
This allows specialized applications to access any attribute visible to the
proxy user. The default value for this setting is no, meaning
ldapclientd assumes the proxy user has rights beyond those of a
non-privileged user.
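The following added example (not part of the original guide or of LDAP-UX) audits ldapclientd.conf text for the settings that widen which attributes local applications can read: proxy_is_restricted=yes and every allowed_attribute entry. The sample file contents, the "passwd" service name, the placement of these keys under [general], and "#" as the comment character are assumptions made for illustration.

```python
import re

# Constructed sample, not taken from a real host. Placing these keys under
# [general] and the "passwd" service name are assumptions for illustration.
SAMPLE_CONF = """\
[general]
max_enumeration_states=80%
proxy_is_restricted=yes
allowed_attribute=passwd:sshPublicKey
allowed_attribute=sshPublicKey
"""

def parse_conf(text):
    """Return (section, key, value) tuples; repeated keys are preserved."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # "#" comments are an assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries

def audit(text):
    """Report settings that widen which attributes local applications can read."""
    findings = []
    for section, key, value in parse_conf(text):
        where = f"[{section}] {key}={value}"
        if key == "proxy_is_restricted":
            if value == "yes":
                findings.append(("ATTEST", where + ": any attribute visible to the "
                                 "proxy user is exposed; confirm directory ACLs restrict it"))
            elif value != "no":
                findings.append(("INVALID", where + ": expected yes or no"))
        elif key == "allowed_attribute":
            if re.fullmatch(r"[^:\s]+:[^:\s]+", value):
                findings.append(("EXPOSED", where + ": readable beyond RFC2307"))
            else:
                findings.append(("INVALID", where + ": expected service:attribute"))
        elif key == "max_enumeration_states":
            m = re.fullmatch(r"(\d+)%?", value)
            if not m or int(m.group(1)) > 95:
                findings.append(("INVALID", where + ": expected 0-95[%]"))
    return findings

if __name__ == "__main__":
    for level, message in audit(SAMPLE_CONF):
        print(level, message)
```
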
allowed_attribute=service:attribute
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to
access information in the directory server, such as the sshPublicKey
for users and hosts. By setting this parameter, applications can access
any defined attribute even if the proxy_is_restricted value is set
to no (the default). There is no internal default set for this parameter. If
allowed_attribute is not specified, no attributes beyond those defined
in RFC2307 (and as mapped in the configuration profile) will be
5.1 Using the LDAP-UX client daemon 133