Installing And Configuring LDAP-UX Client Services

Configure Your Directory

With Netscape Directory Server for HP-UX, you can use the Netscape Console or ldapmodify to set up access control instructions (ACI) so ordinary users cannot change these attributes in their passwd entry in the directory.

The following access control instruction is by default at the top of the directory tree for a 6.x Netscape directory. This ACI allows a user to change any attribute in their passwd entry:

aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)

You could modify this example ACI to the following, which prevents ordinary users from changing their uidnumber, gidnumber, homedirectory, and uid attributes:

aci: (targetattr != "uidnumber gidnumber homedirectory uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write) userdn = "ldap:///self";)

You may have other attributes you need to protect as well.

To change an ACI with the Netscape Directory Console, select the Directory tab, select your directory suffix in the left-hand panel, then select the Object: Set Access Permissions menu item. In the dialog box, select the “Allow self entry modification” ACI and click OK. Use the Set Access Permissions dialog box to modify the ACI. See “Managing Access Control” in the Netscape Directory Server Administrator’s Guide for complete details.

Step 3. Restrict write access to certain group (posixGroup) attributes of the posix schema.

Grant write access of the cn, memberuid, gidnumber, and userPassword attributes only to directory administrators; disallow write access by all other users.

With Netscape Directory Server for HP-UX, you can use the Netscape Console or ldapmodify to set up access control instructions (ACI) so ordinary users cannot change these attributes in the posixGroup entry in the directory. For example, the following ACI, placed in the directory at ou=groups,ou=unix,o=hp.com, allows only the directory administrator to modify entries below ou=groups,ou=unix,o=hp.com:

aci: (targetattr = "*") (version 3.0; acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
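The two ACI changes above can be applied with ldapmodify from a single LDIF file. The following is an added example, not part of the manual; it assumes the suffix o=hp.com and the group container ou=groups,ou=unix,o=hp.com used in the manual's examples, and that you bind as the directory administrator (the bind DN cn=Directory Manager and the file name are assumptions).

```ldif
# Added example (not from the HP manual). Apply with, for instance:
#   ldapmodify -D "cn=Directory Manager" -W -f protect_posix.ldif
# The "delete: aci" value must match the existing ACI string exactly
# (including quoting and spacing); otherwise the server rejects the
# operation and the entry is left unchanged, so no attribute protection
# is silently lost or added halfway.

# 1. Replace the default self-modification ACI at the suffix with one
#    that excludes the attributes LDAP-UX uses for identity mapping.
dn: o=hp.com
changetype: modify
delete: aci
aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)
-
add: aci
aci: (targetattr != "uidnumber gidnumber homedirectory uid") (version 3.0; acl "Allow self entry modification, except for important posix attributes"; allow (write) userdn = "ldap:///self";)
-

# 2. Deny write access to posixGroup entries for everyone outside the
#    Directory Administrators group. In the Netscape ACI model an
#    explicit deny takes precedence over any inherited allow.
dn: ou=groups,ou=unix,o=hp.com
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0; acl "Disallow modification of group entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, o=hp.com");)
-
```

After applying, verify as an ordinary user with ldapmodify that a replace of uidnumber on your own entry fails with an insufficient-access error, while a change to an unprotected attribute such as description still succeeds.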
