LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

entityRole: DBSERVER
dn: cn=raptor,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: raptor
ipHostNumber: 16.92.96.215
objectClass: top
objectClass: device
objectClass: ldapPublicKey
objectClass: iphost
objectClass: domainEntity
owner: uid=domadmin,ou=People,dc=mydomain,dc=eample,dc=com
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxe1...
entityRole: DBSERVER
7.8.7 Managing process access rights (proxy_is_restricted)
If you have configured LDAP-UX to use anonymous access to the directory server, you may skip
this section.
Under the specific conditions described in this section, the ldaphostlist utility will not allow the
user to display arbitrary attributes associated with host entries managed in the directory server. If
you try to display an attribute and cannot view it as expected, use the -v option to verify
whether that attribute is restricted, as shown in the following example. Assume that a user wants
to display the owner of a host and gets a warning message like the one shown in the example.
# ldaphostlist -n brewer owner
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: brewer
ipHostNumber: 0.0.0.0
# ldaphostlist -v -n brewer owner
WARNING: LST_ATTR_RESTRICTED:
Attribute "owner" is ignored. Access rights to the attribute can not
be determined because proxy access has been defined but
proxy_is_restricted has not been set. Contact your system
administrator.
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: brewer
ipHostNumber: 0.0.0.0
This message can occur if LDAP-UX is configured to use a proxy user to access the directory server
data. This is very common in an ADS environment, since by default, the ADS directory server does
not allow anonymous access to data.
If you have installed and configured a previous version of LDAP-UX or did not use the guided
installation (autosetup) to configure LDAP-UX, you would have defined your own proxy user.
Because ldaphostlist uses this same proxy user to access directory server data,
ldaphostlist needs to know whether the proxy user has access to data that a nonprivileged user
should not be allowed to view. For example, if the proxy user was defined as
cn=administrator,cn=user,dc=mydomain,dc=example,dc=com (for a Windows domain)
or cn=Directory Manager (for an HP-UX Directory Server), the proxy user has rights to access
any data in the directory server.
While it would be bad practice to create a proxy user with privileged access rights, normally the
proxy user is only used by ldapclientd, which limits what information it requests from the
directory server. However, because a user can instruct ldaphostlist to view any attribute,
ldaphostlist does not allow users to specify arbitrary attributes to be viewed, since these tools do
not know whether the proxy user has more privileges than should be granted to the user running the utility.
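The -v warning above is what lets an operator tell a restricted attribute apart from one the entry simply does not have. As an added example (not code from the guide or from the LDAP-UX tools), the following Python parser classifies each attribute requested from ldaphostlist using the warning and entry format shown in the example; the sample output is constructed from that example.

```python
import re

# Constructed sample shaped like the guide's "ldaphostlist -v -n brewer owner"
# output: an LST_ATTR_RESTRICTED warning followed by the host entry.
SAMPLE_OUTPUT = """\
WARNING: LST_ATTR_RESTRICTED:
Attribute "owner" is ignored. Access rights to the attribute can not
be determined because proxy access has been defined but
proxy_is_restricted has not been set. Contact your system
administrator.
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=eample,dc=com
cn: brewer
ipHostNumber: 0.0.0.0
"""

WARNING_RE = re.compile(r"^WARNING:\s*([A-Z_]+):")
IGNORED_RE = re.compile(r'Attribute "([^"]+)" is ignored')
ATTR_RE = re.compile(r"^([A-Za-z][\w.-]*): ?(.*)$")

def parse_ldaphostlist(output):
    """Return (warnings, entries): warnings as {code, attribute} dicts,
    entries as {attribute: [values]} dicts, one per "dn:" block."""
    warnings, entries, warning, entry = [], [], None, None
    for line in output.splitlines():
        m = WARNING_RE.match(line)
        if m:                                  # warning header line
            warning = {"code": m.group(1), "attribute": None}
            warnings.append(warning)
            entry = None
        elif line.startswith("dn:"):           # first line of an entry
            entry = {}
            entries.append(entry)
            warning = None
        if entry is not None:                  # LDIF attribute line
            m = ATTR_RE.match(line)
            if m:
                entry.setdefault(m.group(1), []).append(m.group(2))
        elif warning is not None:              # warning body text
            m = IGNORED_RE.search(line)
            if m:
                warning["attribute"] = m.group(1)
    return warnings, entries

def attribute_status(output, requested):
    """Map each requested attribute to 'shown', 'restricted' or 'absent'."""
    warnings, entries = parse_ldaphostlist(output)
    restricted = {w["attribute"] for w in warnings if w["code"] == "LST_ATTR_RESTRICTED"}
    shown = set().union(*entries) if entries else set()
    return {a: "shown" if a in shown else "restricted" if a in restricted else "absent" for a in requested}
```

Without -v the warning is not printed, so a restricted attribute is reported as 'absent' and is indistinguishable from one the entry lacks; run with -v before concluding that the directory data is missing.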
When a host is configured using the guided installation, an entry representing the host is created;
this entry is also used as the proxy user for the OS. Because this host entry is created without adding
any special privileges, the guided installation sets a special flag (proxy_is_restricted) inside
the /etc/opt/ldapux/ldapclientd.conf file to indicate that the proxy user has been
created without any additional special privileges. This flag is also used by ldaphostlist, to
7.8 Managing hosts in an LDAP-UX domain 241