LDAP-UX Client Services B.05.00 Administrator's Guide
Example 6-2 Extending administrator accounts with posixAttributes
1. Identify the account to extend:
# /opt/ldapux/bin/ldapuglist -F "(cn=bob alison)" \*
dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
gecos: Bob Alison,+1-303-555-5432
2. Add posixAccount attributes using the -O option of ldapugmod:
# /opt/ldapux/bin/ldapugmod -P -O -n balison -u 1234 -g users -d /home/balison \
-s /usr/bin/sh -D "cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com"
# /opt/ldapux/bin/ldapuglist -n balison \*
dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
uid: balison
uidNumber: 1234
gidNumber: 20
loginShell: /usr/bin/sh
homeDirectory: /home/balison
gecos: Bob Alison,+1-303-555-5432
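A check for the result of step 2, as an added example that is not part of the HP guide: it reads ldapuglist-style output, reports which of the attributes set by the ldapugmod options above are still missing, and rejects a uidNumber of 0. The function names and the BEFORE/AFTER samples are constructed for illustration.

```shell
# Added example (not from the HP guide); function names are hypothetical.
# Attributes written by the ldapugmod -n/-u/-g/-d/-s options in step 2.
REQUIRED="uid uidNumber gidNumber homeDirectory loginShell"

# Print the required attributes that are absent or empty in the entry on stdin.
missing_posix_attrs() {
    awk -v req="$REQUIRED" '
        BEGIN { n = split(req, want, " ") }
        {
            i = index($0, ":")          # split at the first colon only
            if (i == 0) next
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)
            if (val != "") seen[tolower(substr($0, 1, i - 1))] = 1
        }
        END {
            for (k = 1; k <= n; k++)
                if (!(tolower(want[k]) in seen))
                    out = out (out == "" ? "" : " ") want[k]
            print out
        }'
}

# Return 0 only when every attribute is present and uidNumber is a non-zero integer.
entry_is_extended() {
    entry=$(cat)
    miss=$(printf '%s\n' "$entry" | missing_posix_attrs)
    [ -z "$miss" ] || { echo "missing: $miss" >&2; return 1; }
    uidnum=$(printf '%s\n' "$entry" |
        awk -F': *' 'tolower($1) == "uidnumber" { print $2; exit }')
    case "$uidnum" in
        ''|*[!0-9]*) echo "uidNumber is not numeric" >&2; return 1 ;;
    esac
    [ "$uidnum" -ne 0 ] || { echo "uidNumber 0 is the root UID" >&2; return 1; }
}

# Constructed samples mirroring the ldapuglist output before and after step 2.
BEFORE='dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
gecos: Bob Alison,+1-303-555-5432'
AFTER="$BEFORE
uid: balison
uidNumber: 1234
gidNumber: 20
loginShell: /usr/bin/sh
homeDirectory: /home/balison"

# On a host: /opt/ldapux/bin/ldapuglist -n balison \* | entry_is_extended
printf '%s\n' "$AFTER" | entry_is_extended && echo "balison: posixAccount attributes complete"
```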
If Bob Alison is not already a member of a privileged group, you can add him as a member
of the Host Administrators group, using a command similar to the one in the previous example:
# /opt/ldapux/bin/ldapugmod -t group -P -a balison HostAdmins
NOTE: In the previous examples, the HostAdmins group is a posixGroup. By default, the
ldapugmod tool only works with posixGroups. However, you can still use ldapugmod to modify
non-posixGroups if your LDAP-UX profile specifies LDAP-style attribute mapping for LDAP-style
groups, and you use the -D option to specify the full DN of the group you want to manage.
If you use groupOfUniqueNames for your LDAP-style groups, then your attribute mapping for
group membership as defined in the LDAP-UX configuration profile should be:
attributemap: group:memberUid=uniqueMember member memberUid
If you use groupOfNames for your LDAP-style groups, then your attribute mapping for group
membership as defined in the LDAP-UX configuration profile should be:
attributemap: group:memberUid=member uniqueMember memberUid
To modify a non-posixGroup, you must use the -D option to specify the group to modify.
For example, assume that cn=Host Administrators is a groupOfNames but not a posixGroup.
With the groupOfNames attributemap shown above, you can add balison as a member using
the following command:
# /opt/ldapux/bin/ldapugmod -t group -P -a balison \
-D "cn=Host Administrators,ou=Groups,dc=mydomain,dc=example,dc=com"
6.3 Managing keys in the directory server
If you have not yet set up a directory server to manage your host information, you can use the
LDAP-UX guided installation to create a new directory server and configure LDAP-UX to manage
hosts in that directory server. The guided installation sets up an environment that meets the host
repository requirements described in the previous section.
After you establish a repository and security framework for your host information, as described
in the previous section, you can begin to manage those hosts. The remainder of this section
describes how to properly configure HP-UX hosts to use the central repository for ssh keys and
how to manage the hosts and their keys.
200 Managing ssh host keys with LDAP-UX