LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
viceProtocol || sshPublicKey || oncRpcNumber || userPassword || userCertificate" )
(version 3.0;acl "[HOSTADMIN:ALL:HOSTATTRS]: Allow changes to host attributes by Host Administrators";
allow (all) (groupdn = "ldap:///cn=HostAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
◦ DomainAdmins allows its members to have complete control of data managed under
the root suffix of the directory server. In other words, members can manage data used
by the local host OS and stored in the LDAP-UX domain. More specifically, this is the
data defined by the LDAP-UX configuration profile. Any member of this group is considered
a Domain Administrator. By default, the name of the Domain Administrator created by
the guided installation is domadmin. The rights for DomainAdmins are granted with the
following ACI:
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALLATTRS]: Allow changes
by Domain Administrators";allow (all)
(groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)
• Owners access control rights: LDAP-UX 5.0 simplifies demarcating ownership of items in the
directory server. Owners are considered any users or members of a group that have a DN in
the owner attribute of the target entry. Currently, only one type of owner exists: owners of
hosts. The rights of these owners are granted with the following ACI:
dn: ou=Hosts,dc=mydomain,dc=example,dc=com
aci: (targetattr = "sshPublicKey || ipHostNumber")(version 3.0;acl
"[OWNER:ALL:HOSTOWNERATTRS]: Allow owner modification of host information";
allow (all) userattr = "owner#USERDN";)
Based on this ACI, an owner of a host may change that host's IP address (ipHostNumber) or its
sshPublicKey. Modifying any other attribute of the host entry requires the rights of a Host
Administrator or a Domain Administrator.
• Self (user) access control rights: To enable users to change their own passwords, some rights
must be granted to every user. These rights are granted through the following self-modify ACI:
dn: dc=mydomain,dc=example,dc=com
aci: (targetattr="carLicense || preferredLanguage || nisSecretKey || nisPublicKey ||
sshPublicKey || userCertificate || userPassword || userSMIMECertificate ||
facsimileTelephoneNumber || homePhone || homePostalAddress || mobile || pager")
(version 3.0; acl "[SELF:WRITE:SELFWRITEATTRS] Enable self write for common attributes";
allow (write) userdn="ldap:///self";)
As shown in this example, additional attributes (besides the user password) may be listed in
targetattr to give users control of the associated values, such as the car license (carLicense),
preferred language (preferredLanguage), and so forth.
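The ACIs above all follow one grammar: a targetattr list joined with ||, a version/acl name, and an allow clause with a bind rule (groupdn, userattr or userdn). The following Python is an added example, not code from this guide or from HP: it parses that subset and reports which attributes a user may write on their own entry, then checks that none of them are identity attributes the client relies on for authorization. The IDENTITY_ATTRS list is this example's own assumption.

```python
import re

# Constructed sample input: the three ACIs shown on this page, each reflowed onto one line.
SAMPLE_ACIS = [
    '(targetattr = "*")(version 3.0;acl "[DOMAINADMIN:ALL:ALLATTRS]: Allow changes by Domain Administrators";allow (all) (groupdn = "ldap:///cn=DomainAdmins,ou=Groups,dc=mydomain,dc=example,dc=com");)',
    '(targetattr = "sshPublicKey || ipHostNumber")(version 3.0;acl "[OWNER:ALL:HOSTOWNERATTRS]: Allow owner modification of host information";allow (all) userattr = "owner#USERDN";)',
    '(targetattr="carLicense || preferredLanguage || nisSecretKey || nisPublicKey || sshPublicKey || userCertificate || userPassword || userSMIMECertificate || facsimileTelephoneNumber || homePhone || homePostalAddress || mobile || pager")(version 3.0; acl "[SELF:WRITE:SELFWRITEATTRS] Enable self write for common attributes"; allow (write) userdn="ldap:///self";)',
]

# Assumption of this example: attributes that drive POSIX identity and authorization on the
# client. A user who can rewrite these on their own entry can change their uid, gid or shell,
# so they should never appear in a self-write ACI.
IDENTITY_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell", "memberUid"}

# Grammar of the ACI subset used on this page: (targetattr = "...")(version 3.0;acl "...";allow (rights) bindrule;)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*\(?'
    r'(?P<keyword>userdn|groupdn|userattr)\s*=\s*"(?P<subject>[^"]*)"\s*\)?\s*;\)',
)

def parse_aci(text):
    """Split one ACI into its target attributes, acl name, rights and bind rule."""
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported ACI syntax: " + text[:40])
    return {
        "name": m["name"],
        "attrs": [a.strip() for a in m["attrs"].split("||")],   # "*" means every attribute
        "rights": [r.strip().lower() for r in m["rights"].split(",")],
        "keyword": m["keyword"],
        "subject": m["subject"],
    }

def self_writable_attrs(aci_texts):
    """Attributes a bound user may modify on their own entry through userdn = ldap:///self."""
    writable = set()
    for aci in map(parse_aci, aci_texts):
        is_self = aci["keyword"] == "userdn" and aci["subject"] == "ldap:///self"
        if is_self and {"write", "all"} & set(aci["rights"]):
            writable.update(aci["attrs"])
    return writable

def audit_self_write(aci_texts):
    """Return the identity attributes (sorted) that the self-write ACIs would expose."""
    writable = self_writable_attrs(aci_texts)
    exposed = IDENTITY_ATTRS if "*" in writable else writable & IDENTITY_ATTRS
    return sorted(exposed)

if __name__ == "__main__":
    for aci in map(parse_aci, SAMPLE_ACIS):
        print(aci["name"].split("]")[0] + "]", aci["keyword"], aci["subject"], aci["rights"])
    print("self-writable identity attributes:", audit_self_write(SAMPLE_ACIS))
```

Run it against the aci values exported from your own suffix (for example with ldapsearch) to confirm that only the attributes you intend are self-writable.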
2.3.2.3.3 SSL/TLS and CA/server certificates
To assure the integrity of data that the directory server delivers to the HP-UX client, some means
must be established to validate the identity of the directory server. In addition, the data must be
protected in transit between the directory server and the HP-UX client. This is especially critical
when the directory server performs authentication for the HP-UX client, as the password of the
account being verified is transmitted to the directory server (when SIMPLE authentication is used).
To validate the identity of the directory server and encrypt data in transit, the guided installation
creates a CA certificate and a server certificate on the HP-UX host where the directory server
instance is created. These certificates serve to automatically enable SSL/TLS on the directory server.
To simplify distribution of the CA certificate, the guided installation automatically creates a depot
file that can be distributed to the other HP-UX clients in the domain before LDAP-UX is configured on
them. Installing the depot pre-establishes trust with the directory server. During the autosetup
procedure, you will see a message similar to the following, where mydomain.example.com is the name
of the LDAP-UX domain:
============================================================================
2.3 Guided installation (autosetup) for an HP directory server environment 39