LDAP-UX Client Services B.05.00 Administrator's Guide

Information model: Defines the types of objects managed in the directory server and the
attributes and object classes that represent them, as described in Section 2.3.2.2 (page 29).
Security framework: Defines rights to access and modify data in the DIT, including the
definition of three management groups, the Access Control Instructions (ACIs) that grant
permissions to each group to manage different objects in the DIT, and general access policies
such as which attributes are considered public and private. Details are provided in
Section 2.3.2.3 (page 33).
2.3.2.1 Directory information tree (DIT)
When the guided installation creates a new HP-UX Directory Server instance, it creates the
foundation for a directory information tree, which is a name space that stores the users, groups,
hosts, and configuration in the LDAP-UX domain. This tree can be expanded or altered, as long
as appropriate updates are made to the LDAP-UX configuration profile.
To build the DIT, the guided installation creates the root suffix based on the discovered or
specified DNS domain. The guided installation uses the domain component syntax to define the
root suffix DN, as defined by RFC 2247. Below that, it defines the organizational units to act as
containers for the users, groups, hosts, and configuration, as shown in Figure 2-1 (page 28).
Figure 2-1 Directory information tree (DIT)
[Figure: tree diagram. The root suffix dc=example,dc=com has the containers ou=Configuration, ou=Services, ou=Hosts, ou=People and ou=Groups beneath it. Leaf entries shown in the figure: cn=domain-ldapuxprofile, cn=domain CA Certificate, cn=LDAP Server (domain-master), the management groups cn=UserAdmins, cn=HostAdmins and cn=DomainAdmins (under ou=Groups), cn=host1 ... (under ou=Hosts), and uid=domadmin (under ou=People).]
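The mapping from a DNS domain to the root suffix DN, and the skeleton of containers and management groups that hangs below it, can be reproduced in a few lines. The following Python is an added example, not code from the guide or from the LDAP-UX product: it applies the RFC 2247 domain-component mapping, validates each DNS label so that no DN-special character can reach the suffix, emits LDIF for the entries named in this section, and includes a small subtree check of the kind an administrator might use when verifying that an entry sits in the container whose management group is supposed to cover it. The object classes, the group membership of the Domain Administrator and the helper names are assumptions.

```python
"""Derive the LDAP-UX root suffix from a DNS domain (RFC 2247 domain
component syntax) and emit LDIF for the DIT skeleton of Figure 2-1.
Added example for this guide; object classes and group membership are
assumptions, not the guided installation's actual output."""
import re

# A DNS label: letters, digits and interior hyphens, at most 63 characters.
_LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')

# Containers and management groups named in Section 2.3.2.1.
CONTAINERS = ('Configuration', 'Services', 'Hosts', 'People', 'Groups')
MANAGEMENT_GROUPS = ('UserAdmins', 'HostAdmins', 'DomainAdmins')


def domain_to_root_suffix(domain):
    """Map 'example.com' to 'dc=example,dc=com' (RFC 2247).

    Each DNS label becomes one dc= RDN, leftmost label first.  Labels are
    validated so that no DN-special character (',', '+', '=', ...) can
    slip into the suffix unescaped."""
    labels = domain.strip().rstrip('.').lower().split('.')
    if not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError('not a valid DNS domain: %r' % (domain,))
    return ','.join('dc=' + label for label in labels)


def normalize_dn(dn):
    """Crude DN normalization for comparison: strip spaces around RDN
    separators and lower-case.  Sufficient for the simple DNs built here;
    values containing escaped commas would need a real DN parser."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


def is_under_subtree(entry_dn, container_dn):
    """True if entry_dn is a proper descendant of container_dn.

    Useful when checking that an entry sits in the subtree whose ACIs a
    management group is expected to cover (for example that a user entry
    really lives under ou=People before UserAdmins rights apply to it)."""
    entry, container = normalize_dn(entry_dn), normalize_dn(container_dn)
    return entry != container and entry.endswith(',' + container)


def build_dit_ldif(domain, domain_admin='domadmin'):
    """Return LDIF (parent before child) for the root suffix, the five
    containers, the Domain Administrator and the three management groups.

    Assumptions: the suffix entry is a 'domain', containers are
    'organizationalUnit', the administrator is 'inetOrgPerson' and the
    groups are 'groupOfNames' with the administrator as initial member."""
    suffix = domain_to_root_suffix(domain)
    first_dc = suffix.split(',', 1)[0][len('dc='):]
    admin_dn = 'uid=%s,ou=People,%s' % (domain_admin, suffix)

    entries = [['dn: ' + suffix, 'objectClass: top', 'objectClass: domain',
                'dc: ' + first_dc]]
    for ou in CONTAINERS:
        entries.append(['dn: ou=%s,%s' % (ou, suffix), 'objectClass: top',
                        'objectClass: organizationalUnit', 'ou: ' + ou])
    entries.append(['dn: ' + admin_dn, 'objectClass: top',
                    'objectClass: person', 'objectClass: organizationalPerson',
                    'objectClass: inetOrgPerson', 'uid: ' + domain_admin,
                    'cn: Domain Administrator', 'sn: Administrator'])
    for group in MANAGEMENT_GROUPS:
        entries.append(['dn: cn=%s,ou=Groups,%s' % (group, suffix),
                        'objectClass: top', 'objectClass: groupOfNames',
                        'cn: ' + group, 'member: ' + admin_dn])
    return '\n\n'.join('\n'.join(entry) for entry in entries) + '\n'


if __name__ == '__main__':
    print(build_dit_ldif('example.com'))
```

Running the script prints the LDIF in parent-before-child order, which is the order an LDAP add has to follow. The label validation is the security-relevant part: a domain string is the one input here that comes from outside the directory, and rejecting anything that is not a plain DNS label keeps it from being turned into extra RDNs in the suffix.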
The subtrees created in the DIT (and shown in Figure 2-1 (page 28)) are:
ou=People: Stores all users managed in the LDAP-UX domain. Utilities, such as the LDAP
user/group management tools (see Section 7.3 (page 219)) and ldapentry (see Section 7.4.1
(page 292)) can be used to manage users and accounts under this subtree. The ou=People
subtree will be populated with one user, the Domain Administrator. By default, the LDAP-UX
Domain Administrator is named domadmin. The guided installation allows this name to be
changed.
ou=Groups: Stores all groups managed in the domain. The LDAP user/group management
tools and ldapentry can also be used to manage these groups. This subtree will be
populated with the initial management groups, cn=UserAdmins, cn=HostAdmins, and
cn=DomainAdmins. Members of these groups will be granted privileges to manage their
related data. For more information about privileges and security in general, see Section 2.3.2.3
(page 33), “Security Framework”.
ou=Hosts: Registers information about hosts and devices associated with the LDAP-UX
domain. The LDAP host tools ldaphostmgr and ldaphostlist (see Section 7.3 (page 219)),
or ldapentry can be used to manage hosts and devices under this subtree. When the guided
28 Installing and configuring LDAP-UX Client Services