LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
established, remaining directory servers on the host list are not contacted. Once connected,
ldaphostmgr first determines if the environment variables LDAP_BINDDN or LDAP_BINDCRED
were specified. If both are specified, then ldaphostmgr attempts to bind to the directory server
using the specified credentials and the configured LDAP-UX authentication method. If neither of the
previously mentioned environment variables is specified, then ldaphostmgr determines if the
configured credential type is “proxy” and, if so, attempts to bind to the directory server using the
configured LDAP-UX proxy credential. If configured, the acred proxy credential is used for
administrative users (determined if the user running ldaphostmgr has enough privilege to read
the /etc/opt/ldapux/acred file). An additional requirement when managing a remote host
is that the specified credential must also have POSIX account attributes in its directory
server entry. This means that if the acred credentials are used, they too must represent a POSIX
account.
NOTE: To prevent discovery of the LDAP administrator’s credentials, the LDAP user DN and
password cannot be specified as command-line options to the ldaphostmgr utility.
9.3.8.5 Security Considerations
• Use of ldaphostmgr requires permissions of an LDAP administrator when it performs its
operations on the directory server. The rights to create new LDAP directory entries under the
requested subtree, along with creation of the required attributes in that entry must be granted
to the LDAP administrator identity that is specified when executing ldaphostmgr.
• When creating, changing, or validating the host keys of a remote host, ldaphostmgr attempts
to create a session on the remote host using the identity of the user running the ldaphostmgr
command. This means the specified LDAP identity must have an associated posixAccount
object class. The session to the remote host is established using ssh itself. If the ssh public key
for the remote host is not defined in the directory server or in a local known_hosts file, the
user is prompted before creating a connection to the remote host (since in this condition, it is
possible the remote host is an impostor). Such connections should not be allowed unless the
key fingerprint can be validated.
• If the current user has sufficient privilege to modify the sshPublicKey attribute in a
representative host entry in the directory server, ldaphostmgr allows the current user to
modify the public and private key pairs for the host (local or remote). ldaphostmgr runs as
a setuid program and temporarily elevates its privilege in this situation.
• As with any identity repository, modifications to this repository will likely have impacts
as defined by the organization’s security policy. Users of ldaphostmgr are expected to
have full knowledge of the impact on the organization’s security policy when adding, removing,
or modifying host information in that repository.
• To support noninteractive use of the ldaphostmgr command, specification of the LDAP user’s
credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED environment
variables. To prevent exposure of these environment variables, they should be unset after use.
Note that the shell’s command history log might contain copies of the executed commands
that show the setting of these variables. Access to a shell’s history file must be protected. As
an alternative, the environment variables used by ldaphostmgr may be specified in a file,
using the -E option. Specification of the LDAP administrator’s credentials on the command
line is not allowed, since information about the currently running processes can be exposed
externally from the session. Allowing interactive prompting for these credentials (not specifying
-X) eliminates the need to set the LDAP_BINDDN and LDAP_BINDCRED environment variables.
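The following wrapper is an added example, not code from the HP guide, showing one way to apply the last bullet: the administrator's DN and password go into a mode-0600 file passed with -E, never onto the command line, and the file is removed as soon as the run finishes. It assumes the -E file is a NAME=value list with one variable per line (the guide does not show the format here), that the binary path is the assumed /opt/ldapux/bin/ldaphostmgr, and that -X is the noninteractive switch the bullet refers to.

```shell
#!/bin/sh
# Added example (not from the HP guide): noninteractive ldaphostmgr run that keeps
# LDAP_BINDDN / LDAP_BINDCRED out of argv, `ps` output and the shell history.
# ASSUMED: -E reads NAME=value lines; binary path below is a placeholder.
LDAPHOSTMGR=${LDAPHOSTMGR:-/opt/ldapux/bin/ldaphostmgr}

# make_env_file DIR BINDDN
# Creates a file readable only by the caller holding the two variables the
# guide names. The password is read from stdin so it never appears in argv.
# Runs in a subshell so the restrictive umask does not leak into the session.
make_env_file() (
    dir=$1; binddn=$2
    umask 077                              # file is 0600 from the moment it exists
    f="$dir/ldaphostmgr.env.$$"
    IFS= read -r cred                      # caller pipes the password in
    printf 'LDAP_BINDDN=%s\nLDAP_BINDCRED=%s\n' "$binddn" "$cred" > "$f"
    printf '%s\n' "$f"
)

# env_file_mode FILE : permission string as shown by ls, e.g. -rw-------
env_file_mode() {
    ls -ld "$1" | cut -c1-10
}

# run_ldaphostmgr ENVFILE ARGS... : invoke the utility with -E (the caller adds
# -X and the operation arguments) and delete the credential file afterwards,
# even when the command fails or the shell is interrupted. Nothing is exported,
# so no LDAP_BINDDN/LDAP_BINDCRED remains in the environment to unset.
run_ldaphostmgr() {
    envfile=$1; shift
    trap 'rm -f "$envfile"' EXIT INT TERM
    rc=0
    "$LDAPHOSTMGR" -E "$envfile" "$@" || rc=$?
    rm -f "$envfile"
    trap - EXIT INT TERM
    return $rc
}
```

In an interactive bash session, prefix the invocation with a space under HISTCONTROL=ignorespace (or run `set +o history` first) so the call itself is not written to the history file either.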
9.3.8.6 Usage Notes
Under common usage, ldaphostmgr uses the LDAP replace operation when changing values of
an attribute in an entry. This might affect attributes that have multiple values, because the replace
operation removes all existing values of the attribute and replaces them with the one specified on the ldaphostmgr
338 Command and tool reference