Preparing your LDAP Directory for HP-UX Integration
11
Setting Up Access Controls for Proper HP-UX Operation
As mentioned earlier in this section, HP-UX allows anyone on the system to read the files listed in
Table 1 on page 10. Most HP-UX operations require global read access to them. For example, suppose that the
/etc/group file were not readable by the average HP-UX user. Here is what happens when that user runs the
"ls -l" command.
Instead of seeing this:
total 41
-rw-rw-r-- 1 joe_e ldap 3187 Jun 8 13:45 README
-rw-rw-r-- 1 joe_e ldap 349 Jun 9 18:08 entry_template
-rwxr-xr-x 1 joe_e ldap 8668 Jun 9 17:56 ldap_mod_entry
-rwxr-xr-x 1 joe_e ldap 6045 Jun 9 18:06 ldap_new_entry
The user would see this:
total 41
-rw-rw-r-- 1 joe_e 2112 3187 Jun 8 13:45 README
-rw-rw-r-- 1 joe_e 2112 349 Jun 9 18:08 entry_template
-rwxr-xr-x 1 joe_e 2112 8668 Jun 9 17:56 ldap_mod_entry
-rwxr-xr-x 1 joe_e 2112 6045 Jun 9 18:06 ldap_new_entry
The same problem will occur if the user is not allowed to view the entries or the attributes under the
ou=Groups subtree. This can cause more significant problems for other databases (such as the services or
protocols database). Thus, the Directory Administrator should ensure that authenticated users (or anyone)
can view all the entries under the map subtrees. Typically, this is the default for most directory servers.
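The following is an added example, not code from the HP-UX document. It models how ls -l falls back to printing the numeric GID when the group source (/etc/group or the ou=Groups subtree) cannot be read, and provides a small diagnostic that reports which GIDs on a host fail to resolve. The sample group database and file entries are constructed to mirror the listing above; the lookup functions and names are assumptions for illustration.

```python
"""Added example (not from the HP-UX document): how ls -l degrades to numeric
group IDs when the group source cannot be read, plus a diagnostic that lists
the GIDs affected.  Sample data below is constructed to mirror the listing in
the text."""
import grp
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample group database: gid 2112 is the "ldap" group, as in the text.
SAMPLE_GROUP_DB: Dict[int, str] = {0: "root", 2112: "ldap"}

# Constructed sample directory entries: (mode, links, owner, gid, size, mtime, name).
SAMPLE_ENTRIES: List[Tuple[str, int, str, int, int, str, str]] = [
    ("-rw-rw-r--", 1, "joe_e", 2112, 3187, "Jun 8 13:45", "README"),
    ("-rw-rw-r--", 1, "joe_e", 2112, 349, "Jun 9 18:08", "entry_template"),
    ("-rwxr-xr-x", 1, "joe_e", 2112, 8668, "Jun 9 17:56", "ldap_mod_entry"),
    ("-rwxr-xr-x", 1, "joe_e", 2112, 6045, "Jun 9 18:06", "ldap_new_entry"),
]

Lookup = Callable[[int], Optional[str]]


def readable_lookup(gid: int) -> Optional[str]:
    """Lookup when the group source (/etc/group or ou=Groups) is readable."""
    return SAMPLE_GROUP_DB.get(gid)


def unreadable_lookup(gid: int) -> Optional[str]:
    """Lookup when the caller lacks read access to the group source: nothing resolves."""
    return None


def system_lookup(gid: int) -> Optional[str]:
    """Real lookup through the host's name service (files, NIS, LDAP-UX, ...)."""
    try:
        return grp.getgrgid(gid).gr_name
    except (KeyError, PermissionError):
        return None


def group_column(gid: int, lookup: Lookup) -> str:
    """What ls -l prints in the group column: the name if it resolves, else the bare GID."""
    name = lookup(gid)
    return name if name is not None else str(gid)


def format_listing(entries: Iterable[Tuple[str, int, str, int, int, str, str]],
                   lookup: Lookup) -> List[str]:
    """Render entries the way ls -l would, resolving the group column via `lookup`."""
    lines = []
    for mode, links, owner, gid, size, mtime, name in entries:
        lines.append(f"{mode} {links} {owner} {group_column(gid, lookup)} {size} {mtime} {name}")
    return lines


def unresolved_gids(gids: Iterable[int], lookup: Lookup = system_lookup) -> Set[int]:
    """Diagnostic: the GIDs that would appear as numbers.  A non-empty result on a
    host that should be serving groups from LDAP points at a read-access problem
    on the group file or the ou=Groups subtree."""
    return {gid for gid in gids if lookup(gid) is None}


if __name__ == "__main__":
    print("\n".join(format_listing(SAMPLE_ENTRIES, readable_lookup)))
    print()
    print("\n".join(format_listing(SAMPLE_ENTRIES, unreadable_lookup)))
    # Against the real name service of this host (constructed GIDs may not exist here).
    print("unresolved on this host:", sorted(unresolved_gids(e[3] for e in SAMPLE_ENTRIES)))
```

Run with no arguments to see both listings; call unresolved_gids with the GIDs taken from a file system listing (and the default system_lookup) on a client host to confirm that every group the LDAP directory should serve actually resolves for an unprivileged user.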
Directory Read Access Requirements
In order for the HP-UX system to use the LDAP directory as a back-end naming service, the NIS/LDAP
Gateway and LDAP-UX Client Services products must bind to the LDAP directory. These agents can bind
as an anonymous user or as a pre-defined proxy user. A proxy user is a directory user that accesses the
LDAP directory on behalf of the users of the HP-UX system. The proxy user is given read access rights
(typically not write access rights) to the Posix data. A proxy user is typically required by the NIS/LDAP
Gateway and LDAP-UX Client Services products in order to be given read access rights to the userPassword
attribute. The userPassword attribute is typically not visible to regular directory users.
NIS/LDAP Gateway & Read Access Requirements
As long as the proxy user is able to read all the Posix entries in the directory, the Directory Administrator
may choose to limit read access for other users. If you choose not to use a proxy user, then all Posix data in
the directory must be readable by anyone (this includes the userPassword attribute).
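The following is an added example, not code from the HP-UX document or the NIS/LDAP Gateway product. It audits the output of two directory searches, one made anonymously and one bound as the proxy user, against the read-access requirements described above: every Posix entry must be visible, the proxy user must be able to read userPassword, and, when a proxy user is in use, anonymous searches should not expose it. The LDIF samples, the suffix dc=example,dc=com and the DNs are constructed for illustration; the expected outcomes depend on the ACLs actually configured on your server.

```python
"""Added example (not from the HP-UX document): audit ldapsearch output from an
anonymous bind and from the proxy-user bind against the read-access requirements
in the text.  The LDIF samples, DNs and suffix dc=example,dc=com are constructed."""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample: what an anonymous search might return when a proxy user
# is in use (Posix data visible, userPassword withheld).
ANON_LDIF = """\
dn: uid=joe_e,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: joe_e
uidNumber: 1001
gidNumber: 2112
homeDirectory: /home/joe_e

dn: cn=ldap,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ldap
gidNumber: 2112
memberUid: joe_e
"""

# Constructed sample: the same search bound as the proxy user, which is granted
# read access to userPassword (value base64-encoded, as ldapsearch prints it).
PROXY_LDIF = ANON_LDIF.replace(
    "homeDirectory: /home/joe_e\n",
    "homeDirectory: /home/joe_e\nuserPassword:: e1NTSEF9ZXhhbXBsZQ==\n",
)

# The Posix entries that every binding identity must be able to see.
EXPECTED_DNS = [
    "uid=joe_e,ou=People,dc=example,dc=com",
    "cn=ldap,ou=Groups,dc=example,dc=com",
]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader for ldapsearch output: unfolds continuation lines,
    skips comments, decodes '::' base64 values, splits entries on blank lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def attr_values(entry: Entry, name: str) -> List[str]:
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]


def audit_view(entries: List[Entry], expected_dns: List[str],
               expect_password: Optional[bool]) -> List[str]:
    """Return a list of problems (empty means the view is acceptable).
    expect_password=True: every posixAccount must expose userPassword (the proxy
    user, or anonymous when no proxy user is used); False: none may (anonymous
    when a proxy user is used); None: do not check the attribute."""
    problems: List[str] = []
    seen = {attr_values(e, "dn")[0].lower(): e for e in entries}
    for dn in expected_dns:
        if dn.lower() not in seen:
            problems.append(f"entry not visible: {dn}")
    if expect_password is None:
        return problems
    for entry in seen.values():
        dn = attr_values(entry, "dn")[0]
        classes = {c.lower() for c in attr_values(entry, "objectClass")}
        if "posixaccount" not in classes:
            continue
        has_pw = bool(attr_values(entry, "userPassword"))
        if expect_password and not has_pw:
            problems.append(f"userPassword not readable: {dn}")
        elif not expect_password and has_pw:
            problems.append(f"userPassword exposed: {dn}")
    return problems


if __name__ == "__main__":
    print("anonymous:", audit_view(parse_ldif(ANON_LDIF), EXPECTED_DNS, False) or "ok")
    print("proxy user:", audit_view(parse_ldif(PROXY_LDIF), EXPECTED_DNS, True) or "ok")
```

To use it on a real server, capture the output of an ldapsearch over the map subtrees once without binding and once bound as the proxy user, feed each to parse_ldif, and pass the list of DNs the clients depend on as expected_dns. If no proxy user is configured, audit the anonymous output with expect_password=True instead, since in that configuration anyone must be able to read userPassword.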
LDAP-UX Client Services & Directory Read Access Requirements
The LDAP-UX Client Services product has the same read access requirements to Posix data as the
NIS/LDAP Gateway product, with one exception: