04-08-2009
of course and as usual, it depends ...
I'm in a heterogeneous environment: Windows, Solaris, Linux.
Adding the unix schema to the corporate AD sounded too risky for management ...
There was a first attempt at synchronization done using openldap and kerberos, but the logs were full of error messages.
The main advantage of using Sun directory services is that you just need a unixproxy account from the AD administrators; after that you're on the road.
You can manage nfs automount as well, works with redhat clients too...
I'm actually working on a per user/server access restriction so that Dev guys can't log onto QA servers until they are granted from the ldap server...
I'll have to look if in the 6.3.1 pkg version they have included the identity sync tool!
krb5_auth_rules(5) Standards, Environments, and Macros krb5_auth_rules(5)
NAME
krb5_auth_rules - Overview of Kerberos V5 authorization
DESCRIPTION
When a user uses kerberized versions of the ftp, rdist, rcp, rlogin, rsh, or telnet clients to connect to a server, even if the user's
claimed Kerberos V5 identity is authenticated, the user is not necessarily authorized. Authentication merely proves that the user is "who
he says he is" to the Kerberos V5 authentication system. Authorization also needs to be done, since it determines if that Kerberos identity
is permitted to access the Solaris user account that the client wants to access.
Each user may have a private authorization list in a file ~/.k5login in his login directory (on the server). Each line in this file should
contain a Kerberos principal name of the form principal/instance@realm. If the server finds a ~/.k5login file, then access is granted to
the account if and only if the originating user is authenticated to one of the principals named in the ~/.k5login file.
If there is no ~/.k5login file, the originating user will then be checked against the gsscred table (see gsscred(1M)). If the originating
user's Kerberos V5 identity is in the gsscred table, and if the UNIX user id in the gsscred table corresponds to the user account the
client is trying to access, then the originating user is granted access to the account on the server. If the UNIX user id does not match, then
the originating user is denied access.
For example, suppose the originating user has a principal name of jdb@ENG.ACME.COM and the target account is jdb-user. If jdb@ENG.ACME.COM
appears in the gsscred table with uid 23154 and if jdb-user appears in the user account database (see passwd(4)) with uid 23154, then
access to account jdb-user is granted. Of course, normally, the target account name in this example would be jdb and not jdb-user.
Finally, if there is no ~/.k5login file and if the originating user's Kerberos V5 identity is not in the gsscred table, then the user will
be granted access to the account if and only if all of the following are true:
o The user part of the authenticated principal name is the same as the target account name specified by the client.
o The realm part of the client and server are the same.
o The target account name exists on the server.
For example, if the originating user has a principal name of jdb@ENG.ACME.COM and if the server is in realm SALES.ACME.COM, then even if
jdb is a valid account name on the server, the client would be denied access. This is because the realms SALES.ACME.COM and ENG.ACME.COM
differ.
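The three-stage decision described above (~/.k5login, then the gsscred table, then the same-name/same-realm fallback), written out as a small model so the two jdb@ENG.ACME.COM examples can be checked. This is an added example, not code from the man page or from Solaris; the passwd and gsscred tables are constructed dicts standing in for passwd(4) and gsscred(1M), and the ownership check on ~/.k5login (treating a file not owned by the target account as a denial) is my reading of the NOTES section, not something the page spells out.

```python
"""Model of the krb5_auth_rules(5) authorization decision (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class K5Login:
    """Stand-in for ~/.k5login: who owns the file and its raw text."""
    owner: str   # account name that owns the file
    text: str    # one principal per line, e.g. "bob/admin@ENG.ACME.COM"


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'user/instance@REALM' into (user, realm); the instance is dropped."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/", 1)[0], realm


def authorize(principal: str, account: str, server_realm: str,
              passwd: Dict[str, int], gsscred: Dict[str, int],
              k5login: Optional[K5Login] = None) -> bool:
    """Return True if the authenticated `principal` may use `account`.

    passwd:  account name -> uid (constructed stand-in for passwd(4))
    gsscred: principal -> uid    (constructed stand-in for the gsscred table)
    k5login: the account's ~/.k5login, or None if the file does not exist
    """
    # Stage 1: a ~/.k5login file, when present, is the sole authority.
    if k5login is not None:
        # NOTES: the file must be owned by the remote user; assumption here
        # is that a file owned by someone else is ignored and access denied.
        if k5login.owner != account:
            return False
        allowed = {line.strip() for line in k5login.text.splitlines() if line.strip()}
        return principal in allowed
    # Stage 2: gsscred maps the Kerberos identity to a UNIX uid; it must equal
    # the uid of the target account.
    if principal in gsscred:
        return account in passwd and passwd[account] == gsscred[principal]
    # Stage 3: fallback, all three conditions must hold.
    user, realm = parse_principal(principal)
    return user == account and realm == server_realm and account in passwd
```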
FILES
~/.k5login Per user-account authorization file.
/etc/passwd System account file. This information may also be in a directory service. See passwd(4).
ATTRIBUTES
See attributes(5) for a description of the following attributes:
+---------------------+-----------------+
| ATTRIBUTE TYPE      | ATTRIBUTE VALUE |
+---------------------+-----------------+
| Interface Stability | Evolving        |
+---------------------+-----------------+
SEE ALSO
ftp(1), rcp(1), rdist(1), rlogin(1), rsh(1), telnet(1), gsscred(1M), passwd(4), attributes(5), gss_auth_rules(5)
NOTES
To avoid security problems, the ~/.k5login file must be owned by the remote user.
SunOS 5.10 13 Apr 2004 krb5_auth_rules(5)