Preparing your LDAP Directory for HP-UX Integration
gidNumber and userPassword. This can be accomplished in several ways. Here are three examples:
Example 1: If the posixGroup entries are stored in their own subtree, you can add an ACI to the entry at the
top of the subtree that prevents modifications by everyone except Directory Administrators. For
example, assume that all posixGroup entries are stored in their own subtree called
ou=groups,ou=nis,o=hp.com. With a Netscape 4.x server, the ACI would be added to the
ou=groups,ou=nis,o=hp.com entry and would appear as follows:
aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries";deny (write) (groupdn != "ldap:///ou=Directory Administrators,o=hp.com");)
The above ACI allows only members of the "ou=Directory Administrators,o=hp.com" group to modify
entries under ou=groups,ou=nis,o=hp.com; every other bind is denied write access to every attribute of
those entries. Two points to check: the groupdn keyword names a group entry (for example a
groupOfUniqueNames) whose members are tested, not a subtree of user entries, so that DN must actually be
a group; and deny (write) covers modification of existing entries only, so whether anyone other than the
administrators can add or delete entries under the subtree depends on which ACIs grant the add and
delete rights.
Example 2: The Directory Administrator can protect just the specific attributes of the posixGroup object
class mentioned above. Again, at the top of the subtree where the posixGroup entries are stored, create a
new ACI that protects only those attributes. Another example for Netscape 4.x is as follows:
aci: (targetattr = "cn || memberuid || gidnumber || userPassword")(version 3.0;acl "Disallow modification of group entries";deny (write) (groupdn != "ldap:///ou=Directory Administrators,o=hp.com");)
The above ACI denies write access to the cn, memberuid, gidnumber and userPassword attributes to all
users except the directory administrators; other attributes of the group entries remain governed by
whatever ACIs already apply to them.
Example 3: If group passwords are not used (or are not known by the average user), the userPassword
attribute can take on a new role. Instead of using the password to grant access to a group, it can be used
to control who administers the group. If the password is known only by a group administrator, that
administrator can bind to the directory as the posixGroup entry with this password and modify the group
(add or delete members). The Directory Administrators can thereby distribute administration of groups
to selected users. No separate ACI is needed, because only users who know a group's password can bind
as its entry; this relies on the directory's usual rule allowing an entry to modify itself (for example,
an allow (write) ACI with userdn = "ldap:///self"). Note that such a bind can change every attribute
that rule covers, including gidNumber, unless the self-modification rule is restricted to memberUid,
and that a password used this way is now an administrative credential and must be chosen as carefully
as any other directory password.
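To make the three examples concrete, here is a small Python model of how a Netscape-style server decides such requests. It is an added example, not code from the HP-UX LDAP Integration product or the Netscape server; the DNs, the users alice and bob, the posixGroup wheel, the fact that "Directory Administrators" is a group entry with a uniquemember attribute, and the baseline ACIs are all assumed. It reproduces deny-wins evaluation, targetattr filtering and the groupdn / userdn bind rules the examples rely on, and shows that a bind with a group's userPassword can change gidNumber under a blanket self-write rule unless that rule is narrowed to memberUid.

```python
"""Simplified model of Netscape/iPlanet-style ACI evaluation (added example).

It models only what the examples use: an ACI scopes to the subtree of the
entry it is placed on, targetattr selects attributes, a matching deny always
beats any allow, everything not allowed is denied, and the bind rules
groupdn (= / !=), userdn = "ldap:///self" and userdn = "ldap:///anyone".
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# Constructed sample data (assumed DNs, not from the page).
ADMIN_GROUP = "cn=Directory Administrators,o=hp.com"   # modelled as a group entry
GROUP_SUBTREE = "ou=groups,ou=nis,o=hp.com"
WHEEL = "cn=wheel," + GROUP_SUBTREE                    # a migrated posixGroup
ALICE = "uid=alice,ou=people,ou=nis,o=hp.com"          # an administrator
BOB = "uid=bob,ou=people,ou=nis,o=hp.com"              # an ordinary user

DIRECTORY: Dict[str, Dict[str, Set[str]]] = {
    ADMIN_GROUP: {"uniquemember": {ALICE}},
    WHEEL: {"cn": {"wheel"}, "gidnumber": {"10"}, "memberuid": {"alice"},
            "userpassword": {"{crypt}constructed-hash"}},  # constructed value
}

BindRule = Callable[[str, str], bool]   # (bind DN, target entry DN) -> bool


@dataclass(frozen=True)
class Aci:
    placed_at: str               # DN of the entry carrying the aci attribute
    targetattr: FrozenSet[str]   # lower-case attribute names, or {"*"}
    effect: str                  # "allow" or "deny"
    rights: FrozenSet[str]       # e.g. {"read"}, {"write"}, {"add", "delete"}
    bind_rule: BindRule


def groupdn_eq(group_dn: str) -> BindRule:
    """groupdn = "ldap:///<group_dn>": true for members of that group entry."""
    members = DIRECTORY.get(group_dn, {}).get("uniquemember", set())
    return lambda bind_dn, _target: bind_dn in members


def groupdn_ne(group_dn: str) -> BindRule:
    """groupdn != "ldap:///<group_dn>": true for everyone who is not a member."""
    is_member = groupdn_eq(group_dn)
    return lambda bind_dn, target: not is_member(bind_dn, target)


def userdn_self() -> BindRule:
    """userdn = "ldap:///self": the bound entry is the entry being modified."""
    return lambda bind_dn, target: bind_dn.lower() == target.lower()


def userdn_anyone() -> BindRule:
    return lambda _bind_dn, _target: True


def in_scope(aci: Aci, target_dn: str) -> bool:
    t, p = target_dn.lower(), aci.placed_at.lower()
    return t == p or t.endswith("," + p)


def permitted(acis: List[Aci], bind_dn: str, target_dn: str,
              attr: str, right: str) -> bool:
    """Deny-wins: any matching deny -> False; else True only if a matching
    allow grants the right; with no match at all the default is deny."""
    allowed = False
    for aci in acis:
        if not in_scope(aci, target_dn):
            continue
        if "*" not in aci.targetattr and attr.lower() not in aci.targetattr:
            continue
        if right not in aci.rights or not aci.bind_rule(bind_dn, target_dn):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


STAR = frozenset({"*"})
ALL_RIGHTS = frozenset({"read", "search", "compare", "write", "add", "delete"})

# Assumed baseline ACIs at the suffix: anonymous read, full rights for the
# administrators, and the self-write rule that lets any entry change itself
# (what makes binding with a group's userPassword in Example 3 useful).
READ_ANYONE = Aci("o=hp.com", STAR, "allow", frozenset({"read", "search", "compare"}), userdn_anyone())
ADMIN_ALL = Aci("o=hp.com", STAR, "allow", ALL_RIGHTS, groupdn_eq(ADMIN_GROUP))
SELF_WRITE_ALL = Aci("o=hp.com", STAR, "allow", frozenset({"write"}), userdn_self())
BASE = [READ_ANYONE, ADMIN_ALL, SELF_WRITE_ALL]

# The page's Example 1 and Example 2, placed on the groups subtree.
EXAMPLE_1 = Aci(GROUP_SUBTREE, STAR, "deny", frozenset({"write"}), groupdn_ne(ADMIN_GROUP))
EXAMPLE_2 = Aci(GROUP_SUBTREE, frozenset({"cn", "memberuid", "gidnumber", "userpassword"}),
                "deny", frozenset({"write"}), groupdn_ne(ADMIN_GROUP))

# Tighter self-write for Example 3's delegation: a group entry may change
# only its own member list.  Used in place of SELF_WRITE_ALL.
SELF_WRITE_MEMBERS = Aci(GROUP_SUBTREE, frozenset({"memberuid"}), "allow", frozenset({"write"}), userdn_self())
DELEGATED = [READ_ANYONE, ADMIN_ALL, SELF_WRITE_MEMBERS]


def scenarios() -> Dict[str, bool]:
    """Binding as WHEEL models a user who knows that group's password."""
    return {
        "base_group_writes_gidnumber": permitted(BASE, WHEEL, WHEEL, "gidNumber", "write"),
        "ex1_group_writes_memberuid": permitted(BASE + [EXAMPLE_1], WHEEL, WHEEL, "memberUid", "write"),
        "ex1_admin_writes_memberuid": permitted(BASE + [EXAMPLE_1], ALICE, WHEEL, "memberUid", "write"),
        "ex2_group_writes_gidnumber": permitted(BASE + [EXAMPLE_2], WHEEL, WHEEL, "gidNumber", "write"),
        "ex2_group_writes_description": permitted(BASE + [EXAMPLE_2], WHEEL, WHEEL, "description", "write"),
        "ex2_bob_reads_gidnumber": permitted(BASE + [EXAMPLE_2], BOB, WHEEL, "gidNumber", "read"),
        "delegated_group_writes_memberuid": permitted(DELEGATED, WHEEL, WHEEL, "memberUid", "write"),
        "delegated_group_writes_gidnumber": permitted(DELEGATED, WHEEL, WHEEL, "gidNumber", "write"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {'permitted' if ok else 'denied'}")
```

Running it shows the first scenario permitted (the risk the examples address), the Example 1 and Example 2 writes by the group bind denied while the administrator's write and bob's read still succeed, and under the delegated rules memberUid writable but gidNumber not. The model ignores targetfilter, proxy and selfwrite rights and ACI precedence across entries, so use it to reason about rule shape, not as a substitute for testing on the real server.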
Protecting Other Posix Attributes
The migration tools provided with the HP-UX LDAP Integration product migrate all entries in the NIS
databases or /etc/… files (/etc/passwd, /etc/group, etc.) to individual entries within their own subtrees in
the directory. Of these, only the passwd and group files carry passwords, so only the entries migrated from
them receive a userPassword attribute that someone could bind with. Entries migrated from the other
databases cannot be bound as, so by default the average user is not able to modify most Posix naming data
in the LDAP directory, and the risk described in the passwd and group example does not arise for those
entries. This holds only as long as the average user is not allowed to modify them by some other rule, so
the Directory Administrator must ensure that the directory server's access control restrictions (ACLs)
prevent the average user from modifying these entries.
The following table shows where a default migration places the Posix databases in a directory tree.
For this example, assume that your organization is called "o=hp.com" and that you decided to place all
your NIS databases under the "ou=NIS" organizational unit in your tree. Use this table to help find your
Posix data in your directory tree, and make sure that entries under these subtrees are protected from
uncontrolled modification.