Preparing your LDAP Directory for HP-UX Integration
Table 1

Map               Location in Directory Tree
passwd            ou=People,ou=NIS,o=hp.com
group             ou=Groups,ou=NIS,o=hp.com
aliases           ou=mailGroups,ou=NIS,o=hp.com
fstab             ou=Mounts,ou=NIS,o=hp.com
netgroup.byuser   nisMapName=netgroup.byuser,ou=NIS,o=hp.com
netgroup.byhost   nisMapName=netgroup.byhost,ou=NIS,o=hp.com
netgroup          ou=Netgroups,ou=NIS,o=hp.com
hosts             ou=Devices,ou=NIS,o=hp.com
networks          ou=tcpIp,ou=NIS,o=hp.com
protocols         ou=tcpIp,ou=NIS,o=hp.com
rpc               ou=tcpIp,ou=NIS,o=hp.com
services          ou=tcpIp,ou=NIS,o=hp.com
Note: The above table is based on the examples in the revision to RFC 2307, which at the time of
writing is still a draft proposal.
Limiting Login Shell Values
On HP-UX, a user may change his login shell with the chsh command, but only to one of a limited set of
shells. That set is defined by the operating system or, if the HP-UX system administrator creates an
/etc/shells file, by the contents of that file. The default list on HP-UX 11.00 is:
/sbin/sh
/usr/bin/sh
/usr/bin/rsh
/usr/bin/ksh
/usr/bin/rksh
/usr/bin/csh
/usr/bin/keysh
If the Directory Administrator wants HP-UX users to be able to change their shells, the directory server
must allow each user to modify his own loginShell attribute. (The ACIs described in the "Protecting passwd
Attributes (IMPORTANT)" section above do allow the user to modify his loginShell attribute.) However, the
directory server by default has no concept of a "valid shell," so the user could set loginShell to any value
at all. In most deployments this is unlikely to create a security problem on the HP-UX system (the one case
to watch is a user who has been confined to a restricted shell such as /usr/bin/rksh: if he can write the
attribute directly, he can replace it with an unrestricted shell and escape that restriction). It can, however,
break the user's ability to log in if the value placed in loginShell is not a valid path to an executable or
shell. For example, the FTP server will not allow a user to log in if he does not have a valid shell.
Neither the NIS/LDAP Gateway nor LDAP-UX Client Services currently supports modifying the LDAP
directory through the chsh command. A user who wants to change his loginShell therefore has to edit the
directory entry directly with directory administration tools (such as ldapmodify), with nothing to stop him
from making a mistake.
Some directory products allow the administrator to install plug-ins (triggers) that run when data is read or
modified. To keep loginShell from ever holding an invalid value, the Directory Administrator can write a
trigger that rejects any modification of that attribute unless the new value is on a list the trigger defines,
ideally the same list chsh enforces on the HP-UX clients (the default list above, or the contents of
/etc/shells). Refer to your directory server's product documentation to find out whether operation triggers
are supported and how to implement them.
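As an added example (not code from this HP paper or from any directory server product), the following Python shows the check such a trigger would perform. Directory plug-in APIs are product-specific, so the server side is reduced to one function, check_loginshell_modify(), which a pre-operation trigger would call with the modifications from a MODIFY request and whose rejection would abort the operation. The small LDIF parser covers only the "changetype: modify" subset needed here; the DN uid=jdoe and the /etc/shells contents in the demo are constructed.

```python
"""Trigger-style validation of loginShell changes (added example, not the
paper's or any directory product's own code). The LDIF parser handles only
plain 'changetype: modify' records: no base64 values, no line folding."""
from typing import Iterable, List, Optional, Tuple

# Default HP-UX 11.00 chsh list from the text, used when no /etc/shells exists.
HPUX_DEFAULT_SHELLS = (
    "/sbin/sh", "/usr/bin/sh", "/usr/bin/rsh", "/usr/bin/ksh",
    "/usr/bin/rksh", "/usr/bin/csh", "/usr/bin/keysh",
)

# One LDAP modification: (operation, attribute, values), as written in LDIF.
Mod = Tuple[str, str, List[str]]


def parse_shells_file(text: str) -> List[str]:
    """Parse /etc/shells text: one path per line; '#' comments and blanks ignored."""
    shells = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.append(line)
    return shells


def allowed_shells(shells_file_text: Optional[str]) -> Tuple[str, ...]:
    """Mirror chsh: honour /etc/shells when present, else the built-in list."""
    if shells_file_text is None:
        return HPUX_DEFAULT_SHELLS
    return tuple(parse_shells_file(shells_file_text))


def parse_ldif_modify(ldif: str) -> Tuple[str, List[Mod]]:
    """Parse a 'changetype: modify' LDIF record into (dn, [(op, attr, values)])."""
    dn = ""
    mods: List[Mod] = []
    current: Optional[Mod] = None
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":                      # end of one modification
            if current is not None:
                mods.append(current)
                current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value != "modify":
                raise ValueError("only changetype: modify is handled")
        elif current is None and key in ("add", "replace", "delete"):
            current = (key, value, [])
        elif current is not None and key.lower() == current[1].lower():
            current[2].append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {raw!r}")
    if current is not None:
        mods.append(current)
    return dn, mods


def check_loginshell_modify(mods: Iterable[Mod],
                            allowed: Iterable[str]) -> Tuple[bool, str]:
    """Return (accept, reason). Only loginShell is inspected, case-insensitively
    (RFC 2307 spells it loginShell; LDAP attribute names are case-insensitive)."""
    allowed_set = set(allowed)
    for op, attr, values in mods:
        if attr.lower() != "loginshell":
            continue
        if op == "delete":
            # A user with no loginShell has no shell at all: refuse outright.
            return False, "loginShell may not be deleted"
        if len(values) != 1:
            return False, "loginShell must be given exactly one value"
        shell = values[0]
        if shell not in allowed_set:
            # Catches typos, relative paths and shells outside the chsh list,
            # including an escape from a restricted shell such as /usr/bin/rksh.
            return False, f"{shell!r} is not an allowed login shell"
    return True, "ok"


def check_ldif(ldif: str, shells_file_text: Optional[str] = None) -> Tuple[bool, str]:
    """Parse one LDIF modify record and validate it against the shell list."""
    _dn, mods = parse_ldif_modify(ldif)
    return check_loginshell_modify(mods, allowed_shells(shells_file_text))


if __name__ == "__main__":
    # Constructed request: a user (hypothetical DN) changing his own shell.
    request = ("dn: uid=jdoe,ou=People,ou=NIS,o=hp.com\nchangetype: modify\n"
               "replace: loginShell\nloginShell: /usr/bin/ksh\n-\n")
    print(check_ldif(request))                                            # accepted
    print(check_ldif(request.replace("/usr/bin/ksh", "/usr/bin/kshh")))   # typo: rejected
    # A constructed administrator /etc/shells widens the list.
    print(check_ldif(request.replace("/usr/bin/ksh", "/usr/local/bin/bash"),
                     "/sbin/sh\n/usr/local/bin/bash\n"))                 # accepted
```

The list is compared as exact strings on purpose: a trigger running on the directory server cannot stat files on the HP-UX clients, so it can only enforce the same whitelist chsh would, and a typo or a relative path is rejected rather than reaching the client and locking the user out.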