LDAP-UX Client Services B.05.00 Administrator's Guide
must re-run the setup program to extend the publickey schema into your LDAP directory. You
do not need to re-run the setup program for the subsequent client systems. For detailed
information on how to run the setup program to extend the publickey schema into an LDAP
directory, see Section 2.4.5.1 (page 69).
2.4.7.3 Admin Proxy user
A special type of proxy user, known as an Admin Proxy, has been added to LDAP-UX to support
management of NIS publickey information in an LDAP directory server. The Admin Proxy
represents the HP-UX administrator's rights in the directory server and typically is used to
represent root's privileges extended to the directory server. Only an Admin Proxy user is allowed
to use the newkey tool to add host and user keys into the LDAP directory server, or to use the
chkey tool to modify host keys in the LDAP directory server.
2.4.7.3.1 Configuring an Admin Proxy user by using ldap_proxy_config
You need to use a new ldap_proxy_config tool option, -A, to configure an Admin Proxy user.
You must specify the -A option along with other options to perform operations applying to an
Admin Proxy user. For example, you can use the ldap_proxy_config -A -i command to
create an Admin Proxy user. See Section 7.2.6 (page 216) for details.
2.4.7.3.2 Password for an Admin Proxy user
To protect user secret keys in the LDAP directory, the secret keys are encrypted using the user's
password. This process is used in NIS as well as NIS+ environments. The host's secret key must
also be encrypted. Since the host itself does not have its own password, root's password is used
to encrypt the host's secret key. The chkey or newkey command prompts for root's password
when changing or adding a key for a host. For this reason, you may wish to configure the Admin
Proxy user in the LDAP directory to have the same password as the root user on the master host.
Although it is not required that the Admin Proxy user and root user share the same password,
it allows you to avoid storing the Admin Proxy user's password in the administrator's credential
file /etc/opt/ldapux/acred (this file as well as the pcred file are not encrypted). In this
case, when you run the ldap_proxy_config -A -i command to configure the Admin Proxy
user, you enter only the Admin Proxy user's DN without the password. LDAP-UX will use root's
password given to the chkey and newkey commands as the Admin Proxy user's password to
perform public key operations. However, the ldap_proxy_config -A -v command will not
be able to validate the Admin Proxy user because no password is available to
ldap_proxy_config. As a result, the message "No password is provided. Validation
is not performed" will be displayed.
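Because the guide states that /etc/opt/ldapux/acred and pcred are stored unencrypted, the practical protection for any password kept there is the file mode. The following added example (not part of the guide and not an LDAP-UX tool) checks that these files are readable only by their owner. The 0600-style requirement, the credential file names checked and the directory default are this example's assumptions; it parses ls -l rather than stat(1) so it can run on HP-UX as well as Linux.

```shell
#!/bin/sh
# Added example, not from the LDAP-UX guide: verify that the LDAP-UX credential
# files (which the guide notes are unencrypted) carry no group/other permission
# bits. Treating anything other than owner-only access as a failure is this
# example's assumption, not a documented LDAP-UX rule.

# Return 0 if $1 is a regular file whose ls -l mode string has no group or
# other bits set (e.g. -rw-------); return 1 and print a reason otherwise.
cred_file_is_private() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    # First 10 characters: type, owner rwx, group rwx, other rwx.
    # cut drops a trailing '+' or '.' that Linux ls adds for ACL/SELinux.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
    esac
    echo "$f: mode $mode is readable or writable by group/other"
    return 1
}

# Check the acred (Admin Proxy) and pcred (proxy) credential files under the
# LDAP-UX configuration directory ($1, default /etc/opt/ldapux). Files that
# do not exist are skipped, since both are optional on a given client.
# Returns the number of files that failed the check (0 means all private).
check_ldapux_creds() {
    dir=${1:-/etc/opt/ldapux}
    failed=0
    for name in acred pcred; do
        [ -f "$dir/$name" ] || continue
        cred_file_is_private "$dir/$name" || failed=$((failed + 1))
    done
    return $failed
}

# Usage on a real client (as root):  check_ldapux_creds && echo "credential files are private"
```

Run it as root on the client after ldap_proxy_config has written the credential files; a non-zero return lists each offending file, and chmod 600 on that file is the corrective step this check assumes.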
2.4.7.4 Setting ACI for key management
Before storing public keys in an LDAP server, LDAP administrators may wish to update their
LDAP access controls such that users can manage their own keys, and the Admin Proxy user
can manage host keys. This section describes how you set up access control instructions (ACI)
for an Admin Proxy user or a user.
2.4.7.4.1 Setting ACI for an Admin Proxy user
With the HP-UX Directory Server, you can use the Directory Server Console or the ldapmodify
command to set up an ACI, which gives an Admin Proxy user permissions to manage host and
user keys in the LDAP directory.
An Example
The following ACI gives the permissions for the Admin Proxy user uid=keyadmin to read,
write, and compare nissecretkey and nispublickey attributes for hosts and users:
dn:dc=org,dc=hp,dc=com
2.4 Customized installation (setup) 85