LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

keys of the host found in the directory server match those specified
in the /etc/opt/ssh/*.pub files.
Note that if a -k option is specified and the host being managed
is remote, a remote login to that host is required and performed by
ldaphostmgr to modify the remote keys. This means that when
the LDAP credentials are specified (through the prompt or
LDAP_BINDDN), they must also represent a POSIX account, such
that a remote login to that host can be performed by ldaphostmgr
using that identity.
The -k option is not supported with ADS.
-e days-to-expire
To keep track of when keys were originally generated,
ldaphostmgr adds a unique management-string to the
comment field of the public key. The management-string begins
with BEGIN-KM and ends with END-KM. This field is an extensible
attribute/value array, which contains at least the creationtime
attribute, which identifies when the key was created. In addition,
when the -e option is specified, the expirationtime attribute
can also be added. Discovery of hosts with expired keys can be
performed with the -k option of the ldaphostlist command.
Used together, ldaphostlist and ldaphostmgr can keep
expired keys up-to-date. See the -k option for additional
information.
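The following added example (not part of the HP guide, and not ldaphostmgr's own code) audits public key lines for the management-string described under -e. The attribute=value layout between BEGIN-KM and END-KM and the YYYYMMDDHHMMSSZ timestamp format are assumptions, because the guide does not state them; the key material and host names are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# ASSUMPTIONS (not stated in the guide): attributes appear as attr=value
# pairs separated by spaces or commas, and timestamps are UTC in the
# LDAP generalized-time form YYYYMMDDHHMMSSZ.
KM_RE = re.compile(r"BEGIN-KM(.*?)END-KM")
PAIR_RE = re.compile(r"([A-Za-z]+)=([^\s,]+)")

def parse_km(pubkey_line):
    """Return management-string attributes from a public key line, or None."""
    fields = pubkey_line.strip().split(None, 2)  # type, base64 key, comment
    m = KM_RE.search(fields[2]) if len(fields) == 3 else None
    if not m:
        return None
    attrs = {k.lower(): v for k, v in PAIR_RE.findall(m.group(1))}
    # The guide says creationtime is always present in a management-string.
    return attrs if "creationtime" in attrs else None

def _ts(value):
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def key_status(pubkey_line, now):
    """Return 'unmanaged', 'no-expiry', 'valid', 'expired' or 'malformed'."""
    attrs = parse_km(pubkey_line)
    if attrs is None:
        return "unmanaged"          # key has no usable management-string
    try:
        created = _ts(attrs["creationtime"])
        if "expirationtime" not in attrs:
            return "no-expiry"      # key was generated without -e
        expires = _ts(attrs["expirationtime"])
    except ValueError:
        return "malformed"          # unparseable timestamp: review by hand
    if expires <= created:
        return "malformed"          # expiry before creation is suspicious
    return "expired" if now >= expires else "valid"

# Constructed sample lines; "AAAAPLACEHOLDER" is not real key material.
K = "ssh-rsa AAAAPLACEHOLDER "
SAMPLES = [
    K + "host1 BEGIN-KM creationtime=20230101000000Z expirationtime=20240101000000Z END-KM",
    K + "host2 BEGIN-KM creationtime=20240301000000Z expirationtime=20250301000000Z END-KM",
    K + "host3 BEGIN-KM creationtime=20240301000000Z END-KM",
    K + "admin@host4",
    K + "host5 BEGIN-KM creationtime=20240301000000Z expirationtime=notadate END-KM",
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    for line in SAMPLES:
        print(key_status(line, now), line.split()[2])
```

Keys reported as unmanaged or malformed deserve the same attention as expired ones, since they fall outside the expiry tracking altogether.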
-i ipaddr
Adds the specified IP Address to the host entry, in the
ipHostNumber attribute (or mapped attribute). The ipaddr can
be either an IPv4 or IPv6 style address. IPv6 style addresses are
normalized to match the format recommended by the RFC2307-bis
IETF draft. If ! is specified at the beginning of the ipaddr, the
specified IP address is removed instead. If ! is specified, but no IP
address is specified, then all values specified in the ipHostNumber
attribute are removed and replaced with the value 0.0.0.0.
Because the ipHost object class is critical for distinguishing host
entries in an LDAP directory server, by default ldaphostmgr adds
the ipHost object class and the ipHostNumber attribute, using
the discovered IP Address for the host.
NOTE: If ! is specified to remove a specific IP address, and you
remove the last IP address associated with the host, ldaphostmgr
also removes the ipHost object class. This could prevent the host
from appearing in LDAP-UX (depending on the hosts service
descriptor search filter in the LDAP-UX profile). If you want to
maintain the object classification of the ipHost, use ! by itself to
replace it with 0.0.0.0.
-r role
Specifies an organizational role for this host. Role is a free-format
key-string that will be assigned to the entityRole attribute. The
value specified in role replaces all values for the entityRole
attribute. The -r option may be specified more than once if more
than one role applies to the host. Organizations should consider
standardizing role key-strings, such that they can be used in LDAP
search filters to discover and manage classes of systems.
If ! is specified at the beginning of the role, the specified role is
removed instead. If ! is specified, but no role is specified, then all
values specified in the entityRole attribute are removed. Note:
9.3 LDAP user and group management tools 335