LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

granting access control rights. For HP-UX Directory Server, you can review the default self-write
rights granted to users in Section 2.3.2.3.2 (page 38). However, before you grant additional
rights, be aware of the security impact. For example, if you allow a user to modify his own
entityRole attribute, and that attribute is used to define access rights, then you may be
inadvertently granting access rights to other users. In addition, if you want users to be able to
change their own login shell, you could grant self-write permissions to the loginShell attribute.
However, when you grant rights to modify the loginShell attribute, users would be able to
change it to any value, meaning they can set any program as their login shell. The chsh command
limits what valid shells may be used on a host, but users would be able to bypass that restriction
if they are granted self-write rights to the loginShell attribute.
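
The following is an added example, not part of the HP guide or of LDAP-UX: because self-write rights on loginShell sidestep the chsh check, an administrator can instead audit an LDIF export of user entries against the host's list of valid shells. The sample LDIF, the allow-list contents, the /etc/shells-style format of that list, and all function names are assumptions constructed for illustration.

```python
import base64

# Constructed sample data (not from the guide): an /etc/shells-style allow-list
# and an LDIF export with a folded value (bob) and a base64 value (carol).
ETC_SHELLS = "# valid login shells\n/sbin/sh\n/usr/bin/sh\n/usr/bin/ksh\n"
LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
loginShell: /usr/bin/ksh

dn: uid=bob,ou=People,dc=example,dc=com
loginShell: /home/bob/bin/
 wrapper

dn: uid=carol,ou=People,dc=example,dc=com
loginShell:: L3RtcC9zaA==
"""

def allowed_shells(text):
    """Parse allow-list text: one path per line, '#' starts a comment."""
    return {ln.split("#", 1)[0].strip() for ln in text.splitlines()} - {""}

def unfold(ldif):
    """Undo LDIF folding: a line starting with one space continues the previous line."""
    out = []
    for ln in ldif.splitlines():
        if ln.startswith(" ") and out:
            out[-1] += ln[1:]
        else:
            out.append(ln)
    return out

def audit_login_shells(ldif, shells_text):
    """Return (dn, loginShell) pairs whose shell is not on the allow-list."""
    allowed, findings, dn = allowed_shells(shells_text), [], None
    for ln in unfold(ldif):
        if ln.startswith("#") or ":" not in ln:
            continue  # skip LDIF comments and entry separators
        attr, _, rest = ln.partition(":")
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):  # "attr:: value" marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "loginshell" and value not in allowed:
            findings.append((dn, value))
    return findings

if __name__ == "__main__":
    for dn, shell in audit_login_shells(LDIF, ETC_SHELLS):
        print(f"{dn}: loginShell {shell!r} is not in the allow-list")
```
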
HP-UX Directory Server users may also use the Directory Server Console to change personal
information. Windows ADS users can use the Active Directory Users and Computers tool.
Users may also use a simple LDAP gateway through a Web browser to display and change their
personal information.
10.2 Modifying personal information 393