LDAP-UX Client Services B.05.00 Administrator's Guide
adding any special privileges, the guided installation sets a special flag (proxy_is_restricted)
inside the /etc/opt/ldapux/ldapclientd.conf file to indicate that the proxy user has
been created without any additional special privileges. This flag is also used by ldaphostlist
to determine whether it is safe to request arbitrary attributes from the directory server. ldaphostlist
assumes that the directory server has defined proper access control limits such that confidential
or private information cannot be viewed by the proxy user. The [general] section of the client
daemon configuration file (ldapclientd.conf) controls this behavior:
...
# If proxy_is_restricted is set to 1, then you are attesting that the
# directory server is restricting access to private or other confidential
# information from access by the proxy user.
proxy_is_restricted=1
# Allows the ldapclientd interface to return attributes that are associated
# with RFC2307-based services (such as users and groups), but that those
# attributes are not specifically part of the RFC2307 schema. Any attribute
# specified below should be considered public information.
allowed_attribute=hosts:sshPublicKey
allowed_attribute=passwd:sshPublicKey
Setting proxy_is_restricted to 1 means that ldaphostlist will not restrict the user from
displaying any attribute (the directory server may still deny access if access control instructions
exist to limit what is visible to the proxy user).
Only set proxy_is_restricted to 1 if you can verify that the proxy user defined in
/etc/opt/ldapux/pcred does not have rights to access data in the directory server beyond those of
any nonprivileged user. To identify which account is defined as the proxy user, run the
ldap_proxy_config utility as follows, and then examine the directory server's access control
settings to verify that account's privileges:
# /opt/ldapux/config/ldap_proxy_config -p
PROXY DN: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
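As an added example (not part of this guide or of the LDAP-UX product), the following Python audit reads the [general] settings described above from ldapclientd.conf-style text and lists what an administrator still has to verify before trusting proxy_is_restricted=1. The sample configuration and the list of attributes treated as non-public are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of the [general] section of ldapclientd.conf (not from a real
# system). The last allowed_attribute line is a deliberate mistake so the audit
# has something to flag: userPassword is never "public information".
SAMPLE_CONF = """\
[general]
# If proxy_is_restricted is set to 1, then you are attesting that the
# directory server is restricting access to private or other confidential
# information from access by the proxy user.
proxy_is_restricted=1
allowed_attribute=hosts:sshPublicKey
allowed_attribute=passwd:sshPublicKey
allowed_attribute=passwd:userPassword
"""

# Assumed list for this example; LDAP-UX itself defines no such list.
SENSITIVE_ATTRIBUTES = {"userpassword", "shadowlastchange", "shadowexpire"}


def parse_general_section(text):
    """Return (proxy_is_restricted, {service: [attributes]}) from [general].
    Repeated allowed_attribute keys are collected rather than overwritten,
    which is why configparser (last value wins) is not used here."""
    restricted, allowed, section = None, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "general" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "proxy_is_restricted":
            restricted = value == "1"
        elif key == "allowed_attribute" and ":" in value:
            service, attr = (part.strip() for part in value.split(":", 1))
            allowed[service].append(attr)
    return restricted, dict(allowed)


def audit(text):
    """Return findings an administrator should act on before deploying the file."""
    restricted, allowed = parse_general_section(text)
    findings = []
    if restricted:
        findings.append("proxy_is_restricted=1: verify the proxy DN's access control "
                        "grants no more than any nonprivileged user")
    for service, attrs in allowed.items():
        for attr in attrs:
            if attr.lower() in SENSITIVE_ATTRIBUTES:
                findings.append(f"allowed_attribute={service}:{attr} names a non-public attribute")
    return findings
```

Run audit() over the real /etc/opt/ldapux/ldapclientd.conf contents and pair its first finding with the ldap_proxy_config -p output above when reviewing the proxy DN's access control instructions.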
5.6 Managing hosts in an LDAP-UX domain 181