ldapugmod.1m (2010 09)
ldapugmod(1M) ldapugmod(1M)
ldapux (5) configuration profile for the following information:
• The list of LDAP directory server hosts.
• The authentication method (simple passwords, SASL Digest MD5, etc.)
If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified, ldapugmod will also consult the ldapux (5) configuration for additional information:
• The type of credential (user, proxy or anonymous) to use.
• The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative users or /etc/opt/ldapux/pcred for non-privileged users).
As with ldapux (5), ldapugmod will attempt to contact the first available directory server as defined in the ldapux (5) host list. As soon as a connection is established, further directory servers on the host list will not be contacted.
Once connected, ldapugmod will first determine if the environment variables LDAP_BINDDN and LDAP_BINDCRED have been specified. If so, then ldapugmod will attempt to bind to the directory server using the specified credentials and configured LDAP-UX authentication method. If the above mentioned environment variables have not been specified, then ldapugmod will determine if the configured credential type is "proxy" and if so, attempt to bind to the directory server using the configured LDAP-UX proxy credential.
If configured, the acred proxy credential will be used for administrative users (determined if the user running ldapugmod has enough privilege to read the /etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.
Note, to prevent discovery of the LDAP administrator’s credentials, the LDAP user DN and password may not be specified as command-line options to the ldapugmod utility.
Security Considerations
• Use of ldapugmod requires permissions of an LDAP administrator when it performs its operations on the directory server. The rights to modify existing LDAP directory entries under the requested subtree, along with creation, modification and removal of the required attributes in that entry must be granted to the administrator identity that is specified when executing ldapugmod.
• Note that as with any POSIX-type identity, the user and group ID number specified is used by the HP-UX operating system to determine rights and capabilities in the OS as well as in the file system. For example, the root user ID 0 typically has unlimited OS administration and file access rights. Before modifying an entry, be aware of the selected user and group ID number and any policy that may be associated with that ID.
• Modification (renaming) of a POSIX account will not automatically modify that account’s membership in groups, unless that capability is intrinsically provided by the directory server. Note some directory servers have a feature known as "referential integrity," which does perform modification/removal of DN-type attributes if the specified DN is either changed or removed.
• As would occur in any identity repository, modification of this repository will likely have impacts as defined by the organization’s security policy. For example, adding a new user with a user ID number shared with that of a secured application may impact the security of that application. Users of ldapugmod are expected to have full knowledge of the organization’s security policy and the impact of modifying identity information in that identity repository.
• In order to support non-interactive use of the ldapugmod command, specification of the LDAP administrator’s credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use. Note also that the shells (4) command history log may contain copies of the executed commands that show setting of these variables. Access to a shell’s history file must be protected. Specification of the LDAP administrator’s credentials on the command line is not allowed since information about the currently
6 Hewlett-Packard Company − 6 − HP-UX 11i v3: June 2010 Web Release
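The following POSIX shell script is an added example and is not part of the HP-UX ldapugmod(1M) man page or of LDAP-UX. It illustrates two things the page describes: the order in which the bind identity is chosen (LDAP_BINDDN/LDAP_BINDCRED first, otherwise the configured proxy credential, acred when the caller can read it, else pcred), and a way to run the command non-interactively without ever placing the administrator's DN or password on a command line or in the shell history. The credential file format (dn=... and password=... lines), the select_bind_source and run_with_ldap_creds function names, and the permission check are this example's own conventions; the page does not describe the format of /etc/opt/ldapux/acred or pcred, nor what happens for the "user" or "anonymous" credential types.

```shell
#!/bin/sh
# Added example; not part of the HP-UX ldapugmod(1M) man page or LDAP-UX.
#  1. select_bind_source: which identity ldapugmod would bind with, in the
#     order the page gives (LDAP_BINDDN/LDAP_BINDCRED first, then the
#     configured proxy credential: acred if readable by the caller, else pcred).
#  2. run_with_ldap_creds: non-interactive use without putting the admin DN
#     or password on the command line or into the shell history file. The
#     credentials come from a mode-0600 file (format assumed by this example:
#     dn=... and password=... lines) and are exported only into the
#     environment of the single command that is run.

# Usage: select_bind_source <credential-type> <acred-path> <pcred-path>
# Prints env, acred, pcred or none. Credential types other than proxy fall
# through to "none" here (assumption: the man page does not describe them).
select_bind_source() {
    credtype=$1; acred=$2; pcred=$3
    if [ -n "$LDAP_BINDDN" ] && [ -n "$LDAP_BINDCRED" ]; then
        echo env; return 0
    fi
    if [ "$credtype" = proxy ]; then
        # acred is the administrative credential: used when the caller has
        # enough privilege to read it, otherwise pcred is used.
        if [ -r "$acred" ]; then echo acred; return 0; fi
        if [ -r "$pcred" ]; then echo pcred; return 0; fi
    fi
    echo none; return 1
}

# Usage: run_with_ldap_creds <credential-file> <command> [args...]
run_with_ldap_creds() {
    credfile=$1; shift
    # Refuse a credential file that group or others can read or write
    # (columns 5-10 of ls -l output are the group/other permission bits).
    perm=$(ls -l "$credfile" 2>/dev/null | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "refusing $credfile: missing or group/other permissions set ($perm)" >&2
        return 2
    fi
    dn=$(sed -n 's/^dn=//p' "$credfile")
    pw=$(sed -n 's/^password=//p' "$credfile")
    if [ -z "$dn" ] || [ -z "$pw" ]; then
        echo "refusing $credfile: needs dn= and password= lines" >&2
        return 2
    fi
    # env(1) places the variables in the child's environment only; the
    # calling shell never exports them, so there is nothing left to unset
    # afterwards and no assignment for the history file to record.
    if env LDAP_BINDDN="$dn" LDAP_BINDCRED="$pw" "$@"; then rc=0; else rc=$?; fi
    unset dn pw
    return $rc
}

# Stand-alone demonstration with a constructed credential file; a small
# sh -c command stands in for ldapugmod.
demo_credfile=${TMPDIR:-/tmp}/ldapugmod_example.$$
umask 077
printf 'dn=cn=Directory Manager\npassword=example-only\n' > "$demo_credfile"
echo "bind source with no env vars: $(select_bind_source proxy /etc/opt/ldapux/acred /etc/opt/ldapux/pcred)"
run_with_ldap_creds "$demo_credfile" sh -c 'echo "child sees LDAP_BINDDN=$LDAP_BINDDN"'
echo "calling shell LDAP_BINDDN is: '${LDAP_BINDDN-unset}'"
rm -f "$demo_credfile"
```

Because env(1) scopes the two variables to the child process, the calling shell never holds the credential, and because the only thing typed interactively is the path to the protected file, the history file records no DN or password. The 0600 check mirrors the page's point that the credential file itself, like acred, is what gates who may act as the administrator.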