LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

Table 4 New object classes
Description and useAttribute name
Contains attributes that describe configurable service objects. It typically extends
the iPService object class.
networkService
An object class used to classify objects being managed, such as users, hosts,
etc.
domainEntity
A subset of the networkService object class, it is used to indicate that at least
some services provided by the object can be centrally configured.
configurableService
An auxiliary object class that indicates the object has an associated ssh public
key.
ldapPublicKey
The general intent of the object classes and attributes described by the schema is to provide a way
to help group and classify objects within an organization. For example, suppose an organization
wants to register printers in the directory server, and the organization has a policy that “Top Secret”
documents may only be printed on a restricted set of printers. The organization could have all
printers that are eligible for printing “Top Secret” documents created with the
entitySecurityLevel attribute value set to “Top Secret”. The conventions used with the
attributes in the preceding table, such as defining acceptable value sets, are entirely up to the
policies of the organization. The “Top Secret” printer is just one example of such a convention.
While the usage of the schema as defined in this section is entirely optional and up to the
organization, when classifying objects, organizations should consider standardizing key strings.
For example, a limited set of key strings should be defined for an object’s role, enabling the use
of LDAP search filters to easily identify all objects of the same role. For information about how to
use the schema for identifying classes of systems, see Section 7.8.6 (page 240).
Most of the attributes described in Table 3 (page 36) are multi-valued. For example, you can define
more than one role for an object by specifying the entityRole attribute with multiple values.
For more information about the schema described in this section, see the /etc/opt/ldapux/
schema/ldapux50.xml and /etc/opt/ldapux/schema/ssh_schema.xml files.
2.3.2.3 Security framework
When a new directory server instance is created, the guided installation defines a simple access
control framework that provides basic protection for data stored in that directory server.
In most directory server deployments, the general policy is to manage public data while maintaining
high data integrity. The guided installation creates access control instructions that instantiate such
a policy. Most attributes in the directory server are considered public to the organization in which
it is deployed. The guided installation establishes controls such that those attributes can be managed
by a limited (privileged) set of individuals. There are exceptions to this policy. For example, the
user’s password (stored in the userPassword attribute) is private. Another exception is that, to
protect data integrity, most attributes are modifiable only by a limited set of privileged administrators.
However, some attributes may be modified by users themselves. For example, a user may modify
his own userPassword.
Because the base access policy assumes most information is public, at least within the organization,
HP recommends that this access control policy be reviewed before you store private or confidential
data in the directory server. You can modify the ACIs to suit your organization's unique privacy
and integrity requirements. A review of the ACIs created by the guided installation are described
in the following subsections. For more specific information about the access control instructions
and how to modify them, see the HP-UX Directory Server administrator guide.
2.3.2.3.1 Proxy users
One of the primary principles of the base security policy is that, although most information is
considered public, the scope of users considered public is limited to those who can authenticate
2.3 Guided installation (autosetup) for an HP directory server environment 37