ldaphostmgr.1m (2010 09)

ldaphostmgr(1M) ldaphostmgr(1M)
prompts.
-Z Require an SSL connection to the directory server, even if the ldapux(5) configuration does not require the use of SSL. Use of -Z requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. An error will occur if the SSL connection could not be established. Refer to Binding to the Directory Server below for additional details.
-ZZ Attempt a TLS connection to the directory server, even if the ldapux(5) configuration does not require the use of TLS. If a TLS connection is unable to be established, a non-TLS and non-SSL connection will be established. Use of -ZZ is not recommended unless alternative methods are used to protect from network eavesdropping. Use of -ZZ requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. Refer to Binding to the Directory Server below for additional details.
-ZZZ Requires a TLS connection to the directory server, even if the ldapux(5) configuration does not require the use of TLS. Use of -ZZZ requires either a valid server or CA certificate be defined in the /etc/opt/ldapux/cert8.db file. An error will occur if the TLS connection could not be established. Refer to Binding to the Directory Server below for additional details.
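
The cleartext fallback of -ZZ described above can be caught before a script runs the tool. The following POSIX shell guard is an added example, not part of the HP-UX documentation or tooling: it classifies the -Z, -ZZ and -ZZZ flags, refuses -ZZ, and checks that the certificate database is readable. The function names, the CERT_DB override, and the assumption that the flag is passed as its own argument are illustrative.

```sh
#!/bin/sh
# Added example (not HP code): preflight guard for ldaphostmgr transport flags.
# Assumption: the -Z/-ZZ/-ZZZ flag is passed as its own argument.
# CERT_DB may be overridden for testing; the default is the path named above.
CERT_DB=${CERT_DB:-/etc/opt/ldapux/cert8.db}

# Print the transport mode implied by an ldaphostmgr argument list.
tls_mode() {
    mode=profile-default              # no -Z* flag: the ldapux(5) profile decides
    for arg in "$@"; do
        case $arg in
            -Z)   mode=ssl-required ;;
            -ZZ)  mode=tls-opportunistic ;;   # may fall back to cleartext
            -ZZZ) mode=tls-required ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Return 0 if acceptable, 1 if the call could fall back to cleartext,
# 2 if the certificate database a required-TLS/SSL flag needs is unreadable.
preflight() {
    mode=$(tls_mode "$@")
    case $mode in
        tls-opportunistic)
            echo "refuse: -ZZ can fall back to a non-TLS, non-SSL connection" >&2
            return 1 ;;
        ssl-required|tls-required)
            if [ ! -r "$CERT_DB" ]; then
                echo "refuse: $CERT_DB is missing or unreadable ($mode)" >&2
                return 2
            fi ;;
        profile-default)
            echo "note: no -Z flag, transport depends on the ldapux(5) profile" >&2 ;;
    esac
    return 0
}

# Hypothetical wrapper: run ldaphostmgr only when the preflight passes.
guarded_ldaphostmgr() {
    preflight "$@" && ldaphostmgr "$@"
}
```

Sourcing this file and calling guarded_ldaphostmgr in place of ldaphostmgr in administrative scripts makes a -ZZ invocation fail early instead of silently binding without encryption.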
Object Classes
By default, ldaphostmgr will use the device and ipHost object class when creating new entries (or the computer object class for ADS). Using certain options will result in additional attributes and their corresponding object classes being added to host entries that are being created or modified. These include the following object classes:
    ldapPublicKey    used when the -k option is specified.
    domainEntity     used when the -r or -P options are specified.
The ldapPublicKey and domainEntity object classes will not be added to entries stored in ADS.
Binding to the Directory Server
ldaphostmgr has been designed to take advantage of the existing ldapux(5) configuration for determining to which directory server to bind and how to perform the bind operation. ldaphostmgr will consult the ldapux(5) configuration profile for the following information:
    The list of LDAP directory server hosts.
    The authentication method (simple passwords, SASL Digest MD5, etc.)
If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified, ldaphostmgr will also consult the ldapux(5) configuration for additional information:
    The type of credential (user, proxy or anonymous) to use.
    The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative users or /etc/opt/ldapux/pcred for non-privileged users.)
As with ldapux(5), ldaphostmgr will attempt to contact the first available directory server as defined in the ldapux(5) host list. As soon as a connection is established, additional directory servers on the host list will not be contacted. Once connected, ldaphostmgr will first determine if the environment variables LDAP_BINDDN or LDAP_BINDCRED have been specified. If both are specified, then ldaphostmgr will attempt to bind to the directory server using the specified credentials and configured LDAP-UX authentication method. If either of the above-mentioned environment variables has not been specified, then ldaphostmgr will determine if the configured credential type is "proxy" and if so, attempt to bind to the directory server using the configured LDAP-UX proxy credential. If configured, the acred proxy credential will be used for administrative users (determined if the user running ldaphostmgr has enough privilege to read the /etc/opt/ldapux/acred file).
Note that when a user is managing a remote host, the specified credential must also have POSIX account attributes specified in his or her directory server entry. This means that if the acred credentials are used, they too must represent a POSIX account.
HP-UX 11i v3: June 2010 Web Release 7 Hewlett-Packard Company 7