LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
aci:(targetattr ="objectclass||nispublickey||nissecretkey")
(version 3.0;acl "Allow keyadmin to change key pairs";
allow (read,write,compare)
userdn="ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com";)
2.4.7.4.2 Setting ACI for a user
With the HP-UX Directory Server, you must set up an ACI which gives a user permission to change
his own nissecretkey and nispublickey attributes. To set up ACI for a user, use the Directory
Server Console or ldapmodify.
An Example
The following ACI gives a user permission to change his own nissecretkey and nispublickey
attributes for user keys:
dn:ou=People,dc=org,dc=hp,dc=com
aci:(targetattr ="nissecretkey||nispublickey")(version 3.0;
acl "Allow key self modification";allow (write)
(userdn = "ldap:///self");)
2.4.7.5 Configuring the serviceAuthenticationMethod attribute
serviceAuthenticationMethod is a newly supported attribute of the configuration profile,
/opt/ldapux/ldapux_profile.ldif. Its function is the same as that of authenticationMethod,
but it allows the authentication method to be configured for specific name services. The
serviceAuthenticationMethod attribute was added to resolve issues that arise when the
default authentication method is not considered secure enough for a specific name service. For
example, if the default authenticationMethod is configured as NONE, the newkey and
chkey commands would not know how to bind properly to the directory server when adding
or changing key pairs. LDAP-UX supports the serviceAuthenticationMethod attribute only for
the keyserv service, because keyserv is currently the only service that needs modification
privileges in the directory server.
To perform newkey and chkey operations, LDAP-UX binds the Admin Proxy user to the LDAP
directory using the authentication method specified in serviceAuthenticationMethod.
LDAP-UX only supports serviceAuthenticationMethod for keyserv. Any other services
configured in serviceAuthenticationMethod will be ignored.
Configuring serviceAuthenticationMethod is optional. If you do not configure
serviceAuthenticationMethod, LDAP-UX binds the Admin Proxy user to the LDAP directory
using the authentication method specified for the proxy user.
2.4.7.5.1 Authentication methods
LDAP-UX Client Services supports the following authentication methods for the keyserv service:
• simple with SSL enabled
• SASL/GSSAPI or SASL/DIGEST-MD5 with SSL enabled
• simple with SSL disabled
• SASL/GSSAPI or SASL/DIGEST-MD5 with SSL disabled
NOTE: SASL/GSSAPI is only supported for LDAP-UX used with Windows ADS.
SSL settings for both authenticationMethod and serviceAuthenticationMethod must
be set the same. It is not supported to have SSL enabled for authenticationMethod and SSL
disabled for serviceAuthenticationMethod, or vice versa.
For an overview of these various authentication methods, including their strengths and weaknesses,
see Section 2.4.6.1 (page 79).
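As an added example (not from this guide or from LDAP-UX itself), the following Python check reads a profile fragment and enforces the two rules stated above: only the keyserv service is honoured, and SSL must be set the same on authenticationMethod and serviceAuthenticationMethod. The [tls:]method value syntax, and the 'tls:' prefix meaning SSL enabled, are assumed from the DUAConfigProfile schema rather than taken from this page.

```python
# Added example, not from the LDAP-UX guide: sanity-check serviceAuthenticationMethod in a
# profile LDIF. Value syntax is ASSUMED from the DUAConfigProfile schema: authenticationMethod
# = [tls:]method and serviceAuthenticationMethod = service:[tls:]method ('tls:' = SSL enabled).
SUPPORTED_SERVICES = {"keyserv"}  # LDAP-UX honours only keyserv; other services are ignored
SUPPORTED_METHODS = {"simple", "sasl/gssapi", "sasl/digest-md5"}

def parse_ldif_attrs(ldif: str) -> dict[str, list[str]]:
    """Collect attribute values of one LDIF entry (no line folding assumed)."""
    attrs: dict[str, list[str]] = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def split_method(value: str) -> tuple[bool, str]:
    """'tls:sasl/DIGEST-MD5' -> (True, 'sasl/digest-md5'); 'simple' -> (False, 'simple')."""
    parts = value.strip().lower().split(":")
    ssl = parts[0] == "tls"
    return ssl, ":".join(parts[1:] if ssl else parts)

def check_profile(ldif: str) -> list[str]:
    """Return findings; an empty list means the keyserv setting is consistent."""
    attrs = parse_ldif_attrs(ldif)
    default = attrs.get("authenticationmethod")
    if not default:
        return ["authenticationMethod missing from profile"]
    default_ssl, default_method = split_method(default[0])
    findings, keyserv_seen = [], False
    for entry in attrs.get("serviceauthenticationmethod", []):
        service, _, method_value = entry.partition(":")
        service = service.strip().lower()
        if service not in SUPPORTED_SERVICES:
            findings.append(f"{service}: not keyserv, LDAP-UX ignores this entry")
            continue
        keyserv_seen = True
        svc_ssl, svc_method = split_method(method_value)
        if svc_method not in SUPPORTED_METHODS:
            findings.append(f"{service}: unsupported method '{svc_method}'")
        if svc_ssl != default_ssl:  # SSL must be set the same on both attributes
            findings.append(f"{service}: SSL {'enabled' if svc_ssl else 'disabled'} differs from authenticationMethod")
    if default_method == "none" and not keyserv_seen:
        findings.append("authenticationMethod is NONE and no keyserv entry: newkey/chkey cannot bind")
    return findings

# Constructed sample fragments of /opt/ldapux/ldapux_profile.ldif (not real profiles).
PROFILE_OK = "authenticationMethod: tls:simple\nserviceAuthenticationMethod: keyserv:tls:sasl/DIGEST-MD5\n"
PROFILE_BAD = ("authenticationMethod: simple\nserviceAuthenticationMethod: keyserv:tls:simple\n"
               "serviceAuthenticationMethod: pam_ldap:simple\n")
```

Running check_profile(PROFILE_BAD) reports the SSL mismatch on keyserv and flags the pam_ldap entry as ignored.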
2.4 Customized installation (setup) for an HP directory server environment 87