LDAP-UX Client Services B.05.00 Administrator's Guide
2.4.4 Configuring your directory
This section describes how to configure your directory to work with LDAP-UX Client Services.
Examples are given for the HP-UX Directory Server. For information about supported directories,
see the LDAP-UX Integration Release Notes. If you have a different directory, see the documentation
for your directory for details on how to configure it.
For more information, see Preparing Your LDAP Directory for HP-UX Integration at:
http://www.hp.com/go/hpux-security-docs
Click HP-UX LDAP-UX Integration Software.
1. Install the posix schema (RFC 2307) into your directory.
With most directory servers, the posix schema is already installed. However, if you need to
install this schema, you may use the /opt/ldapux/bin/ldapschema tool to install the
/etc/opt/ldapux/schema/rfc2307.xml schema file.
For information on the posix schema (RFC 2307), see the following website:
http://www.ietf.org/rfc.html
RFC 2307 consists of object classes such as: posixAccount, posixGroup, shadowAccount
(deprecated), etc. posixAccount represents a user entry from /etc/passwd. posixGroup
represents a group entry from /etc/group.
2. Restrict write access to certain passwd (posixAccount) attributes of the posix schema.
CAUTION: Make sure you restrict access to the attributes listed below. Allowing users to
change them could be a security risk.
Grant write access to the uidnumber, gidnumber, homedirectory, and uid attributes
only to directory administrators; disallow write access by all other users. You may want to
restrict write access to other attributes in the passwd (posixAccount) entry as well.
With HP-UX Directory Server, you can use the Directory Server Console or ldapmodify
to set up access control instructions (ACI) so ordinary users cannot change these attributes
in their passwd entry in the directory.
The following access control instruction is by default at the top of the directory tree for an
HP-UX Directory Server (version 8.1). This ACI allows a user to change any attribute in their
passwd entry:
aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification";
     allow (write) userdn = "ldap:///self";)
You could modify this example ACI to the following, which prevents ordinary users from
changing their uidnumber, gidnumber, homedirectory, and uid attributes:
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid")
     (version 3.0; acl "Allow self entry modification, except for important posix attributes";
     allow (write) userdn = "ldap:///self";)
You may have other attributes you need to protect as well.
To change an ACI with the Directory Server Console, select the Directory tab, select your
directory suffix in the left-hand panel, then select the Object→Set Access Permissions
menu item. In the dialog box, select the "Allow self entry modification" ACI and click OK.
Use the Set Access Permissions dialog box to modify the ACI. For details, see the HP-UX
Directory Server administrator guide.
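As an added audit check (not part of the guide or of the HP-UX Directory Server tools), the following Python parses the self-modification ACI shape shown above and reports which of the four sensitive posixAccount attributes an ACI still lets a user write in their own entry. The ACI strings are constructed copies of the two examples; the regular expressions only understand the targetattr / allow / userdn=self pattern used here and accept either "(write)userdn" or "(write) userdn".

```python
import re

# Attributes the guide says only directory administrators may write in a
# posixAccount (passwd) entry.
SENSITIVE_PASSWD_ATTRS = {"uidnumber", "gidnumber", "homedirectory", "uid"}

# (targetattr = "...") or (targetattr != "..."); attribute names are case-insensitive.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
# allow (rights) userdn = "ldap:///self"  -- whitespace after the rights list is optional.
ALLOW_SELF_RE = re.compile(r'\ballow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///self"', re.I)


def self_writable(aci, sensitive=SENSITIVE_PASSWD_ATTRS):
    """Return the subset of `sensitive` this single ACI lets a bound user write
    in their own entry (empty set if it grants no self write at all)."""
    allow = ALLOW_SELF_RE.search(aci)
    if not allow or "write" not in allow.group(1).lower():
        return set()                       # read-only or not a self rule
    target = TARGETATTR_RE.search(aci)
    if not target:
        return set()                       # no targetattr clause to reason about
    op, names = target.groups()
    listed = {n.strip().lower() for n in names.split("||")}
    if op == "=":                          # explicit allow list
        return set(sensitive) if "*" in listed else listed & set(sensitive)
    return set(sensitive) - listed         # "!=": everything except the listed names


def exposed_by_any(acis, sensitive=SENSITIVE_PASSWD_ATTRS):
    """Allow rules are cumulative, so the union over all ACIs at the suffix is
    what actually matters when deciding whether users can change these attributes."""
    exposed = set()
    for aci in acis:
        exposed |= self_writable(aci, sensitive)
    return exposed


# Constructed ACIs mirroring the default and the hardened example from the guide.
DEFAULT_ACI = ('aci: (targetattr = "*") (version 3.0; acl "Allow self entry '
               'modification"; allow (write) userdn = "ldap:///self";)')
HARDENED_ACI = ('aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") '
                '(version 3.0; acl "Allow self entry modification, except for important '
                'posix attributes"; allow (write) userdn = "ldap:///self";)')

if __name__ == "__main__":
    for aci in (DEFAULT_ACI, HARDENED_ACI):
        exposed = sorted(self_writable(aci))
        print("EXPOSED" if exposed else "OK     ", exposed, aci[:48] + "...")
```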
3. Restrict write access to certain group (posixGroup) attributes of the posix schema.
Grant write access to the cn, memberuid, gidnumber, and userPassword attributes only to
directory administrators; disallow write access by all other users.
With the HP-UX Directory Server, you can use the Directory Server Console or ldapmodify
to set up access control instructions (ACI) so ordinary users cannot change these attributes in the
posixGroup entry in the directory. For example, the following ACI, placed in the directory
2.4 Customized installation (setup) 65