LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

determine if it is safe to request arbitrary attributes from the directory server. ldaphostlist
assumes that the directory server has defined proper access control limits such that confidential or
private information cannot be viewed by the proxy user. The [general] section of the client
daemon configuration file (ldapclientd.conf) controls this behavior:
...
# If proxy_is_restricted is set to 1, then you are attesting that the
# directory server is restricting access to private or other confidential
# information from access by the proxy user.
proxy_is_restricted=1
# Allows the ldapclientd interface to return attributes that are associated
# with RFC2307-based services (such as users and groups), but that those
# attributes are not specifically part of the RFC2307 schema. Any attribute
# specified below should be considered public information.
allowed_attribute=hosts:sshPublicKey
allowed_attribute=passwd:sshPublicKey
Setting proxy_is_restricted to 1 means that ldaphostlist will not restrict the user from
displaying any attribute (the directory server might still deny access if access control instructions
exist to limit what is visible to the proxy user).
Only set proxy_is_restricted to 1 if you can verify that your proxy user defined in
/etc/opt/ldapux/pcred does not have rights to access data in the directory server beyond that of
any nonprivileged user. To identify what account is defined as the proxy user, use the
ldap_proxy_config utility as follows, and then examine the directory server’s access control
settings to verify this account’s privileges:
# /opt/ldapux/config/ldap_proxy_config -p
PROXY DN: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
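As an added audit helper (not part of the guide or of LDAP-UX), the following Python script parses the [general] section of an ldapclientd.conf fragment and reports what the settings expose. The sample configuration embedded in it is constructed from the fragment quoted above; the parser accumulates the repeated allowed_attribute keys, which a stock INI parser would collapse to a single value.

```python
"""Audit proxy_is_restricted and allowed_attribute in an LDAP-UX ldapclientd.conf."""
from collections import defaultdict

# Constructed sample modelled on the [general] fragment quoted in the guide.
SAMPLE_CONF = """\
[general]
# If proxy_is_restricted is set to 1, then you are attesting that the
# directory server is restricting access to private or other confidential
# information from access by the proxy user.
proxy_is_restricted=1
# Any attribute specified below should be considered public information.
allowed_attribute=hosts:sshPublicKey
allowed_attribute=passwd:sshPublicKey
[other]
proxy_is_restricted=0
"""

def parse_general(text):
    """Return (proxy_is_restricted, {service: [attribute, ...]}) for [general] only."""
    restricted = False
    allowed = defaultdict(list)   # allowed_attribute repeats once per entry
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "general" or "=" not in line:
            continue                      # ignore other sections and malformed lines
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "proxy_is_restricted":
            restricted = value == "1"
        elif key == "allowed_attribute":
            service, _, attr = value.partition(":")
            if service and attr:
                allowed[service.strip()].append(attr.strip())
    return restricted, dict(allowed)

def audit(text):
    """List what the configuration exposes and which attestation is in force."""
    restricted, allowed = parse_general(text)
    findings = []
    if restricted:
        findings.append("proxy_is_restricted=1: ldaphostlist will not limit displayed "
                        "attributes; confirm the proxy DN (ldap_proxy_config -p) has no "
                        "rights beyond a nonprivileged user in the directory ACIs")
    for service, attrs in sorted(allowed.items()):
        findings.append("%s: %s treated as public information" % (service, ", ".join(attrs)))
    return findings
```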
7.9 Managing proxy users
This section explains administrative functions pertaining to proxy users.
7.9.1 Displaying the proxy user's DN
You can display the proxy user's distinguished name by using the
/opt/ldapux/config/ldap_proxy_config -p command.
The following command example shows how to use this command to display the current proxy
user and includes the command output seen using an HP directory server:
cd /opt/ldapux/config
./ldap_proxy_config -p
PROXY DN: uid=proxy,ou=people,o=hp.com
The output from the command as seen when using Windows ADS might be as follows:
PROXY DN: CN=Proxy User, CN=Users, DC=cup, DC=hp, DC=com
7.9.2 Verifying the proxy user
The proxy user information is stored in the file /etc/opt/ldapux/pcred. You can verify that
the proxy user can authenticate to the directory by running
/opt/ldapux/config/ldap_proxy_config -v as follows. In this example, the output confirms
that the stored credentials are valid and the proxy user can authenticate to the directory.
cd /opt/ldapux/config
./ldap_proxy_config -v
File Credentials verified - valid
7.9.3 Creating a new proxy user
If you need to create a new proxy user and change your client systems to use the new proxy user,
use the following steps:
242 Administering LDAP-UX Client Services