RBAC and LDAP users (AD)

# 1  
Old 03-21-2013
RBAC and LDAP users (AD)

Hello everyone, I am having trouble with something, and I can't find the right answer online. At our company, we are using LDAP authentication with Active Directory (Windows 2008 servers) to have centralized management of AIX 7.1 users.

So far so good, but now we want to implement RBAC on AIX so we can grant privileged access to certain users (like DBAs or sysadmins) without using su or having everyone use the root account. The problem I have is that when I want to assign a role to a user on a server, the chuser command fails, since it cannot find the user (it's in AD, and not defined locally). I use the following command to assign the role:

chuser roles=test_role test_user

Is there a way for me to tell the chuser command to get the user information from AD? Or can I define the roles for each user manually (maybe in the /etc/security/user.roles file?).

If that doesn't work I'm going to try defining groups in AD with the same GID as local groups, and handling everything via the sudoers file, but I would like to hear about your experiences.

Best Regards,


---------- Post updated 03-21-13 at 09:01 AM ---------- Previous update was 03-20-13 at 08:15 PM ----------

As a follow-up, I've manually edited the

file, adding roles to my LDAP users (who don't exist locally in /etc/passwd), then ran

and to my surprise, it works! When I log in with an LDAP user, I can see my assigned roles via

and successfully apply them using
swrole <role>


Does anyone have any experience with this? I just want to know if anything can go wrong, since it feels a little bit dirty.

DO NOT DO THIS or pconsole will go nuts and start forking processes indefinitely. While this works and you can assign local roles to LDAP users, it's unstable, it will break pconsole, and it may invalidate your IBM support. If you do it, you are on your own.

Last edited by Janpol; 03-22-2013 at 09:42 AM..
# 2  
Old 03-21-2013
Well, as far as I know AD only supports the RFC 2307 attributes out of the box.

There are a couple of dated (they were written for AIX 5.1 and, for AD, AIX 6.1), but still largely accurate, tutorials (I must look for the links).

Have you run the mksecldap command to make AIX an LDAP client of the AD server?

Before mkuser/chuser/etc. can contact AD, it needs to know where to look.

For the simple stuff, start with lsuser once it is set up.

$|# lsuser -R LDAP michael

---------- Post updated at 06:36 PM ---------- Previous update was at 06:25 PM ----------

Infocenter link - the basics
Developerworks article for SunOne and AD (from 2008, but gets you going)

Also, try "your favorite search engine": aixSchemaForAD

Whatever solution path you choose, it will include loading, at some point, an AIX LDAP schema.

After you have read the articles above, you will understand better.

BEFORE you begin, make sure adding a schema to AD does not break your support contract. So make a backup first. I am told AD does not (did not?) have an easy option to remove extensions.

Hope this helps!
This User Gave Thanks to MichaelFelt For This Post:
# 3  
Old 03-21-2013
Thanks for your response; I didn't know I could use lsuser, chuser, etc. like that :/. I've already run the mksecldap command, and my AD users can authenticate on AIX; the only thing I'm missing is the possibility of using RBAC with those users.

I'll try what you suggest tomorrow.

# 4  
Old 03-22-2013
It can be done, but I would recommend a separate LDAP server for the other DIT domains.

No time for details; check out /etc/security/ldap/ldap.cfg for specifying multiple base domains for different categories of information.
# 5  
Old 03-22-2013
I've spoken with the AD admins, and they've told me that a schema update is not going to be possible right now, and my boss doesn't want me to set up another LDAP server for the RBAC information.

So I think I'm at a dead end right now regarding RBAC and LDAP; we have decided to use groups (with matching GIDs between local and LDAP groups) and sudo to assign privileges to LDAP users.

Thanks a lot for your help Michael.
# 6  
Old 03-22-2013
My pleasure.

If you have a chance to attend the TechU in Amsterdam or Athens this year, I'll be doing a presentation/labs on RBAC and LDAP (installing ITDS from try-and-buy images). As I have time, I am looking at compiling OpenLDAP for AIX and doing the same.

P.S. I expected that AD admins would not be "excited" about a schema change. "All" customers I have worked with have said no, in the end. AD support seems to end once a non-AD schema is installed. No support == no install.

Sorry I cannot provide an easier answer.

P.S. I do not know the answer exactly, but you should also look into a construction for not allowing "any" AD-defined user to be able to log in to "all" systems. Normally, there are only one or two systems where a login is appropriate.
# 7  
Old 03-22-2013
Originally Posted by MichaelFelt
My pleasure.

P.S. I do not know the answer exactly, but you should also look into a construction for not allowing "any" AD-defined user to be able to log in to "all" systems. Normally, there are only one or two systems where a login is appropriate.
I've found two ways to do this:

1. Define a group or OU in AD for each server, and tell the LDAP client to look for user information only inside that group or OU.

2. Modify the /etc/security/user file so the default stanza uses SYSTEM=compat (therefore no LDAP user will be able to log in), and add a stanza per LDAP user with SYSTEM=LDAP and registry=LDAP. This way, only the users that have a custom stanza there will be able to use LDAP for login.
This User Gave Thanks to Janpol For This Post:
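An added example, not code from anyone in the thread: a small POSIX sh/awk audit of the option 2 layout of /etc/security/user. It writes a constructed sample stanza file (the user names dba01 and sysadm02 are made up) and reports which stanzas permit LDAP logins, so a permissive default stanza ("LDAP or compat") shows up as "default" in the output.

```shell
#!/bin/sh
# Added example (not from the thread): audit an AIX /etc/security/user style
# stanza file and list the stanzas whose SYSTEM attribute allows LDAP logins.
# A constructed sample file stands in for the real one, so this runs anywhere.

# Print the names of all stanzas whose SYSTEM value mentions LDAP, one per line.
# If "default" is printed, every AD user can log in, which is the weak layout.
list_ldap_login_users() {
    awk '
        # A stanza header is a bare name followed by a colon at column 0.
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { sub(/:.*/, ""); stanza = $0; next }
        # Attribute lines look like:   SYSTEM = "LDAP"   (quotes are optional).
        /^[ \t]*SYSTEM[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
            if (toupper(val) ~ /LDAP/) print stanza
        }
    ' "$1"
}

# Write a constructed sample to $1. $2 is the default stanza SYSTEM value:
# "compat" (hardened, the thread's option 2) or "LDAP or compat" (permissive).
make_sample() {
    cat > "$1" <<EOF
default:
        admin = false
        login = true
        SYSTEM = "${2:-compat}"
        registry = files

root:
        admin = true

dba01:
        SYSTEM = "LDAP"
        registry = LDAP

sysadm02:
        SYSTEM = "LDAP"
        registry = LDAP
EOF
}

# Usage on a real host (read-only): list_ldap_login_users /etc/security/user
```

Run against the hardened sample the audit prints only dba01 and sysadm02; with the permissive default it prints default first, which is the condition to watch for.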