HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)
ldapugadd(1M) ldapugadd(1M)
All LDAP-UX default template files will be stored in the /etc/opt/ldapux/ug_templates directory.
A full or relative path name must begin with either the slash (/) or dot (.) character. If unspecified,
one of the following default template files will be used:
• /etc/opt/ldapux/ug_templates/ug_passwd_default.tmpl, or
• /etc/opt/ldapux/ug_templates/ug_group_default.tmpl.
Binding to the Directory Server
ldapugadd has been designed to take advantage of the existing LDAP-UX configuration for determining
which directory server to bind to and how to perform the bind operation. ldapugadd will consult the
LDAP-UX configuration profile for the following information:
• The list of LDAP directory server hosts.
• The authentication method (simple passwords, SASL Digest-MD5, etc.).
If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified,
ldapugadd will also consult the LDAP-UX configuration for additional information:
• The type of credential (user, proxy or anonymous) to use.
• The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative
users or /etc/opt/ldapux/pcred for non-privileged users).
As with LDAP-UX, ldapugadd will attempt to contact the first available directory server as defined in
the LDAP-UX host list. As soon as a connection is established, further directory servers on the host list will
not be contacted. Once connected, ldapugadd will first determine whether the environment variables
LDAP_BINDDN or LDAP_BINDCRED have been specified. If both are specified, then ldapugadd will
attempt to bind to the directory server using the specified credentials and the configured LDAP-UX
authentication method.
If either of the above-mentioned environment variables has not been specified, then ldapugadd will
determine whether the configured credential type is "proxy" and, if so, attempt to bind to the directory
server using the configured LDAP-UX proxy credential. If configured, the acred proxy credential will be
used for administrative users (that is, if the user running ldapugadd has enough privilege to read the
/etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.
Note: to prevent discovery of the LDAP administrator's credentials, the LDAP user DN and password may
not be specified as command-line options to the ldapugadd utility.
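The credential selection order just described, written out as a POSIX sh function so an administrator can predict which identity ldapugadd will bind with before running it. This is an added example, not HP's ldapugadd code. It assumes the LDAP-UX credential type is passed in as an argument rather than read from the real configuration profile, and the acred/pcred paths are parameters so the logic can be exercised against constructed files instead of /etc/opt/ldapux.

```shell
#!/bin/sh
# Added example, not part of ldapugadd: models the bind-credential
# selection order documented in the man page.
#
# Usage: select_bind_credential CREDTYPE ACRED_PATH PCRED_PATH
#   CREDTYPE   - "user", "proxy" or "anonymous" (assumed to come from the
#                LDAP-UX profile; here it is simply an argument)
#   ACRED_PATH - path of the administrative proxy credential file
#   PCRED_PATH - path of the non-privileged proxy credential file
# Prints one of: env, acred, pcred, none
select_bind_credential() {
    credtype=$1
    acred=$2
    pcred=$3

    # 1. Both environment variables present: bind with them, using the
    #    authentication method configured in LDAP-UX.
    if [ -n "${LDAP_BINDDN:-}" ] && [ -n "${LDAP_BINDCRED:-}" ]; then
        echo env
        return 0
    fi

    # 2. Otherwise fall back to the configured proxy credential, but only
    #    when the configured credential type is "proxy".
    if [ "$credtype" = proxy ]; then
        # acred is chosen only when the caller can actually read it, which
        # is how administrative privilege is determined; otherwise pcred.
        if [ -r "$acred" ]; then
            echo acred
        else
            echo pcred
        fi
        return 0
    fi

    # 3. No usable credential source (user/anonymous type and no
    #    environment variables): no administrator bind is possible.
    echo none
    return 1
}

# Demonstration against constructed files (not the real /etc/opt/ldapux).
demo=$(mktemp -d)
touch "$demo/pcred"      # proxy credential every user may read; no acred
(
    unset LDAP_BINDDN LDAP_BINDCRED
    echo "proxy type, acred unreadable -> $(select_bind_credential proxy "$demo/acred" "$demo/pcred")"
)
rm -rf "$demo"
```

The function deliberately requires both variables: setting only LDAP_BINDDN does not switch ldapugadd to environment credentials, so a half-configured cron job will silently fall through to the proxy credential and its (typically weaker) rights.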
Security Considerations
• Use of ldapugadd requires the permissions of an LDAP administrator when it performs its operations on
the directory server. The rights to create new LDAP directory entries under the requested subtree,
along with creation of the required attributes in that entry, must be granted to the LDAP administrator
identity that is specified when executing ldapugadd.
• As with any POSIX-type identity, the HP-UX operating system uses the specified user and group ID
number to determine rights and capabilities in the OS as well as in the file system. For example, the
root user (ID 0) typically has unlimited OS administration and file access rights. Before creating a new
entry, be aware of the selected user and group ID number and any policy that may be associated with
that ID.
• If ldapugadd is used to randomly assign a user or group ID number, it only checks for ID collisions
found in the LDAP directory server, and not in other policy repositories. When setting user and group ID
number ranges (-D option with either -u or -g), be sure to set a range that is not used by other user or
group ID repositories, to ensure that collisions do not occur with existing users or groups in other
repositories.
• As would occur in any identity repository, modification of this repository will likely have impacts as
defined by the organization's security policy. Users of ldapugadd are expected to have full knowledge
of the impact on the organization's security policy when adding new identity information to that
identity repository.
• In order to support non-interactive use of the ldapugadd command, specification of the LDAP
administrator's credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED
environment variables. To prevent exposure of these environment variables, they should be unset after
use.
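Because ldapugadd checks a -D range only against the directory, the collision check against other repositories is left to the administrator. The following POSIX sh functions, added here and not part of ldapugadd, do that check for passwd(4)- and group(4)-format files: they list every entry whose numeric ID falls inside a proposed range. The sample files are constructed; on a real host the functions would be pointed at /etc/passwd, /etc/group and any other local source of IDs.

```shell
#!/bin/sh
# Added example, not part of ldapugadd: find IDs already allocated inside a
# proposed -u/-g range before handing that range to ldapugadd -D.

# Print "name:id" for every entry of FILE whose numeric ID lies in [MIN,MAX].
# Both passwd(4) and group(4) keep the numeric ID in the third colon field.
ids_in_range() {
    min=$1; max=$2; file=$3
    awk -F: -v lo="$min" -v hi="$max" '
        NF >= 3 && $3 ~ /^[0-9]+$/ && $3 + 0 >= lo && $3 + 0 <= hi {
            print $1 ":" $3
        }
    ' "$file"
}

# Return 0 when [MIN,MAX] is unused in every file given, 1 otherwise; the
# colliding entries are reported on stderr so the range can be adjusted.
range_is_free() {
    min=$1; max=$2; shift 2
    rc=0
    for f in "$@"; do
        hits=$(ids_in_range "$min" "$max" "$f")
        if [ -n "$hits" ]; then
            echo "range $min-$max already used in $f:" >&2
            echo "$hits" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration with constructed passwd/group files.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/:/sbin/sh\nalice:x:20001:20:Alice:/home/alice:/bin/sh\n' > "$demo/passwd"
printf 'users:x:20:\nldapadm:x:30500:\n' > "$demo/group"
if range_is_free 20000 21000 "$demo/passwd" "$demo/group"; then
    echo "20000-21000 is free"
else
    echo "20000-21000 collides; pick another range"
fi
rm -rf "$demo"
```

Run the same check for both -u and -g ranges: a UID range that is free in /etc/passwd may still overlap GIDs in /etc/group, and the man page's warning applies to each independently.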
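One way to satisfy the last point without leaving LDAP_BINDDN and LDAP_BINDCRED in the calling shell at all: pass them to the child process only, through env(1), and take the password from an owner-only file rather than from the command line. This is an added example rather than HP code; it assumes the command to run is given as arguments (on a real host, ldapugadd and its options), that the bind DN is an argument, and that the credential file holds the password as its single line. The DN used in the demonstration is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of ldapugadd: run a command non-interactively with
# the bind credentials visible only to that child process.
#
# Usage: run_with_bind_credentials BINDDN CRED_FILE COMMAND [ARGS...]
run_with_bind_credentials() {
    binddn=$1; credfile=$2; shift 2

    # Refuse a credential file that group or others can read: ls -l columns
    # 5-10 are the group and other permission bits (portable across HP-UX,
    # Linux and BSD, which disagree on the stat(1) interface).
    if [ "$(ls -ld "$credfile" | cut -c5-10)" != "------" ]; then
        echo "credential file $credfile must be mode 0600 or 0400" >&2
        return 2
    fi

    bindcred=$(cat "$credfile")
    # env(1) places the variables in the child's environment only; the
    # caller's shell never exports them, so nothing lingers to be unset.
    env LDAP_BINDDN="$binddn" LDAP_BINDCRED="$bindcred" "$@"
    rc=$?
    unset bindcred binddn       # drop the copies held by this shell as well
    return $rc
}

# Demonstration: the child sees the variables, the caller never did.
demo=$(mktemp -d)
printf 'constructed-password\n' > "$demo/cred"
chmod 600 "$demo/cred"
run_with_bind_credentials "cn=ldapadmin,dc=example,dc=com" "$demo/cred" \
    sh -c 'echo "child sees DN $LDAP_BINDDN"'
echo "caller has LDAP_BINDCRED='${LDAP_BINDCRED:-<unset>}'"
rm -rf "$demo"
```

The permission check matters more than the scoping: a world-readable credential file defeats the page's reason for refusing the DN and password on the command line, since either exposes the administrator credential to every local user.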
HP-UX 11i Version 2: December 2007 Update − 9 − Hewlett-Packard Company 471