LDAP-UX Client Services B.05.00 Administrator's Guide
Figure 8-3 Sample passwd command wrapper
#!/usr/bin/ksh
#
# You can put a default master LDAP server host name
# here. Otherwise the local host is the default.
#
#LDAP_MASTER="masterHostName"
# A host name given on the command line overrides the default.
if [[ "$1" != "" ]]
then
    LDAP_MASTER="$1"
fi
# No host given: take the first host from the LDAP_HOSTPORT line that
# follows "Service: NSS" in the client configuration file.
if [[ "$LDAP_MASTER" = "" ]]
then
    eval "$(sed -e "1,/Service: NSS/d" /etc/opt/ldapux/ldapux_client.conf | \
        grep "^LDAP_HOSTPORT")"
    LDAP_MASTER="$(echo $LDAP_HOSTPORT | cut -d" " -f 1)"
fi
# The search base comes from the downloaded configuration profile.
LDAP_BASEDN="$(grep -i "^defaultsearchbase:" \
    /etc/opt/ldapux/ldapux_profile.ldif | cut -d" " -f 2-99)"
/opt/ldapux/bin/ldappasswd -b "$LDAP_BASEDN" -h "$LDAP_MASTER"
Alternatively, your users can use a simple LDAP gateway through a web browser connected to
the directory to change their password. The advantage of this method is that your users can also
change their other personal information, as described below.
8.2 Modifying personal information
On HP-UX, users change their personal information (sometimes called "gecos" information), such
as full name, phone number, and location, with the chfn command, which changes /etc/passwd.
HP-UX users change their login shell with the chsh(1) command, which also changes /etc/passwd.
Because of authentication and access permission requirements, these commands do not directly
support LDAP-managed data.
If directory server access control permissions allow, users can instead use the ldapugmod
command to change some of their own attributes. You may need to grant users permissions to
modify their own attributes. Directory server vendors may use unique methods for granting
access control rights. For HP-UX Directory Server, you can review the default self-write rights
granted to users in Section 2.3.2.3.2 (page 34). However, before you grant additional rights, be
aware of the security impact. For example, if you allow a user to modify his own entityRole
attribute, and that attribute is used to define access rights, then you may be granting unintended
access rights. Similarly, if you want users to be able to change their own login shell, you could
grant self-write permissions to the loginShell attribute. However, once users have rights to
modify the loginShell attribute, they can set it to any value, that is, to any program. The chsh
command limits which shells may be used on a host, but users would be able to bypass this
restriction if they are granted self-write rights to the loginShell attribute.
Also, if you have the HP-UX Directory Server, then in addition to the ldapugmod tool you can
use the Directory Server Console or the ldapmodify command to change personal information.
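Two defender-side helpers for the self-write rights discussed above, added here as an example; they are not from this guide or from HP. The first builds a self-write ACI limited to named personal-information attributes and refuses loginShell, entityRole and the POSIX account fields (the attribute set and the base DN ou=People,dc=example,dc=com are assumptions; the ACI syntax is the 389-family syntax that HP-UX Directory Server uses). The second audits loginShell values from ldapsearch LDIF output against an /etc/shells-style list, which is the restriction chsh would otherwise have enforced. All sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX guide or from HP: two defender-side
# helpers for granting self-write rights safely and for auditing the result.
# The base DN, attribute names and all sample data are constructed; the ACI
# syntax is the one used by HP-UX Directory Server and other 389-family servers.

# self_write_ldif BASE_DN ATTR...
# Emits an LDIF modification that lets users write only the listed attributes
# of their own entry.  Attributes that affect authorization or login (the
# guide's loginShell and entityRole examples, plus the POSIX account fields,
# an assumed list) are refused so the ACI cannot silently grant them.
self_write_ldif() {
    base="$1"; shift
    attrs=""
    for a in "$@"; do
        case "$a" in
            loginShell|entityRole|uidNumber|gidNumber|homeDirectory|userPassword)
                echo "refusing self-write on $a" >&2
                return 1 ;;
        esac
        attrs="${attrs:+$attrs || }$a"
    done
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$base"
    printf 'aci: (targetattr="%s")(version 3.0; acl "self-write of personal information"; allow (write) userdn="ldap:///self";)\n' "$attrs"
}

# audit_login_shells ALLOWED_FILE LDIF_FILE
# Reads ldapsearch-style LDIF (attributes uid and loginShell) and prints
# "uid shell" for every entry whose loginShell is not listed in ALLOWED_FILE,
# which has the /etc/shells format: one path per line, '#' comments.
# Returns 1 if any such entry was found, 0 otherwise.
audit_login_shells() {
    awk -v allowed="$1" '
        BEGIN {
            while ((getline line < allowed) > 0) {
                sub(/#.*/, "", line)
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "") ok[line] = 1
            }
            close(allowed)
            bad = 0
        }
        # One entry per blank-line-separated LDIF record.
        /^uid: /        { uid = substr($0, 6) }
        /^loginShell: / { shell = substr($0, 13) }
        /^$/            { check() }
        END             { check(); exit bad }
        function check() {
            if (uid != "" && shell != "" && !(shell in ok)) {
                print uid, shell
                bad = 1
            }
            uid = ""; shell = ""
        }
    ' "$2"
}

# Constructed sample data standing in for /etc/shells and for the output of
#   ldapsearch -b "$LDAP_BASEDN" "(objectClass=posixAccount)" uid loginShell
WORK="${TMPDIR:-/tmp}/shell-audit.$$"
mkdir -p "$WORK"
cat > "$WORK/shells" <<'EOF'
# constructed stand-in for /etc/shells
/sbin/sh
/usr/bin/sh
/usr/bin/ksh
/usr/bin/csh
EOF
cat > "$WORK/people.ldif" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
loginShell: /usr/bin/ksh

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
loginShell: /home/bob/bin/mysh

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
loginShell: /usr/bin/sh
EOF

# An ACI that grants only personal-information attributes ...
self_write_ldif "ou=People,dc=example,dc=com" gecos telephoneNumber roomNumber
# ... while a request that includes loginShell is refused.
self_write_ldif "ou=People,dc=example,dc=com" gecos loginShell || echo "(refused, as intended)"
# Report accounts whose shell is outside the permitted list (bob here).
audit_login_shells "$WORK/shells" "$WORK/people.ldif" || echo "loginShell values outside the permitted list were found"
```

The emitted LDIF is meant for ldapmodify run as a directory administrator; the audit function takes a saved ldapsearch result so it can be run from a scheduled job without a directory bind in the script itself.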
336 User tasks