Preparing your LDAP Directory for HP-UX Integration
modify his own attributes, then that user can also modify any of the POSIX fields in that entry. For example, without
protecting the critical POSIX attributes, the user could change his own uidnumber (to 0, the uid of root, for instance), and
every HP-UX client that trusts the directory would honour the change.
To maintain the security of the HP-UX system, the Directory Administrator must ensure that only valid
Directory Administrators are allowed to modify most of the posixAccount attributes. The Directory
Administrator may still allow users to modify their own entries as long as the uid, uidnumber, gidnumber
and homedirectory fields are protected from user self-modification. To keep behaviour similar to a traditional POSIX
system, the loginshell, userPassword and gecos fields can remain writable by the owning user (these are the fields a
user changes locally with chsh, passwd and chfn).
Here is one example of how this can be done:
With a Netscape Directory Server 4.x directory, the following ACI (Access Control Instruction) exists by default at the
top of the directory tree (the suffix entry):
aci: (targetattr = "*")(version 3.0; acl "Allow self entry modification"; allow
(write)userdn = "ldap:///self";)
The above ACI allows the user to modify any attribute in his own entry, which creates a security hole for
POSIX systems. The ACI can be modified to protect the critical POSIX attributes as follows (the targetattr keyword
with "!=" targets every attribute except those listed):
aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid")(version 3.0;
acl "Allow self entry modification, except for important Posix attributes"; allow
(write)userdn = "ldap:///self";)
The above ACI allows the user to modify all of his own attributes except for uidnumber, gidnumber,
homedirectory and uid. Note that ACIs are inherited down the tree, so any additional ACI on a subtree or entry that
grants write access to "ldap:///self" must be checked the same way; protecting the suffix alone is not enough if a
broader self-write ACI exists below it.
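The following script is an added example and not part of the original document or the HP-UX/Netscape tools it
describes. It parses ACI strings of the form shown above (targetattr with "=" or "!=", an allow clause and an
"ldap:///self" bind rule) and reports which critical attributes an entry's owner can still write. The two ACIs
embedded in it are constructed copies of the permissive and hardened examples above; the attribute lists are the
posixAccount fields named in this section and, generalizing a step further, the posixGroup fields (cn, memberUid,
gidNumber) discussed under "Protecting Group Entries", so the same check can be run against the ACIs that cover group
entries. It only understands the single-ACI syntax shown here; deny rules, multiple bind rules and ACIs elsewhere in the
tree are assumed out of scope.

```python
import re

# Constructed sample ACIs, modelled on the Netscape Directory Server 4.x syntax in the text.
PERMISSIVE_ACI = (
    '(targetattr = "*")(version 3.0; acl "Allow self entry modification"; '
    'allow (write)userdn = "ldap:///self";)'
)
HARDENED_ACI = (
    '(targetattr != "uidnumber || gidnumber || homedirectory || uid")(version 3.0; '
    'acl "Allow self entry modification, except for important Posix attributes"; '
    'allow (write)userdn = "ldap:///self";)'
)

# Attributes that must never be self-writable (RFC 2307 posixAccount / posixGroup).
CRITICAL_POSIXACCOUNT = ("uid", "uidnumber", "gidnumber", "homedirectory")
CRITICAL_POSIXGROUP = ("cn", "memberuid", "gidnumber")

# Assumed, simplified grammar: one targetattr clause, one or more allow clauses, one bind rule.
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)', re.I)
_SELF_RE = re.compile(r'userdn\s*=\s*"ldap:///self"', re.I)


def parse_aci(aci):
    """Return (op, attrs, rights, is_self) for one ACI string.

    op is "=" or "!=", attrs is a set of lowercase attribute names ("*" kept as-is),
    rights is a set such as {"write"}, is_self is True when the bind rule is ldap:///self.
    """
    m = _TARGETATTR_RE.search(aci)
    if not m:
        # No targetattr clause means every attribute is targeted.
        op, attrs = "=", {"*"}
    else:
        op = m.group(1)
        attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    rights = set()
    for clause in _ALLOW_RE.findall(aci):
        rights.update(r.strip().lower() for r in clause.split(","))
    return op, attrs, rights, bool(_SELF_RE.search(aci))


def self_writable(aci, attr):
    """True if this ACI grants the entry's owner write access to attr (case-insensitive)."""
    op, attrs, rights, is_self = parse_aci(aci)
    if not is_self or "write" not in rights:
        return False
    a = attr.lower()
    if op == "=":
        return "*" in attrs or a in attrs
    # "!=" targets everything except the listed attributes.
    return a not in attrs


def unprotected(acis, critical):
    """Critical attributes that at least one of the given ACIs lets the owner write."""
    return sorted(a for a in critical if any(self_writable(x, a) for x in acis))


if __name__ == "__main__":
    for name, aci in (("permissive", PERMISSIVE_ACI), ("hardened", HARDENED_ACI)):
        print(name, "posixAccount:", unprotected([aci], CRITICAL_POSIXACCOUNT))
        print(name, "posixGroup:  ", unprotected([aci], CRITICAL_POSIXGROUP))
```

Run against an LDIF export of the suffix entry, the hardened ACI yields an empty list for the posixAccount fields while
loginshell and userPassword remain self-writable, which is the intended outcome. Fed the posixGroup list, the same ACI still
leaves cn and memberUid writable by whoever can bind as the group entry, which is the exposure the next section addresses.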
Protecting Group Entries
Group entries in an /etc/group file or NIS group database are protected from modification by ordinary users on an
HP-UX system: only the root user may edit /etc/group or build a new NIS group map. However, because a group entry
may carry a password, the Directory Administrator needs to take additional precautions to protect those entries once
they are stored in the directory.
FYI: The purpose of the password field in a group entry on a POSIX system is this: if a user is not a
member of a group but knows the group's password, he may supply that password to the newgrp command to
become a member of the group for the current session. When a group entry is migrated to an LDAP directory,
however, this password takes on a different role. It is stored in the group entry's userPassword attribute, and
any user who knows it can bind (authenticate) to the LDAP directory server as that group entry; as far as the
directory server is concerned, the group is just another entry with a password that a client can bind as.
Given this, the Directory Administrator needs to make sure that a client bound as a group entry cannot make
unwanted modifications to the directory. By default, on a typical Netscape Directory Server 4.x installation, a
bound entry is allowed to modify itself, so in this situation any user who knows the group password can modify the
group entry itself, including its membership.
The posixGroup object class (defined by RFC 2307) contains the following attributes, which represent the
fields of the /etc/group file (cn and gidnumber are required; the rest are optional):
cn, userPassword, gidnumber, memberuid and description
To prevent a user bound as a group entry from modifying group entries in the directory, the Directory Administrator
should protect the critical attributes of the posixGroup object class. These attributes are cn, memberUid,