Preparing your LDAP Directory for HP-UX Integration
34
netgroup.byhost maps, given a netgroup file as input.
LDAP directories provide features similar to netgroups, and discontinuing the use of netgroups, where possible,
eliminates the problems described above. However, migrating away from netgroups may be challenging, so the
Directory Administrator and HP-UX System Administrator should be prepared to create automated processes to
manage the netgroup data in the directory.
The groupOfUniqueNames Object Class
The posixGroup object class, defined by RFC 2307, contains attributes that represent the values in the entries of the
/etc/group file. Members of a posixGroup are represented by the memberUid attribute, whose values are uid names
such as karen32 or bjones. However, in the LDAP world, groups are more commonly represented by the groupOfNames
or groupOfUniqueNames object classes. Members of these classes are represented by the member and uniqueMember
attributes, respectively. Values of the member attribute are distinguished names; values of the uniqueMember
attribute are also distinguished names, with an optional unique string appended. In short, members of an LDAP
group are identified by their distinguished names rather than by a short uid string.
The groupOfUniqueNames and groupOfNames object classes are the recommended structural classes for the
posixGroup object class. As such, you may use preexisting directory groups to represent Posix groups simply by
adding the posixGroup object class to a groupOfUniqueNames or groupOfNames entry. This is an extremely powerful
integration feature: HP-UX and other LDAP-based applications can share the same group membership. One
limitation of using groupOfUniqueNames or groupOfNames to represent a Posix group is the limit the Posix system
places on the size of the group membership (see "Group and Netgroup Size Limitations" earlier in this document
for additional details).
Aside from the size limitation, be aware that when you add the posixGroup object class to a groupOfUniqueNames
or groupOfNames entry, the userPassword attribute becomes part of the entry if the password contains a value. As
described above, this means that users who know that password may be able to modify the group entry in the
database.
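The following is an added example, not code from the HP document, illustrating the combined entry described above and the two caveats that come with it. It parses a constructed LDIF entry that carries both groupOfUniqueNames and posixGroup, verifies that the Posix view (memberUid) and the LDAP view (uniqueMember/member distinguished names) name the same people, flags a userPassword value on the group entry, and flags membership above a size limit. The DN suffix, the uid values, the uniqueMember suffix and the max_members value are all assumptions; the document does not state the actual Posix group-size limit.

```python
"""Consistency check for an LDAP group entry that carries both the
groupOfUniqueNames and posixGroup object classes (RFC 2307 style).

Added example, not code from the HP document. The LDIF below is constructed
sample data; the DN suffix, uid values and the size limit are assumptions."""

import re

# Constructed sample entry: an existing groupOfUniqueNames entry to which the
# posixGroup object class has been added so HP-UX can use it as a Posix group.
SAMPLE_LDIF = """\
dn: cn=devteam,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: devteam
gidNumber: 5001
uniqueMember: uid=karen32,ou=People,dc=example,dc=com
uniqueMember: uid=bjones,ou=People,dc=example,dc=com#unique-1
memberUid: karen32
memberUid: bjones
memberUid: ghost
userPassword: {SSHA}constructedhashvalue==
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} with lower-cased
    attribute names. Only the single-line 'name: value' form used in the
    sample is handled; continuation lines and base64 values are not."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def uid_from_member_dn(value):
    """Return the uid RDN value of a member/uniqueMember DN, dropping the
    optional '#uniqueIdentifier' suffix that groupOfUniqueNames allows."""
    dn = value.split("#", 1)[0]
    match = re.match(r"uid=([^,]+)", dn, re.IGNORECASE)
    return match.group(1) if match else None


def check_group_entry(entry, max_members=100):
    """Return a list of findings for a combined groupOfUniqueNames/posixGroup
    entry. max_members stands in for the Posix group-size limit (assumed)."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixgroup" not in classes:
        findings.append("missing posixGroup object class")
    if not classes & {"groupofuniquenames", "groupofnames"}:
        findings.append("missing groupOfUniqueNames/groupOfNames structural class")
    if "gidnumber" not in entry:
        findings.append("missing gidNumber")

    # HP-UX reads memberUid; other LDAP applications read member/uniqueMember.
    # For shared membership to be meaningful both views must agree.
    dn_values = entry.get("uniquemember", []) + entry.get("member", [])
    dn_uids = {uid_from_member_dn(v) for v in dn_values}
    dn_uids.discard(None)
    posix_uids = set(entry.get("memberuid", []))
    for uid in sorted(posix_uids - dn_uids):
        findings.append(f"memberUid {uid} has no matching member/uniqueMember DN")
    for uid in sorted(dn_uids - posix_uids):
        findings.append(f"member DN for {uid} has no matching memberUid")

    if len(posix_uids) > max_members:
        findings.append(f"{len(posix_uids)} members exceeds Posix limit of {max_members}")

    # posixGroup permits userPassword on the group; anyone who knows that
    # password may be able to modify the group entry, so report its presence.
    if entry.get("userpassword"):
        findings.append("group entry carries a userPassword value")
    return findings


if __name__ == "__main__":
    for finding in check_group_entry(parse_ldif_entry(SAMPLE_LDIF)):
        print(finding)
```

Run against the sample, the check reports the stale memberUid "ghost" that has no corresponding DN and the userPassword value on the group; lowering max_members to 2 additionally reports the size violation. In practice the entry would come from an LDAP search rather than an inline string, and the size limit from the HP-UX documentation referenced above.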
At this time, only the NIS/LDAP Gateway product supports the groupOfUniqueNames and groupOfNames
object classes for defining HP-UX group membership.