LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

be used to define this policy. The following example shows how anyone listed as an owner of a
host, a Domain Administrator, or a Host Administrator is allowed to modify the sshPublicKey
attribute. These ACIs are created automatically if you create a new directory server instance using
the guided installation.
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALL]: Allow changes
  by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,
 ou=Groups,dc=mydomain,dc=example,dc=com");)

dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber") (version 3.0;acl "[OWNER:WRITE:
 HOSTOWNERATTRS]: Allow owner modification of host information";allow (read,
 compare,search,write,delete,add) userattr = "owner#USERDN";)
aci: (targetattr = "objectclass || cn || dn || owner || host || ipHostNumber ||
  ipNetmaskNumber || ipNetworkNumber || ipProtocolNumber || ipServicePort ||
  ipServiceProtocol || sshPublicKey || oncRpcNumber || userPassword ||
  userCertificate")(version 3.0;acl "[HOSTADMIN:READ-WRITE:HOSTATTRS]: Allow
  changes to Unix attributes by Host Administrators";allow (all) (groupdn =
  "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
8.2.6 Administrative users
Any user with the right to modify the sshPublicKey attribute for a host is considered an ssh key
administrator. As the rights in the previous example show, anyone who is a member of the
DomainAdmins or HostAdmins groups, or who is named in the host entry's owner attribute (which
holds the DN of the user), is an ssh key administrator. As mentioned previously, to protect the
integrity of the sshPublicKey attribute, this set of users should be restricted to trusted
administrators.
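The ACIs above and the list of ssh key administrators they imply are the kind of thing worth auditing on a real server, since an overly broad targetattr or an extra bind rule silently widens who can replace a host key. The following script is an added example written for this guide, not code from the LDAP-UX product or HP: it unfolds the aci: values in an LDIF fragment and lists every allow clause whose targetattr covers a given attribute and whose rights include write or all. The embedded LDIF is constructed from the three ACIs in the example above plus one hypothetical read-only ACI (a realistic addition, since sshd must be able to read the keys) to show that read rights are not reported. It is a string-level check only: it does not model deny precedence, targetfilter or targetscope, or resolve group membership, so treat its output as the list of bind rules to verify against the live directory.

```python
"""Static audit of Directory Server ACIs: which bind rules may write an attribute.

Added example, not code from the LDAP-UX guide or HP. It unfolds the aci: values
in an LDIF fragment and lists every allow clause whose targetattr covers the
attribute and whose rights include write or all. String-level only: it does not
model deny precedence, targetfilter/targetscope, or group-membership resolution.
"""
import re
from dataclasses import dataclass

# Constructed sample: the three ACIs from the guide, folded as LDIF continuation
# lines (a leading space joins a line to the previous one), plus one
# hypothetical read-only ACI that must NOT show up as a writer.
SAMPLE_LDIF = """\
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALL]: Allow changes
  by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,
 ou=Groups,dc=mydomain,dc=example,dc=com");)

dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber")(version 3.0;acl "[OWNER:WRITE:
 HOSTOWNERATTRS]: Allow owner modification of host information";allow (read,
 compare,search,write,delete,add) userattr = "owner#USERDN";)
aci: (targetattr = "objectclass || cn || dn || owner || host || ipHostNumber ||
  ipNetmaskNumber || ipNetworkNumber || ipProtocolNumber || ipServicePort ||
  ipServiceProtocol || sshPublicKey || oncRpcNumber || userPassword ||
  userCertificate")(version 3.0;acl "[HOSTADMIN:READ-WRITE:HOSTATTRS]: Allow
  changes to Unix attributes by Host Administrators";allow (all) (groupdn =
  "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
aci: (targetattr = "sshPublicKey")(version 3.0;acl "[HYPOTHETICAL:READ:KEYS]: Let
  hosts read keys";allow (read,search,compare) userdn = "ldap:///anyone";)
"""


@dataclass
class Permission:
    entry_dn: str       # entry that carries the aci
    acl_name: str       # the acl "..." label
    kind: str           # allow or deny
    rights: frozenset   # e.g. {'read', 'write'} or {'all'}
    bind_rule: str      # e.g. groupdn = "ldap:///cn=HostAdmins,..."
    target_attrs: tuple # lowercased attribute names, or ('*',)

    @property
    def label(self):
        """The bracketed tag at the start of the acl name, e.g. [OWNER:WRITE:HOSTOWNERATTRS]."""
        return self.acl_name.split("]", 1)[0] + "]"


# Only the targetattr = "..." form is accepted; anything else (targetattr !=,
# targetfilter, ...) raises so the audit fails closed instead of skipping it.
_ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s*3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;\s*(?P<body>.*)\)\s*$',
    re.IGNORECASE | re.DOTALL,
)
_PERM_RE = re.compile(
    r'(?P<kind>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*(?P<rule>[^;]*);',
    re.IGNORECASE,
)


def unfold_ldif(text):
    """Join LDIF continuation lines and return [(dn, [aci value, ...]), ...]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation: drop exactly one leading space
        else:
            lines.append(raw)
    entries, dn, acis = [], None, []
    for line in lines:
        if line.lower().startswith("dn:"):
            if dn is not None:
                entries.append((dn, acis))
            dn, acis = line[3:].strip(), []
        elif line.lower().startswith("aci:"):   # base64 (aci::) values are not handled
            acis.append(line[4:].strip())
    if dn is not None:
        entries.append((dn, acis))
    return entries


def parse_aci(entry_dn, aci):
    """Split one aci value into its allow/deny clauses."""
    m = _ACI_RE.match(aci.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax on {entry_dn}: {aci[:60]}")
    attrs = tuple(a.strip().lower() for a in m.group("attrs").split("||"))
    perms = [
        Permission(entry_dn, m.group("name"), p.group("kind").lower(),
                   frozenset(r.strip().lower() for r in p.group("rights").split(",")),
                   p.group("rule").strip(), attrs)
        for p in _PERM_RE.finditer(m.group("body"))
    ]
    if not perms:
        raise ValueError(f"no permission clause found on {entry_dn}: {aci[:60]}")
    return perms


def writers_of(ldif_text, attribute):
    """Allow clauses whose targetattr covers `attribute` and whose rights include write or all."""
    wanted = attribute.lower()
    hits = []
    for entry_dn, acis in unfold_ldif(ldif_text):
        for aci in acis:
            for perm in parse_aci(entry_dn, aci):
                covers = "*" in perm.target_attrs or wanted in perm.target_attrs
                if perm.kind == "allow" and covers and perm.rights & {"write", "all"}:
                    hits.append(perm)
    return hits


if __name__ == "__main__":
    for attr in ("sshPublicKey", "userPassword"):
        print(f"Bind rules that may write {attr}:")
        for p in writers_of(SAMPLE_LDIF, attr):
            print(f"  {p.label:34} on {p.entry_dn}: {p.bind_rule}")
```

Run against an export of the real suffix (for example the output of ldapsearch with the aci attribute requested), the three expected labels should be the only writers of sshPublicKey; any extra line is a bind rule that has quietly become an ssh key administrator.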
Beyond maintaining a trusted list of administrators, note that ldaphostmgr can manage keys not
only on the local host but also on any remote host that is a member of the same LDAP-UX domain
(that is, one that uses the same LDAP-UX configuration profile). For remote administration to work,
however, the administrators' accounts must also carry POSIX account attributes; this is not
required if remote administration is not needed.
You can create an administrator that has the rights to manage ssh public keys using the ldapugadd
and ldapugmod utilities, as in Example 13:
Example 13 Creating an administrator that has the rights to manage ssh public keys
1. Create the new account using ldapugadd:
# /opt/ldapux/bin/ldapugadd -P -f "Alice Bobson" abobson Surname=Bobson
# /opt/ldapux/bin/ldapuglist -n abobson
dn: uid=abobson,ou=people,dc=mydomain,dc=example,dc=com
cn: Alice Bobson
uid: abobson
uidNumber: 3840
gidNumber: 20
loginShell: /usr/bin/sh
homeDirectory: /home/abobson
gecos: Alice Bobson
2. Add the user to one of the privileged groups (HostAdmins in this case):
# /opt/ldapux/bin/ldapugmod -P -t group -a abobson HostAdmins
# /opt/ldapux/bin/ldapuglist -t group -n HostAdmins
dn: cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com
cn: HostAdmins
memberUid: domadmin
memberUid: abobson
If you already have users that are considered administrators, but do not have posixAccount
information attached to their directory server entries, you can use the ldapugmod command to
264 Managing ssh host keys with LDAP-UX (HP directory servers only)