NIS/LDAP Gateway Administrator's Guide
include /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf
include /opt/ldapux/ypldapd/etc/slapd-v2.nis.conf
For information on the posix schema (RFC 2307), see http://www.ietf.org.
2. Restrict write access to certain passwd attributes of the posix schema.
CAUTION: Make sure you restrict access to the attributes listed below. Allowing users to
change them could be a security risk.
Grant write access to the uidnumber, gidnumber, homedirectory, and uid attributes only
to the directory administrator; disallow write access by all other users. Set up access control
lists (ACLs) so ordinary users cannot change these attributes in their password entry in the
directory. With Netscape/Red Hat Directory Server for HP-UX, you can use the Directory
Console or ldapmodify.
The following access control instruction (ACI) is by default at the top of the directory tree
for the Netscape directory. This ACI allows a user to change any attribute in their password
entry:
aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification"; allow (write)userdn = "ldap:///self";)
Modify this ACI to the following, which prevents ordinary users from changing their
uidnumber, gidnumber, homedirectory, and uid attributes:
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write)userdn = "ldap:///self";)
You may want to restrict write access to other attributes in the password entry as well.
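As an added illustration for step 2 (not code from the guide or from HP), the following Python builds the ldapmodify input that swaps the default ACI for the restricted one, and includes a small audit check that reports which protected passwd attributes a given ACI still lets a user write in their own entry. The check understands only the ACI shape shown above (one targetattr clause plus one "allow (...) userdn = self" clause), not the full ACI grammar, and the suffix o=hp.com is assumed from the guide's example DNs.

```python
import re

# Passwd attributes the guide says only the directory administrator may write.
PROTECTED_PASSWD_ATTRS = frozenset({"uidnumber", "gidnumber", "homedirectory", "uid"})

# Constructed samples: the default Netscape ACI and the restricted replacement from the guide.
DEFAULT_ACI = ('(targetattr = "*") (version 3.0; acl "Allow self entry modification"; '
               'allow (write)userdn = "ldap:///self";)')
RESTRICTED_ACI = ('(targetattr != "uidnumber || gidnumber || homedirectory || uid") '
                  '(version 3.0; acl "Allow self entry modification, except for important '
                  'posix attributes"; allow (write)userdn = "ldap:///self";)')

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
_SELF_ALLOW = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///self"', re.IGNORECASE)


def self_writable_protected(aci: str, protected=PROTECTED_PASSWD_ATTRS) -> set:
    """Return the protected attributes this ACI lets a user write in their own entry.

    Simplified: handles one targetattr clause and one 'allow (...) userdn = self'
    clause, which is the shape of the ACIs in the guide, not the full ACI grammar.
    """
    target = _TARGETATTR.search(aci)
    grant = _SELF_ALLOW.search(aci)
    if not target or not grant:
        return set()
    rights = {r.strip().lower() for r in grant.group(1).split(",")}
    if not rights & {"write", "all"}:
        return set()  # no write right granted to self
    op = target.group(1)
    listed = {a.strip().lower() for a in target.group(2).split("||")}
    if op == "=":
        return set(protected) if "*" in listed else listed & set(protected)
    return set(protected) - listed  # "!=" targets every attribute except the listed ones


def ldif_replace_aci(dn: str, old_aci: str, new_aci: str) -> str:
    """Build ldapmodify input that swaps one aci value for another on the given entry."""
    return "\n".join(["dn: " + dn, "changetype: modify",
                      "delete: aci", "aci: " + old_aci, "-",
                      "add: aci", "aci: " + new_aci, ""])


if __name__ == "__main__":
    # The suffix o=hp.com is assumed from the guide's example DNs.
    print(ldif_replace_aci("o=hp.com", DEFAULT_ACI, RESTRICTED_ACI))
    print("still self-writable:", sorted(self_writable_protected(RESTRICTED_ACI)) or "none")
```

Because several ACIs on an entry combine (and a deny elsewhere can override an allow), run the check against every aci value returned for the entry, not just the one you edited.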
3. Restrict write access to certain group attributes of the posix schema.
Grant write access to the cn, memberuid, gidnumber, and userpassword attributes only to
the directory administrator; disallow write access by all other users. Set up access control
lists (ACLs) so ordinary users cannot change these attributes in the posixGroup entry in the
directory. With Netscape/Red Hat Directory Server for HP-UX, you can use the Directory
Console or ldapmodify.
For example, the following ACI, placed in the directory at ou=groups, ou=nis,o=hp.com,
only allows the directory administrator to modify entries below
ou=groups,ou=nis,o=hp.com:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
4. Grant read access to attributes of the posix schema.
Grant all users read access to all posix attributes. If you have Netscape Directory Server/Red
Hat Directory Server for HP-UX, you can skip this step, since this is the default for a typical
installation. If you have another directory, make sure all users have read access to the posix
attributes.
5. Establish UNIX crypt as the default encryption.
Netscape's default is SHA (Secure Hash Algorithm) encryption. With the Directory Console,
you can select the Configuration tab, then select the "Database" object, then the Passwords
tab, and change the Password encryption field.
Configure Your Directory 21