Hello everyone, I am having trouble with something, and I can't find the right answer online. At our company, we are using LDAP authentication with Active Directory (Windows 2008 servers) to have centralized management of AIX 7.1 users.
So far so good, but now we want to implement RBAC on AIX so we can grant privileged access to certain users (like DBAs or sysadmins) without using su or having everyone use the root account. The problem I have is that when I want to assign a role to a user on a server, the chuser command fails, since it cannot find the user (it's in AD and not defined locally). I use the following command to assign the role:
Is there a way for me to tell the chuser command to get the user information from AD? Or can I manually define the roles for each user (maybe in the /etc/security/user.roles file)?
If that doesn't work I'm going to try defining groups in AD with the same GID as local groups, and handling everything via the sudoers file, but I would like to hear from your experiences.
Best Regards,
Juan
---------- Post updated 03-21-13 at 09:01 AM ---------- Previous update was 03-20-13 at 08:15 PM ----------
As a follow-up, I've manually edited the
file, adding roles to my LDAP users (who don't exist locally in /etc/passwd), then ran
and to my surprise, it works! When I log in with an LDAP user, I can see my assigned roles via
and successfully apply them using
.
Does anyone have any experience with this? I just want to know if anything can go wrong, since it feels a little bit dirty.
DO NOT DO THIS or pconsole will go nuts and start forking processes indefinitely. While this works and you can assign local roles to LDAP users, it's unstable, it will break pconsole, and it may invalidate your IBM support. If you do it, you are on your own.
Whatever solution path you choose, it will include loading, at some point, an AIX LDAP schema.
After you have read the articles above, you will understand better.
BEFORE you begin - make sure adding a schema to AD does not break your support contract. So make a backup first. I am told AD does not (did not?) have an easy option to remove extensions.
Hope this helps!
Thanks for your response, didn't know I could use lsuser, chuser, etc. like that :/. I've already run the mksecldap command, and my AD users can authenticate in AIX; the only thing I'm missing is the possibility to use RBAC with those users.
I've spoken with the AD admins, and they've told me that a schema update is not going to be possible right now, and my boss doesn't want me to set up another LDAP server for the RBAC information.
So, I think I'm at a dead end right now regarding RBAC and LDAP; we have decided to use groups (with matching GIDs between local and LDAP groups) and sudo to assign privileges to LDAP users.
My pleasure.
If you have a chance to attend the TechU in Amsterdam or Athens this year I'll be doing a presentation/labs on RBAC and LDAP (installing ITDS from try and buy images). As I have time I am looking at compiling openldap for AIX and doing the same.
p.s. I expected that AD admins would not be "excited" about a schema change. "All" customers I have worked with have said no - in the end. AD support seems to end once a non-AD schema is installed. No support == No install.
Sorry I cannot provide an easier answer.
p.s. I do not know the answer - exactly - but you should also look into a construction for not allowing "any" AD defined user to be able to login to "all" systems. Normally, there are only one or two systems where a login is appropriate.
I've found two ways to do this:
1. Define a group or OU in AD for each server, and tell the LDAP client to look for user information only inside that group or OU.
2. Modify the /etc/security/user file so the default stanza uses SYSTEM=compat (therefore no LDAP user will be able to log in), and add a stanza per LDAP user with SYSTEM=LDAP and registry=LDAP. This way, only the users that have a custom stanza here will be able to use LDAP for login.
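As an added example (not part of the thread), here is a small POSIX sh/awk audit that parses /etc/security/user stanzas the way the second method above describes and reports which users can actually authenticate via LDAP, so the locked-down and the wide-open default can be compared. Both stanza files are constructed samples and the user names (jperez, dba1, ops1) are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit an AIX-style /etc/security/user
# stanza file and list every user whose effective SYSTEM attribute allows
# LDAP authentication (own value if set, otherwise the default stanza's).
# Stanza format: "name:" header, then indented "attr = value" lines.
# Constructed sample of the thread's locked-down approach: default is
# compat-only, so only users with their own LDAP stanza can log in.
LOCKED_USER_FILE=$(cat <<'EOF'
default:
        SYSTEM = "compat"
        registry = files
root:
        admin = true
jperez:
        SYSTEM = "LDAP"
        registry = LDAP
dba1:
        SYSTEM = "LDAP"
        registry = LDAP
EOF
)

# Constructed counter-example: default permits LDAP, so any user without an
# explicit compat-only override (here ops1) is reachable by every AD account.
OPEN_USER_FILE=$(cat <<'EOF'
default:
        SYSTEM = "LDAP OR compat"
        registry = LDAP
root:
        SYSTEM = "compat"
ops1:
        admin = false
EOF
)

# ldap_login_users CONTENT: print the non-default stanzas whose effective
# SYSTEM value mentions LDAP, one name per line.
ldap_login_users() {
    printf '%s\n' "$1" | awk '
        /^[^[:space:]*#][^:]*:[[:space:]]*$/ { stanza = $1; sub(/:$/, "", stanza); order[++n] = stanza; next }
        /^[[:space:]]+SYSTEM[[:space:]]*=/ { val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); gsub(/"/, "", val); sys[stanza] = val }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]; if (s == "default") continue
                eff = (s in sys) ? sys[s] : sys["default"]
                if (eff ~ /LDAP/) print s
            }
        }'
}
```

Run it against the real file with `ldap_login_users "$(cat /etc/security/user)"` to see which accounts a system actually exposes to AD logins.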