LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

a previous version, and now update the product to version B.04.00 or later, you must rerun the
setup program to extend the publickey schema into your LDAP directory. You do not need to
rerun the setup program for the subsequent client systems. For detailed information on how to
run the setup program to extend the publickey schema into an LDAP directory, see Section 2.4.5.1
(page 69).
2.4.7.3 Admin Proxy user
A special type of proxy user, known as an Admin Proxy, has been added to LDAP-UX to support
management of NIS publickey information in an LDAP directory server. The Admin Proxy represents
the HP-UX administrator's rights in the directory server and is typically used to extend root
privileges to the directory server. Only an Admin Proxy user can use the newkey tool to add host
and user keys to the LDAP directory server, or the chkey tool to modify host keys in the LDAP
directory server.
2.4.7.3.1 Configuring an Admin Proxy user by using ldap_proxy_config
Use the new -A option of the ldap_proxy_config tool to configure an Admin Proxy user. Specify
-A together with the other options for every operation that applies to an Admin Proxy user; for
example, ldap_proxy_config -A -i creates an Admin Proxy user. For more information about
using the ldap_proxy_config tool, see Section 9.2.6 (page 280).
2.4.7.3.2 Password for an Admin Proxy user
To protect user secret keys in the LDAP directory, each secret key is encrypted with the user's
password, as it is in NIS. The host's secret key must also be encrypted. Because a host has no
password of its own, root's password is used to encrypt the host's secret key, and the chkey or
newkey command prompts for root's password when adding or changing a key for a host. For this
reason, you might prefer to give the Admin Proxy user in the LDAP directory the same password as
the root user on the master host.
The Admin Proxy user and the root user are not required to share a password, but doing so lets you
avoid storing the Admin Proxy user's password in the administrator's credential file
/etc/opt/ldapux/acred (neither this file nor the pcred file is encrypted). When you run
ldap_proxy_config -A -i to configure the Admin Proxy user, you then enter only the Admin
Proxy user's DN and no password, and LDAP-UX uses the root password supplied to chkey and
newkey as the Admin Proxy user's bind password for public key operations. Root's password is then
used as an LDAP bind credential, so protect the connection to the directory server accordingly.
Because no password is available to ldap_proxy_config, the ldap_proxy_config -A -v
command cannot validate the Admin Proxy user and displays the message "No password is
provided. Validation is not performed".
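Because acred and pcred hold a bind DN and, unless you use the root-password arrangement above, a bind password in clear, their file permissions are the only thing protecting that password on the client. The following Python script is an added example, not code from the LDAP-UX product or this guide: it checks that each credential file is a regular file, owned by root, with no group or other access. The paths are the ones the guide names; the requirement that they be root-owned and mode 0600 is an assumption stated in the code, and the owner check is parameterised so the logic can be exercised as a non-root user.

```python
"""Added example (not from the LDAP-UX guide): check the on-disk permissions of
the LDAP-UX proxy credential files, which the guide says are stored unencrypted."""
import os
import stat

# Paths named in the guide. Assumption: each should be a regular file owned by
# root with no group/other access, because it can hold a bind password in clear.
CRED_FILES = ("/etc/opt/ldapux/acred", "/etc/opt/ldapux/pcred")


def evaluate(path, st_mode, st_uid, expected_uid=0):
    """Pure check on stat values; returns a list of findings (empty means OK)."""
    findings = []
    if stat.S_ISLNK(st_mode):
        findings.append("%s: is a symlink; credentials should be a plain file" % path)
    elif not stat.S_ISREG(st_mode):
        findings.append("%s: not a regular file" % path)
    if st_uid != expected_uid:
        findings.append("%s: owner uid %d, expected %d" % (path, st_uid, expected_uid))
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s: mode %s grants group/other access; use 0600"
                        % (path, oct(stat.S_IMODE(st_mode))))
    return findings


def check_cred_file(path, expected_uid=0):
    """lstat one file (lstat, so a symlink planted in place of the file is seen
    as such) and evaluate it. A missing file is reported as a finding, not an
    error, so the caller can decide whether it is expected on this host."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s: not present" % path]
    return evaluate(path, st.st_mode, st.st_uid, expected_uid)


def check_all(paths=CRED_FILES, expected_uid=0):
    """Map each credential file to its findings."""
    return {p: check_cred_file(p, expected_uid) for p in paths}


if __name__ == "__main__":
    for path, findings in check_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it as root on the client after ldap_proxy_config has written the files; a clean run prints OK for both paths.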
2.4.7.4 Setting ACI for key management
Before storing public keys in an LDAP server, LDAP administrators might want to update their LDAP
access controls so that users can manage their own keys and the Admin Proxy user can manage
host keys. This section describes how to set up ACIs for an Admin Proxy user or for a user.
2.4.7.4.1 Setting ACI for an Admin Proxy user
With the HP-UX Directory Server, you can use the Directory Server Console or the ldapmodify
command to set up an ACI that gives an Admin Proxy user permission to manage host and
user keys in the LDAP directory.
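The two access controls this section describes (users manage their own keys; the Admin Proxy manages host and user keys) can be expressed as ACIs in the Netscape-style syntax that HP-UX Directory Server uses. The following Python script is an added example, not the guide's own ACI example and not LDAP-UX code: it emits an ldapmodify-ready LDIF that adds both ACIs at the suffix dc=org,dc=hp,dc=com for the Admin Proxy uid=keyadmin named on this page, and it also lints existing ACIs for the mistake a practitioner most wants to catch here, an anonymous or all-users read ACI that is broad enough to expose nisSecretKey. The container ou=People for the keyadmin entry and the exact rights granted are assumptions; compare the generated ACI with the guide's own example before applying it.

```python
"""Added example (not from the LDAP-UX guide): build LDIF granting NIS key
management rights, and check existing ACIs for nisSecretKey exposure."""
import re

BASE_DN = "dc=org,dc=hp,dc=com"                 # suffix used in the guide's example
KEY_ATTRS = ("nisPublicKey", "nisSecretKey")    # RFC 2307 publickey attributes
# Assumption: the Admin Proxy entry uid=keyadmin lives under ou=People.
ADMIN_PROXY_DN = "uid=keyadmin,ou=People," + BASE_DN


def build_aci(name, rights, subject, attrs=KEY_ATTRS):
    """One ACI in the Netscape-style syntax used by HP-UX Directory Server."""
    return (
        '(targetattr = "%s")' % " || ".join(attrs)
        + '(version 3.0; acl "%s"; allow (%s) userdn = "ldap:///%s";)'
        % (name, ", ".join(rights), subject)
    )


def key_management_ldif(base_dn=BASE_DN, admin_proxy_dn=ADMIN_PROXY_DN):
    """LDIF adding two ACIs at the suffix: each user manages its own key
    attributes, and the Admin Proxy manages them on host and user entries."""
    acis = [
        build_aci("users manage their own NIS keys",
                  ("read", "search", "compare", "write"), "self"),
        build_aci("Admin Proxy manages host and user NIS keys",
                  ("read", "search", "compare", "write"), admin_proxy_dn),
    ]
    lines = ["dn: " + base_dn, "changetype: modify", "add: aci"]
    lines += ["aci: " + aci for aci in acis]
    return "\n".join(lines) + "\n"


_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ALLOW = re.compile(r'allow\s*\(([^)]*)\)', re.I)
_BROAD_SUBJECT = re.compile(r'userdn\s*=\s*"ldap:///(anyone|all)"', re.I)


def secret_key_exposed(aci):
    """True if this ACI lets anonymous (anyone) or every authenticated user
    (all) read nisSecretKey. Conservative on purpose: an ACI with no targetattr
    covers every attribute, and a '!=' list protects only the attributes it names."""
    if not _BROAD_SUBJECT.search(aci):
        return False
    m = _ALLOW.search(aci)
    rights = {r.strip().lower() for r in m.group(1).split(",")} if m else set()
    if not rights & {"read", "all"}:
        return False
    t = _TARGETATTR.search(aci)
    if t is None:
        return True
    op = t.group(1)
    attrs = {a.strip().lower() for a in t.group(2).split("||")}
    if op == "=":
        return "nissecretkey" in attrs or "*" in attrs
    return "nissecretkey" not in attrs      # '!=' list: exposed unless excluded


def audit(acis):
    """Return the ACIs from a list (e.g. the suffix entry's aci values) that expose nisSecretKey."""
    return [a for a in acis if secret_key_exposed(a)]


if __name__ == "__main__":
    print(key_management_ldif())
```

Feed the output to ldapmodify as the Directory Manager. Before relying on the new ACIs, read back the existing aci values on the suffix and run them through audit(): a stock "anonymous read" ACI that excludes only userPassword still lets anyone read the password-encrypted secret keys and attack them offline, so extend its exclusion list to nisSecretKey.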
An Example
The following ACI gives the permissions for the Admin Proxy user uid=keyadmin to read, write,
and compare nissecretkey and nispublickey attributes for hosts and users:
dn:dc=org,dc=hp,dc=com
86 Installing and configuring LDAP-UX Client Services for an HP server environment