Need help in setting access to unix server


 
# 1  
Old 05-14-2010
Need help in setting access to unix server

I am performing some work for a small business that has no IT staff. They contract out work from time to time for their IT needs.

What they would like to do is grant access to an AIX 5.3 server for some external customers to perform some application testing. They are running Active Directory and do not want to set up temporary users for the testing purpose. They don't want to accidentally allow users access to other resources other than the AIX server. They are running a T1 line that comes into a switch. They have asked me to provide access to the server. I have some admin experience but only at a beginner to intermediate level. I am looking for a very good option. Here are some of the ideas I have.

1) Attach the server in front of the firewall by connecting it directly to the switch. (Not sure if I can get a static IP though. Not sure what the T1 line allows) I know they have at least one static IP from the T1 provider.

2) Keep the server behind the firewall and use some kind of software like Itivity to grant access to server. But would still have to set up AD accounts.

3) Have them purchase cable and set up a separate network that does not tie into AD. However, I am not sure how I would grant access from the internet, since the IP will be behind the firewall and be a 192.168.x.xx number.

4) Purchase another router and create a secondary network and place the server into the new network. Still don't know how I grant access from the internet because of the 192.168 ip address.

The company wants to keep the server secure as well as proprietary information on other servers. They are very hesitant about setting up external accounts in AD and would prefer direct access to the server that does not involve AD.

Any help would be greatly appreciated.
# 2  
Old 05-14-2010
There are accounts/users needed to access the AIX servers by ssh sessions. There is no way around it. If they don't want temp users in LDAP, they need local users. There are only those two ways.

If they decide to use LDAP users for access, they have to use the following bold marked attribute in their LDAP:
Code:
hostsallowedlogin      SEC_LIST        hostsallowedlogin       m

If they use another name for this attribute in their MetaDirectory, it has to be changed accordingly in /etc/security/ldap/2307user.map or whatever map file for users is being pointed at in ldap.cfg at
Code:
userattrmappath:/etc/security/ldap/2307user.map

As you can see, this attribute is a multi-value attribute (m). They have to add in that attribute all the hostnames (the actual names you get on the AIX hosts when you type in the command hostname) that should be allowed to log in to. It is a simple filter that works well. The AIX hosts need an LDAP client up and running, connected to their MetaDirectory (LDAP server) of course. The config etc. is for AIX LDAP, not openLDAP.

If they have chosen to leave LDAP out altogether, they simply need a local account on the boxes that are being used.

For the network thingy, keep all servers behind the firewall for sure and set up a rule that ssh protocol connections from a specific host for a specific host, after successful authentication of course, are allowed. If the authentication thing at firewall level is a problem, you have at least the authentication against the AIX hosts.
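Added example, not part of the reply above and not AIX's own tooling: a shell check that follows `userattrmappath` from an `ldap.cfg` to the user map file, reports which LDAP attribute `hostsallowedlogin` is mapped to and whether it is multi-valued, and tests a hostname against a list of attribute values. The function names and the four-column map layout (as quoted in the post) are assumptions.

```shell
#!/bin/sh
# Added example: check how hostsallowedlogin is mapped on an AIX LDAP client.
# File paths are passed in as arguments; function names are hypothetical.

# Print the user map file named by userattrmappath in ldap.cfg ($1).
map_path() {
    awk '/^[ \t]*userattrmappath[ \t]*:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); p = $0 }
         END { if (p == "") exit 1; print p }' "$1"
}

# Print "<ldap_attribute> <s|m>" for the AIX attribute hostsallowedlogin,
# assuming the four-column map line quoted in the post.
allowed_mapping() {
    awk '$1 == "hostsallowedlogin" && NF >= 4 { print $3, $4; ok = 1; exit }
         END { if (!ok) exit 1 }' "$1"
}

# Return 0 if host $1 is among the attribute values $2..., exact match only
# (a simplification: the post describes plain hostnames).
host_allowed() {
    h=$1; shift
    for v in "$@"; do
        [ "$v" = "$h" ] && return 0
    done
    return 1
}

# Walk config -> map file -> mapping line and report the result.
audit() {
    cfg=$1
    map=$(map_path "$cfg") || { echo "no userattrmappath in $cfg"; return 2; }
    [ -r "$map" ] || { echo "map file $map not readable"; return 2; }
    m=$(allowed_mapping "$map") ||
        { echo "hostsallowedlogin not mapped in $map"; return 1; }
    case $m in
        *" m") echo "ok: LDAP attribute ${m% *} is multi-valued" ;;
        *)     echo "warn: LDAP attribute ${m% *} is single-valued"; return 1 ;;
    esac
}

# Run the audit when a config path is given on the command line.
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it with the path of the client's `ldap.cfg` as the only argument; a non-zero exit status means the mapping is missing, single-valued, or the map file could not be read.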
# 3  
Old 05-14-2010
Re: Need help with access to unix server

Without using LDAP, how would the external users get access to the server? I believe setting up local accounts only allows users within the lan to access the server, but not from the internet. The external users do not have access to our network and may be at various locations.

When you use the term LDAP, are you referring to Active Directory, which is essentially an LDAP, or are you referring to running LDAP on the AIX server? Your sample gives me the impression that I will need to install LDAP on the server.

Last edited by texassynergy; 05-14-2010 at 02:21 PM..
# 4  
Old 05-19-2010
Oh, maybe I got on the wrong track when I read "Active Directory" in conjunction with user accounts, sorry for confusing you.
If you don't use LDAP, forget about it. It is a protocol through which a repository/DB/MetaDirectory is being accessed for lots of information, especially personalized and authentication information etc.

To grant them access to an AIX box via ssh, they will need a local system account. Afaik there is no way around.

To get them access to your network, which is essentially to reach the AIX box, you could set up VPN. They install a VPN-client on their workstations and dial in to your network, authenticating themselves with a username and a password. If this is granted, your firewall rules should apply so they can access the AIX box via ssh (port 22) for example, having to authenticate against the AIX box too, of course.

Which software is needed on your side as VPN server etc. I do not know, but there should be plenty of guides on the web on how to set up such a thing. Afaik there is Linux software for that purpose, as well as network hardware available from different manufacturers, Cisco etc., that has a serving application for VPN built in.
 