LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
configured credential type is “proxy” and, if so, attempts to bind to the directory server using the
configured LDAP-UX proxy credential. If configured, the acred proxy credential is used for
administrative users (that is, users running ldaphostlist who have enough privilege to read
the /etc/opt/ldapux/acred file). Otherwise, the credential configured in
/etc/opt/ldapux/pcred is used. If the proxy credential is not configured and the -P option has not been specified,
ldaphostlist connects anonymously.
NOTE: To prevent discovery of the LDAP administrator’s credentials, the LDAP user DN and
password cannot be specified as command-line options to the ldaphostlist utility.
9.3.9.6 Errors and Warnings
Upon exit, ldaphostlist returns a 0 (zero) exit status if no errors or warnings were encountered.
If ldaphostlist encounters an error or warning, a nonzero exit status is returned, and one or
more messages are logged to stderr. Messages have the following format:
ERROR: code:
message
or
WARNING: code:
message
Leading extra white space might be inserted to improve readability and follow 80-column screen
formatting. code is a programmatically parsable error key-string, while message is
human-readable. For a list of possible error codes generated by the LDAP user and group
management tools, see Section 9.3.3 (page 285). In addition, see specific return codes for each
of the tools that manage users and groups.
9.3.9.7 External influences
9.3.9.7.1 Environment Variables
The ldaphostlist tool supports the following environment variables:
LDAP_BINDDN     Specifies the DN of a user with sufficient directory server privilege to
                discover and enumerate hosts in the LDAP directory server. While this
                variable is optional, if LDAP_BINDDN is specified, LDAP_BINDCRED must
                also be specified.
LDAP_BINDCRED   Specifies a password or other type of credential used for the user
                specified by the LDAP_BINDDN. While this variable is optional, if
                LDAP_BINDCRED is specified, LDAP_BINDDN must also be specified.
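
The message format from Section 9.3.9.6 and the pairing rule for LDAP_BINDDN and LDAP_BINDCRED, as an added shell example that is not part of the HP guide: it checks that the two variables are set together and turns ERROR/WARNING output into one record per message. The function names, the tab-separated output layout, and the sample codes are assumptions made for illustration.

```shell
# Added example (not HP code). Function names and sample codes are hypothetical.

# Succeeds only when LDAP_BINDDN and LDAP_BINDCRED are both set or both unset.
check_bind_env() {
    if [ -n "${LDAP_BINDDN:-}" ] && [ -z "${LDAP_BINDCRED:-}" ]; then
        echo "LDAP_BINDDN is set but LDAP_BINDCRED is not" >&2; return 1
    fi
    if [ -z "${LDAP_BINDDN:-}" ] && [ -n "${LDAP_BINDCRED:-}" ]; then
        echo "LDAP_BINDCRED is set but LDAP_BINDDN is not" >&2; return 1
    fi
    return 0
}

# Reads tool stderr on stdin and prints one tab-separated record per entry:
# severity, code, message. Leading white space is dropped and wrapped message
# lines are joined, because output may be reflowed to 80 columns.
parse_ldapux_stderr() {
    awk '
        function emit() {
            if (sev != "") printf "%s\t%s\t%s\n", sev, code, msg
            sev = ""; code = ""; msg = ""
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "") next
            if (match(line, /^(ERROR|WARNING):[ \t]*/)) {
                emit()
                sev = substr(line, 1, index(line, ":") - 1)
                rest = substr(line, RLENGTH + 1)
                c = index(rest, ":")      # the code ends at the next colon
                if (c > 0) { code = substr(rest, 1, c - 1); msg = substr(rest, c + 1) }
                else { code = rest }
                sub(/^[ \t]+/, "", msg)
            } else if (sev != "") {
                if (msg == "") msg = line; else msg = msg " " line
            }
        }
        END { emit() }
    '
}

# Constructed sample stderr; the codes are placeholders, not real LDAP-UX codes.
SAMPLE_STDERR='  WARNING: EXAMPLE_WARN_CODE:
      constructed warning text that wraps
      onto a second line
ERROR: EXAMPLE_ERR_CODE:
  constructed error text'

printf '%s\n' "$SAMPLE_STDERR" | parse_ldapux_stderr
```

Run check_bind_env before invoking the tool, and key any automation on the second field (the code) rather than on the human-readable message.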
9.3.9.7.2 LDAP-UX Configuration
If ldaphostlist binds to the directory server using the proxy user’s credential (this can happen
if LDAP-UX is configured to use the proxy user, and credentials were not provided to
ldaphostlist, as described in Section 9.3.9.5 (page 346)), the attributes displayed by
ldaphostlist might be limited. This can occur because ldaphostlist must assume that the
LDAP-UX proxy user has more rights to view data in the directory server than a nonprivileged user.
(For example, assume an administrator configured the cn=Directory Manager as a proxy
user.) In this scenario, ldaphostlist displays only the cn, ipHostNumber, and
sshPublicKey attributes, even when the attr list is requested. If LDAP-UX is configured to use
the proxy user, you can indicate to ldaphostlist that the proxy user does not have special
privileges. To do so, modify the proxy_is_restricted parameter in the
/etc/opt/ldapux/ldapclientd.conf file. Setting proxy_is_restricted to 1 allows ldaphostlist to
display any attribute requested in the attr list, if the proxy user is allowed to view that attribute.
9.3 LDAP user and group management tools 347