LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

administrator proxy credential file /etc/opt/ldapux/acred. If you are using only anonymous
access, you do not need to use this tool. You must run this tool logged in as root. While the data
stored in the pcred and acred files is protected for root-only access and is not stored in plain
text, the data is not encrypted.
The /etc/opt/ldapux/pcred file is used to contain credentials that represent all users of the
HP-UX OS to the directory server. For example, when a user wants to run the ls -l command to
see who owns a file or directory, the OS must contact the directory server to translate the owner
ID number into a name. If the directory server does not allow anonymous access, a proxy user
must be created to authenticate to the directory server and represent any user requesting
such information.
The /etc/opt/ldapux/acred file is used to represent any administrative user (typically root);
this user should have additional permissions in the directory server beyond that of the nonprivileged
user. The acred file will store the credentials of a user with permissions to modify specific attributes
(as needed) based on commands that are performed on the OS. Specifically, the acred credential
allows a root user to change any user's nisPublickey and nisPrivate key attributes. Because
the chkey and newkey commands do not prompt for directory user credentials, the acred file
is required to allow the administrator to reset such attributes. The acred file is also used by the
ldapugadd, ldapugmod, ldapugdel and ldaphostmgr commands. However, those utilities
can prompt for credentials or obtain them by other methods, so the acred file
is not required for them. Because a privileged credential is stored in the acred file, creation of the acred
file is recommended only for managing NIS keys in the directory server, and only if key reset is
required. In addition, access to the acred file must be restricted.
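The guide states that pcred and acred are protected for root-only access but not encrypted, and that access to acred must be restricted. The shell functions below are an added example, not part of the HP guide or of LDAP-UX: they check each file's type, owner and mode. The function names, and the choice to treat any group or other permission bit as a finding, are assumptions.

```shell
#!/bin/sh
# Added example: audit the LDAP-UX proxy credential files for root-only access.
# check_cred_file and audit_ldapux_creds are hypothetical helper names.

# check_cred_file FILE [OWNER]
# Returns 0 if clean, 1 on a finding, 2 if the file does not exist.
check_cred_file() {
    cf=$1
    want_owner=${2:-root}
    cf_rc=0

    # Test for a symlink first: -e and -f follow links.
    if [ -h "$cf" ]; then
        echo "FAIL $cf: is a symbolic link"; return 1
    fi
    if [ ! -e "$cf" ]; then
        echo "INFO $cf: not present"; return 2
    fi
    if [ ! -f "$cf" ]; then
        echo "FAIL $cf: not a regular file"; return 1
    fi

    # ls -ld fields: 1 = mode string, 3 = owner.
    cf_mode=$(ls -ld "$cf" | awk '{print $1}')
    cf_owner=$(ls -ld "$cf" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    cf_go=$(printf '%s' "$cf_mode" | cut -c5-10)

    if [ "$cf_owner" != "$want_owner" ]; then
        echo "FAIL $cf: owner is $cf_owner, expected $want_owner"; cf_rc=1
    fi
    if [ "$cf_go" != "------" ]; then
        echo "FAIL $cf: group/other access present ($cf_mode)"; cf_rc=1
    fi
    [ "$cf_rc" -eq 0 ] && echo "OK   $cf: $cf_mode $cf_owner"
    return "$cf_rc"
}

# Audit both files named in the guide. A missing file is reported but is not
# a finding: pcred is unused with anonymous access, and acred is optional.
audit_ldapux_creds() {
    audit_rc=0
    for cred in /etc/opt/ldapux/pcred /etc/opt/ldapux/acred; do
        check_cred_file "$cred" root || case $? in 1) audit_rc=1 ;; esac
    done
    return "$audit_rc"
}
# As root: audit_ldapux_creds || echo "credential file permissions need review"
```
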
9.2.6.1 Syntax
ldap_proxy_config [options]
where options can be any of the following:
-A    Action applies to the Admin Proxy user. This option must be specified with another
      option to apply the operation to the Admin Proxy user.

-e    Erases the currently configured proxy user from the file /etc/opt/ldapux/pcred.
      Has no effect on the proxy user information in the directory itself.

-i    Configures the proxy user interactively from stdin. Use the -A -i options to
      configure an Admin Proxy user.

      If you use ldap_proxy_config -i to configure the proxy user with simple
      authentication, type the command with -i and then press Enter. Next type the
      proxy user DN and press Enter. Finally type the proxy user's credential or password
      and press Enter.

      If you configure the proxy user using SASL/DIGEST-MD5 with DN authentication
      (that is, using the DN to generate the DIGEST-MD5 hash), type the command with
      -i and press Enter. Next type the proxy user DN and press Enter. Next type the
      proxy user's credential or password and press Enter. Finally press Enter.

      If you configure the proxy user using SASL/DIGEST-MD5 with UID authentication
      (that is, using the UID attribute to generate the DIGEST-MD5 hash), type the
      command with -i and press Enter. Next type the proxy user DN and press Enter.
      Next type the proxy user's credential or password and press Enter. Finally type
      the proxy user's UID and press Enter.

      When you use the ldap_proxy_config -A -i command to configure an
      Admin Proxy user interactively from stdin, the configuration procedures are similar
      to the procedures used by the ldap_proxy_config -i command for a proxy
      user.

      When configuring an Admin Proxy user, if you enter only the Admin Proxy user's
      DN without a password, root's password will be used instead.