LDAP-UX Client Services B.05.00 Administrator's Guide

NOTE: To prevent discovery of the LDAP administrator's credentials, the LDAP user DN and
password cannot be specified as command-line options to the ldaphostlist utility.
7.3.9.6 Errors and Warnings
Upon exit, ldaphostlist returns a 0 (zero) exit status if no errors or warnings were encountered.
If ldaphostlist encounters an error or warning, it returns a nonzero exit status and logs one or
more messages to stderr. Messages have the following format:
ERROR: code:
message
or
WARNING: code:
message
Leading extra white space might be inserted to improve readability and follow 80-column screen
formatting. code is a programmatically parsable error key-string, while message is
human-readable. Refer to the LDAP-UX Client Services Administrator's Guide for a list of possible
error codes generated by the LDAP user and group management tools.
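The message format above is regular enough to be consumed by a script. The following POSIX shell snippet is an added example and is not part of the LDAP-UX guide or its tools: it extracts the severity and the machine-parsable key-string from captured ldaphostlist stderr output, tolerating the extra leading white space the guide says may be inserted. The sample stderr text and the key-strings SAMPLE_WARNING_KEY and SAMPLE_ERROR_KEY are constructed for illustration only; the real list of codes is the one the guide refers to above.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): pull the programmatically
# parsable key-strings out of ldaphostlist stderr output, which has the form
#     ERROR: code:
#     message
# or  WARNING: code:
#     message
# possibly indented for 80-column readability.

# Constructed sample of what a run might log to stderr. The key-strings are
# hypothetical placeholders, not real LDAP-UX codes.
SAMPLE_STDERR='    WARNING: SAMPLE_WARNING_KEY:
        The proxy user is restricted; some attributes were not displayed.
ERROR: SAMPLE_ERROR_KEY:
    Could not contact the directory server.'

# ldaphostlist_msg_keys: read stderr text on stdin and print one line per
# message as "<SEVERITY> <code>", dropping the human-readable message lines.
ldaphostlist_msg_keys() {
    # Leading white space carries no meaning, so strip it before matching.
    sed 's/^[[:space:]]*//' |
    awk '/^(ERROR|WARNING): .*:$/ {
            sev = $1;  sub(/:$/, "", sev)                 # "ERROR:" -> "ERROR"
            code = $0; sub(/^[A-Z]*: /, "", code)         # drop the severity
            sub(/:$/, "", code)                           # drop trailing colon
            print sev, code
         }'
}

# ldaphostlist_has_error TEXT: succeed (exit 0) if TEXT holds at least one
# ERROR message; warnings alone do not count.
ldaphostlist_has_error() {
    printf '%s\n' "$1" | ldaphostlist_msg_keys | grep -q '^ERROR '
}

# Typical use with a real run (not executed here):
#   ldaphostlist ... 2>"$errlog"; status=$?
#   ldaphostlist_msg_keys <"$errlog"      # e.g. "WARNING <code>"
# A status of 0 means the log should contain no ERROR or WARNING lines.
```

Because the key-string is what the guide calls the parsable part, a monitoring job should branch on it (and on the exit status) rather than on the message text, which is free-form and may be reflowed.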
7.3.9.7 External influences
7.3.9.7.1 Environment Variables
The ldaphostlist tool supports the following environment variables:
LDAP_BINDDN
Specifies the DN of a user with sufficient directory server privilege to
discover and enumerate hosts in the LDAP directory server. While this
variable is optional, if LDAP_BINDDN is specified, LDAP_BINDCRED
must also be specified.
LDAP_BINDCRED
Specifies a password or other type of credential used for the user specified
by the LDAP_BINDDN. While this variable is optional, if
LDAP_BINDCRED is specified, LDAP_BINDDN must also be specified.
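Added example, not from the LDAP-UX guide: a POSIX shell wrapper that supplies LDAP_BINDDN and LDAP_BINDCRED to a single non-interactive invocation in the way the Security Considerations section below calls for, that is, without placing them on the command line (where ps exposes them), without typing them into a shell whose history file records them, and without leaving them set in the caller's environment afterwards. The credential file layout (mode 0600, DN on the first line, credential on the second) and the function name run_with_ldap_bind are my assumptions; the stand-in command used for checking is constructed and takes the place of ldaphostlist.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): scope LDAP_BINDDN/LDAP_BINDCRED
# to one command. Assumed layout of CREDFILE: line 1 = bind DN, line 2 =
# credential, file mode 0600 and owned by the invoking user.

# run_with_ldap_bind CREDFILE COMMAND [ARGS...]
# Reads the credential file, exports both variables inside a subshell,
# runs COMMAND there, and returns COMMAND's exit status. The variables die
# with the subshell, so the caller never has to remember to unset them, and
# the command line typed by the operator contains no secret.
run_with_ldap_bind() {
    cf=$1; shift
    if [ ! -f "$cf" ]; then
        echo "run_with_ldap_bind: $cf: no such file" >&2
        return 2
    fi
    # Refuse a credential file that group or others can read: columns 5-10
    # of `ls -l` are the group/other permission bits, e.g. "-rw-------".
    perms=$(ls -ld "$cf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "run_with_ldap_bind: $cf must be mode 0600" >&2
        return 2
    fi
    (
        LDAP_BINDDN=$(sed -n '1p' "$cf")
        LDAP_BINDCRED=$(sed -n '2p' "$cf")
        # The guide requires both to be set together, or neither.
        [ -n "$LDAP_BINDDN" ] && [ -n "$LDAP_BINDCRED" ] || {
            echo "run_with_ldap_bind: $cf must hold DN on line 1, credential on line 2" >&2
            exit 2
        }
        export LDAP_BINDDN LDAP_BINDCRED
        "$@"
    )
}

# Real use (not executed here); the history file then records only this line:
#   run_with_ldap_bind /var/opt/ldapux/hostlist.cred ldaphostlist ...
```

Standing alone, the wrapper does what the guide's manual procedure does (set, run, unset) but makes the unset step structural: once the subshell exits, `env` in the calling shell shows neither variable. The mode check is a guard against the most common mistake with such files, not a substitute for keeping the credential file out of shared or backed-up locations.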
7.3.9.7.2 LDAP-UX Configuration
If ldaphostlist binds to the directory server using the proxy user's credential (this happens
when LDAP-UX is configured to use the proxy user and no credentials were provided to
ldaphostlist, as described in Binding to the Directory Server), the attributes displayed by
ldaphostlist might be limited. ldaphostlist must assume that the LDAP-UX proxy user has more
rights to view data in the directory server than a nonprivileged user (for example, an
administrator might have configured cn=Directory Manager as the proxy user), so it restricts its
output rather than pass those rights on to whoever runs the command. In this scenario,
ldaphostlist displays only the cn, ipHostNumber, and sshPublicKey attributes, even when the
attr list is requested. If LDAP-UX is configured to use the proxy user, you can indicate to
ldaphostlist that the proxy user does not have special privileges. To do so, modify the
proxy_is_restricted parameter in the /etc/opt/ldapux/ldapclientd.conf file. Setting
proxy_is_restricted to 1 allows ldaphostlist to display any attribute requested in the attr
list, provided the proxy user is allowed to view that attribute.
7.3.9.8 Security Considerations
To support non-interactive use of the ldaphostlist command, the LDAP user's credentials may
have to be supplied. In non-interactive mode these credentials are supplied in the
LDAP_BINDDN and LDAP_BINDCRED environment variables. To limit their exposure, unset both
variables as soon as the command has run. Note that the shell's command history may retain the
commands that set these variables, so access to the shell's history file must be protected.
Specifying the LDAP user's credentials on the command line is not allowed, because information
about the currently running processes, including their arguments (for example, through ps), can
be read from outside the session. Specifying the -P option allows for interactive prompting
284 Command and tool reference