Installing And Configuring LDAP-UX Client Services

Configure LDAP-UX Client Services with Publickey Support

aci: (targetattr = "objectclass || nispublickey || nissecretkey")(version 3.0; acl "Allow keyadmin to change key pairs"; allow (read,write,compare) userdn = "ldap:///uid=keyadmin,ou=people,dc=org,dc=hp,dc=com";)

Setting ACI for a User

The default ACI of Netscape Directory Server 6.11 allows a user to change his own nispublickey and nissecretkey attributes. Netscape Directory Server 6.21 does not, so you must set up an ACI that gives a user permission to change his own nissecretkey and nispublickey attributes. Use the Netscape Console or ldapmodify to set up this ACI.

An Example

The following ACI gives a user permission to change his own nissecretkey and nispublickey attributes for user keys:

dn: ou=People,dc=org,dc=hp,dc=com
aci: (targetattr = "nissecretkey || nispublickey")(version 3.0; acl "Allow key self modification"; allow (write) userdn = "ldap:///self";)
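The following script is an added example and is not part of the LDAP-UX guide. It builds both ACIs from this section (the keyadmin ACI above and the self-modification ACI just shown) as ldapmodify LDIF, refuses to apply any aci value that lacks a targetattr clause (an ACI without one applies to every attribute of the entry), and only contacts a directory server when LDAP_APPLY=1 is set. The suffix dc=org,dc=hp,dc=com is the one used in the guide; the host, port, bind DN and password variables, the Directory Manager bind, and the -h/-p/-D/-w ldapmodify flags are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own code. Generates, checks and optionally
# applies the two publickey ACIs with ldapmodify, then reads them back.
# Assumed environment: LDAP_BASE, LDAP_HOST, LDAP_PORT, LDAP_BINDDN, LDAP_BINDPW.

BASE="${LDAP_BASE:-dc=org,dc=hp,dc=com}"
PEOPLE="ou=People,$BASE"
HOST="${LDAP_HOST:-localhost}"
PORT="${LDAP_PORT:-389}"
BINDDN="${LDAP_BINDDN:-cn=Directory Manager}"
BINDPW="${LDAP_BINDPW:-}"

# LDIF that lets every user write only their own key pair. The attribute
# list is deliberately narrow: no write on objectclass, so a user cannot
# change what kind of entry they are.
self_key_aci_ldif() {
    cat <<EOF
dn: $PEOPLE
changetype: modify
add: aci
aci: (targetattr = "nissecretkey || nispublickey")(version 3.0; acl "Allow key self modification"; allow (write) userdn = "ldap:///self";)
EOF
}

# LDIF for the key administrator used by newkey/chkey. It needs objectclass
# as well, because adding a key pair to an entry that has none also adds
# the key object class to that entry.
keyadmin_aci_ldif() {
    cat <<EOF
dn: $PEOPLE
changetype: modify
add: aci
aci: (targetattr = "objectclass || nispublickey || nissecretkey")(version 3.0; acl "Allow keyadmin to change key pairs"; allow (read,write,compare) userdn = "ldap:///uid=keyadmin,ou=people,$BASE";)
EOF
}

# Returns 0 when the LDIF has at least one aci: line and every aci: line
# carries a targetattr clause; 1 otherwise.
aci_ldif_ok() {
    printf '%s\n' "$1" | grep -q '^aci:' || return 1
    printf '%s\n' "$1" | grep '^aci:' | grep -qv 'targetattr' && return 1
    return 0
}

# $1 = LDIF text. Uses the -h/-p/-D/-w flags common to Netscape and OpenLDAP
# ldapmodify (assumption: your ldapmodify accepts them).
apply_ldif() {
    printf '%s\n' "$1" | ldapmodify -h "$HOST" -p "$PORT" -D "$BINDDN" -w "$BINDPW"
}

# Read the aci attribute back from the ou=People entry to confirm the change.
show_acis() {
    ldapsearch -h "$HOST" -p "$PORT" -D "$BINDDN" -w "$BINDPW" \
        -b "$PEOPLE" -s base "(objectclass=*)" aci
}

# Only talk to a server when explicitly asked and the client tools exist.
if [ "${LDAP_APPLY:-0}" = "1" ] && command -v ldapmodify >/dev/null 2>&1; then
    for ldif in "$(self_key_aci_ldif)" "$(keyadmin_aci_ldif)"; do
        aci_ldif_ok "$ldif" || { echo "refusing to apply ACI without targetattr" >&2; exit 1; }
        apply_ldif "$ldif"
    done
    show_acis
fi
```

Run it with LDAP_BINDPW set and LDAP_APPLY=1 to apply; without LDAP_APPLY it only defines the functions, so you can source it and inspect `self_key_aci_ldif` output before touching the server. Binding as Directory Manager with -w puts the password on the command line; on a shared host prefer the tool's password-file option if yours has one.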

Configuring serviceAuthenticationMethod

serviceAuthenticationMethod is a newly supported attribute of the configuration profile, /opt/ldapux/ldapux_profile.ldif. Its function is the same as authenticationMethod, but it sets the authentication method for a specific name service rather than for all of them. The attribute exists for the case where the default authentication method is not secure enough for a particular service. For example, if the default authenticationMethod is NONE, the newkey and chkey commands would have no credentials with which to bind to the directory server when adding or changing key pairs. LDAP-UX supports serviceAuthenticationMethod only for the keyserv service, because keyserv is currently the only service that must modify privileged data in the directory.

To perform newkey and chkey operations, LDAP-UX binds the Admin Proxy user to the LDAP directory using the authentication method specified in serviceAuthenticationMethod. Entries for any service other than keyserv are ignored.
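As an added illustration (not taken from the guide or from a shipped ldapux_profile.ldif), the fragment below shows the weak default beside the keyserv override. The value format service:method follows the DUA configuration profile schema that LDAP-UX profiles use; the specific value keyserv:simple is an assumption chosen to show a password bind for the Admin Proxy user.

```ldif
# Profile default: anonymous binds. Name lookups work, but newkey/chkey
# would have no credentials with which to write key pairs.
authenticationMethod: NONE

# Override for the keyserv service only. LDAP-UX binds the Admin Proxy user
# with this method for newkey/chkey; lines naming any other service are ignored.
# (value format service:method assumed from the DUA profile schema)
serviceAuthenticationMethod: keyserv:simple
```

A simple bind sends the Admin Proxy password in the clear unless the connection is protected, so pair this setting with TLS/SSL to the directory server.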
