Installing And Configuring LDAP-UX Client Services

Configure LDAP-UX Client Services with Publickey Support

Password for an Admin Proxy User

To protect users' secret keys stored in the LDAP directory, each secret key is encrypted with that user's password, as is done in NIS and NIS+ environments. The host's secret key must also be encrypted; because a host has no password of its own, root's password is used. The chkey and newkey commands therefore prompt for root's password when changing or adding a key for a host. For this reason, you may wish to give the Admin Proxy user in the LDAP directory the same password as the root user on the master host. This is not required, but it allows you to avoid storing the Admin Proxy user's password in the /etc/opt/ldapux/acred file: when you run ldap_proxy_config -A -i to configure the Admin Proxy user, you enter only the Admin Proxy user's DN and no password, and LDAP-UX uses the root password given to chkey and newkey as the Admin Proxy user's password when performing public key operations. The trade-off is that ldap_proxy_config -A -v cannot validate the Admin Proxy user, because no password is available to ldap_proxy_config; it displays the message "No password is provided. Validation is not performed". Note also that this ties the directory account to the master host's root password: if root's password is changed on the master host, the Admin Proxy user's password in the directory must be changed to match, or host key operations will fail to bind.

Setting ACI for Key Management

Before storing public keys in an LDAP server, LDAP administrators may wish to update their LDAP access controls such that users can manage their own keys, and the Admin Proxy user can manage host keys. This section describes how you set up access control instructions (ACI) for an Admin Proxy user or a user.

Setting ACI for an Admin Proxy User

With Netscape Directory Server 6.11 and 6.21, you can use the Netscape Console or ldapmodify to set up ACI, which gives an Admin Proxy user permissions to manage host and user keys in the LDAP directory.

An Example

The following ACI gives the permissions for the Admin Proxy user uid=keyadmin to read, write, and compare nissecretkey and nispublickey attributes for hosts and users:

dn: dc=org,dc=hp,dc=com
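The following is an added example, not the manual's own ACI text. It is a complete ldapmodify input that grants the Admin Proxy user uid=keyadmin read, write and compare access to the nispublickey and nissecretkey attributes of every entry under the suffix (hosts and users alike), and a second ACI that lets each user manage only their own key attributes (the "users can manage their own keys" case above). The suffix dc=org,dc=hp,dc=com is taken from the page; the placement of keyadmin under ou=People and the ACI names are assumptions for illustration.

```ldif
# Added example (not from the HP LDAP-UX manual).
# Assumptions: keyadmin lives under ou=People; host and user entries both
# live under dc=org,dc=hp,dc=com. Continuation lines start with a space per
# LDIF; a second leading space is kept so the joined ACI keeps its spacing.
dn: dc=org,dc=hp,dc=com
changetype: modify
add: aci
aci: (targetattr = "nispublickey || nissecretkey")
  (version 3.0; acl "Admin Proxy manages host and user keys";
  allow (read, compare, write)
  userdn = "ldap:///uid=keyadmin,ou=People,dc=org,dc=hp,dc=com";)
-
add: aci
aci: (targetattr = "nispublickey || nissecretkey")
  (version 3.0; acl "Users manage their own keys";
  allow (read, compare, write)
  userdn = "ldap:///self";)
```

Apply it with ldapmodify bound as a directory administrator, for example ldapmodify -h <server> -D "cn=Directory Manager" -f keyaci.ldif, letting the tool prompt for the bind password rather than placing it on the command line where it is visible in process listings. Two checks are worth running afterwards: bind as keyadmin and as an ordinary user and confirm with ldapsearch that each can read and modify exactly the key attributes the ACIs intend; and search anonymously for nissecretkey to confirm that no broader default ACI on the suffix (such as an anonymous read rule) already exposes the encrypted secret keys, since the ACIs above only add permissions and do not revoke existing ones. If the proxy user must also locate host entries by filter on these attributes, the search right has to be granted in addition to read.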
