LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

to the directory server. This means that information managed in the directory server subtree is
visible only to users who can bind and authenticate to the directory server. This policy is enforced
by the following ACI:
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr!="userPassword || nisSecretKey")(version 3.0; acl "[ALL:READ:NOT-PRIVATTRS]
  Enable proxied access"; allow (read, search, compare) userdn="ldap:///all";)
In other words, this ACI states that any attribute other than userPassword and nisSecretKey (that is,
every attribute holding managed information) is readable by any identity that has bound to the
directory server (ldap:///all). Because ldap:///all matches only authenticated binds, this ACI grants
nothing to anonymous connections.
To ensure that HP-UX hosts can retrieve user, group, and other information from the directory server,
the HP-UX OS must bind to the directory server on behalf of the users of that host. To do this, a
proxy entry that represents the host and its OS must be created in the directory server. This entry is
known as the proxy user. The customized installation requires that you create the proxy user manually.
The guided installation creates the entry in the directory server automatically. This user (the host
entry) is created with a randomly generated password, and the information is recorded in the
/etc/opt/ldapux/pcred file.
2.3.2.3.2 Access control rights
To ensure that administration rights are limited to specific individuals, access control instructions
are placed in the directory server to allow for administrator modification, owner modification, and
user self-modification:
Administration group access control rights: These allow for three levels of administration.
Three types of administration groups are created to allow management of data in the directory
server:
UserAdmins allows its members to create, modify, and remove user accounts. This
includes the ability to adjust user attributes, including passwords, account numbers, and
so forth. Members of this group can also manage groups, including creating, modifying,
and deleting groups, and adding and removing group members. The rights for
UserAdmins are granted with the following ACIs:
dn: ou=People,dc=mydomain,dc=example,dc=com
aci: (targetattr = "objectclass || cn || manager || gidNumber || givenName || homeDirectory ||
  homePhone || memberUid || memberURL || memberOf || ou || sn || uid || uidNumber ||
  uniqueMember || userPassword || userCertificate")
 (target = "ldap:///ou=People,dc=mydomain,dc=example,dc=com")
 (version 3.0;acl "[USERADMIN:ALL:USERATTRS] Allow changes to User attributes by User
  Administrators";allow (all)(groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
dn: ou=Groups,dc=mydomain,dc=example,dc=com
aci: (targetattr = "cn || objectclass || member || uniqueMember || memberUid || gidNumber ")
 (version 3.0;acl "[USERADMIN:WRITE:USERGROUPATTRS] Allow User Administrator Rights to modify
  group membership";allow (write) (groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
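As an added illustration that is not part of the HP guide, the following Python evaluates the three ACIs quoted above (the proxied-access rule and the two UserAdmins rules) against constructed identities, using a deliberately small model of the ACI grammar these rules use. It shows why the proxy user can read homeDirectory but not userPassword, why an anonymous bind gets nothing from ldap:///all, and why a UserAdmins member may write userPassword under ou=People and memberUid under ou=Groups but not an attribute outside the listed targetattr set. The Aci, Requester, is_allowed and demo names, the host, user and group DNs, and the expansion of allow (all) are assumptions of this example, not part of LDAP-UX or the directory server; the real server's evaluation (deny rules, further bind-rule keywords, attribute aliases) is richer than this.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# ACI values copied from this section; the evaluator below is a constructed model, not the server's.
PROXIED_READ_ACI = (
    '(targetattr!="userPassword || nisSecretKey")(version 3.0; acl "[ALL:READ:NOT-PRIVATTRS] '
    'Enable proxied access"; allow (read, search, compare) userdn="ldap:///all";)'
)
USERADMIN_PEOPLE_ACI = (
    '(targetattr = "objectclass || cn || manager || gidNumber || givenName || homeDirectory || '
    'homePhone || memberUid || memberURL || memberOf || ou || sn || uid || uidNumber || '
    'uniqueMember || userPassword || userCertificate")(target = "ldap:///ou=People,dc=mydomain,'
    'dc=example,dc=com")(version 3.0;acl "[USERADMIN:ALL:USERATTRS] Allow changes to User '
    'attributes by User Administrators";allow (all)(groupdn = "ldap:///cn=UserAdmins,ou=Groups,'
    'dc=mydomain,dc=example,dc=com");)'
)
USERADMIN_GROUPS_ACI = (
    '(targetattr = "cn || objectclass || member || uniqueMember || memberUid || gidNumber ")'
    '(version 3.0;acl "[USERADMIN:WRITE:USERGROUPATTRS] Allow User Administrator Rights to modify '
    'group membership";allow (write) (groupdn = "ldap:///cn=UserAdmins,ou=Groups,dc=mydomain,'
    'dc=example,dc=com");)'
)
# What "allow (all)" expands to in this model (assumption: every right except proxy).
ALL_RIGHTS = frozenset({"read", "write", "add", "delete", "search", "compare", "selfwrite"})

# Grammar subset these ACIs use: targetattr (= or !=), optional target, one allow, one bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\)'
    r'\s*(?:\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\))?'
    r'\s*\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*allow\s*\((?P<rights>[^)]*)\)'
    r'\s*\(?(?P<bindtype>userdn|groupdn)\s*=\s*"ldap:///(?P<binddn>[^"]*)"\)?\s*;\)'
)

def _norm_dn(dn: str) -> str:
    # Lower-case and strip spaces around commas so DNs compare by value.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    entry, base = _norm_dn(entry_dn), _norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)

@dataclass(frozen=True)
class Aci:
    placed_at: str          # DN of the entry whose aci attribute holds this rule
    name: str
    attr_negated: bool      # True for targetattr!=
    attrs: frozenset[str]   # lower-cased attribute names
    target: str | None      # subtree DN from (target = ...), if any
    rights: frozenset[str]
    bind_type: str          # "userdn" or "groupdn"
    bind_dn: str            # DN or the keyword "all", taken after ldap:///

    @classmethod
    def parse(cls, placed_at: str, text: str) -> Aci:
        m = ACI_RE.fullmatch(text.strip())
        if m is None:
            raise ValueError("ACI uses syntax this model does not handle: " + text[:40])
        attrs = frozenset(a.strip().lower() for a in m["attrs"].split("||") if a.strip())
        rights = frozenset(r.strip().lower() for r in m["rights"].split(","))
        return cls(placed_at, m["name"], m["op"] == "!=", attrs, m["target"],
                   ALL_RIGHTS if "all" in rights else rights, m["bindtype"], m["binddn"])

@dataclass(frozen=True)
class Requester:
    dn: str | None          # None models an anonymous (unauthenticated) bind
    groups: frozenset[str]  # DNs of groups the bound identity belongs to

def bind_rule_matches(aci: Aci, who: Requester) -> bool:
    if aci.bind_type == "groupdn":
        return any(_norm_dn(g) == _norm_dn(aci.bind_dn) for g in who.groups)
    if aci.bind_dn == "all":      # any authenticated identity, as in the proxied-access ACI
        return who.dn is not None
    return who.dn is not None and _norm_dn(who.dn) == _norm_dn(aci.bind_dn)

def is_allowed(policy: list[Aci], who: Requester, entry_dn: str, attr: str, right: str) -> bool:
    """Default deny: some in-scope ACI must grant `right` on `attr` of `entry_dn`."""
    attr, right = attr.lower(), right.lower()
    for aci in policy:
        # An ACI governs only the subtree it is placed on, narrowed further by any target clause.
        if not in_subtree(entry_dn, aci.placed_at) or (aci.target and not in_subtree(entry_dn, aci.target)):
            continue
        if (attr in aci.attrs) == aci.attr_negated:   # "=" needs a hit, "!=" needs a miss
            continue
        if right in aci.rights and bind_rule_matches(aci, who):
            return True
    return False

def demo() -> dict[str, bool]:
    """Evaluate the section's policy for constructed identities and entries."""
    base = "dc=mydomain,dc=example,dc=com"
    policy = [Aci.parse(base, PROXIED_READ_ACI),
              Aci.parse("ou=People," + base, USERADMIN_PEOPLE_ACI),
              Aci.parse("ou=Groups," + base, USERADMIN_GROUPS_ACI)]
    proxy = Requester("cn=host1,ou=Hosts," + base, frozenset())  # constructed proxy user
    admin = Requester("uid=alice,ou=People," + base, frozenset({"cn=UserAdmins,ou=Groups," + base}))
    anon = Requester(None, frozenset())
    bob, staff = "uid=bob,ou=People," + base, "cn=staff,ou=Groups," + base
    return {
        "proxy reads homeDirectory": is_allowed(policy, proxy, bob, "homeDirectory", "read"),
        "proxy reads userPassword": is_allowed(policy, proxy, bob, "userPassword", "read"),
        "anonymous reads uid": is_allowed(policy, anon, bob, "uid", "read"),
        "UserAdmin writes userPassword": is_allowed(policy, admin, bob, "userPassword", "write"),
        "UserAdmin writes memberUid on group": is_allowed(policy, admin, staff, "memberUid", "write"),
        "UserAdmin writes description on group": is_allowed(policy, admin, staff, "description", "write"),
    }
```

Running demo() returns allowed for the first, fourth and fifth checks and denied for the rest. The model is allow-only with default deny, which is exactly the shape of the rules quoted here; it is useful for reviewing a proposed ACI set before loading it, not as a substitute for testing against the server itself.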
HostAdmins allows its members to create, modify, and remove host accounts. This
includes the ability to adjust host attributes, including passwords, host names, IP addresses,
and so forth. Members of this group can also manage groups, including creating,
modifying, and deleting groups, and adding and removing members from these groups.
The rights for HostAdmins are granted with the following ACIs:
dn: ou=Groups,dc=mydomain,dc=example,dc=com
aci: (targetattr = "cn || objectclass || member || uniqueMember") (version 3.0;acl
  "[HOSTADMIN:WRITE:HOSTGROUPATTRS] Allow Host Administrator Rights to modify group membership";
 allow (write) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "objectclass || cn || owner || host || ipHostNumber || ipNetmaskNumber ||
  ipNetworkNumber || ipProtocolNumber || ipServicePort || ipSer
38 Installing and configuring LDAP-UX Client Services for an HP server environment