LDAP-UX Integration B.05.01 Release Notes

ldaphostlist
Use the ldaphostlist tool to display and enumerate host entries that reside in an
LDAP-based directory server. Although ldaphostlist provides output similar to the
ldapsearch command, it satisfies a few specific feature requirements that allow
applications to discover and evaluate hosts stored in an LDAP directory server without
requiring intimate knowledge of the methods used to retrieve and evaluate that information
in the LDAP directory server. In addition, ldaphostlist can be used to discover
expiration information about ssh host keys if that information is managed in the directory
server.
For detailed information about tool usage, syntax, options, environment variables and return
codes supported by these tools, refer to the LDAP-UX Client Services B.05.01 Administrator
Guide or the ldaphostmgr(1M) and ldaphostlist(1M) manpages.
The ignore option for PAM_LDAP support
If PAM_LDAP is configured to be the first service module in the /etc/pam.conf file (a typical
configuration in the Trusted Mode Environment), then when you lose access to your directory
server, you will have trouble accessing the system unless a set of so-called recovery users
is configured in the /etc/pam_user.conf file. This release supports the ignore option
for PAM_LDAP, which enables PAM_LDAP to be completely disregarded for specific local
users.
To enable this feature, you must set the ignore option for PAM_LDAP in the pam_user.conf
file for per-user configuration. When you use this option for PAM_LDAP, PAM returns
PAM_IGNORE. For detailed information on how to configure and use this feature, refer to the
LDAP-UX Client Services B.05.01 Administrator Guide.
proxy_is_restricted and allowed_attribute flags added to configuration file
The proxy_is_restricted and allowed_attribute flags are added to the [general]
section of the configuration file, ldapclientd.conf:
proxy_is_restricted=yes|no
If the proxy user is configured in the LDAP-UX profile and defined in
/etc/opt/ldapux/pcred, setting this flag to yes attests that the proxy user does not hold
privileged LDAP credentials, meaning the proxy user is restricted in its rights to access
"private" information in the directory server.
allowed_attribute=service:attribute
Some applications, like /opt/ssh/bin/ssh, use ldapclientd to access information
in the directory server, such as the sshPublicKey for users and hosts. By setting
allowed_attribute, applications can access any defined attribute even if the
proxy_is_restricted value is set to no (the default).
These configuration parameters are required so that the ldaphostlist and ldapuglist
tools can determine whether they may display arbitrary attributes. If you used autosetup to
configure LDAP-UX, these values are automatically set. If you have an existing installation or
use the custom install setup program, and are also using a proxy user, you should update
these values.
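To make the decision these two flags drive concrete, here is an added Python example (not code from LDAP-UX or from this document) that reads the [general] section of a constructed ldapclientd.conf fragment and answers whether a tool may display a given attribute for a given service. The decision rule it applies (display is allowed when proxy_is_restricted=yes, or when an allowed_attribute entry lists that service:attribute pair; otherwise refuse) is this example's reading of the text above, not the product's own logic.

```python
"""Decide whether an LDAP-UX tool may display an attribute, based on the
proxy_is_restricted / allowed_attribute flags in ldapclientd.conf.
Added example; the decision rule is an assumption drawn from the release
notes, not the product's own logic."""

# Constructed sample of the [general] section of ldapclientd.conf.
SAMPLE_CONF = """\
[general]
# proxy credentials in /etc/opt/ldapux/pcred may be privileged
proxy_is_restricted=no
allowed_attribute=ssh:sshPublicKey
allowed_attribute=ldaphostlist:sshPublicKey

[other]
proxy_is_restricted=yes
"""


def parse_general(text):
    """Return (proxy_is_restricted, {(service, attribute), ...}) read from
    the [general] section; a missing proxy_is_restricted defaults to no."""
    restricted = "no"          # default named in the release notes
    allowed = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "general" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "proxy_is_restricted":
            restricted = value.lower()
        elif key.lower() == "allowed_attribute" and ":" in value:
            service, attribute = value.split(":", 1)
            # LDAP attribute names compare case-insensitively
            allowed.add((service.strip(), attribute.strip().lower()))
    return restricted, allowed


def may_display(conf_text, service, attribute):
    """True when the tool may show the attribute: a restricted proxy cannot
    reach private data, so anything goes; otherwise the pair must be listed."""
    restricted, allowed = parse_general(conf_text)
    return restricted == "yes" or (service, attribute.lower()) in allowed
```

With the sample above, ssh may read sshPublicKey while ldaphostlist may not read userPassword, and the proxy_is_restricted=yes line in the unrelated [other] section is ignored.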
2.2 What’s new in LDAP-UX Client Services B.05.00 9