LDAP-UX Client Services B.05.00 Administrator's Guide
• Owners access control rights: LDAP-UX 5.0 simplifies demarcating ownership of items in
the directory server. Owners are considered any users or members of a group that have a
DN in the owner attribute of the target entry. Currently, only one type of owner exists:
owners of hosts. The rights of these owners are granted with the following ACI:
dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber")(version 3.0;acl "[OWNER:ALL:HOSTOWNERATTRS]: Allow owner modification of host information";allow (all) userattr = "owner#USERDN";)
Based on this ACI, an owner of a host may change that host's IP address or sshPublicKey.
Modifying any other attribute requires the rights of a Host or Domain Administrator.
• Self (user) access control rights: To enable users to change their own passwords, some rights
must be granted to every user. These rights are granted through the following self-modify
ACI:
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr="carLicense || preferredLanguage || nisSecretKey || nisPublicKey || sshPublicKey || userCertificate || userPassword || userSMIMECertificate || facsimileTelephoneNumber || homePhone || homePostalAddress || mobile || pager")(version 3.0; acl "[SELF:WRITE:SELFWRITEATTRS] Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
As shown in this example, additional attributes (besides the user password) may be specified
to give users control of the associated values, such as the car license (carLicense), preferred
language (preferredLanguage), and so forth.
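To make the effect of the owner ACI and the self-write ACI above concrete, here is a small Python model, added for this guide and not part of LDAP-UX or the directory server, that parses the two ACIs exactly as shown and answers "may this bound DN write this attribute on this entry?" for constructed sample entries. It handles only the two bind-rule forms on the page (userattr = "owner#USERDN" and userdn = "ldap:///self"); deny rules, group-based ownership, targetfilter and precedence between ACIs, which a real directory server evaluates, are deliberately outside the model. All DNs and attribute values in DIRECTORY are constructed.

```python
"""Toy evaluator for the two LDAP-UX ACIs quoted above.

Added illustration, not the directory server's ACI engine: it models
default-deny plus the owner#USERDN and ldap:///self bind rules only.
"""
import re

# Constructed sample entries (not from the guide).
DIRECTORY = {
    "uid=alice,ou=People,dc=mydomain,dc=example,dc=com": {
        "uid": ["alice"], "userPassword": ["{SSHA}constructed"]},
    "uid=bob,ou=People,dc=mydomain,dc=example,dc=com": {
        "uid": ["bob"], "userPassword": ["{SSHA}constructed"]},
    "cn=host1,ou=Hosts,dc=mydomain,dc=example,dc=com": {
        "cn": ["host1"],
        "owner": ["uid=alice,ou=People,dc=mydomain,dc=example,dc=com"],
        "ipHostNumber": ["192.0.2.10"],
        "sshPublicKey": ["ssh-rsa AAAA-constructed"]},
}

# The two ACIs from the guide, paired with the DN they are placed on.
ACIS = [
    ("ou=Hosts,dc=mydomain,dc=example,dc=com",
     '(targetattr = "sshPublicKey || ipHostNumber")(version 3.0;'
     'acl "[OWNER:ALL:HOSTOWNERATTRS]: Allow owner modification of host '
     'information";allow (all) userattr = "owner#USERDN";)'),
    ("dc=mydomain,dc=example,dc=com",
     '(targetattr="carLicense || preferredLanguage || nisSecretKey || '
     'nisPublicKey || sshPublicKey || userCertificate || userPassword || '
     'userSMIMECertificate || facsimileTelephoneNumber || homePhone || '
     'homePostalAddress || mobile || pager")(version 3.0; '
     'acl "[SELF:WRITE:SELFWRITEATTRS] Enable self write for common '
     'attributes"; allow (write) userdn="ldap:///self";)'),
]


def parse_aci(text):
    """Extract targetattr list, acl name, granted rights and the bind rule."""
    attrs = re.search(r'\(targetattr\s*=\s*"([^"]*)"\)', text).group(1)
    name = re.search(r'\bacl\s*"([^"]*)"', text).group(1)
    perms = re.search(r'\ballow\s*\(([^)]*)\)', text).group(1)
    bind = re.search(r'\b(userattr|userdn)\s*=\s*"([^"]*)"', text)
    return {
        "targetattr": {a.strip().lower() for a in attrs.split("||")},
        "name": name,
        "permissions": {p.strip().lower() for p in perms.split(",")},
        "bind_rule": (bind.group(1), bind.group(2)),
    }


def in_scope(entry_dn, aci_dn):
    """An ACI applies to the entry it is placed on and every entry below it."""
    e, a = entry_dn.lower(), aci_dn.lower()
    return e == a or e.endswith("," + a)


def bind_rule_matches(rule, bind_dn, target_dn, entry):
    """Evaluate the two bind-rule forms used on the page."""
    kind, value = rule
    if kind == "userdn" and value.lower() == "ldap:///self":
        # Self write: the bound user is the entry being modified.
        return bind_dn.lower() == target_dn.lower()
    if kind == "userattr":
        attr, bind_type = value.split("#", 1)
        if bind_type.upper() == "USERDN":
            # Owner: the bound DN is listed in the entry's owner attribute.
            owners = {v.lower() for v in entry.get(attr, [])}
            return bind_dn.lower() in owners
    return False  # any other bind-rule form is outside this model


def can_write(bind_dn, target_dn, attr):
    """Default deny: True only if some allow ACI grants write (or all)."""
    entry = DIRECTORY[target_dn]
    for aci_dn, text in ACIS:
        aci = parse_aci(text)
        if not in_scope(target_dn, aci_dn):
            continue
        if attr.lower() not in aci["targetattr"]:
            continue
        if not ({"write", "all"} & aci["permissions"]):
            continue
        if bind_rule_matches(aci["bind_rule"], bind_dn, target_dn, entry):
            return True
    return False


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=mydomain,dc=example,dc=com"
    host = "cn=host1,ou=Hosts,dc=mydomain,dc=example,dc=com"
    print(can_write(alice, host, "ipHostNumber"))  # owner may change the IP
    print(can_write(alice, host, "cn"))            # needs a Host/Domain Administrator
```

Running the block shows the two outcomes the text describes: the owner listed in host1's owner attribute can change ipHostNumber and sshPublicKey but nothing else on that host, and a user can change userPassword only on their own entry. Because the model is default-deny, any attribute absent from both targetattr lists is refused regardless of who binds.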
2.3.2.3.3 SSL/TLS and CA/server certificates
To assure the integrity of data that the directory server delivers to the HP-UX client, some means
must be established to validate the identity of the directory server. In addition, the data must be
protected in transit between the directory server and the HP-UX client. This is especially critical
when the directory server performs authentication for the HP-UX client, as the password of the
account being verified is transmitted to the directory server (when SIMPLE authentication is
used). To validate the identity of the directory server and encrypt data in transit, the guided
installation creates a CA certificate and a server certificate on the HP-UX host where the directory
server instance is created. These certificates serve to automatically enable SSL/TLS on the directory
server.
To simplify distribution of the CA certificate, the guided installation automatically creates a
depot file that can be pre-distributed to other HP-UX clients in the domain before configuring
LDAP-UX on them. This process pre-establishes trust with the directory server. During the
autosetup procedure, you will see a message similar to the following, where
mydomain.example.com is the name of the LDAP-UX domain:
============================================================================
NOTE: A CA certificate for the "mydomain.example.com" domain has been created.
This certificate can be pre-installed on HP-UX clients or included as part
of an HP-UX Ignite image. Installing this CA certificate on host will
pre-establish trust with this directory server. The depot file for this
CA certificate is found at : /tmp/ca-mydomain.example.com.depot
============================================================================
The depot contains one product that, when installed, installs the CA certificate for the
LDAP-UX domain on the host. A CA certificate should be created for each domain, and the
product in the depot is named as follows:
# swlist -d -s /tmp/ca-cup.hp.com.depot
# Initializing...
# Contacting target "hpt079"...
#
# Target: hpt079:/tmp/ca-cup.hp.com.depot
#
2.3 Guided installation (autosetup) 35