LDAP-UX Client Services B.05.00 Administrator's Guide

If you did not configure LDAP-UX on the current host using the guided installation, you might
not have an entry in the directory server that represents the current host. In that case, you can
add the host using the -a option of the ldaphostmgr command as follows:
brewer(): id
uid=8507(domadmin) gid=220(ldap) groups=88(DomainAdmins)
brewer(): ldaphostmgr -a -f -k rsa "$(hostname)"
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
brewer(): ldaphostlist -k -n "$(hostname)"
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAA...== BEGIN-KM creationtime=20100423234903Z END-KM
In this example, the -a option indicates that the host should be added as a new entry to the
directory server. The -f option indicates that the fully qualified domain name should be added
as well. The -k option indicates that the RSA (SSH protocol version 2) key should be added. Other
key types can be used: the -k option also accepts rsa1, dsa, and the all key type, which means
add/modify all three key types.
NOTE: Whenever you add a new host to the directory server that will contain sshPublicKeys,
you must use the -f option to add the fully qualified domain name (FQDN) for the host, if the
FQDN has not already been set. The ssh toolset uses network naming services (typically DNS)
to map a host's IP address to its host name. The name it obtains is the fully qualified domain
name, and that is the name ssh must be able to validate in the directory server. Notice that in the
previous example, the cn attribute is listed twice, once with the short name and once with the
FQDN.
The ldaphostmgr and ldaphostlist tools provide a smoother user interface for entering
user credentials when they are run by accounts whose posixAccount entries are managed in the
directory server. For the purposes of this demonstration, the domadmin user is used; it is created
by default when a new directory server instance is created using the guided installation.
When ldaphostmgr is used to add a new host, it determines the location to add the host using
the LDAP-UX configuration profile. By default, when using a guided installation, this location
is ou=Hosts,defaultBaseDN. You can use the ldapcfinfo command to determine the
location that ldaphostmgr will use:
# /opt/ldapux/bin/ldapcfinfo -t hosts -b
ou=Hosts,dc=mydomain,dc=example,dc=com
See Section 6.2.2 (page 197) for additional information. If you wish to place the host in a different
location of the directory server tree, you can use the -B option.
While ldaphostmgr can be used to add the current ssh public keys of the local host, it is also
possible to add keys of other remote HP-UX hosts managed by LDAP-UX that are in the current
LDAP-UX domain. Just specify the name of the remote host; however, if ldaphostmgr has no
way to identify the remote host, it displays an ssh-like warning message to indicate this:
chef (): ldaphostmgr -a -f -k rsa baker
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
WARNING: The identity of the host "baker" could not be verified.
SSH key fingerprint: b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c.
The SSH key for the remote host is unknown. This host's key is currently not
managed in the directory server and should be positively identified before
adding this key to the directory server. Once added, this key will be
trusted by all other LDAP-enabled ssh clients. Using ldaphostmgr on the
remote host, instead of adding this key remotely, will avoid generating
this warning message. Do you wish to trust this key (y/n)?: n
ERROR: HST_UNTRUSTED_REMOTE_HOST:
The identity of the host "baker" could not be verified. SSH key
202 Managing ssh host keys with LDAP-UX
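The two checks this section asks an administrator to make by hand are that a host entry carries both the short name and the FQDN as cn values, and that a remote host's key is positively identified before it is added (since, once in the directory, it is trusted by every LDAP-enabled ssh client in the domain). The following Python script is an added example, not part of the Administrator's Guide or of the LDAP-UX toolset: it parses ldaphostlist-style LDIF output, checks the cn values, splits the sshPublicKey value into key type, key blob and the BEGIN-KM/END-KM metadata trailer, and compares the MD5 fingerprint of the stored key (the colon-separated 16-byte form that matches the warning shown above; that this is an MD5 fingerprint is an assumption) against a fingerprint obtained out of band from the host. The host entry and the RSA key blob are constructed sample data, not a real key.

```python
"""Validate an LDAP-UX host entry before trusting its sshPublicKey (added example)."""
import base64
import hashlib
import re
import struct


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, keeping multi-valued attributes."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_ssh_public_key(value):
    """Split an sshPublicKey value into (key type, base64 blob, metadata dict).

    The "BEGIN-KM ... END-KM" trailer is the key-metadata block seen in the
    ldaphostlist output above (creationtime=...); it is not part of the OpenSSH key.
    """
    m = re.match(r"^(\S+)\s+(\S+)(?:\s+BEGIN-KM\s+(.*?)\s+END-KM)?", value)
    if not m:
        raise ValueError("unrecognised sshPublicKey value: %r" % value)
    key_type, blob, meta = m.group(1), m.group(2), m.group(3) or ""
    metadata = dict(item.split("=", 1) for item in meta.split() if "=" in item)
    return key_type, blob, metadata


def md5_fingerprint(blob_b64):
    """MD5 fingerprint of the decoded key blob as aa:bb:cc:... (16 hex pairs)."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def has_short_and_fqdn(entry):
    """True if cn lists a short host name and an FQDN whose first label is that name."""
    names = entry.get("cn", [])
    shorts = [n for n in names if "." not in n]
    fqdns = [n for n in names if "." in n]
    return any(f.split(".", 1)[0] == s for s in shorts for f in fqdns)


def check_host_entry(ldif_text, observed_fingerprint, key_type="ssh-rsa"):
    """Return (ok, reasons): ok is True only if the entry is well formed and the stored
    key of the requested type matches the fingerprint observed out of band."""
    entry = parse_ldif_entry(ldif_text)
    reasons = []
    if not has_short_and_fqdn(entry):
        reasons.append("cn must list both the short host name and its FQDN")
    stored = [parse_ssh_public_key(v) for v in entry.get("sshPublicKey", [])]
    blobs = [blob for ktype, blob, _ in stored if ktype == key_type]
    if not blobs:
        reasons.append("no %s sshPublicKey stored for this host" % key_type)
    elif md5_fingerprint(blobs[0]) != observed_fingerprint.strip().lower():
        reasons.append("stored key fingerprint does not match the observed fingerprint")
    return (not reasons, reasons)


def build_rsa_blob(e, n):
    """Constructed ssh-rsa wire blob (RFC 4253 string/mpint layout) for toy values.
    Used only to fabricate sample data; the numbers are not a usable key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b

    def mpint(x):  # big-endian, with a leading zero byte when the top bit is set
        return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

    return base64.b64encode(ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()


# Constructed sample modelled on the ldaphostlist output in the text (not real data).
SAMPLE_BLOB = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
SAMPLE_LDIF = (
    "dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com\n"
    "cn: brewer\n"
    "cn: brewer.mydomain.example.com\n"
    "ipHostNumber: 16.92.96.225\n"
    "sshPublicKey: ssh-rsa %s BEGIN-KM creationtime=20100423234903Z END-KM\n" % SAMPLE_BLOB
)

if __name__ == "__main__":
    # A matching fingerprint passes; a mismatch or a missing FQDN is reported.
    print(check_host_entry(SAMPLE_LDIF, md5_fingerprint(SAMPLE_BLOB)))
    print(check_host_entry(SAMPLE_LDIF, "b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c"))
    print(check_host_entry(SAMPLE_LDIF.replace("cn: brewer.mydomain.example.com\n", ""),
                           md5_fingerprint(SAMPLE_BLOB)))
```

In practice the observed fingerprint would come from the host's console or from an administrator who has already verified it, and the LDIF from ldaphostlist -k -n on the host name; the script only confirms that the directory entry is complete and that the stored key is the one that was verified, which is the decision the ldaphostmgr warning asks you to make.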