LDAP-UX Client Services B.05.00 Administrator's Guide

This is known as the proxy user. With the customized installation you must create the proxy
user manually; the guided installation creates the entry in the directory server automatically.
That entry (the host entry) is created with a randomly generated password, and the proxy
credentials are recorded in the /etc/opt/ldapux/pcred file. Because this file holds the
credential the client binds with, protect it as you would any other secret on the host.
2.3.2.3.2 Access control rights
To ensure that administration rights are limited to specific individuals, access control
instructions (ACIs) are placed in the directory server that provide for three kinds of change:
modification by administrators, modification by owners, and self-modification by users.
Administration group access control rights: these provide three levels of administration.
Three administration groups are created to manage data in the directory server:
UserAdmins allows its members to create, modify, and remove user accounts, including all
user attributes such as passwords, UID and GID numbers, and home directories. Members of
this group can also manage groups: creating, modifying and deleting groups as well as adding
and removing group members. Note that the ou=Groups ACI below grants only write; in
Directory Server ACI semantics write covers changing attribute values of existing entries,
while adding or deleting group entries requires the add and delete rights, which that ACI
does not grant. Note also that, because the ou=People ACI grants all rights on uidNumber,
gidNumber, homeDirectory and userPassword, a UserAdmins member can give any user entry any
local identity, including uid 0, on every client that resolves passwd data from this
directory; treat UserAdmins membership as root-equivalent on those clients. The rights for
UserAdmins are granted with the following ACIs:
dn: ou=People,dc=mydomain,dc=example,dc=com
aci: (targetattr = "objectclass || cn || manager || gidNumber || givenName ||
  homeDirectory || homePhone || memberUid || memberURL || memberOf || ou || sn ||
  uid || uidNumber || uniqueMember || userPassword || userCertificate")
  (target = "ldap:///ou=People,dc=mydomain,dc=example,dc=com")(version 3.0;acl
  "[USERADMIN:ALL:USERATTRS] Allow changes to User attributes by User
  Administrators";allow (all)(groupdn =
  "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
dn: ou=Groups,dc=mydomain,dc=example,dc=com
aci: (targetattr = "cn || objectclass || member || uniqueMember || memberUid ||
  gidNumber")(version 3.0;acl "[USERADMIN:WRITE:USERGROUPATTRS] Allow User
  Administrator Rights to modify group membership";allow (write) (groupdn =
  "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
HostAdmins allows its members to create, modify, and remove host accounts, including host
attributes such as passwords, host names and IP addresses. Members of this group can also
manage groups, including creating, modifying and deleting groups as well as adding and
removing members from these groups (the same caveat applies: the ou=Groups ACI below grants
write only, not add or delete). The rights for HostAdmins are granted with the following ACIs:
dn: ou=Groups,dc=mydomain,dc=example,dc=com
aci: (targetattr = "cn || objectclass || member || uniqueMember") (version 3.0;acl
  "[HOSTADMIN:WRITE:HOSTGROUPATTRS] Allow Host Administrator Rights to modify
  group membership";allow (write) (groupdn =
  "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "objectclass || cn || owner || host || ipHostNumber ||
  ipNetmaskNumber || ipNetworkNumber || ipProtocolNumber || ipServicePort ||
  ipServiceProtocol || sshPublicKey || oncRpcNumber || userPassword ||
  userCertificate" )(version 3.0;acl "[HOSTADMIN:ALL:HOSTATTRS]: Allow changes to
  host attributes by Host Administrators";allow (all) (groupdn =
  "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
DomainAdmins gives its members complete control of the data managed under the root suffix
of the directory server: the data used by the local host's OS and stored in the LDAP-UX
domain, as defined by the LDAP-UX configuration profile. Any member of this group is a
Domain Administrator. By default, the Domain Administrator created by the guided
installation is named domadmin. Because the ACI covers every attribute of every entry under
the suffix, DomainAdmins members can also change the membership of UserAdmins, HostAdmins
and DomainAdmins itself, so this group's membership is the one to guard most closely. The
rights for DomainAdmins are granted with the following ACI:
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALLATTRS]: Allow changes
  by Domain Administrators";allow (all) (groupdn =
  "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
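The following is an added example, not code from this guide or from LDAP-UX: a small offline audit that parses the five ACIs shown in this section into their target attributes, granted rights and subject group, then reports which security-sensitive attributes each administration group may write and whether the ACI grants entry-level add and delete rights at all. The list of attributes it treats as sensitive is the example's own choice, the expansion of "all" follows Directory Server ACI semantics (every right except proxy), and the parser handles only the ACI constructs that appear on this page.

```python
"""Offline audit of Directory Server ACIs (added example, not part of the guide).

Parses aci values of the form used on this page into target attributes,
granted rights and subject group, then reports which security-sensitive
attributes each group can write and whether the ACI grants entry-level
add/delete rights at all.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# In Directory Server ACI syntax "all" expands to every right except proxy.
ALL_RIGHTS = frozenset({"read", "write", "search", "compare", "selfwrite", "add", "delete"})

# Attributes whose writability matters to client OS security (chosen for this
# audit, not a list from the guide): uidNumber/gidNumber decide which local
# identity an entry maps to, userPassword/sshPublicKey/userCertificate are
# credentials, and the membership attributes control group-based privilege.
SENSITIVE_ATTRS = frozenset({
    "userpassword", "uidnumber", "gidnumber", "homedirectory", "sshpublickey",
    "usercertificate", "member", "uniquemember", "memberuid",
})


@dataclass(frozen=True)
class Aci:
    name: str
    target_attrs: frozenset        # lower-cased attribute names, or {"*"}
    target: Optional[str]          # URL from (target = "..."), if present
    rights: frozenset              # rights granted by the allow clause, expanded
    group_dn: Optional[str]        # DN from (groupdn = "..."), ldap:/// stripped

    def covers(self, attr: str) -> bool:
        """True if this ACI's targetattr list includes attr (or is the wildcard)."""
        return "*" in self.target_attrs or attr.lower() in self.target_attrs


def parse_aci(text: str) -> Aci:
    """Parse one aci attribute value. Only the constructs on this page are handled."""
    if "version 3.0" not in text:
        raise ValueError("only ACI version 3.0 is supported")
    ta = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', text)
    if ta is None:
        raise ValueError("missing targetattr")
    if ta.group(1) == "!=":
        raise ValueError("negated targetattr is not handled by this audit")
    attrs = frozenset(a.strip().lower() for a in ta.group(2).split("||") if a.strip())
    target = re.search(r'\(\s*target\s*=\s*"([^"]*)"\s*\)', text)
    name = re.search(r'acl\s+"([^"]*)"', text)
    allow = re.search(r'\ballow\s*\(([^)]*)\)', text)
    group = re.search(r'groupdn\s*=\s*"(?:ldap:///)?([^"]*)"', text)
    if name is None or allow is None:
        raise ValueError("missing acl name or allow clause")
    rights = {r.strip().lower() for r in allow.group(1).split(",") if r.strip()}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return Aci(name.group(1), attrs, target.group(1) if target else None,
               frozenset(rights), group.group(1) if group else None)


def entry_rights(aci: Aci) -> List[str]:
    """Rights that create or remove whole entries; 'write' alone does neither."""
    return sorted(aci.rights & {"add", "delete"})


def audit(acis: List[Tuple[str, Aci]], sensitive=SENSITIVE_ATTRS) -> List[dict]:
    """One finding per ACI: sensitive attributes the group may write, plus entry rights."""
    report = []
    for scope, aci in acis:
        writable = sorted(a for a in sensitive if "write" in aci.rights and aci.covers(a))
        report.append({"scope": scope, "name": aci.name, "group": aci.group_dn,
                       "writable_sensitive": writable, "entry_rights": entry_rights(aci)})
    return report


# The five ACIs from this page, unwrapped onto single lines: (entry DN, aci value).
PAGE_ACIS = [
    ("ou=People,dc=mydomain,dc=example,dc=com",
     '(targetattr = "objectclass || cn || manager || gidNumber || givenName || homeDirectory || homePhone || memberUid || memberURL || memberOf || ou || sn || uid || uidNumber || uniqueMember || userPassword || userCertificate") (target = "ldap:///ou=People,dc=mydomain,dc=example,dc=com")(version 3.0;acl "[USERADMIN:ALL:USERATTRS] Allow changes to User attributes by User Administrators";allow (all)(groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)'),
    ("ou=Groups,dc=mydomain,dc=example,dc=com",
     '(targetattr = "cn || objectclass || member || uniqueMember || memberUid || gidNumber ")(version 3.0;acl "[USERADMIN:WRITE:USERGROUPATTRS] Allow User Administrator Rights to modify group membership";allow (write) (groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)'),
    ("ou=Groups,dc=mydomain,dc=example,dc=com",
     '(targetattr = "cn || objectclass || member || uniqueMember") (version 3.0;acl "[HOSTADMIN:WRITE:HOSTGROUPATTRS] Allow Host Administrator Rights to modify group membership";allow (write) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)'),
    ("ou=Hosts,dc=mydomain,dc=example,dc=com",
     '(targetattr = "objectclass || cn || owner || host || ipHostNumber || ipNetmaskNumber || ipNetworkNumber || ipProtocolNumber || ipServicePort || ipServiceProtocol || sshPublicKey || oncRpcNumber || userPassword || userCertificate" )(version 3.0;acl "[HOSTADMIN:ALL:HOSTATTRS]: Allow changes to host attributes by Host Administrators";allow (all) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)'),
    ("dc=mydomain,dc=example,dc=com",
     '(targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALLATTRS]: Allow changes by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)'),
]


def parse_page_acis() -> List[Tuple[str, Aci]]:
    """Parse the page's ACIs, keeping the DN of the entry each one is attached to."""
    return [(dn, parse_aci(value)) for dn, value in PAGE_ACIS]


if __name__ == "__main__":
    for finding in audit(parse_page_acis()):
        print(finding)
```

Run against the page's ACIs, the report shows the two points made in the text: the ou=Groups ACIs for UserAdmins and HostAdmins carry an empty entry_rights list (write only, so no group creation or deletion), while the ou=People ACI lets UserAdmins write uidNumber, gidNumber and userPassword. To audit a live server, feed the output of an ldapsearch for the aci attribute into parse_aci one value per line, after unfolding LDIF continuation lines.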
34 Installing and configuring LDAP-UX Client Services