HP-UX LDAP-UX Integration Software manual: Configure Your Directory

Page 36

Installing And Configuring LDAP-UX Client Services

Configure Your Directory

With Netscape Directory Server for HP-UX, you can use the Netscape Console or ldapmodify to set up access control instructions (ACIs) so that ordinary users cannot change these attributes in their own passwd entry in the directory.

For a Netscape Directory Server 6.x, the following access control instruction is present by default at the top of the directory tree (the suffix entry). It allows a user to change any attribute in their own passwd entry:

aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)

You could modify this ACI to the following, which grants self-write access to every attribute except uidnumber, gidnumber, homedirectory, and uid, so ordinary users cannot change those four:

aci: (targetattr != "uidnumber gidnumber homedirectory uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write) userdn = "ldap:///self";)

You may have other attributes that need protecting as well: any attribute a client reads when making an authentication or authorization decision belongs in the excluded list. After changing the ACI, bind to the directory as an ordinary user and confirm that a modification of uidnumber or gidnumber on that user's own entry is rejected with an insufficient-access error; an ACI that was mistyped or added beside the original (instead of replacing it) leaves the permissive rule in force.

To change an ACI with the Netscape Directory Console, select the Directory tab, select your directory suffix in the left-hand panel, then select the Object: Set Access Permissions menu item. In the dialog box, select the “Allow self entry modification” ACI and click OK. Use the Set Access Permissions dialog box to modify the ACI. See “Managing Access Control” in the Netscape Directory Server Administrator’s Guide for complete details.

Step 3. Restrict write access to certain group (posixGroup) attributes of the posix schema.

Grant write access to the cn, memberuid, gidnumber, and userPassword attributes only to directory administrators; deny write access to all other users.

With Netscape Directory Server for HP-UX, you can use the Netscape Console or ldapmodify to set up access control instructions (ACIs) so that ordinary users cannot change these attributes in posixGroup entries in the directory. For example, the following ACI, placed on the entry ou=groups,ou=unix,o=hp.com, denies write access to every entry below it for any bind DN that is not a member of the directory administrators group. Because a deny ACI takes precedence over any allow ACI that also applies (including the self-write ACI at the suffix), only the directory administrator can modify entries below ou=groups,ou=unix,o=hp.com. Note that the ACI does not itself grant write access to members of that group; they still need an applicable allow rule, while the Directory Manager bypasses ACIs altogether:

aci: (targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
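The two ACI changes on this page (the restricted self-write rule at the suffix and the deny rule on the groups container) applied with ldapmodify rather than the Console, as an added example that is not part of the HP manual or of Netscape's tooling. It assumes, hypothetically, the suffix o=hp.com from the text, the default cn=Directory Manager bind DN, the LDAP-UX command-line tools under /opt/ldapux/bin, a directory host given by DIRHOST, and a test account uid=jdoe,ou=people,ou=unix,o=hp.com whose password is in TESTPW. The verification step binds as that account and checks that the protected attributes are refused while an unprotected one (gecos) is still accepted.

```shell
#!/bin/sh
# Added example: build the LDIF for the two ACI changes, apply it as the
# Directory Manager, and verify the result as an ordinary user.
# Hypothetical assumptions: suffix o=hp.com, LDAP-UX tools in /opt/ldapux/bin,
# directory host in DIRHOST, Directory Manager password in DMPW.

SUFFIX='o=hp.com'
GROUP_BASE='ou=groups,ou=unix,o=hp.com'
ADMIN_GROUP='ou=Directory Administrators, o=hp.com'
LDAPBIN=${LDAPBIN:-/opt/ldapux/bin}
DIRHOST=${DIRHOST:-localhost}   # directory server host (assumed)
DMPW=${DMPW:-}                  # Directory Manager password, from environment

# The stored value of the default ACI must be reproduced byte for byte:
# "delete: aci / aci: <value>" removes only an exact match, and a value that
# does not match leaves the permissive rule in force (ldapmodify reports an
# error, so the failure is visible rather than silent).
OLD_ACI='(targetattr = "*") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)'
NEW_ACI='(targetattr != "uidnumber gidnumber homedirectory uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write) userdn = "ldap:///self";)'
GROUP_ACI='(targetattr = "*")(version 3.0;acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///'"$ADMIN_GROUP"'");)'

# write_aci_ldif FILE: one modify record for the suffix (delete the old value
# and add the new one in the same operation) and one for the groups container.
# "replace: aci" is deliberately avoided: it would discard every other ACI
# stored on the entry, not just the one being changed.
write_aci_ldif() {
    {
        printf 'dn: %s\nchangetype: modify\ndelete: aci\naci: %s\n-\nadd: aci\naci: %s\n\n' \
            "$SUFFIX" "$OLD_ACI" "$NEW_ACI"
        printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n' \
            "$GROUP_BASE" "$GROUP_ACI"
    } > "$1"
}

# ldif_record_count FILE: number of LDIF records (dn: lines) in FILE.
ldif_record_count() {
    grep -c '^dn: ' "$1"
}

# try_modify BINDDN PASSWORD ENTRYDN ATTR VALUE: replace one attribute while
# bound as BINDDN. Returns nonzero when the server rejects the operation; with
# the ACIs above an ordinary user gets "Insufficient access" (LDAP result 50).
try_modify() {
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$3" "$4" "$4" "$5" |
        "$LDAPBIN/ldapmodify" -h "$DIRHOST" -D "$1" -w "$2" >/dev/null 2>&1
}

# verify_as_user USERDN PASSWORD: the posix attributes in the "!=" list must be
# refused on the user's own entry, and an attribute outside the list (gecos,
# a posixAccount attribute) must still be writable. uid is not tried here
# because it is the entry's RDN and would be refused for that reason alone.
verify_as_user() {
    for attr in uidNumber gidNumber homeDirectory; do
        if try_modify "$1" "$2" "$1" "$attr" 0; then
            echo "FAIL: $1 could modify its own $attr" >&2
            return 1
        fi
    done
    if ! try_modify "$1" "$2" "$1" gecos 'ACI check'; then
        echo "FAIL: $1 cannot modify gecos, which the ACI should still allow" >&2
        return 1
    fi
    echo "OK: self-write restricted to non-posix attributes"
}

# Usage: export DMPW TESTPW [DIRHOST]; sh aci.sh apply
if [ "${1:-}" = apply ]; then
    tmp=$(mktemp) || exit 1
    write_aci_ldif "$tmp"
    "$LDAPBIN/ldapmodify" -h "$DIRHOST" -D 'cn=Directory Manager' -w "$DMPW" -f "$tmp" || exit 1
    rm -f "$tmp"
    verify_as_user 'uid=jdoe,ou=people,ou=unix,o=hp.com' "${TESTPW:-}"
fi
```

Before running it, read the ACI as actually stored (for example with `ldapsearch -h "$DIRHOST" -D 'cn=Directory Manager' -w "$DMPW" -b o=hp.com -s base aci`) and paste that value into OLD_ACI; whitespace differences from the printed form in the manual are enough to make the delete fail.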

22

Chapter 2
