LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid")(version
3.0; acl "Allow self entry modification, except for important POSIX attributes";
allow (write) userdn = "ldap:///self";)
You might have other attributes you need to protect as well.
To change an ACI with the Directory Server Console, select the Directory tab, select your
directory suffix in the left-hand panel, then select Set Access Permissions from the Object
menu. In the dialog box, select the "Allow self entry modification" ACI and click OK. Use the
Set Access Permissions dialog box to modify the ACI. For more information about changing
an ACI with the Directory Server Console, see the HP-UX Directory Server administrator guide.
3. Restrict write access to certain group (posixGroup) attributes of the POSIX schema.
Grant write access to the cn, memberuid, gidnumber, and userPassword attributes only to
directory administrators; disallow write access by all other users.
With the HP-UX Directory Server, you may use the Directory Server Console or ldapmodify
to set up access control lists (ACL) so ordinary users cannot change these attributes in the
posixGroup entry in the directory. For example, the following ACI, placed in the directory at
ou=groups,ou=unix,o=hp.com, allows only the directory administrator to modify entries
below ou=groups,ou=unix,o=hp.com:
aci: (targetattr = "*")(version 3.0; acl "Disallow modification of group
entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators,o=hp.com");)
4. Grant read access to all attributes of the POSIX schema.
Ensure all users have read access to the POSIX attributes.
When using PAM_LDAP as your authentication method, users do not need read access to the
userPassword attribute since the authentication is handled by the directory itself. Therefore,
for better security, you can remove read access to userPassword from ordinary users.
5. Configure anonymous access, if needed. If you do not configure a proxy user, then the attributes
of your name service data must be readable anonymously.
6. Create a proxy user in the directory, if needed.
To create a proxy user with the HP-UX Directory Server, go to the directory server's main
Console, select the Users and Groups tab, and then click on the Create button. For example,
you might create a user uid=proxyuser,ou=Special Users,o=hp.com.
7. Set access permissions for the proxy user, if configured.
Give read permission for the POSIX account attributes to the proxy user created previously.
With HP-UX Directory Server, for example, the following ACI gives a proxy user permission
to compare, read, and search all POSIX account attributes except the userPassword attribute:
aci: (target="ldap:///o=hp.com")(targetattr != "userpassword")
(version 3.0; acl "Proxy userpassword read rights";
allow (compare,read,search)
userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)
8. The default ACI of Netscape Directory Server 6.11 allows a user to change his own common
attributes. But, for Netscape Directory Server 6.21 or later, you must set an ACI that gives a
user permission to change his own common attributes. By default, Netscape Directory
Server 6.21 or later provides the following ACI, named "Enable self write for common
attributes", that gives a user permission to change his own common attributes:
aci: (targetattr = "carLicense || description || displayName
|| facsimileTelephoneNumber || homePhone || homePostalAddress || initials
|| jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox
|| postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage
|| registeredAddress || roomNumber || secretary || seeAlso || st || street
|| telephoneNumber || telexNumber || title || userCertificate || userPassword
|| userSMIMECertificate || x500UniqueIdentifier")
(version 3.0; acl "Enable self write for common attributes"; allow (write)
userdn = "ldap:///self";)
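As an added example (not from this guide or HP's tools), the following Python script assembles the step 2 and step 7 ACIs into LDIF records that ldapmodify can apply, and audits an existing allow-rule ACI for which sensitive attributes it still exposes; the loginShell and gecos attributes, the "Proxy read rights" name, and the people container DN are assumptions.

```python
import re

# Attributes the step-2 ACI on the page keeps out of self-modification, plus two
# further POSIX account attributes usually protected as well (the extra two are
# this example's assumption, not a list from the guide).
CORE_POSIX_ATTRS = ["uidNumber", "gidNumber", "homeDirectory", "uid"]
EXTRA_POSIX_ATTRS = ["loginShell", "gecos"]

_TARGETATTR_RE = re.compile(r'targetattr\s*(!?=)\s*"([^"]*)"', re.IGNORECASE)


def self_write_aci(protected):
    """Step 2: a user may modify their own entry except the listed attributes."""
    return ('(targetattr != "%s")(version 3.0; acl "Allow self entry modification, '
            'except for important POSIX attributes"; allow (write) '
            'userdn = "ldap:///self";)' % " || ".join(protected))


def proxy_read_aci(suffix, proxy_dn):
    """Step 7: the proxy user may compare/read/search everything but userPassword."""
    return ('(target="ldap:///%s")(targetattr != "userPassword")(version 3.0; '
            'acl "Proxy read rights"; allow (compare,read,search) '
            'userdn = "ldap:///%s";)' % (suffix, proxy_dn))


def ldif_add_aci(dn, aci):
    """LDIF modify record adding one aci value to dn (input for ldapmodify)."""
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (dn, aci)


def exposed_attrs(aci, sensitive):
    """Names in `sensitive` reachable through an allow-rule ACI with one targetattr
    clause: with '!=' everything not listed, with '=' only the listed names (all
    of them for "*"). Deny rules or a missing targetattr clause return None."""
    m = _TARGETATTR_RE.search(aci)
    if m is None or re.search(r"\bdeny\b", aci, re.IGNORECASE):
        return None
    op, value = m.group(1), m.group(2)
    listed = {a.strip().lower() for a in value.split("||") if a.strip()}
    if op == "!=":
        return [a for a in sensitive if a.lower() not in listed]
    if "*" in listed:
        return list(sensitive)
    return [a for a in sensitive if a.lower() in listed]


if __name__ == "__main__":
    aci = self_write_aci(CORE_POSIX_ATTRS)
    print(ldif_add_aci("ou=people,ou=unix,o=hp.com", aci))  # assumed container DN
    print("self can still write:", exposed_attrs(aci, CORE_POSIX_ATTRS + EXTRA_POSIX_ATTRS))
```

Dump the live ACIs with ldapsearch (attribute aci) and feed each value to exposed_attrs to confirm that no allow rule lets ordinary users write the POSIX identity attributes.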
66 Installing and configuring LDAP-UX Client Services for an HP server environment