ldaphostmgr.1m (2010 09)
ldaphostmgr(1M) ldaphostmgr(1M)
Note: to prevent discovery of the LDAP administrator's credentials, the LDAP user DN and password must not be specified as command-line options to the ldaphostmgr utility.
Security Considerations
• Use of ldaphostmgr requires the permissions of an LDAP administrator when it performs its operations on the directory server. The rights to create new LDAP directory entries under the requested subtree, along with creation of the required attributes in that entry, must be granted to the LDAP administrator identity that is specified when executing ldaphostmgr.
• When creating, changing or validating the host keys of a remote host, ldaphostmgr will attempt to create a session on the remote host using the identity of the user running the ldaphostmgr command. This means the specified LDAP identity must have an associated posixAccount object class. The session to the remote host will be established using ssh itself. If the ssh public key for the remote host is not defined in the directory server or in a local known_hosts file, the user will be prompted before creating a connection to the remote host (since in this condition it is possible the remote host is an imposter). Such connections should not be allowed unless the key fingerprint can be validated.
• If the current user has sufficient privilege to modify the sshPublicKey attribute in the representative host entry in the directory server, ldaphostmgr will allow the current user to modify the public and private key pairs for the host (local or remote). ldaphostmgr runs as a setuid program and will temporarily elevate its privilege in this situation.
• As with any identity repository, modification of this repository will likely have impacts as defined by the organization's security policy. Users of ldaphostmgr are expected to have full knowledge of the impact on the organization's security policy when adding, removing or modifying host information in that repository.
• In order to support non-interactive use of the ldaphostmgr command, the LDAP user's credentials must be supplied through the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use. Note also that the shell's command history log (see shells(4)) may contain copies of the executed commands that show the setting of these variables. Access to a shell's history file must be protected. As an alternative, the environment variables used by ldaphostmgr may be specified in a file, using the -E option. Specification of the LDAP administrator's credentials on the command line is not allowed, since information about the currently running processes can be exposed externally from the session. Allowing interactive prompting for these credentials (not specifying -X) eliminates the need to set the mentioned environment variables.
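The last bullet describes two exposures an administrator can check for: credential assignments that were recorded in a shell history log, and a history file whose permission bits let other users read it. The following Python script is an added example for this manual page and is not part of ldaphostmgr or HP-UX; the history lines it scans are constructed, and the command shapes in them (the host name as the last argument, -X with environment credentials, -E with an environment file) follow the option descriptions on this page but are otherwise assumed.

```python
"""Audit a shell history log for ldaphostmgr credential exposure.

Added example, not code from ldaphostmgr or HP-UX. It checks the two points
raised in Security Considerations: lines that set LDAP_BINDDN or
LDAP_BINDCRED are recorded in the history log, and that log must not be
readable by other users. SAMPLE_HISTORY below is constructed for the example.
"""
import os
import re
import stat

# Environment variables ldaphostmgr reads for non-interactive binds.
CREDENTIAL_VARS = ("LDAP_BINDDN", "LDAP_BINDCRED")

# Matches "VAR=...", "export VAR=..." and "VAR=... command" forms.
_ASSIGNMENT = re.compile(
    r"(?:^|\s)(?:export\s+)?(" + "|".join(CREDENTIAL_VARS) + r")="
)

# Constructed history lines; the host name "chef" is the entry from this page.
SAMPLE_HISTORY = """\
cd /var/adm
export LDAP_BINDDN="cn=Manager,dc=cup,dc=hp,dc=com"
export LDAP_BINDCRED=s3cret
ldaphostmgr -X -c "kitchen build server" chef
unset LDAP_BINDDN LDAP_BINDCRED
ldaphostmgr -E /root/ldap-env -c "rack 4" chef
LDAP_BINDCRED=again ldaphostmgr -X chef
"""


def find_credential_lines(history_text):
    """Return (line_number, variable) for every line that assigns a credential variable."""
    hits = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        for m in _ASSIGNMENT.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def redact_credentials(history_text):
    """Replace the value of each credential assignment with a placeholder.

    Quoted values (double or single) are redacted as a whole; unquoted values
    run to the next whitespace. Lines such as 'unset LDAP_BINDCRED' carry no
    value and are left untouched.
    """
    pattern = re.compile(
        r"((?:" + "|".join(CREDENTIAL_VARS) + r")=)(\"[^\"]*\"|'[^']*'|\S*)"
    )
    return pattern.sub(r"\1<redacted>", history_text)


def history_mode_is_safe(mode):
    """True when the permission bits grant nothing to group or others (e.g. 0600)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_history_file(path):
    """Audit a history file on disk: returns (credential_hits, permissions_ok)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    mode = os.stat(path).st_mode
    return find_credential_lines(text), history_mode_is_safe(mode)


if __name__ == "__main__":
    for lineno, var in find_credential_lines(SAMPLE_HISTORY):
        print(f"line {lineno}: sets {var}")
    print(redact_credentials(SAMPLE_HISTORY))
    print("0600 ok:", history_mode_is_safe(0o600), " 0644 ok:", history_mode_is_safe(0o644))
```

On a real system, audit_history_file would be pointed at the user's history file (for example $HISTFILE); the line numbers it returns identify which commands to remove from the log, and a False permission result means the file is readable by users other than its owner and needs its mode tightened.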
WARNINGS
Under common usage, ldaphostmgr uses the LDAP replace operation when changing the values of an attribute in an entry. This affects attributes that have multiple values: all occurrences of the attribute value are removed and replaced with the one specified on the ldaphostmgr command line. For example, if the -c argument is used to specify a new description for a host, all occurrences of the description attribute will be replaced by the value specified for the -c argument. This mode of operation applies to the -I command argument as well.
When the attr=value parameter is used to modify an existing attribute, the ldaphostmgr command will also use the LDAP replace operation. The replace operation will remove all occurrences of the specified attribute for an entry and replace them with the value specified. If there are multiple values for a single attribute in an entry, the use of a single attr=value parameter will replace all values with the single value specified on the command line.
Note that it is possible to specify more than one occurrence of the same attribute on the command line if that attribute is multi-valued; in that case, both values will be created in the entry.
Use of -A or -R changes this behavior (for both the above-listed command arguments and the attr=value parameters). Any attribute specified as an argument to the -A or -R option will cause ldaphostmgr to perform an LDAP add operation instead of an LDAP replace operation.
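The difference between the replace and add modify operations is easiest to see on an entry whose attribute already carries several values. The following Python script is an added illustration for this manual page, not code from ldaphostmgr or HP-UX: it models the LDAP modify operations as the protocol defines them (RFC 4511 section 4.6) on an in-memory copy of the cn=chef entry shown below, to which two constructed description values have been added, and renders the change as an LDIF modify record. The set_description helper, its additive flag, and the description values are assumptions for the example; the only values taken from the page are the entry's dn, cn, ipHostNumber and objectClass.

```python
"""Model of the LDAP replace and add semantics described under WARNINGS.

Added illustration, not code from ldaphostmgr or HP-UX. The entry is the
cn=chef host entry from the manual page, extended with two constructed
description values so that the effect on a multi-valued attribute is visible.
"""
from copy import deepcopy

# The host entry from the manual page, modelled as attribute -> list of values.
# The two description values are constructed for this example.
CHEF_ENTRY = {
    "dn": ["cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com"],
    "cn": ["chef"],
    "ipHostNumber": ["192.0.10.10"],
    "objectClass": ["top"],
    "description": ["kitchen build server", "rack 4, slot 2"],
}


def apply_modify(entry, changes):
    """Apply a list of (operation, attribute, values) to a copy of entry.

    Semantics follow RFC 4511 section 4.6: 'replace' discards every existing
    value of the attribute before storing the new ones (and removes the
    attribute when no values are given), 'add' appends values not already
    present, 'delete' removes the listed values or, with no values, the whole
    attribute.
    """
    result = deepcopy(entry)
    for op, attr, values in changes:
        current = result.get(attr, [])
        if op == "replace":
            result[attr] = list(values)
        elif op == "add":
            result[attr] = current + [v for v in values if v not in current]
        elif op == "delete":
            if not values:
                result.pop(attr, None)
            else:
                result[attr] = [v for v in current if v not in values]
        else:
            raise ValueError(f"unknown modify operation: {op}")
        if attr in result and not result[attr]:
            del result[attr]
    return result


def to_ldif_change(dn, changes):
    """Render the changes as an LDIF modify record (RFC 2849)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        for v in values:
            lines.append(f"{attr}: {v}")
        lines.append("-")
    return "\n".join(lines) + "\n"


def set_description(entry, text, additive=False):
    """Change a host description the way the WARNINGS section describes.

    additive=False models -c on its own (LDAP replace): every existing
    description value is lost. additive=True models -c together with -A
    (LDAP add): the new value is appended and the existing ones survive.
    This helper is an assumption of the example, not a ldaphostmgr interface.
    """
    op = "add" if additive else "replace"
    return apply_modify(entry, [(op, "description", [text])])


if __name__ == "__main__":
    replaced = set_description(CHEF_ENTRY, "retired 2010-09")
    added = set_description(CHEF_ENTRY, "retired 2010-09", additive=True)
    print("replace ->", replaced["description"])
    print("add     ->", added["description"])
    print(to_ldif_change(CHEF_ENTRY["dn"][0],
                         [("replace", "description", ["retired 2010-09"])]))
```

Running the script shows the replace form leaving the entry with the single new description, while the add form keeps both original values and appends the new one; the LDIF record printed last is the shape of change a replace-mode invocation sends to the directory, which is also useful when reviewing a server's change log after an unexpected loss of attribute values.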
Example: Suppose an entry in an LDAP directory appears as follows:

    dn: cn=chef,ou=Hosts,dc=cup,dc=hp,dc=com
    cn: chef
    ipHostNumber: 192.0.10.10
    objectClass: top
8 Hewlett-Packard Company − 8 − HP-UX 11i v3: June 2010 Web Release