Hello all,
I am using IBM Directory Server (as a part of AIX7 extension pack) in an AIX environment.
To set up the server I use command:
mksecldap -s -a cn=admin -p PWD -S RFC2307AIX -d o=COMPANY -u NONE
Then, to set up IDS clients I use the following (I have 2 mutually replicating servers aixldapsrv1 and aixldapsrv2) :
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=admin -p PWD
Also, I do necessary changes in /etc/security/user and other files to make the rsh/rlogin/ssh authentication to check AIX user/password against LDAP content.
Things work smoothly at this point.
However, any user on a host which is an LDAP client being logged in as "root", can remove, change, create users in the LDAP "domain".
I would like to restrict this capability to a root user logged to a specific host, or specific hosts (not all hosts that are LDAP clients).
I thought maybe there exist some way of establishing a dedicated "read-only" pseudo-administrator user with the dn like "cn=roadmin", and thus the LDAP client initialization would look like:
mksecldap -c -h aixldapsrv1,aixldapsrv2 -a cn=roadmin -p PWD
But how to create such a readonly admin on the LDAP server? Is it possible at all or I should be looking for the solution in some other place?
any suggestion is very much appreciated!
Myaso