LDAP-UX Client Services B.05.00 Administrator's Guide

7.2.6 ldap_proxy_config tool
This tool, found in /opt/ldapux/config, configures a proxy user or an Admin Proxy user
for the client accessing the directory. It stores the proxy user information in the user proxy
credential file /etc/opt/ldapux/pcred. The Admin Proxy user information is stored in the
administrator proxy credential file /etc/opt/ldapux/acred. If you are using only anonymous
access, you do not need to use this tool. You must run this tool logged in as root. While the data
stored in the pcred and acred files are protected for root-only access and not stored in plain
text, the data is not encrypted.
The /etc/opt/ldapux/pcred file is used to contain credentials that represent all users of the
HP-UX OS to the directory server. For example, when a user wishes to run the ls -l command
to see who owns a file or directory, the OS must contact the directory server to translate the
owner ID number into a name. If the directory server does not allow anonymous access, a proxy
user must be created to authenticate to the directory server and represent any user
requesting such information.
The /etc/opt/ldapux/acred file is used to represent any administrative user (typically root),
which should have additional permissions in the directory server beyond that of the
non-privileged user. The acred file will store the credentials of a user with permissions to modify
specific attributes (as needed) based on commands that are performed on the OS. Specifically,
the acred credential allows a root user to change any user's nisPublickey and nisPrivate
key attributes. Because the chkey and newkey commands do not prompt for directory user
credentials, the acred file is required to allow the administrator to reset such attributes. The
acred file is also used by the ldapugadd, ldapugmod, ldapugdel and ldaphostmgr
commands. However, those utilities can prompt for credentials or obtain them
by other methods, so the acred file is not required. Because a privileged credential is stored
in the acred file, creation of the acred file is recommended only for managing NIS keys in the
directory server, and only if key reset is required. In addition, access to the acred file must be
restricted.
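The guide states that pcred and acred are protected for root-only access and that access to acred must be restricted. One way to verify this on a client is shown below as an added example that is not part of the guide. The file paths are the guide's; the function names check_cred_file and audit_ldapux_creds and the exact policy checked (regular file, owner uid 0, no group or other permission bits) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the guide. Paths are the guide's; the policy
# (regular file, owner uid 0, no group/other bits) is an assumption.

# check_cred_file PATH [EXPECTED_UID]  (hypothetical helper)
# Returns 0 if PATH is absent or correctly restricted, 1 otherwise.
check_cred_file() {
    ccf_path=$1
    ccf_want=${2:-0}
    # A symbolic link could point readers or the tool at another file.
    if [ -h "$ccf_path" ]; then
        echo "FAIL $ccf_path: symbolic link"; return 1
    fi
    # Absent is fine: pcred is unneeded with anonymous access, acred is optional.
    if [ ! -e "$ccf_path" ]; then
        echo "OK   $ccf_path: not present"; return 0
    fi
    if [ ! -f "$ccf_path" ]; then
        echo "FAIL $ccf_path: not a regular file"; return 1
    fi
    # ls -ln: field 1 is the mode string, field 3 the numeric owner.
    set -- $(ls -ln "$ccf_path")
    ccf_mode=$1
    ccf_uid=$3
    ccf_rc=0
    if [ "$ccf_uid" != "$ccf_want" ]; then
        echo "FAIL $ccf_path: owner uid $ccf_uid, expected $ccf_want"; ccf_rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $ccf_mode in
        ????------*) ;;
        *) echo "FAIL $ccf_path: mode $ccf_mode allows group/other access"; ccf_rc=1 ;;
    esac
    [ "$ccf_rc" -eq 0 ] && echo "OK   $ccf_path: $ccf_mode uid $ccf_uid"
    return "$ccf_rc"
}

# Check both credential files named in the guide; run as root.
audit_ldapux_creds() {
    audit_rc=0
    for audit_f in /etc/opt/ldapux/pcred /etc/opt/ldapux/acred; do
        check_cred_file "$audit_f" 0 || audit_rc=1
    done
    return "$audit_rc"
}

audit_ldapux_creds || echo "credential file permissions need attention"
```

The check covers ownership and permission bits only; it does not inspect ACLs or the parent directory.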
7.2.6.1 Syntax
ldap_proxy_config [options]
where options can be any of the following:
-A  Applies the action to the Admin Proxy user. This option must be specified
    with another option to apply the operation for the Admin Proxy user.
-e  Erases the currently configured proxy user from the file
    /etc/opt/ldapux/pcred. Has no effect on the proxy user information in the
    directory itself.
-i  Configures the proxy user interactively from stdin. Use the -A -i options
    to configure an Admin Proxy user.
    If you use ldap_proxy_config -i to configure the proxy user with simple
    authentication, type the command with -i, then press Return. Next, type the
    proxy user DN, then press Return. Finally, type the proxy user's credential
    or password and press Return.
    If you configure the proxy user using SASL/DIGEST-MD5 with DN
    authentication (that is, the DN is used to generate the DIGEST-MD5 hash),
    type the command with -i, then press Return. Next, type the proxy user DN,
    then press Return. Next, type the proxy user's credential or password and
    press Return. Finally, press Return.
    If you configure the proxy user using SASL/DIGEST-MD5 with UID
    authentication (that is, the UID attribute is used to generate the
    DIGEST-MD5 hash), type the command with -i, then press Return. Next, type
    the proxy user DN, then press Return. Next, type the proxy user's credential
    or password and press Return. Finally, type the proxy user's UID and press
    Return.