HP-UX Reference (11i v2 07/12) - 1M System Administration Commands A-M (vol 3)

ldapugmod(1M) ldapugmod(1M)
Binding to the Directory Server
ldapugmod has been designed to take advantage of the existing LDAP-UX configuration for determining to which directory server to bind and how to perform the bind operation. ldapugmod will consult the LDAP-UX configuration profile for the following information:
    The list of LDAP directory server hosts.
    The authentication method (simple passwords, SASL Digest MD5, etc.)
If either of the environment variables LDAP_BINDDN or LDAP_BINDCRED has not been specified, ldapugmod will also consult the LDAP-UX configuration for additional information:
    The type of credential (user, proxy or anonymous) to use.
    The credential used for binding as a proxy user (either /etc/opt/ldapux/acred for administrative users or /etc/opt/ldapux/pcred for non-privileged users).
As with LDAP-UX, ldapugmod will attempt to contact the first available directory server as defined in the LDAP-UX host list. As soon as a connection is established, further directory servers on the host list will not be contacted.
Once connected, ldapugmod will first determine if the environment variables LDAP_BINDDN and LDAP_BINDCRED have been specified. If so, then ldapugmod will attempt to bind to the directory server using the specified credentials and configured LDAP-UX authentication method. If the above mentioned environment variables have not been specified, then ldapugmod will determine if the configured credential type is "proxy" and if so, attempt to bind to the directory server using the configured LDAP-UX proxy credential.
If configured, the acred proxy credential will be used for administrative users (determined if the user running ldapugmod has enough privilege to read the /etc/opt/ldapux/acred file). Otherwise the credential configured in /etc/opt/ldapux/pcred will be used.
Note, to prevent discovery of the LDAP administrator's credentials, the LDAP user DN and password may not be specified as command-line options to the ldapugmod utility.
Security Considerations
Use of ldapugmod requires permissions of an LDAP administrator when it performs its operations on the directory server. The rights to modify existing LDAP directory entries under the requested subtree, along with creation, modification and removal of the required attributes in that entry, must be granted to the administrator identity that is specified when executing ldapugmod.
Note that as with any POSIX-type identity, the user and group ID number specified is used by the HP-UX operating system to determine rights and capabilities in the OS as well as in the file system. For example, the root user ID, 0, typically has unlimited OS administration and file access rights. Before modifying an entry, be aware of the selected user and group ID number and any policy that may be associated with that ID.
Modification (renaming) of a POSIX account will not automatically modify that account's membership in groups, unless that capability is intrinsically provided by the directory server. Note some directory servers have a feature known as "referential integrity," which does perform modification/removal of DN-type attributes if the specified DN is either changed or removed.
As would occur in any identity repository, modification of this repository will likely have impacts as defined by the organization's security policy. For example, adding a new user with a user ID number shared with that of a secured application may impact the security of that application. Users of ldapugmod are expected to have full knowledge of the organization's security policy and the impact of modifying identity information in that identity repository.
In order to support non-interactive use of the ldapugmod command, specification of the LDAP administrator's credentials is required through use of the LDAP_BINDDN and LDAP_BINDCRED environment variables. To prevent exposure of these environment variables, they should be unset after use.
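As an added example, not taken from the HP-UX manual or from the ldapugmod utility itself, the following POSIX shell wrapper applies the advice above: it reads the administrator's bind DN and password from a file that must be mode 0600 and exports LDAP_BINDDN and LDAP_BINDCRED only inside a subshell around the command, so they never persist in the invoking shell and there is nothing left to unset. The two-line credential file layout and the path in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the HP-UX manual page: a small wrapper for
# non-interactive ldapugmod runs. The bind DN and password are read from a
# protected file and exported only inside a subshell, so LDAP_BINDDN and
# LDAP_BINDCRED never enter the calling shell's environment.
# Assumed file layout (not an LDAP-UX convention):
# line 1 = bind DN, line 2 = bind password.

# check_cred_file FILE
# Accept only a regular file whose group/other permission bits are all
# clear (e.g. mode 0600); returns 0 if acceptable, 1 otherwise.
check_cred_file() {
    [ -f "$1" ] || return 1
    # First 10 characters of ls -ld, e.g. "-rw-------"; positions 5-10 are
    # the group and other bits, which must all be "-".
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# with_bind_creds FILE CMD [ARG ...]
# Run CMD with LDAP_BINDDN and LDAP_BINDCRED set from FILE, in a subshell.
# Returns CMD's exit status, 2 if FILE is rejected, 3 if it cannot be read.
with_bind_creds() {
    credfile=$1
    shift
    if ! check_cred_file "$credfile"; then
        echo "with_bind_creds: $credfile must be a regular file with mode 0600" >&2
        return 2
    fi
    (
        # dn and pw exist only in this subshell; they vanish when it exits.
        { IFS= read -r dn && IFS= read -r pw; } < "$credfile" || exit 3
        LDAP_BINDDN=$dn
        LDAP_BINDCRED=$pw
        export LDAP_BINDDN LDAP_BINDCRED
        "$@"
    )
}

# Typical use on an HP-UX host (credential path is an assumed example):
#   with_bind_creds /var/adm/ldapugmod.cred ldapugmod <options>
```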
494 Hewlett-Packard Company 6 HP-UX 11i Version 2: December 2007 Update