ldapugdel.1m (2010 09)

ldapugdel(1M) ldapugdel(1M)
If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified, ldapugdel will consult the ldapux(5) configuration for additional information:

• The type of credential (user, proxy or anonymous) to use.
• The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative users or /etc/opt/ldapux/pcred for non-privileged users).

As with ldapux(5), ldapugdel will attempt to contact the first available directory server as defined in the ldapux(5) host list. As soon as a connection is established, further directory servers on the host list will not be contacted.
Once connected, ldapugdel will first determine whether the environment variable LDAP_BINDDN or LDAP_BINDCRED has been specified. If so, ldapugdel will attempt to bind to the directory server using the specified credentials and the configured LDAP-UX authentication method.

If the above-mentioned environment variables have not been specified, ldapugdel will determine whether the configured credential type is "proxy" and, if so, attempt to bind to the directory server using the configured LDAP-UX proxy credential. If configured, the acred proxy credential will be used for administrative users (determined by whether the user running ldapugdel has enough privilege to read the /etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.

Note: to prevent discovery of the LDAP administrator's credentials, the LDAP user DN and password may not be specified as command-line options to the ldapugdel utility.
Security Considerations
• Use of ldapugdel requires the permissions of an LDAP administrator when it performs its operations on the directory server. The rights to delete or modify existing LDAP directory entries under the requested subtree, along with removal of the required attributes in that entry, must be granted to the administrator identity that is specified when executing ldapugdel.

• As would occur in any identity repository, modification of this repository will likely have impacts as defined by the organization's security policy. Users of ldapugdel are expected to have full knowledge of the organization's security policy and the impact of deleting identity information from that identity repository.

• Removal of a POSIX account will not automatically remove that account's membership in groups, unless that capability is intrinsically provided by the directory server. Note that some directory servers have a feature called "referential integrity" which does perform modification/removal of DN-type attributes if the specified DN is either changed or removed.

• Never use ldapugdel as part of a modification process on a user or group entry (deleting and re-adding the entry as a method used to modify that entry). User and group entries in an LDAP directory will often contain information about the user or group that is outside the POSIX information model. Deleting and re-adding an entry will delete all information about the user or group. When the entry is re-added, recovery of the non-POSIX information may not be possible.

• In order to support non-interactive use of the ldapugdel command, specification of the LDAP administrator's credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use. Note also that the shells(4) command history log may contain copies of the executed commands that show the setting of these variables. Access to a shell's history file must be protected. Specification of the LDAP administrator's credentials on the command line is not allowed since information about the currently running processes can be exposed externally from the session. Use of the -P option eliminates the need to set the mentioned environment variables by interactively prompting for the required credentials.
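The credential selection order described in the body of this page and the advice above to unset LDAP_BINDDN and LDAP_BINDCRED after use, as an added example that is not part of this man page or of LDAP-UX: a POSIX shell script that predicts which credential source ldapugdel will bind with and runs a command with the two variables set only for its duration. It assumes the caller supplies the configured credential type (user, proxy or anonymous) instead of parsing the ldapux(5) profile, that an LDAPUX_DIR variable overrides /etc/opt/ldapux for testing, and a constructed two-line credential file format.

```shell
#!/bin/sh
# Added example, not part of the ldapugdel(1M) man page or LDAP-UX.
# LDAPUX_DIR (assumed name) overrides /etc/opt/ldapux so the logic can be
# exercised against a scratch directory.

# resolve_bind_source <cred_type>
# Mirrors the order ldapugdel uses: environment variables first, then the
# stored proxy credential (acred if readable, else pcred), otherwise no
# stored credential. The credential type normally comes from the ldapux(5)
# configuration; here the caller supplies it. Prints the chosen source.
resolve_bind_source() {
    cred_type=$1
    dir=${LDAPUX_DIR:-/etc/opt/ldapux}
    if [ -n "${LDAP_BINDDN:-}" ] || [ -n "${LDAP_BINDCRED:-}" ]; then
        echo env
    elif [ "$cred_type" = proxy ]; then
        # Administrative users are those able to read acred.
        if [ -r "$dir/acred" ]; then echo acred; else echo pcred; fi
    else
        echo "$cred_type"   # user or anonymous: no stored credential
    fi
}

# with_bind_env <credfile> <command> [args...]
# Loads LDAP_BINDDN and LDAP_BINDCRED from a mode-0600 file (constructed
# format: DN on line 1, credential on line 2), runs the command, and unsets
# both variables again. Nothing secret is placed on the command line, so
# neither ps(1) output nor the shell history file captures it.
with_bind_env() {
    credfile=$1; shift
    LDAP_BINDDN=$(sed -n 1p "$credfile")
    LDAP_BINDCRED=$(sed -n 2p "$credfile")
    export LDAP_BINDDN LDAP_BINDCRED
    "$@"
    rc=$?
    unset LDAP_BINDDN LDAP_BINDCRED
    return "$rc"
}

# Typical use (not run here); <arguments> is a placeholder for the
# ldapugdel command-line arguments:
# with_bind_env /path/to/credfile ldapugdel <arguments>
```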
LDAP-UX PROFILE
ldapugdel makes use of the LDAP-UX configuration profile to determine the information model used in the directory server to store POSIX attributes. Please refer to the LDAP-UX Client Services Administrator's Guide for additional information about the configuration profile.
4 Hewlett-Packard Company − 4 − HP-UX 11i v3: June 2010 Web Release