LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
extend their accounts with POSIX attributes. The following example shows how to add
posixAccount attributes to an existing user:
Example 14 Extending administrator accounts with posixAttributes
1. Identify the account to extend:
# /opt/ldapux/bin/ldapuglist -F "(cn=bob alison)" \*
dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
gecos: Bob Alison,+1-303-555-5432
2. Add posixAccount attributes using the -O option of ldapugmod:
# /opt/ldapux/bin/ldapugmod -P -O -n balison -u 1234 -g users -d /home/balison \
-s /usr/bin/sh -D "cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com"
# /opt/ldapux/bin/ldapuglist -n balison \*
dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
uid: balison
uidNumber: 1234
gidNumber: 20
loginShell: /usr/bin/sh
homeDirectory: /home/balison
gecos: Bob Alison,+1-303-555-5432
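A way to confirm that the extension in Example 14 produced a complete posixAccount, shown as an added example that is not part of the HP guide: the function below reads an entry in the "attr: value" form printed by ldapuglist and reports which attributes required by the RFC 2307 posixAccount object class are absent. The function name missing_posix_attrs is hypothetical, and the two sample entries are copied from steps 1 and 2 above.

```shell
#!/bin/sh
# Added example (not from the HP guide). Reads one entry in the "attr: value"
# form printed by ldapuglist on stdin and prints, space-separated, the
# attributes that RFC 2307 requires for posixAccount but the entry lacks.
missing_posix_attrs() {
    awk '
        BEGIN { n = split("cn uid uidNumber gidNumber homeDirectory", req, " ") }
        # Attribute names are case-insensitive in LDAP; compare in lower case.
        /^[A-Za-z][A-Za-z0-9;-]*:/ {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name != "dn") seen[name] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!(tolower(req[i]) in seen))
                    out = out (out == "" ? "" : " ") req[i]
            print out
        }
    '
}

# Entry as listed in step 1 of Example 14 (before ldapugmod -O).
before='dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
gecos: Bob Alison,+1-303-555-5432'

# Entry as listed in step 2 of Example 14 (after ldapugmod -O).
after='dn: cn=Bob Alison,ou=people,dc=mydomain,dc=example,dc=com
cn: Bob Alison
uid: balison
uidNumber: 1234
gidNumber: 20
loginShell: /usr/bin/sh
homeDirectory: /home/balison
gecos: Bob Alison,+1-303-555-5432'

echo "missing before: $(printf '%s\n' "$before" | missing_posix_attrs)"
echo "missing after:  $(printf '%s\n' "$after" | missing_posix_attrs)"
```

On a live host, the function can read the output of the ldapuglist command from step 2 directly instead of the embedded copies.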
If Bob Alison is not already a member of a privileged group, then you can add him as a member
of the Host Administrators group, using a command similar to the one in the previous example:
/opt/ldapux/bin/ldapugmod -t group -P -a balison HostAdmins
NOTE: In the previous examples, the HostAdmins group is a posixGroup. By default, the
ldapugmod tool only works with posixGroups. However, you can still use ldapugmod to modify
non-posixGroups if your LDAP-UX profile specifies LDAP-style attribute mapping for LDAP-style
groups, and you use the -D option to specify the full DN of the group you want to manage.
If you use groupOfUniqueNames for your LDAP-style groups, then your attribute mapping for group
membership as defined in the LDAP-UX configuration profile should be:
attributemap: group:memberUid=uniqueMember member memberUid
If you use groupOfNames for your LDAP-style groups, then your attribute mapping for group
membership as defined in the LDAP-UX configuration profile should be:
attributemap: group:memberUid=member uniqueMember memberUid
To modify a non-posixGroup, you must use the -D option when specifying the group to modify.
For example, assume that cn=Host Administrators is a groupOfNames, but not a posixGroup.
You can add balison as a member using the previously described attributeMap and the
following command:
/opt/ldapux/bin/ldapugmod -t group -P -a balison \
-D "cn=Host Administrators,ou=Groups,dc=mydomain,dc=example,dc=com"
8.3 Managing keys in the directory server
If you have not yet set up a directory server to manage your host information, you can use the
LDAP-UX guided installation (autosetup) to create a new directory server and configure LDAP-UX
to manage hosts in that directory server. The guided installation sets up an environment that meets
the host repository requirements described in the previous section.
After you establish a repository and security framework for your host information, as described in
the previous section, you can begin to manage those hosts. The remainder of this section describes
how to properly configure HP-UX hosts to use the central repository for ssh keys and how to manage
the hosts and their keys.