LDAP-UX Client Services B.05.00 Administrator's Guide

configured LDAP-UX authentication method. If neither of the above-mentioned environment
variables was specified, ldaphostmgr determines whether the configured credential type is
“proxy” and, if so, attempts to bind to the directory server using the configured LDAP-UX proxy
credential. If configured, the acred proxy credential is used for administrative users (determined
by whether the user running ldaphostmgr has enough privilege to read the /etc/opt/ldapux/acred
file). An additional requirement when managing a remote host is that the specified credential
must also have POSIX account attributes in its directory server entry. This means
that if the acred credentials are used, they too must represent a POSIX account.
NOTE: To prevent discovery of the LDAP administrator's credentials, the LDAP user DN and
password cannot be specified as command-line options to the ldaphostmgr utility.
7.3.8.5 Security Considerations
Use of ldaphostmgr requires the permissions of an LDAP administrator when it performs its
operations on the directory server. The rights to create new LDAP directory entries under
the requested subtree, along with the creation of the required attributes in that entry, must be
granted to the LDAP administrator identity that is specified when executing ldaphostmgr.
When creating, changing, or validating the host keys of a remote host, ldaphostmgr
attempts to create a session on the remote host using the identity of the user running the
ldaphostmgr command. This means the specified LDAP identity must have an associated
posixAccount object class. The session to the remote host is established using ssh itself. If
the ssh public key for the remote host is not defined in the directory server or in a local
known_hosts file, the user is prompted before a connection to the remote host is created
(since in this condition it is possible that the remote host is an impostor). Such connections should
not be allowed unless the key fingerprint can be validated.
If the current user has sufficient privilege to modify the sshPublicKey attribute in a
representative host entry in the directory server, ldaphostmgr allows the current user to
modify the public and private key pairs for the host (local or remote). ldaphostmgr runs
as a setuid program and temporarily elevates its privilege in this situation.
As with any identity repository, modification of this repository will likely have
impacts as defined by the organization’s security policy. Users of ldaphostmgr are expected
to have full knowledge of the impact on the organization’s security policy when adding,
removing, or modifying host information in that repository.
To support non-interactive use of the ldaphostmgr command, the LDAP user's credentials
must be specified through the LDAP_BINDDN and LDAP_BINDCRED
environment variables. To prevent exposure of these environment variables, they should
be unset after use. Note that the shell's command history log may contain copies of the
executed commands that show the setting of these variables. Access to a shell’s history file
must be protected. As an alternative, the environment variables used by ldaphostmgr can
be specified in a file, using the -E option. Specification of the LDAP administrator's
credentials on the command line is not allowed, since information about the currently
running processes can be exposed externally from the session. Allowing interactive prompting
for these credentials (not specifying -X) eliminates the need to set the LDAP_BINDDN and
LDAP_BINDCRED environment variables.
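The variable hygiene described above, as an added shell wrapper that is not part of this guide or of the LDAP-UX product: it reads LDAP_BINDDN and LDAP_BINDCRED from a file that must be mode 0600, exports them only for the duration of one command (ldaphostmgr in practice), and unsets them afterwards so nothing is typed on the command line or left in the session. The one-VAR=value-per-line file layout is an assumption of this example, not the documented -E file format.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX guide. The credential file layout
# (one VAR=value per line) is an assumption of this example.

# Return 0 only if the file is a regular file with no group/other permission
# bits (mode 0600 or stricter). ls -l is used so that this works on systems
# without stat(1).
envfile_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Export LDAP_BINDDN and LDAP_BINDCRED from the file, run the given command
# (for example ldaphostmgr with its usual arguments), then unset both
# variables regardless of how the command exits. Returns the command's
# exit status, or 2 if the credential file is unusable.
run_with_ldap_creds() {
    file=$1; shift
    envfile_is_private "$file" || {
        echo "refusing: $file must be a regular file with mode 0600" >&2
        return 2
    }
    # Only the two variables ldaphostmgr needs are read; other lines are ignored.
    LDAP_BINDDN=$(sed -n 's/^LDAP_BINDDN=//p' "$file")
    LDAP_BINDCRED=$(sed -n 's/^LDAP_BINDCRED=//p' "$file")
    [ -n "$LDAP_BINDDN" ] && [ -n "$LDAP_BINDCRED" ] || {
        echo "refusing: $file lacks LDAP_BINDDN or LDAP_BINDCRED" >&2
        return 2
    }
    export LDAP_BINDDN LDAP_BINDCRED
    "$@"
    rc=$?
    unset LDAP_BINDDN LDAP_BINDCRED
    return $rc
}
```

Because the credentials never appear in the command line, the shell history records only the wrapper invocation and the file name.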
7.3.8.6 Usage Notes
Under common usage, ldaphostmgr uses the LDAP replace operation when changing the values
of an attribute in an entry. This affects attributes that have multiple values, because it
removes all existing values of the attribute and replaces them with the single value specified on the
ldaphostmgr command line. For example, if the -c argument is used to specify a new description
for a host, all occurrences of the description attribute are replaced by the value specified for
the -c argument. This mode of operation applies to the -I command argument as well.
7.3 LDAP user and group management tools 275