LDAP-UX Client Services B.05.00 Administrator's Guide
at ou=groups,ou=unix,o=hp.com, allows only the directory administrator to modify
entries below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0; acl "Disallow modification of group entries";
deny (write) (groupdn != "ldap:///ou=Directory Administrators,o=hp.com");)
4. Grant read access to all attributes of the posix schema.
Ensure that all users have read access to the posix attributes.
When you use PAM_LDAP as your authentication method, users do not need read access to
the userPassword attribute, because the bind is performed by the directory server itself.
For better security, therefore, remove read access to userPassword from ordinary
users.
5. Configure anonymous access, if needed. If you do not configure a proxy user, then the
attributes of your name service data must be readable anonymously.
6. Create a proxy user in the directory, if needed.
To create a proxy user with the HP-UX Directory Server, go to the directory server's
main Console, select the Users and Groups tab, and then click the Create button. For
example, you might create a user uid=proxyuser,ou=Special Users,o=hp.com.
7. Set access permissions for the proxy user, if configured.
Give the proxy user created above read permission for the posix account attributes.
With HP-UX Directory Server, for example, the following ACI gives a proxy user permission
to compare, read, and search all posix account attributes except the userPassword attribute:
aci: (target="ldap:///o=hp.com")(targetattr!="userpassword")
(version 3.0; acl "Proxy userpassword read rights";
allow (compare,read,search)
userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)
8. The default ACI of Netscape Directory Server 6.11 allows a user to change his own common
attributes. With Netscape Directory Server 6.21 or later, you need to set an ACI that grants
this permission. For that purpose, Netscape Directory Server 6.21 or later provides the
following ACI, named Enable self write for common attributes, which lets a user change his
own common attributes:
aci: (targetattr = "carLicense ||description ||displayName
||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials
||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox
||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street
||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword
||userSMIMECertificate ||x500UniqueIdentifier")
(version 3.0; acl "Enable self write for common attributes"; allow (write)
(userdn = "ldap:///self"))
You can modify this ACI to narrow or widen the set of attributes a user may change in his
own entry. Keep userPassword in the list if users are to change their own passwords
through the directory.
9. Index important attributes for better performance of Directory Server.
Since many of your directory requests will be for the attributes listed below, you should
index them to improve performance. Without indexes, the directory server scans entries
sequentially for each lookup, which becomes a performance bottleneck. As a rule of thumb,
databases containing more than 100 entries should be indexed by their key attributes.
The following attributes are recommended for indexing:
• cn
• objectclass
• memberuid
• uidnumber
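The ACIs from steps 3, 7 and 8 above, evaluated with a small model of Directory Server access control. This is an added example, not code from the LDAP-UX guide or from the directory server. It models only the ACI syntax used on this page (a target subtree, targetattr with an optional !=, allow or deny, a rights set, and the userdn/groupdn bind rules) together with the two server rules that matter here: an explicit deny wins over any allow, and a request that no ACI matches is denied. The admin group membership, the entries uid=jdoe, uid=jane, uid=admin1 and cn=staff, the abbreviated self-write attribute list and the final "ASSUMED" ACI are constructed for the example; that last ACI is deliberately over-permissive to show the group deny of step 3 still taking precedence. The read ACI for ordinary or anonymous users from steps 4 and 5 is not on the page and is not modelled, which is why the anonymous read is denied.

```python
"""Model of Directory Server ACI evaluation for the ACIs on this page.

Added example, not code from the LDAP-UX guide or the directory server. It
models only the ACI subset the page uses and keeps two server rules: an
explicit deny wins over any allow, and no matching ACI means deny.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


def norm(dn: str) -> str:
    """DNs and attribute types compare case-insensitively; drop the ldap:/// prefix."""
    return dn.lower().replace("ldap:///", "").replace(", ", ",")


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


@dataclass(frozen=True)
class Aci:
    name: str
    placed_at: str                    # entry that carries the aci attribute
    effect: str                       # "allow" or "deny"
    rights: FrozenSet[str]            # e.g. {"read", "search", "compare"} or {"write"}
    bind: str                         # "self", "all", "user:<dn>" or "notgroup:<dn>"
    targetattr: FrozenSet[str] = frozenset()   # empty means targetattr = "*"
    negate: bool = False              # targetattr != "...": the list is excluded
    target: Optional[str] = None      # explicit (target=...) subtree, default placed_at

    def attr_matches(self, attr: str) -> bool:
        if not self.targetattr:
            return True
        listed = attr.lower() in self.targetattr
        return not listed if self.negate else listed

    def bind_matches(self, bind_dn: Optional[str], entry_dn: str,
                     groups: Dict[str, List[str]]) -> bool:
        if self.bind == "all":                    # any authenticated bind
            return bind_dn is not None
        if self.bind == "self":                   # bound as the entry being accessed
            return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
        kind, _, dn = self.bind.partition(":")
        if kind == "user":
            return bind_dn is not None and norm(bind_dn) == norm(dn)
        if kind == "notgroup":                    # groupdn != : bound DN is NOT a member
            members = {norm(m) for m in groups.get(norm(dn), [])}
            return bind_dn is None or norm(bind_dn) not in members
        raise ValueError(f"unsupported bind rule {self.bind!r}")


def check(acis, groups, bind_dn, entry_dn, attr, right) -> str:
    """Return "allow" or "deny" for one (bind, entry, attribute, right) request."""
    decision = "deny"                             # default: nothing allowed it
    for aci in acis:
        if not in_subtree(entry_dn, aci.target or aci.placed_at):
            continue
        if right not in aci.rights or not aci.attr_matches(attr):
            continue
        if not aci.bind_matches(bind_dn, entry_dn, groups):
            continue
        if aci.effect == "deny":
            return "deny"                         # explicit deny beats every allow
        decision = "allow"
    return decision


ADMINS = "ou=Directory Administrators,o=hp.com"
PROXY = "uid=proxyuser,ou=Special Users,o=hp.com"
JDOE = "uid=jdoe,ou=people,ou=unix,o=hp.com"      # constructed entries, not from the page
JANE = "uid=jane,ou=people,ou=unix,o=hp.com"
ADMIN1 = "uid=admin1,ou=people,ou=unix,o=hp.com"
STAFF = "cn=staff,ou=groups,ou=unix,o=hp.com"
SELF_WRITE = frozenset(a.lower() for a in (     # abbreviated from the page's list
    "carLicense", "description", "displayName", "mail", "mobile",
    "telephoneNumber", "title", "userPassword"))
ACIS = [
    Aci("Disallow modification of group entries", "ou=groups,ou=unix,o=hp.com",
        "deny", frozenset({"write"}), "notgroup:" + ADMINS),
    Aci("Proxy userpassword read rights", "o=hp.com", "allow",
        frozenset({"compare", "read", "search"}), "user:" + PROXY,
        frozenset({"userpassword"}), negate=True),
    Aci("Enable self write for common attributes", "o=hp.com", "allow",
        frozenset({"write"}), "self", SELF_WRITE),
    # ASSUMED, not on the page: deliberately over-permissive, to show the deny winning.
    Aci("ASSUMED anyone may edit memberUid", "o=hp.com", "allow",
        frozenset({"write"}), "all", frozenset({"memberuid"})),
]
GROUPS = {norm(ADMINS): [ADMIN1]}                 # constructed admin group membership

CASES = {
    "proxy reads uidNumber": (PROXY, JDOE, "uidNumber", "read"),
    "proxy reads userPassword": (PROXY, JDOE, "userPassword", "read"),
    "anonymous reads uidNumber": (None, JDOE, "uidNumber", "read"),
    "jdoe writes own mail": (JDOE, JDOE, "mail", "write"),
    "jdoe writes own userPassword": (JDOE, JDOE, "userPassword", "write"),
    "jdoe writes jane's mail": (JDOE, JANE, "mail", "write"),
    "jdoe writes memberUid of staff group": (JDOE, STAFF, "memberUid", "write"),
    "admin1 writes memberUid of staff group": (ADMIN1, STAFF, "memberUid", "write"),
}


def access_matrix():
    """Verdict for every constructed case under the page's ACIs."""
    return {name: check(ACIS, GROUPS, *req) for name, req in CASES.items()}


if __name__ == "__main__":
    for name, verdict in access_matrix().items():
        print(f"{verdict:5}  {name}")
```

The two results worth noting are the proxy user being denied userPassword even though it can read every other attribute (the targetattr != exclusion of step 7), and uid=jdoe being denied a write to the group entry although an ACI elsewhere would allow it (the deny of step 3 is evaluated first and is final). Directory Manager bypasses ACIs entirely on a real server and is not modelled here.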
66 Installing and configuring LDAP-UX Client Services