03-18-2010
Access control using LDAP
Hello,
I've configurated a LDAP user authentication on AIX V6 against Active Directory (Windows Server 2008).
The Tree is built as follows:
test (DC)
|--- testgroup (group with members: user1, user2)
|
|--- sys1 (OU)
| |--- sys1group (group with member: user1)
|
|--- sys2 (OU)
| |--- sys2group (group with member: user2)
How is the LDAP Client to configurate that only members of sys1group have access to the AIX system?
I do NOT want to: - change the /etc/security/user file
- move user1 to OU sys1
I have set the groubasedn to dc=test in the ldap.cfg (not to cn=sys1group,ou=sys1,dc=test) because the testgroup should be also detected.
Is there the posibility to set a path to a group which is only used while authentication to grant access to the members?
There are also the parameters hostbasedn and authbasedn in the ldap.cfg but I don't know how to use them.
Has anyone an idea?
Thank you in advance.
10 More Discussions You Might Find Interesting
1. Filesystems, Disks and Memory
In Windows XP, there are 3 default access control groups namely: Administrators, Users and Power Users. Is there default access control groups in Unix system? If there is, what are they?
newbie. (1 Reply)
Discussion started by: zertoir
1 Replies
2. UNIX for Dummies Questions & Answers
Hi,
I was wondering if someone could help me with ACL's. I have a file, say output, created by the root user, member of group other. Its permissions are rwxr--r--. I want only people in group other to have rwx access, but I also want one other user, stephen, member of some_other_group to have rwx... (1 Reply)
Discussion started by: sroberts82
1 Replies
3. UNIX for Advanced & Expert Users
I am struggling with finding a way of securing a unix folder by controlling access to it by a LDAP Group.
In simpler terms,I am looking forward to see a username password prompt,when a specific unix folder is accessed.
That UserID and password ,should be authenticated by a secure directory (via... (1 Reply)
Discussion started by: sunmatts
1 Replies
4. Shell Programming and Scripting
Hey all, I have a directory (own by user: b; group: grpB) which I want a user (user: a; group: grpA) to be able to read and execute from, I wonder if I should add user a to this particular directory's ACL or that I would add group grpB to user a's subgroup?
I would like to know the difference... (3 Replies)
Discussion started by: mpang_
3 Replies
5. UNIX for Dummies Questions & Answers
In OS like windows, I can define an Access Control List (ACL) and specify which accounts and groups have what access to a specific file.
I assume U*X, Linux and cygwin on windows have this ACL feature too. I'm using cygwin on windows. What do I type at a bash prompt to allow a specific user... (1 Reply)
Discussion started by: siegfried
1 Replies
6. UNIX for Dummies Questions & Answers
I need to control intenet access @ work. xample. I need PC 1 to only be able to access these five sites and add to the list as needed. Can anyone pint me a direction. (1 Reply)
Discussion started by: fruiz
1 Replies
7. UNIX for Dummies Questions & Answers
Hi,
I am using eTrust Access Control at work. I have got no output after type checklogin. I wonder what is the reason. Does anyone know? Thanks
eTrustAC selang v8.00a-1555.13 - eTrustAC command line interpreter
Copyright (c) 2006 CA. All rights reserved.
eTrustAC> checklogin user1... (0 Replies)
Discussion started by: uuontario
0 Replies
8. UNIX and Linux Applications
Hi everyone,
I am not that familiar with LDAP advanced contents. But since it is a popular secure tool for authentication, I preferred to user RedHat LDAP. The organization has 5 organizational units. There are 3 client servers and I want to limit each client to access different users.
So, I... (3 Replies)
Discussion started by: royalliege
3 Replies
9. Red Hat
HI All,
Kindly help me to configure the ldap server which is used to authenticate my all cleints from usd access..I need to block all the usb access to the clients...
RHEL5.4 (1 Reply)
Discussion started by: selvaforum
1 Replies
10. Proxy Server
Dear all experts here,
:)
I would like to install a proxy server on Linux server to perform solely to control the access of Web server.
In this case, some of my vendor asked me to try Squid and I have installed it onto my Linux server.
I would like know how can I set the configuration to... (1 Reply)
Discussion started by: kwliew999
1 Replies
LEARN ABOUT DEBIAN
calife.auth
CALIFE.AUTH(5) BSD File Formats Manual CALIFE.AUTH(5)
NAME
calife.auth -- format of the calife authorization file
DESCRIPTION
The calife.auth files are files consisting of newline separated records, one per user, containing three colon (``:'') separated fields.
These fields are as follows:
name User's login name / @group.
shell User's shell
user1,user2,...,usern
List of logins allowed for the user name
The name field is the login used to access the computer account.
The login name must never begin with a hyphen (``-''); also, it is strongly suggested that neither upper-case characters or dots (``.'') be
part of the name, as this tends to confuse mailers. No field may contain a colon (``:'') as this has been used historically to separate the
fields in the user database.
One alternative syntax is to use @group to specify that any user in the given group is allowed to use calife to become root.
The shell field is the command interpreter the user prefers. If there is nothing in the shell field, the user's current shell as found in
the (/etc/passwd) file is assumed.
If the shell field is '*', then the account is considered as locked and access is denied.
If the third parameter is specified, it is assumed to be the list of login the current user has the right to become. It enables use of calife
for non-root only accounts.
calife.auth is placed in /etc.
EXAMPLE
# calife.auth-dist
#
# Format
#
# name[:shell_to_be_run][:user1,user2,usern]
#
fcb
roberto:/bin/tcsh
pb::guest,blaireau
SEE ALSO
calife(1), su(1)
HISTORY
A calife.auth file format appeared in DG/UX and SunOS, written for Antenne 2 in 1991. It has evolved with the extra shell specification. The
login list was reintroduced in 2.7.
AUTHOR
Ollivier Robert <roberto@keltia.frmug.fr.net>
BSD
September 25, 1994 BSD