LDAP-UX Client Services B.05.00 Administrator's Guide

ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an
LDAP-based directory server. Although its output is similar to that of the ldapsearch
command, ldaphostlist is designed so that applications can discover and evaluate hosts
stored in an LDAP directory server without needing detailed knowledge of how that
information is stored in, and retrieved from, the directory. In addition, ldaphostlist
can report expiration information about ssh host keys if that information is managed
in the directory server.
For detailed information about tool usage, syntax, options, environment variables and
return codes supported by these tools, refer to the LDAP-UX Client Services B.05.00
Administrator's Guide or to the ldaphostmgr(1M) and ldaphostlist(1M) manpages.
The ignore option for PAM_LDAP support
If PAM_LDAP is configured as the first service module in the /etc/pam.conf file (a
typical configuration in the Trusted Mode environment), then when the directory server
becomes unreachable you will have trouble logging in to the system unless a set of
so-called "recovery users" is configured in the /etc/pam_user.conf file. This release
supports the ignore option for PAM_LDAP, which causes PAM_LDAP to be disregarded
entirely for specific local users.
To enable this feature, set the ignore option for PAM_LDAP in the per-user configuration
file, pam_user.conf. When this option is in effect for a user, PAM_LDAP returns
PAM_IGNORE for that user, so the PAM framework evaluates the rest of the module stack
(for example, local /etc/passwd authentication) as if PAM_LDAP were not listed. For
detailed information on how to configure and use this feature, refer to the LDAP-UX
Client Services B.05.00 Administrator's Guide.
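The lockout scenario above is easy to audit mechanically. The following Python script is
an added example, not part of LDAP-UX or of this guide: it parses a pam.conf and a
pam_user.conf, reports the module types for which pam_ldap is stacked first for a given
service, and lists the local users that have the ignore option for every one of those
types, i.e. the users who can still log in when the directory server is unreachable. The
file layouts it assumes (pam.conf: service, module type, control flag, module path,
options; pam_user.conf: login name, module type, options) are simplified from the
pam.conf(4) and pam_user.conf(4) manpages, and the sample configurations are constructed.

```python
"""Added example: audit pam.conf / pam_user.conf for the PAM_LDAP lockout case.

Not part of LDAP-UX. Assumed (simplified) file layouts:
  pam.conf       service module_type control_flag module_path [options...]
  pam_user.conf  login_name module_type options...
The sample configurations below are constructed for this example.
"""

import re

LDAP_MODULE_RE = re.compile(r"libpam_ldap\.so")

# Constructed sample: pam_ldap is stacked first for login; sshd tries the
# local module first, so local users are not affected there.
SAMPLE_PAM_CONF = """\
# service  type     flag        module                                    options
login      auth     required    /usr/lib/security/$ISA/libpam_ldap.so.1
login      auth     required    /usr/lib/security/$ISA/libpam_unix.so.1
login      account  required    /usr/lib/security/$ISA/libpam_ldap.so.1
login      account  required    /usr/lib/security/$ISA/libpam_unix.so.1
sshd       auth     sufficient  /usr/lib/security/$ISA/libpam_unix.so.1
sshd       auth     required    /usr/lib/security/$ISA/libpam_ldap.so.1
"""

# Constructed sample: root is the only recovery user (ignore for auth + account).
SAMPLE_PAM_USER_CONF = """\
# login_name  module_type  options
root          auth         ignore
root          account      ignore
"""


def _fields(line):
    """Strip comments/blank lines and split a config line into fields."""
    return line.split("#", 1)[0].split()


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options)]}."""
    stacks = {}
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) < 4:
            continue  # blank, comment, or malformed entry
        service, mtype, flag, path = fields[:4]
        stacks.setdefault((service, mtype), []).append((flag, path, fields[4:]))
    return stacks


def parse_pam_user_conf(text):
    """Return {(login_name, module_type): set(options)}."""
    per_user = {}
    for line in text.splitlines():
        fields = _fields(line)
        if len(fields) < 3:
            continue
        user, mtype = fields[:2]
        per_user.setdefault((user, mtype), set()).update(fields[2:])
    return per_user


def ldap_first(stacks, service, mtype):
    """True if pam_ldap is the first module in this stack (lockout-prone)."""
    stack = stacks.get((service, mtype), [])
    return bool(stack) and LDAP_MODULE_RE.search(stack[0][1]) is not None


def report(pam_conf_text, pam_user_conf_text, service):
    """Module types where pam_ldap comes first, and the users exempted from all of them."""
    stacks = parse_pam_conf(pam_conf_text)
    per_user = parse_pam_user_conf(pam_user_conf_text)
    at_risk = sorted(mtype for (svc, mtype) in stacks
                     if svc == service and ldap_first(stacks, svc, mtype))
    users = {user for (user, _mtype) in per_user}
    # A user is a recovery user only if pam_ldap ignores them for EVERY at-risk type.
    recovery = sorted(user for user in users
                      if at_risk and all("ignore" in per_user.get((user, m), ())
                                         for m in at_risk))
    return {"service": service, "at_risk_types": at_risk, "recovery_users": recovery}


if __name__ == "__main__":
    for svc in ("login", "sshd"):
        r = report(SAMPLE_PAM_CONF, SAMPLE_PAM_USER_CONF, svc)
        if r["at_risk_types"] and not r["recovery_users"]:
            print(f"{svc}: pam_ldap first for {r['at_risk_types']}, no recovery users: LOCKOUT RISK")
        else:
            print(f"{svc}: at-risk types {r['at_risk_types']}, recovery users {r['recovery_users']}")
```

Run it against copies of the live files by passing their contents to report(); a service
with a non-empty at_risk_types list and an empty recovery_users list is one you cannot
log in to once the directory is down.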
proxy_is_restricted and allowed_attribute flags added to configuration file
The proxy_is_restricted and allowed_attribute flags are added to the [general]
section of the configuration file, ldapclientd.conf:
proxy_is_restricted=yes|no
If a proxy user is configured in the LDAP-UX profile and its credentials are defined in
/etc/opt/ldapux/pcred, setting this flag to yes attests that the proxy user does not
hold privileged LDAP credentials, meaning the proxy user is restricted in its rights
and cannot read "private" information in the directory server. The default is no.
allowed_attribute=service:attribute
Some applications, such as /opt/ssh/bin/ssh, use ldapclientd to read information from
the directory server, for example the sshPublicKey attribute of users and hosts. Each
allowed_attribute entry names one service and one attribute that the service may read
through ldapclientd even when proxy_is_restricted is set to no (the default).
These configuration parameters are required so that the ldaphostlist and ldapuglist
tools can determine whether it is acceptable for them to display arbitrary attributes.
If you used autosetup to configure LDAP-UX, these values are set automatically. If you
have an existing installation, or used the custom install setup program, and you also
use a proxy user, you should update these values.
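The decision rule the two flags encode (any attribute if the proxy is attested as
unprivileged, otherwise only explicitly listed service:attribute pairs) is shown by the
following Python script. It is an added example, not LDAP-UX code: it parses the
[general] section of an ldapclientd.conf and answers whether a given service may display
a given attribute. It assumes allowed_attribute may be repeated on several lines, one
pair per line, and the service name "ssh" and the three sample configurations below are
constructed for the example.

```python
"""Added example: apply the proxy_is_restricted / allowed_attribute policy.

Not part of LDAP-UX. Assumes allowed_attribute may appear on several lines of
the [general] section, one service:attribute pair per line. Sample configs and
the service name "ssh" are constructed for this example.
"""

# Constructed: a default install with a proxy user and nothing whitelisted.
CONF_DEFAULT = """\
[general]
proxy_is_restricted=no
"""

# Constructed: proxy still treated as possibly privileged, two attributes
# whitelisted for two services.
CONF_WHITELIST = """\
[general]
proxy_is_restricted=no
allowed_attribute=ssh:sshPublicKey
allowed_attribute=ldaphostlist:description
"""

# Constructed: administrator attests the proxy holds no privileged credentials.
CONF_RESTRICTED = """\
[general]
proxy_is_restricted=yes   # set by autosetup in this example
"""


def parse_general(text):
    """Return (proxy_is_restricted, {(service, attribute_lowercase), ...})."""
    restricted = False  # the documented default is no
    allowed = set()
    in_general = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_general = line[1:-1].strip().lower() == "general"
            continue
        if not in_general or "=" not in line:
            continue  # other sections are irrelevant to this policy
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "proxy_is_restricted":
            if value.lower() not in ("yes", "no"):
                raise ValueError(f"proxy_is_restricted must be yes or no, got {value!r}")
            restricted = value.lower() == "yes"
        elif key == "allowed_attribute":
            if ":" not in value:
                raise ValueError(f"allowed_attribute must be service:attribute, got {value!r}")
            service, attribute = value.split(":", 1)
            # LDAP attribute names are case-insensitive, so normalise them.
            allowed.add((service.strip(), attribute.strip().lower()))
    return restricted, allowed


def may_display(conf_text, service, attribute):
    """True if `service` may display `attribute` obtained through the proxy user.

    proxy_is_restricted=yes: the proxy cannot see private data, so anything
    it can read is safe to show.  proxy_is_restricted=no: only attributes
    explicitly whitelisted for this service may be shown.
    """
    restricted, allowed = parse_general(conf_text)
    if restricted:
        return True
    return (service, attribute.lower()) in allowed


if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("whitelist", CONF_WHITELIST),
                       ("restricted", CONF_RESTRICTED)):
        print(name, "ssh/sshPublicKey:", may_display(conf, "ssh", "sshPublicKey"),
              "ldaphostlist/description:", may_display(conf, "ldaphostlist", "description"))
```

The check is per service as well as per attribute: whitelisting sshPublicKey for ssh does
not let ldaphostlist display it, which is the behaviour an administrator should expect
after a custom install where only the ssh entry was added.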
10.3 Related information
You can download the latest version of this document from the following website:
http://www.hp.com/go/hpux-security-docs
Click HP-UX LDAP-UX Integration Software.