Installing And Configuring
Configure
aci: (targetattr = "objectclass || nispublickey || nissecretkey")(version 3.0; acl "Allow keyadmin to change key pairs"; allow (read,write,compare)
(userdn = "ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com");)
Setting ACI for a User
The default ACI of Netscape Directory Server 6.11 allows a user to change his own nispublickey and nissecretkey attributes. For Netscape Directory Server 6.21, you need to set up an ACI that gives a user permission to change his own nissecretkey and nispublickey attributes. Use the Netscape Console or ldapmodify to set up the ACI for a user.
An Example
The following ACI, placed on the People container, gives a user permission to change his own nissecretkey and nispublickey attributes (the user keys):
dn: ou=People,dc=org,dc=hp,dc=com
aci: (targetattr = "nissecretkey || nispublickey")(version 3.0; acl "Allow key self modification"; allow (write)
(userdn = "ldap:///self");)
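The two ACIs above are applied with ldapmodify as an add of the aci attribute on the container entry. As an added example (not code from the LDAP-UX documentation or product), the following Python script builds those LDIF change records and checks, before anything is applied, that the self-modification ACI is scoped the way the text intends: only the two key attributes, only write, only the ldap:///self bind rule. The ACI strings and DNs are the ones shown on this page; the ldapmodify command line in the comment and the check_self_key_aci rule are assumptions about an administrator's review step, not part of the product.

```python
import re

# DN and ACI strings taken from the examples on this page.
PEOPLE_BASE = "ou=People,dc=org,dc=hp,dc=com"

SELF_KEY_ACI = (
    '(targetattr = "nissecretkey || nispublickey")'
    '(version 3.0; acl "Allow key self modification"; '
    'allow (write) (userdn = "ldap:///self");)'
)

KEYADMIN_ACI = (
    '(targetattr = "objectclass || nispublickey || nissecretkey")'
    '(version 3.0; acl "Allow keyadmin to change key pairs"; '
    'allow (read,write,compare) '
    '(userdn = "ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com");)'
)

# Matches only the simple single-bind-rule ACI shape used on this page.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'
    r'\s*\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(userdn\s*=\s*"(?P<userdn>[^"]*)"\);\)',
    re.IGNORECASE,
)


def parse_aci(aci):
    """Split an ACI into its target attributes, name, rights and bind DN."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("ACI does not match the expected shape: %r" % aci)
    return {
        "attrs": [a.strip().lower() for a in m.group("attrs").split("||")],
        "name": m.group("name"),
        "rights": [r.strip().lower() for r in m.group("rights").split(",")],
        "userdn": m.group("userdn"),
    }


def check_self_key_aci(aci):
    """Return a list of scope problems; an empty list means the ACI grants
    exactly write on the two key attributes to the bound user himself.
    (The rule itself is an assumption made for this example.)"""
    p = parse_aci(aci)
    problems = []
    extra = set(p["attrs"]) - {"nissecretkey", "nispublickey"}
    if extra:
        problems.append("targetattr covers more than the key attributes: "
                        + ", ".join(sorted(extra)))
    if set(p["rights"]) - {"write"}:
        problems.append("rights beyond write: " + ",".join(p["rights"]))
    if p["userdn"] != "ldap:///self":
        problems.append("bind rule is not ldap:///self: " + p["userdn"])
    return problems


def ldif_add_aci(dn, aci):
    """Build the LDIF change record that ldapmodify reads to append an aci value."""
    return "dn: %s\nchangetype: modify\nadd: aci\naci: %s\n" % (dn, aci)


if __name__ == "__main__":
    problems = check_self_key_aci(SELF_KEY_ACI)
    if problems:
        raise SystemExit("refusing to write LDIF: " + "; ".join(problems))
    with open("key-self.ldif", "w") as f:
        f.write(ldif_add_aci(PEOPLE_BASE, SELF_KEY_ACI))
    # Assumed administrator step, run against the directory server:
    #   ldapmodify -h <host> -D "<directory manager DN>" -w <password> -f key-self.ldif
    print(open("key-self.ldif").read())
```

The check deliberately rejects a broadened targetattr (for example "*") or an "all" rights list, since a user who can write arbitrary attributes of his own entry can also alter the attributes that govern his own authentication, which is more than the key-pair self-service the text describes.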
Configuring serviceAuthenticationMethod
serviceAuthenticationMethod is a newly supported attribute of the configuration profile, /opt/ldapux/ldapux_profile.ldif. Its function is the same as that of authenticationMethod, but it allows the authentication method to be configured per name service. The serviceAuthenticationMethod attribute was introduced to resolve issues that arise when the default authentication method is not considered secure enough for a specific name service. For example, if the default authenticationMethod is configured as NONE, the newkey and chkey commands would not know how to bind to the directory server properly when adding or changing key pairs.
To perform newkey and chkey operations,
50 | Chapter 2 |