ldapugadd.1m (2010 09)
ldapugadd(1M) ldapugadd(1M)
All LDAP-UX default template files will be stored in the /etc/opt/ldapux/ug_templates directory.
A full or relative path name must begin with either the slash (/) or dot (.) character. If unspecified,
one of the following default template files will be used:
• /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl, or
• /etc/opt/ldapux/ug_templates/ug_group_default.tmpl.
Binding to the Directory Server
ldapugadd has been designed to take advantage of the existing ldapux (5) configuration for determining
to which directory server to bind and how to perform the bind operation. ldapugadd will consult the
ldapux (5) configuration profile for the following information:
• The list of LDAP directory server hosts.
• The authentication method (simple passwords, SASL Digest MD5, etc.)
If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified, ldapugadd
will also consult the ldapux (5) configuration for additional information:
• The type of credential (user, proxy or anonymous) to use.
• The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative
users or /etc/opt/ldapux/pcred for non-privileged users).
As with ldapux (5), ldapugadd will attempt to contact the first available directory server as defined in
the ldapux (5) host list. As soon as a connection is established, further directory servers on the host list
will not be contacted. Once connected, ldapugadd will first determine if the environment variables
LDAP_BINDDN or LDAP_BINDCRED have been specified. If both are specified, then ldapugadd will
attempt to bind to the directory server using the specified credentials and the configured LDAP-UX
authentication method.
If either of the above mentioned environment variables has not been specified, then ldapugadd will
determine if the configured credential type is "proxy" and, if so, attempt to bind to the directory server
using the configured LDAP-UX proxy credential. If configured, the acred proxy credential will be used for
administrative users (that is, when the user running ldapugadd has enough privilege to read the
/etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.
Note, to prevent discovery of the LDAP administrator’s credentials, the LDAP user DN and password may
not be specified as command-line options to the ldapugadd utility.
Security Considerations
• Use of ldapugadd requires the permissions of an LDAP administrator when it performs its operations
on the directory server. The rights to create new LDAP directory entries under the requested subtree,
along with creation of the required attributes in that entry, must be granted to the LDAP administrator
identity that is specified when executing ldapugadd.
• As with any POSIX-type identity, the HP-UX operating system uses the specified user and group ID
number to determine rights and capabilities in the OS as well as in the file system. For example, the
root user ID 0 typically has unlimited OS administration and file access rights. Before creating a new
entry, be aware of the selected user and group ID number and any policy that may be associated with
that ID.
• If ldapugadd is used to randomly assign a user or group ID number, it only checks for ID collisions
in the LDAP directory server, not in other policy repositories. When setting user and group ID number
ranges (-D option with either -u or -g), be sure to set a range that is not used by other user or group
ID repositories, to ensure collisions do not occur with existing users or groups in other repositories.
• As would occur in any identity repository, modification of this repository will likely have impacts as
defined by the organization’s security policy. Users of ldapugadd are expected to have full knowledge
of the impact on the organization’s security policy when adding new identity information to that
identity repository.
• In order to support non-interactive use of the ldapugadd command, the LDAP administrator’s
credentials must be specified through the LDAP_BINDDN and LDAP_BINDCRED environment
variables. To prevent exposure of these environment variables, they should be unset after use.
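The following POSIX shell functions are an added example, not part of the ldapugadd(1M) page or of LDAP-UX: select_bind_source mirrors the credential precedence described under "Binding to the Directory Server", and run_with_bindcred shows the non-interactive pattern the last consideration calls for, reading the administrator DN and password from an owner-only file into LDAP_BINDDN and LDAP_BINDCRED for the duration of one command and unsetting them afterwards. The function names and the credential file layout (line 1: bind DN, line 2: password) are assumptions.

```shell
#!/bin/sh
# Added example, not part of ldapugadd(1M). Function names and the
# credential file layout (line 1: bind DN, line 2: password) are assumptions.

# select_bind_source TYPE ACRED PCRED
# Prints which credential ldapugadd would bind with, following the
# precedence described in the manual page:
#   LDAP_BINDDN and LDAP_BINDCRED both set        -> env
#   TYPE is proxy and ACRED readable by this user -> acred
#   TYPE is proxy otherwise                        -> pcred
#   any other configured type (user, anonymous)    -> that type
select_bind_source() {
    if [ -n "$LDAP_BINDDN" ] && [ -n "$LDAP_BINDCRED" ]; then
        echo env
        return 0
    fi
    case "$1" in
        proxy) if [ -r "$2" ]; then echo acred; else echo pcred; fi ;;
        *) echo "$1" ;;
    esac
}

# run_with_bindcred CREDFILE CMD [ARGS...]
# Loads the administrator DN and password from CREDFILE into the
# environment variables ldapugadd expects (never onto the command line),
# runs CMD, then unsets them so they do not linger in the shell.
# Refuses a file that is group- or world-readable.
run_with_bindcred() {
    credfile=$1
    shift
    # columns 5-10 of "ls -ld" are the group and other permission bits
    if [ "$(ls -ld "$credfile" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "refusing $credfile: not owner-only readable" >&2
        return 2
    fi
    LDAP_BINDDN=$(sed -n 1p "$credfile")
    LDAP_BINDCRED=$(sed -n 2p "$credfile")
    export LDAP_BINDDN LDAP_BINDCRED
    "$@"
    rc=$?
    unset LDAP_BINDDN LDAP_BINDCRED
    return "$rc"
}

# Usage (the credential file path is a placeholder):
#   run_with_bindcred /path/to/ldapadmin.cred ldapugadd ...
```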
HP-UX 11i v3: June 2010 Web Release − 9 − Hewlett-Packard Company 9