Preparing your LDAP Directory for HP-UX Integration

Security Considerations
When migrating Posix data (NIS databases or /etc/... files) to an LDAP based directory, the Directory
Administrator and HP-UX system administrator must be aware of certain issues that exist once HP-UX
relies on LDAP as a back-end name service and/or authentication system. This section addresses some
of the issues that can arise: it explains how to protect the Posix data once it is placed in the directory,
and how to ensure the data is available and in the correct format for proper HP-UX operation.
Protecting Posix Attributes
Some directories by default allow any user to read all information in the directory. Some directories restrict
viewing access to certain attributes. And some directories by default allow a user to modify any of his or
her personal information. Most directories allow the Directory Administrator to control who is authorized to
access data, and what type of access that user is allowed (read, write, insert, delete, compare), through
Access Control Lists (ACLs); this is known as access control.
The choice of what can be accessed by users, and what type of access is granted is up to the Directory
Administrator. However, when HP-UX account information is integrated into an LDAP directory, the
Directory Administrator needs to be aware of special authorization requirements.
By default, both the NIS/LDAP Gateway product and LDAP-UX Client Services product use the Posix
schema defined in RFC 2307. The attributes in the RFC 2307 schema contain the same data that is stored
in the /etc/passwd, /etc/group, /etc/protocols, etc. files. These files are also used to create the NIS databases
(also referred to as NIS maps).
On an HP-UX system, these files are readable by any user on the system, but only writable by the root user.
However, through certain commands, any HP-UX user can modify his personal information. As an
example, the user can change his phone number (using the chfn command) or change his shell (using
chsh.) This personal information is stored in the /etc/passwd file.
Once this data is migrated into an LDAP directory, some of this information must be protected so that an
ordinary user cannot modify it.
Protecting passwd Attributes (IMPORTANT)
Some Directory Administrators allow users to modify their own account information in an LDAP directory.
(This is a default feature of a Netscape 4.x Directory server, when installed using the "typical" installation
process.) Because the fields of the passwd database are placed in the user's own entry, allowing the user to
modify his own Posix attributes creates a security risk.
The posixAccount object class (defined by RFC 2307) contains the following attributes, which represent the
fields of the /etc/passwd file:
uid, userPassword, uidNumber, gidNumber, gecos, homeDirectory, loginShell and description
On an HP-UX system, only the password, gecos and loginshell fields may be updated by the owning user.
And this modification is allowed only through a limited set of commands (passwd, chfn, & chsh.)
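As an added illustration (not taken from the HP-UX documentation or from any Directory Server default), the following LDIF shows a permissive self-write ACI of the kind the text warns about, beside a replacement that limits self-modification to the three attributes HP-UX itself lets the owning user change. The ACI syntax is that of the Netscape/iPlanet Directory Server family; the suffix dc=example,dc=com, the ACL names and the exact text of the permissive rule being removed are assumptions.

```ldif
# Constructed example, not the HP-UX documentation's own configuration.
# Assumed suffix: dc=example,dc=com (replace with your own).

dn: ou=People,dc=example,dc=com
changetype: modify
# WEAK: every attribute of the user's own entry is self-writable, so a
# user can rewrite uidNumber, gidNumber or homeDirectory and change the
# identity HP-UX grants at login. Remove this rule (its exact value must
# match what is stored in the directory).
delete: aci
aci: (targetattr = "*")(version 3.0; acl "Allow self entry modification";
  allow (write) userdn = "ldap:///self";)
-
# HARDENED: self-write is limited to the fields HP-UX lets the owning
# user change through passwd, chfn and chsh.
add: aci
aci: (targetattr = "userPassword || gecos || loginShell")(version 3.0;
  acl "posixAccount self write"; allow (write) userdn = "ldap:///self";)
-
# Explicit deny on the identity-bearing attributes, so a later, broader
# allow rule cannot silently re-open them (in this ACI model a matching
# deny takes precedence over any allow).
add: aci
aci: (targetattr = "uid || uidNumber || gidNumber || homeDirectory")
  (version 3.0; acl "posixAccount identity deny"; deny (write)
  userdn = "ldap:///self";)
```

Apply with ldapmodify as the Directory Manager and then verify with a bind as an ordinary user that a modify of uidNumber is refused while a modify of gecos succeeds. Note that a loginShell written directly over LDAP bypasses the local checks chsh performs, so some administrators restrict that attribute as well.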
However, if this information is placed in an LDAP directory, and that directory allows the owning user to