UNIX for Advanced & Expert Users
IBM directory server - how to restrict AIX client access to read-only
Post 302606125 by Myaso on Friday 9th of March 2012 03:30:00 PM

Hello all,

I am using IBM Directory Server (as a part of AIX7 extension pack) in an AIX environment.
To set up the server I use command:
mksecldap -s -a cn=admin -p PWD -S RFC2307AIX -d o=COMPANY -u NONE

Then, to set up IDS clients I use the following (I have 2 mutually replicating servers, aixldapsrv1 and aixldapsrv2):
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=admin -p PWD

Also, I make the necessary changes in /etc/security/user and other files so that rsh/rlogin/ssh authentication checks the AIX user/password against the LDAP content.
Things work smoothly at this point.

However, any user logged in as "root" on a host which is an LDAP client can remove, change, and create users in the LDAP "domain".
I would like to restrict this capability to the root user logged in to a specific host, or specific hosts (not all hosts that are LDAP clients).

I thought maybe there exists some way of establishing a dedicated "read-only" pseudo-administrator user with a DN like "cn=roadmin", so that the LDAP client initialization would look like:
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=roadmin -p PWD

But how do I create such a read-only admin on the LDAP server? Is it possible at all, or should I be looking for the solution somewhere else?

Any suggestion is very much appreciated!
Myaso
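One way to build the read-only pseudo-administrator the post asks about, as an added example that is not part of the original post: it assumes IBM Directory Server's aclEntry/aclPropagate ACL attributes and the o=COMPANY suffix from the post, and cn=roadmin,o=COMPANY with its placeholder password is constructed here. The point is that cn=admin (the server's primary administrator DN in ibmslapd.conf) bypasses ACLs entirely, so a read-only principal has to be an ordinary entry that the ACLs govern, not a second administrator.

```ldif
# Added example (not from the post): create an ordinary entry for AIX
# clients to bind as, then grant it read/search/compare only on o=COMPANY.
# Assumes IBM Directory Server ACL attributes (aclEntry, aclPropagate).
# Assumed load command: ldapmodify -D cn=admin -w PWD -f roadmin.ldif

# 1. The bind identity. It is deliberately NOT an ibm-slapdAdminDN in
#    ibmslapd.conf, so server-side ACLs apply to every operation it makes.
dn: cn=roadmin,o=COMPANY
changetype: add
objectClass: top
objectClass: person
cn: roadmin
sn: readonly-admin
description: read-only bind DN for AIX LDAP clients (constructed example)
userPassword: CHANGE-ME-PLACEHOLDER

# 2. Read-only rights for that DN on the whole tree.
#    r=read, s=search, c=compare on each attribute class; no "a" (add) or
#    "d" (delete) on the object and no "w" anywhere, so creating, removing
#    or modifying user entries through this bind is refused by the server.
#    userPassword is typically in the "critical" class, and AIX clients in
#    unix_auth mode must read it to verify logins, so rsc is granted there.
dn: o=COMPANY
changetype: modify
add: aclEntry
aclEntry: access-id:cn=roadmin,o=COMPANY:normal:rsc:sensitive:rsc:critical:rsc
-
replace: aclPropagate
aclPropagate: TRUE
```

A read-only bind DN also blocks client-initiated writes such as a user changing their password through the client, so those paths need to be tested after the switch; the hosts that must keep full rights can stay bound as cn=admin or be given a separate DN with write ACLs.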

nisserver(1M) System Administration Commands nisserver(1M)

NAME
     nisserver - set up NIS+ servers

SYNOPSIS
     /usr/lib/nis/nisserver -r [-x] [-f] [-v] [-Y] [-d NIS+_domain] [-g NIS+_groupname] [-l network_passwd]
     /usr/lib/nis/nisserver -M [-x] [-f] [-v] [-Y] -d NIS+_domain [-g NIS+_groupname] [-h NIS+_server_host]
     /usr/lib/nis/nisserver -R [-x] [-f] [-v] [-Y] [-d NIS+_domain] [-h NIS+_server_host]

DESCRIPTION
     The nisserver shell script can be used to set up a root master, non-root master, and replica NIS+ server with level 2 security (DES). If other authentication mechanisms are configured with nisauthconf(1M), nisserver will set up a NIS+ server using those mechanisms. nisauthconf(1M) should be used before nisserver.

     When setting up a new domain, this script creates the NIS+ directories (including groups_dir and org_dir) and system table objects for the domain specified. It does not populate the tables. nispopulate(1M) must be used to populate the tables.

OPTIONS
     -d NIS+_domain
          Specifies the name for the NIS+ domain. The default is your local domain.

     -f
          Forces the NIS+ server setup without prompting for confirmation.

     -g NIS+_groupname
          Specifies the NIS+ group name for the new domain. This option is not valid with the -R option. The default group is admin.<domain>.

     -h NIS+_server_host
          Specifies the hostname for the NIS+ server. It must be a valid host in the local domain. Use a fully qualified hostname (for example, hostx.xyz.sun.com.) to specify a host outside of your local domain. This option is only used for setting up non-root master or replica servers. The default for non-root master server setup is to use the same list of servers as the parent domain. The default for replica server setup is the local hostname.

     -l network_password
          Specifies the network password with which to create the credentials for the root master server. This option is only used for master root server setup (-r option). If this option is not specified, the script prompts you for the login password.

     -M
          Sets up the specified host as a master server. Make sure that rpc.nisd(1M) is running on the new master server before this command is executed.

     -R
          Sets up the specified host as a replica server. Make sure that rpc.nisd is running on the new replica server.

     -r
          Sets up the server as a root master server. Use the -R option to set up a root replica server.

     -v
          Runs the script in verbose mode.

     -x
          Turns the echo mode on. The script just prints the commands that it would have executed. Note that the commands are not actually executed. The default is off.

     -Y
          Sets up a NIS+ server with NIS-compatibility mode. The default is to set up the server without NIS-compatibility mode.

USAGE
     Use the first synopsis of the command (-r) to set up a root master server. To run the command, you must be logged in as super-user on the server machine.

     Use the second synopsis of the command (-M) to set up a non-root master server for the specified domain. To run the command, you must be logged in as a NIS+ principal on a NIS+ machine and have write permission to the parent directory of the domain that you are setting up. The new non-root master server machine must already be an NIS+ client (see nisclient(1M)) and have the rpc.nisd(1M) daemon running.

     Use the third synopsis of the command (-R) to set up a replica server for both root and non-root domains. To run the command, you must be logged in as a NIS+ principal on a NIS+ machine and have write permission to the parent directory of the domain that you are replicating. The new non-root replica server machine must already be an NIS+ client and have the rpc.nisd daemon running.

EXAMPLES
     Example 1: Setting up Servers

     To set up a root master server for domain sun.com.:

          root_server# /usr/lib/nis/nisserver -r -d sun.com.

     For the following examples make sure that the new servers are NIS+ clients and that rpc.nisd is running on these hosts before executing nisserver.

     To set up a replica server for the sun.com. domain on host sunreplica:

          root_server# /usr/lib/nis/nisserver -R -d sun.com. -h sunrep

     To set up a non-root master server for domain xyz.sun.com. on host sunxyz with the NIS+ groupname as admin-mgr.xyz.sun.com.:

          root_server# /usr/lib/nis/nisserver -M -d xyz.sun.com. -h sunxyz -g admin-mgr.xyz.sun.com.

     To set up a non-root replica server for domain xyz.sun.com. on host sunabc:

          sunxyz# /usr/lib/nis/nisserver -R -d xyz.sun.com. -h sunabc

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     | ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
     +-----------------------------+-----------------------------+
     | Availability                | SUNWcsu                     |
     +-----------------------------+-----------------------------+

SEE ALSO
     nis+(1), nisgrpadm(1), nismkdir(1), nisaddcred(1M), nisauthconf(1M), nisclient(1M), nisinit(1M), nispopulate(1M), nisprefadm(1M), nissetup(1M), rpc.nisd(1M), attributes(5)

NOTES
     NIS+ might not be supported in future releases of the Solaris(TM) Operating Environment. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment. For more information, visit http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.10 13 Dec 2001 nisserver(1M)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.