LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
If you did not configure LDAP-UX on the current host using the guided installation, you might not
have an entry in the directory server that represents the current host. In that case, you can add the
host using the -a option of the ldaphostmgr command as follows:
brewer(): id
uid=8507(domadmin) gid=220(ldap) groups=88(DomainAdmins)
brewer(): ldaphostmgr -a -f -k rsa "$(hostname)"
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
brewer(): ldaphostlist -k -n "$(hostname)"
dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com
cn: brewer
cn: brewer.mydomain.example.com
ipHostNumber: 16.92.96.225
sshPublicKey: ssh-rsa AAAA...== BEGIN-KM creationtime=20100423234903Z END-KM
In this example, the -a option indicates that the host should be added as a new entry to
the directory server. The -f option indicates that the fully qualified domain name should also be
added, and the -k option indicates that the RSA (protocol version 2) key should be added. Other
key types can be used: the -k option also accepts rsa1, dsa, and all, where all means
add or modify all three key types.
NOTE: Whenever you add a new host to the directory server that will contain sshPublicKeys,
you must use the -f option to add the fully qualified domain name (FQDN) for the host, if the
FQDN has not been set. The ssh toolset uses network naming services (typically DNS) to determine
the host name for a host's IP address. In doing so, it resolves to a fully qualified domain name,
which ssh then needs to validate against the directory server. Notice that in the previous example,
the cn attribute is listed twice, once with the short name and once with the FQDN.
The ldaphostmgr and ldaphostlist tools provide a smoother user interface for entering user
credentials when used by accounts that have posixAccounts managed in the directory server. For
the purposes of this demonstration, the domadmin user is used, which is created by default when
a new directory server instance is created using the guided installation.
When ldaphostmgr is used to add a new host, it determines the location to add the host using
the LDAP-UX configuration profile. By default, when using a guided installation, this location is
ou=Hosts,defaultBaseDN. You can use the ldapcfinfo command to determine the location
that ldaphostmgr will use:
# /opt/ldapux/bin/ldapcfinfo -t hosts -b
ou=Hosts,dc=mydomain,dc=example,dc=com
See Section 8.2.2 (page 262) for additional information. If you want to place the host in a different
location of the directory server tree, you can use the -B option.
While ldaphostmgr can be used to add the current ssh public keys of the local host, it is also
possible to add keys of other remote HP-UX hosts managed by LDAP-UX that are in the current
LDAP-UX domain. Just specify the name of the remote host; however, if ldaphostmgr has no way
to identify the remote host, it displays an ssh-like warning message to indicate this:
chef(): ldaphostmgr -a -f -k rsa baker
bind-dn [uid=domadmin,ou=People,dc=mydomain,dc=example,dc=com]:
Password:
WARNING: The identity of the host "baker" could not be verified.
SSH key fingerprint: b4:2f:45:c2:b0:17:a2:7b:a0:a7:88:61:a9:36:f2:4c.
The SSH key for the remote host is unknown. This host's key is currently not
managed in the directory server and should be positively identified before
adding this key to the directory server. Once added, this key will be
trusted by all other LDAP-enabled ssh clients. Using ldaphostmgr on the
remote host, instead of adding this key remotely, will avoid generating
this warning message. Do you wish to trust this key (y/n)?: n
ERROR: HST_UNTRUSTED_REMOTE_HOST:
The identity of the host "baker" could not be verified. SSH key
8.3 Managing keys in the directory server 267
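Before answering "y" to the trust prompt above, an administrator needs the fingerprint of the key that is (or is about to be) stored in the directory so it can be compared out of band with the remote host. The following is an added example, not part of the LDAP-UX toolset: it parses an ldaphostlist entry in the form shown earlier, strips the BEGIN-KM/END-KM metadata, derives the MD5 colon-form fingerprint (the format ldaphostmgr prints) plus SHA256, checks that the key type inside the blob matches its prefix, and flags entries lacking the FQDN cn required by the NOTE. The entry and key blob are constructed sample data, not real output.

```python
import base64
import hashlib
import re
import struct

# Constructed sample blob shaped like an OpenSSH "ssh-rsa" public key: the
# modulus is deliberately tiny so the example runs offline; the attribute format
# is identical for real 2048-bit keys.
SAMPLE_BLOB = (struct.pack(">I", 7) + b"ssh-rsa"                                  # key type string
               + struct.pack(">I", 3) + b"\x01\x00\x01"                           # e = 65537 (mpint)
               + struct.pack(">I", 12) + b"\x00" + bytes.fromhex("c0ffeedeadbeef0badf00d"))  # n, zero-padded
SAMPLE_ENTRY = (  # constructed to mirror the ldaphostlist output above
    "dn: cn=brewer,ou=Hosts,dc=mydomain,dc=example,dc=com\n"
    "cn: brewer\n"
    "cn: brewer.mydomain.example.com\n"
    "ipHostNumber: 16.92.96.225\n"
    "sshPublicKey: ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()
    + " BEGIN-KM creationtime=20100423234903Z END-KM\n"
)

KM_RE = re.compile(r"\s+BEGIN-KM\s+(.*?)\s+END-KM\s*$")  # LDAP-UX key metadata trailer

def fingerprints(blob):
    """MD5 in the colon form ldaphostmgr prints, plus the OpenSSH SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256": sha}

def audit(entry_text):
    """Parse one ldaphostlist entry; report FQDN presence and per-key details."""
    cns, keys = [], []
    for line in entry_text.splitlines():
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "cn":
            cns.append(value)
        elif attr == "sshPublicKey":
            meta = {}
            m = KM_RE.search(value)
            if m:  # split "creationtime=..." style pairs out of the trailer
                meta = dict(kv.split("=", 1) for kv in m.group(1).split())
                value = value[:m.start()]
            key_type, b64 = value.split()[:2]
            blob = base64.b64decode(b64)
            (tlen,) = struct.unpack(">I", blob[:4])  # blob starts with its own type string
            keys.append({"type": key_type,
                         "type_matches_blob": blob[4:4 + tlen] == key_type.encode(),
                         "creationtime": meta.get("creationtime"),
                         **fingerprints(blob)})
    # heuristic: a dotted cn is taken to be the FQDN the NOTE above requires
    return {"fqdn_present": any("." in cn for cn in cns), "keys": keys}
```

Run audit() over the output of ldaphostlist -k -n for the host in question and compare the reported MD5 value with the fingerprint shown by ssh-keygen -l on the host itself before trusting the key.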