Top Forums UNIX for Advanced & Expert Users IBM directory server - how to restrict AIX client access to read-only Post 302606125 by Myaso on Friday 9th of March 2012 03:30:00 PM
IBM directory server - how to restrict AIX client access to read-only

Hello all,

I am using IBM Directory Server (as a part of AIX7 extension pack) in an AIX environment.
To set up the server I use command:
mksecldap -s -a cn=admin -p PWD -S RFC2307AIX -d o=COMPANY -u NONE

Then, to set up IDS clients I use the following (I have 2 mutually replicating servers, aixldapsrv1 and aixldapsrv2):
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=admin -p PWD

Also, I make the necessary changes in /etc/security/user and other files to make rsh/rlogin/ssh authentication check the AIX user/password against the LDAP content.
Things work smoothly at this point.

However, any user on a host which is an LDAP client, being logged in as "root", can remove, change, or create users in the LDAP "domain".
I would like to restrict this capability to a root user logged in to a specific host, or specific hosts (not all hosts that are LDAP clients).

I thought maybe there exists some way of establishing a dedicated "read-only" pseudo-administrator user with a dn like "cn=roadmin", so that the LDAP client initialization would look like:
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=roadmin -p PWD

But how to create such a read-only admin on the LDAP server? Is it possible at all, or should I be looking for the solution in some other place?

Any suggestion is very much appreciated!
Myaso
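The read-only pseudo-administrator the post asks about, as an added example that is not part of the original thread: because mksecldap -c stores the bind DN and its password in /etc/security/ldap/ldap.cfg on every client, what actually limits a client's root is the rights the server grants that DN, and IBM Directory Server expresses those as aclEntry values on directory entries, so the code below builds the LDIF granting cn=roadmin (the post's DN, under the post's suffix o=COMPANY) read/search/compare only and audits aclEntry values to confirm that nobody but the real admin keeps write, add or delete. The aclEntry syntax and the SAMPLE_EXPORT are assumptions based on the ITDS ACL model, not checked against the poster's servers.

```python
"""Build and audit IBM Directory Server (ITDS) aclEntry values for a read-only
bind DN.  Assumed ITDS syntax: access-id:<dn>[:object:<ad>]:<class>:<rwsc>...
with rights r/w/s/c = read/write/search/compare and object a/d = add/delete."""

CLASSES = ("normal", "sensitive", "critical", "system", "restricted")
WRITE_RIGHTS = set("wad")


def read_only_ldif(bind_dn, suffix):
    """LDIF granting bind_dn read/search/compare on all attribute classes under
    suffix ('critical' holds userPassword, which the AIX client must read)."""
    rights = ":".join(f"{c}:rsc" for c in CLASSES)
    return (f"dn: {suffix}\nchangetype: modify\nadd: aclEntry\n"
            f"aclEntry: access-id:{bind_dn}:{rights}\n-\n"
            "replace: aclPropagate\naclPropagate: TRUE\n")  # apply subtree-wide


def parse_acl_entry(value):
    """Return (subject, {class: rights}); assumes the DN contains no ':'."""
    tokens = value.strip().split(":")
    if tokens[0] in ("access-id", "group", "role"):
        subject, rest = f"{tokens[0]}:{tokens[1]}", tokens[2:]
    else:  # pseudo-DNs such as cn=this / cn=anybody / cn=authenticated
        subject, rest = tokens[0], tokens[1:]
    if len(rest) % 2: raise ValueError(f"unpaired class/rights in {value!r}")
    grants = {}
    for cls, rights in zip(rest[::2], rest[1::2]):
        legal = "ad" if cls == "object" else "rwsc"
        known = cls in CLASSES or cls == "object" or cls.startswith("at.")
        if not known or not set(rights) <= set(legal):
            raise ValueError(f"bad grant {cls}:{rights} in {value!r}")
        grants[cls] = grants.get(cls, "") + rights
    return subject, grants


def is_read_only(value):
    """True when the aclEntry grants no write, add or delete right at all."""
    return not any(WRITE_RIGHTS & set(r) for r in parse_acl_entry(value)[1].values())


def writable_subjects(ldif_text):
    """Subjects of an ACL export that can still write (should be the admin only)."""
    return [parse_acl_entry(line.split(":", 1)[1])[0]
            for line in ldif_text.splitlines()
            if line.lower().startswith("aclentry:")
            and not is_read_only(line.split(":", 1)[1])]


# Constructed sample of an ACL export of the suffix (not from the post).
SAMPLE_EXPORT = """dn: o=COMPANY
aclEntry: access-id:cn=roadmin,o=COMPANY:normal:rsc:sensitive:rsc:critical:rsc
aclEntry: access-id:cn=admin,o=COMPANY:object:ad:normal:rwsc:sensitive:rwsc
aclEntry: group:cn=anybody:normal:rsc
"""
```

Apply the generated LDIF with ldapmodify as the real administrator, then point the clients' mksecldap -c at cn=roadmin and confirm with an export that writable_subjects lists only cn=admin.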
 

Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.