LDAP-UX Client Services B.05.00 Administrator's Guide

objectClass: ipHost
objectClass: ldapPublicKey
objectClass: domainEntity
owner: uid=domadmin,ou=People,dc=mydomain,dc=eample,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvrJ...
entityRole: DBSERVER
dn: cn=raptor,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: raptor
ipHostNumber: 16.92.96.215
objectClass: top
objectClass: device
objectClass: ldapPublicKey
objectClass: iphost
objectClass: domainEntity
owner: uid=domadmin,ou=People,dc=mydomain,dc=eample,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxe1...
entityRole: DBSERVER
5.6.7 Managing process access rights (proxy_is_restricted)
If you have configured LDAP-UX to use anonymous access to the directory server, you can skip
this section.
Under the specific conditions described below, the ldaphostlist utility does not allow a user to
display arbitrary attributes of the host entries managed in the directory server. If you
try to display an attribute and cannot view it as expected, use the -v option to verify
whether the attribute was restricted, as shown in the following example. Suppose a user wants
to display the owner of a host and receives a warning message like the one in the example:
# ldaphostlist -n brewer owner
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: brewer
ipHostNumber: 0.0.0.0
# ldaphostlist -v -n brewer owner
WARNING: LST_ATTR_RESTRICTED:
Attribute "owner" is ignored. Access rights to the attribute can not
be determined because proxy access has been defined but
proxy_is_restricted has not been set. Contact your system
administrator.
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: brewer
ipHostNumber: 0.0.0.0
This message can occur if LDAP-UX is configured to use a proxy user to access the directory
server data. This is very common in an ADS environment, since by default, the ADS directory
server does not allow anonymous access to data.
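The -v check above can be automated when auditing many hosts. The following is an added example, not part of the guide or of LDAP-UX: it parses captured ldaphostlist -v output (a constructed copy of the session shown above, no directory is queried) and reports which requested attributes were withheld and under which warning code.

```python
import re

# Constructed sample in the shape of `ldaphostlist -v -n brewer owner` output.
SAMPLE_OUTPUT = """\
WARNING: LST_ATTR_RESTRICTED:
Attribute "owner" is ignored. Access rights to the attribute can not
be determined because proxy access has been defined but
proxy_is_restricted has not been set. Contact your system
administrator.
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: brewer
ipHostNumber: 0.0.0.0
"""

WARN_RE = re.compile(r'^WARNING: (\w+):$')
ATTR_RE = re.compile(r'^Attribute "([^"]+)" is ignored\.')

def parse_ldaphostlist(text):
    """Split ldaphostlist -v output into (warnings, entries).

    warnings: list of (code, attribute) tuples; attribute is None if the
              warning text did not name one.
    entries:  list of dicts, lowercase attribute name -> list of values.
    """
    warnings, entries, current, pending = [], [], None, None
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:                                   # start of a warning block
            pending = [m.group(1), None]
            warnings.append(pending)
            continue
        m = ATTR_RE.match(line)
        if m and pending is not None:           # attribute the warning refers to
            pending[1] = m.group(1)
            continue
        if ': ' in line and not line.startswith(' '):
            name, value = line.split(': ', 1)
            if name == 'dn':                    # 'dn:' opens a new entry
                current = {}
                entries.append(current)
            if current is not None:
                current.setdefault(name.lower(), []).append(value)
    return [tuple(w) for w in warnings], entries

def restricted_attributes(text, requested):
    """Map each requested attribute that was not returned to the warning code
    that explains it (or 'NOT_RETURNED' when -v printed no warning for it)."""
    warnings, entries = parse_ldaphostlist(text)
    ignored = {attr.lower(): code for code, attr in warnings if attr}
    return {a: ignored.get(a.lower(), 'NOT_RETURNED')
            for a in requested if not any(a.lower() in e for e in entries)}
```

Feed it the real output of `ldaphostlist -v` for each host and an empty result means every requested attribute was displayed.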
If you installed and configured a previous version of LDAP-UX, or did not use the guided
installation (autosetup) to configure LDAP-UX, you will have defined your own proxy user.
Because ldaphostlist uses this same proxy user to access directory server data,
ldaphostlist needs to know whether the proxy user has access to data that a nonprivileged user
should not be allowed to view. For example, if the proxy user was defined as
cn=administrator,cn=user,dc=mydomain,dc=example,dc=com (for a Windows domain)
or cn=Directory Manager (for an HP-UX Directory Server), the proxy user has rights to
access any data in the directory server. Although it is bad practice to create a proxy user
with privileged access rights, the proxy user is normally used only by ldapclientd, which
limits what information it requests from the directory server. However, because a user can
instruct ldaphostlist to view any attribute, ldaphostlist does not allow users to specify
arbitrary attributes to be viewed, since the tool cannot know whether the proxy user has more
privileges than should be granted to the user running the utility.
When a host is configured using the guided installation, an entry representing the host is created;
this entry is also used as the proxy user for the OS. Because this host entry is created without
180 Administering LDAP-UX Client Services