03-09-2012
IBM directory server - how to restrict AIX client access to read-only
Hello all,
I am using IBM Directory Server (as a part of AIX7 extension pack) in an AIX environment.
To set up the server I use command:
mksecldap -s -a cn=admin -p PWD -S RFC2307AIX -d o=COMPANY -u NONE
Then, to set up IDS clients I use the following (I have 2 mutually replicating servers aixldapsrv1 and aixldapsrv2):
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=admin -p PWD
Also, I do necessary changes in /etc/security/user and other files to make the rsh/rlogin/ssh authentication to check AIX user/password against LDAP content.
Things work smoothly at this point.
However, any user on a host which is an LDAP client being logged in as "root", can remove, change, create users in the LDAP "domain".
I would like to restrict this capability to a root user logged to a specific host, or specific hosts (not all hosts that are LDAP clients).
I thought maybe there exists some way of establishing a dedicated "read-only" pseudo-administrator user with a dn like "cn=roadmin", and thus the LDAP client initialization would look like:
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=roadmin -p PWD
But how to create such a read-only admin on the LDAP server? Is it possible at all, or should I be looking for the solution in some other place?
Any suggestion is very much appreciated!
Myaso
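The risk in the post above is a client-side one: mksecldap -c writes the bind DN and password it is given into the client's ldap.cfg, so binding every client as the directory administrator hands that administrator credential to root on every client. The following Python audit is an added example, not code from the thread or from AIX; it parses ldap.cfg-style "key:value" lines and flags a client that binds as a privileged DN, stores its bind password in cleartext, or talks to the directory without TLS. The key names (binddn, bindpwd, useSSL, ldapservers, userbasedn), the "{scheme}" prefix used to recognise an obfuscated password, and both sample configs are assumptions constructed for the example; cn=admin comes from the page, cn=roadmin,o=COMPANY is the poster's hypothetical read-only DN.

```python
"""Audit an AIX LDAP client's ldap.cfg for an over-privileged bind DN.

Added example; the 'key:value' file layout and key names are assumptions
about /etc/security/ldap/ldap.cfg, and the sample configs are constructed.
"""

# DNs that hold administrative rights on the directory server.  cn=admin comes
# from the page's 'mksecldap -s -a cn=admin' invocation; extend for your servers.
PRIVILEGED_BIND_DNS = {"cn=admin"}


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators so that
    'CN=Admin, O=COMPANY' and 'cn=admin,o=company' compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldap_cfg(text):
    """Parse 'key:value' lines; blank lines and '#' comments are ignored.
    Keys are lower-cased so useSSL and usessl land in the same slot."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def audit_client_config(text, privileged_dns=PRIVILEGED_BIND_DNS):
    """Return a list of finding codes for one client config (empty = clean)."""
    cfg = parse_ldap_cfg(text)
    findings = []
    privileged = {normalize_dn(d) for d in privileged_dns}

    binddn = cfg.get("binddn")
    if binddn is None:
        # Anonymous bind: acceptable only if the server's ACLs were written for it.
        findings.append("no-binddn")
    elif normalize_dn(binddn) in privileged:
        # This is the situation in the post: root on the client can rewrite the suffix.
        findings.append("binddn-is-directory-admin")

    bindpwd = cfg.get("bindpwd")
    if bindpwd is not None and not bindpwd.startswith("{"):
        # Assumption: an obfuscated password carries a {scheme} prefix; anything
        # else is the bind password in cleartext, readable by root on this host.
        findings.append("bindpwd-cleartext")

    if cfg.get("usessl", "no").lower() != "yes":
        # Without TLS the bind password also crosses the network in the clear.
        findings.append("ldap-without-tls")
    return findings


# Constructed sample: what the page's 'mksecldap -c ... -a cn=admin -p PWD'
# would leave on a client, versus a client rebound with a read-only DN.
ADMIN_BOUND_CLIENT = """\
# ldap.cfg as written by mksecldap (constructed sample)
ldapservers:aixldapsrv1,aixldapsrv2
binddn:cn=admin
bindpwd:PWD
useSSL:no
userbasedn:ou=People,o=COMPANY
"""

READONLY_BOUND_CLIENT = """\
ldapservers:aixldapsrv1,aixldapsrv2
binddn:cn=roadmin,o=COMPANY
bindpwd:{DESv2}0123456789abcdef
useSSL:yes
userbasedn:ou=People,o=COMPANY
"""

if __name__ == "__main__":
    for name, text in (("admin-bound", ADMIN_BOUND_CLIENT),
                       ("readonly-bound", READONLY_BOUND_CLIENT)):
        print(name, audit_client_config(text) or "clean")
```

Run against the ldap.cfg of each client, the audit tells you which hosts still carry the administrator credential. The server-side half of the fix is an ordinary entry for the read-only DN that the directory's ACLs grant search and read rights on the user and group containers and nothing more; hosts that genuinely need to manage accounts are then the only ones re-bound with an administrative DN.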
AFP_LDAP.CONF(5) Netatalk 2.2 AFP_LDAP.CONF(5)
NAME
afp_ldap.conf - Configuration file used by afpd(8) to configure a LDAP connection to an LDAP server. That is needed for ACL support in order to be able to query LDAP for UUIDs.
DESCRIPTION
/etc/netatalk/afp_ldap.conf is the configuration file used by afpd to set up an LDAP connection to an LDAP server.
Any line not prefixed with # is interpreted.
Note
You can use afpldaptest(1) to syntactically check your config.
The required parameters and their meanings are:
PARAMETERS
ldap_server
Name or IP address of your LDAP server.
ldap_auth_method
Authentication method: none | simple | sasl
  none - anonymous LDAP bind
  simple - simple LDAP bind
  sasl - SASL. Not yet supported!
ldap_auth_dn
Distinguished Name of the user for simple bind.
ldap_auth_pw
Password of the user for simple bind.
ldap_userbase
DN of the user container in LDAP.
ldap_userscope
Search scope for user search: base | one | sub
ldap_groupbase
DN of the group container in LDAP.
ldap_groupscope
Search scope for group search: base | one | sub
ldap_uuid_attr
Name of the LDAP attribute with the UUIDs.
Note: this is used both for users and groups.
ldap_name_attr
Name of the LDAP attribute with the user's short name.
ldap_group_attr
Name of the LDAP attribute with the group's short name.
EXAMPLES
Example: afp_ldap.conf setup with simple bind
ldap_server = localhost
ldap_auth_method = simple
ldap_auth_dn = cn=admin,dc=domain,dc=org
ldap_auth_pw = notthisone
ldap_userbase = ou=users,dc=domain,dc=org
ldap_userscope = one
ldap_groupbase = ou=groups,dc=domain,dc=org
ldap_groupscope = one
ldap_uuid_attr = some_attribute
ldap_name_attr = cn
ldap_group_attr = cn
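A syntactic check of afp_ldap.conf in the spirit of afpldaptest(1), written in Python as an added example; this is not Netatalk's code. It applies the rules stated in the parameter list: lines not prefixed with # are "key = value", ldap_auth_method is one of none, simple or sasl (sasl is reported as unsupported), the scopes are base, one or sub, and the dn/pw pair is treated as required only for simple bind, which is this example's reading of the list rather than something the man page spells out. The first sample file is the page's own example; the second, with a sasl method and a bad scope, is constructed.

```python
"""Syntactic checker for afp_ldap.conf (added example, not Netatalk's own)."""

# Parameters every file must carry, per the man page's parameter list.
REQUIRED = (
    "ldap_server", "ldap_auth_method",
    "ldap_userbase", "ldap_userscope",
    "ldap_groupbase", "ldap_groupscope",
    "ldap_uuid_attr", "ldap_name_attr", "ldap_group_attr",
)
# ldap_auth_dn / ldap_auth_pw are needed only for simple bind (example's reading).
KNOWN = set(REQUIRED) | {"ldap_auth_dn", "ldap_auth_pw"}
AUTH_METHODS = {"none", "simple", "sasl"}
SCOPES = {"base", "one", "sub"}


def parse_afp_ldap_conf(text):
    """'key = value' per line; lines beginning with '#' are ignored.
    Splitting on the first '=' keeps DNs such as cn=admin,dc=org intact."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line without '=': {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def check_afp_ldap_conf(text):
    """Return a list of problems; an empty list means the file passes."""
    conf = parse_afp_ldap_conf(text)
    problems = [f"missing {key}" for key in REQUIRED if key not in conf]

    method = conf.get("ldap_auth_method")
    if method is not None and method not in AUTH_METHODS:
        problems.append(f"ldap_auth_method must be one of none|simple|sasl, got {method!r}")
    if method == "sasl":
        problems.append("ldap_auth_method sasl is not yet supported")
    if method == "simple":
        for key in ("ldap_auth_dn", "ldap_auth_pw"):
            if not conf.get(key):
                problems.append(f"simple bind requires {key}")

    for key in ("ldap_userscope", "ldap_groupscope"):
        scope = conf.get(key)
        if scope is not None and scope not in SCOPES:
            problems.append(f"{key} must be one of base|one|sub, got {scope!r}")

    problems.extend(f"unknown parameter {key}" for key in conf if key not in KNOWN)
    return problems


# The man page's own example, as a constructed string.
EXAMPLE_CONF = """\
ldap_server = localhost
ldap_auth_method = simple
ldap_auth_dn = cn=admin,dc=domain,dc=org
ldap_auth_pw = notthisone
ldap_userbase = ou=users,dc=domain,dc=org
ldap_userscope = one
ldap_groupbase = ou=groups,dc=domain,dc=org
ldap_groupscope = one
ldap_uuid_attr = some_attribute
ldap_name_attr = cn
ldap_group_attr = cn
"""

# Constructed file with an unsupported auth method and an invalid scope.
BAD_CONF = """\
# constructed sample
ldap_server = ldap.example.org
ldap_auth_method = sasl
ldap_userbase = ou=users,dc=example,dc=org
ldap_userscope = one
ldap_groupbase = ou=groups,dc=example,dc=org
ldap_groupscope = subtree
ldap_uuid_attr = entryUUID
ldap_name_attr = uid
ldap_group_attr = cn
"""

if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_CONF), ("bad", BAD_CONF)):
        print(name, check_afp_ldap_conf(text) or "ok")
```

Because ldap_auth_pw sits in this file in cleartext, a simple-bind setup also means the file's permissions matter: it should be readable by the afpd account only, and the bind DN it names should be one with no more than the search rights afpd needs for UUID lookups.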
SEE ALSO
afpd(8), AppleVolumes.default(5), afpldaptest(1)
Netatalk 2.2 30 Mar 2011 AFP_LDAP.CONF(5)