LDAP-UX Client Services B.05.00 Administrator's Guide

the sshPublicKey attribute. This ACI is automatically created if you create a new directory
server instance using the guided installation.
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALL]: Allow changes by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)

dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber") (version 3.0;acl "[OWNER:WRITE:HOSTOWNERATTRS]: Allow owner modification of host information";allow (read,compare,search,write,delete,add) userattr = "owner#USERDN";)
aci: (targetattr = "objectclass || cn || dn || owner || host || ipHostNumber || ipNetmaskNumber || ipNetworkNumber || ipProtocolNumber || ipServicePort || ipServiceProtocol || sshPublicKey || oncRpcNumber || userPassword || userCertificate" )(version 3.0;acl "[HOSTADMIN:READ-WRITE:HOSTATTRS]: Allow changes to Unix attributes by Host Administrators";allow (all) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
6.2.6 Administrative users
Any user with the right to modify the sshPublicKey attribute for a host is considered an ssh
key administrator. As the rights in the previous example show, anyone who is a member of
the DomainAdmins or HostAdmins group, or who is listed as the owner of the host entry (the owner
attribute holds the DN of the user), is considered an ssh key administrator. As mentioned
previously, to protect the integrity of the sshPublicKey attribute, this list of users should be
restricted to trusted administrators.
In addition to creating a trusted list of administrators, ldaphostmgr allows keys to be managed
not only on the local host, but also on any remote host that is a member of the same
LDAP-UX domain (that is, one that uses the same LDAP-UX configuration profile). However, for
remote administration to function, the administrators' accounts must also be assigned POSIX
account attributes (this is not required if remote administration is not desired).
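The two paragraphs above define who counts as an ssh key administrator (DomainAdmins and HostAdmins members plus host owners) and note that remote use of ldaphostmgr additionally needs POSIX account attributes on the administrator's entry. The following script is an added example, not code from the LDAP-UX guide or product: it reads an LDIF export of the directory (for instance from an ldapsearch of the domain base), evaluates ACIs of the kind shown in the previous example, and prints every DN that can write sshPublicKey together with the reason and whether that entry carries the posixAccount object class. The embedded LDIF is constructed for the example. Assumptions: only the two bind-rule forms used on this page (groupdn and userattr ...#USERDN) are understood, deny rules and other bind rules are reported as unparsed rather than evaluated, and memberUid values are resolved to DNs through the uid attribute (which member attributes a given server honours for groupdn is server-specific). It goes slightly beyond the page by also handling targetattr != lists and DN-valued member/uniqueMember groups.

```python
"""Audit who can write sshPublicKey from an LDIF export. Added example, not part
of the LDAP-UX guide; the LDIF below is constructed. Lists every DN the ACIs
make an ssh key administrator and whether it carries posixAccount."""
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALL]: Allow changes
  by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)

dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber")(version 3.0;acl "[OWNER:WRITE:HOSTOWNERATTRS]: Allow owner modification of host information";allow (read,compare,search,write,delete,add) userattr = "owner#USERDN";)
aci: (targetattr = "cn || sshPublicKey")(version 3.0;acl "[HOSTADMIN:READ-WRITE:HOSTATTRS]: Allow changes to Unix attributes by Host Administrators";allow (all) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)

dn: cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com
memberUid: domadmin

dn: cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com
memberUid: domadmin
memberUid: abobson

dn: cn=host1,ou=Hosts,dc=mydomain,dc=example,dc=com
owner: uid=carol,ou=people,dc=mydomain,dc=example,dc=com

dn: uid=domadmin,ou=people,dc=mydomain,dc=example,dc=com
uid: domadmin
objectclass: posixAccount

dn: uid=abobson,ou=people,dc=mydomain,dc=example,dc=com
uid: abobson
objectclass: posixAccount

dn: uid=carol,ou=people,dc=mydomain,dc=example,dc=com
objectclass: inetOrgPerson
"""

def parse_ldif(text):
    """Minimal LDIF reader (blank line ends an entry, leading space folds a line)."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # unfold continuation line
        elif raw.strip():
            lines.append(raw)
        elif lines:                                   # blank line: flush the entry
            entry = defaultdict(list)
            for attr, _, value in (l.partition(":") for l in lines):
                entry[attr.strip().lower()].append(value.strip())
            entries[entry["dn"][0]], lines = entry, []
    return entries                                    # {dn: {attr_lower: [values]}}

def dn_in_scope(entry_dn, aci_dn):
    """An ACI applies to the entry it sits on and to everything beneath it."""
    e, a = (re.sub(r"\s*,\s*", ",", d.strip().lower()) for d in (entry_dn, aci_dn))
    return e == a or e.endswith("," + a)

def aci_grants_write(aci, attr="sshpublickey"):
    """(bind_rule_kind, value) if the ACI lets its subject write attr, else None.
    Understands targetattr =/!=, allow(...) rights, groupdn and userattr #USERDN."""
    t = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci, re.I)
    r = re.search(r'allow\s*\(([^)]*)\)', aci)        # deny rules are not evaluated
    if not t or not r:
        return None
    names = [n.strip().lower() for n in t.group(2).split("||")]
    covered = ("*" in names or attr in names) == (t.group(1) == "=")
    rights = {x.strip().lower() for x in r.group(1).split(",")}
    if not covered or not rights & {"all", "write"}:
        return None
    g = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci, re.I)
    u = re.search(r'userattr\s*=\s*"(\w+)#USERDN"', aci, re.I)
    return ("groupdn", g.group(1)) if g else ("userattr", u.group(1).lower()) if u else ("unknown", aci)

def ssh_key_admins(entries):
    """Map each DN that can write sshPublicKey to the reasons it can."""
    admins = defaultdict(set)
    uid_to_dn = {e["uid"][0].lower(): dn for dn, e in entries.items() if e.get("uid")}
    for aci_dn, holder in entries.items():
        for aci in holder.get("aci", []):
            kind, value = aci_grants_write(aci) or (None, None)
            if kind == "groupdn":
                # assumption: memberUid resolves via uid; member/uniqueMember are DNs
                grp = entries.get(value, {})
                members = [uid_to_dn.get(m.lower(), m) for m in grp.get("memberuid", [])]
                members += grp.get("member", []) + grp.get("uniquemember", [])
                for m in members:
                    admins[m].add("member of " + value)
            elif kind == "userattr":                   # e.g. owner#USERDN
                for dn, e in entries.items():
                    if dn_in_scope(dn, aci_dn):
                        for subject in e.get(value, []):
                            admins[subject].add(f"{value} of {dn}")
            elif kind == "unknown":                    # flag, never silently skip
                admins[f"<unparsed bind rule at {aci_dn}>"].add(value)
    return dict(admins)

def remote_admin_ready(entries, admin_dn):
    """Remote key management with ldaphostmgr needs POSIX account attributes."""
    classes = entries.get(admin_dn, {}).get("objectclass", [])
    return "posixaccount" in {c.lower() for c in classes}

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for dn, why in sorted(ssh_key_admins(ents).items()):
        print(dn, sorted(why), "posixAccount:", remote_admin_ready(ents, dn))
```

Run against the constructed data it reports domadmin (member of both groups) and abobson (HostAdmins) as ready for remote administration, and carol, who is an administrator only because she owns cn=host1, as lacking posixAccount. Reviewing this output periodically is a cheap way to confirm that the set of people able to change sshPublicKey is still the intended trusted list.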
You can create an administrator that has the rights to manage ssh public keys using the
ldapugadd and ldapugmod utilities, as in Example 6-1:
Example 6-1 Creating an administrator that has the rights to manage ssh public keys
1. Create the new account using ldapugadd:
# /opt/ldapux/bin/ldapugadd -P -f "Alice Bobson" abobson Surname=Bobson
# /opt/ldapux/bin/ldapuglist -n abobson
dn: uid=abobson,ou=people,dc=mydomain,dc=example,dc=com
cn: Alice Bobson
uid: abobson
uidNumber: 3840
gidNumber: 20
loginShell: /usr/bin/sh
homeDirectory: /home/abobson
gecos: Alice Bobson
2. Add the user to one of the privileged groups (HostAdmins in this case):
# /opt/ldapux/bin/ldapugmod -P -t group -a abobson HostAdmins
# /opt/ldapux/bin/ldapuglist -t group -n HostAdmins
dn: cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com
cn: HostAdmins
memberUid: domadmin
memberUid: abobson
If you already have users who are considered administrators but whose directory server entries
do not carry posixAccount information, you can use the ldapugmod command to extend their
accounts with POSIX attributes. The following example shows how to add posixAccount attributes
to an existing user:
6.2 Setting up the key management domain 199