RBAC and LDAP users (AD)

Hello everyone, I am having trouble with something, and I can't find the right answer online. At our company, we are using LDAP authentication with Active Directory (Windows 2008 servers) to have centralized management of AIX 7.1 users.

So far so good, but now we want to implement RBAC on AIX so we can grant privileged access to certain users (like DBAs or sysadmins) without using su or having everyone use the root account. The problem I have is that when I want to assign a role to a user on a server, the chuser command fails, since it cannot find the user (it's in AD, and not defined locally). I use the following command to assign the role:

chuser roles=test_role test_user

Is there a way for me to tell the chuser command to get the user information from AD? Or can I define manually the roles for each user? (maybe in the /etc/security/user.roles file?).

If that doesn't work I'm going to try defining groups in AD with the same GID as local groups, and handling everything via the sudoers file, but I would like to hear from your experiences.

Best Regards,

Juan

---------- Post updated 03-21-13 at 09:01 AM ---------- Previous update was 03-20-13 at 08:15 PM ----------

As a follow-up, I've manually edited the

/etc/security/user.roles

file, adding roles to my LDAP users (who don't exist locally in /etc/passwd), then ran

setkst

and to my surprise, it works! When I log in with an LDAP user, I can see my assigned roles via

rolelist

and successfully apply them using

swrole <role>

Does anyone have any experience with this? I just want to know if anything can go wrong, since it feels a little bit dirty.

DO NOT DO THIS or pconsole will go nuts and start forking processes indefinitely. While this works and you can assign local roles to LDAP users, it's unstable, it will break pconsole, and it may invalidate your IBM support. If you do it, you are on your own.

Well, as far as I know AD only supports the rfc2307 attributes, out of the box.

There are a couple of dated (written for AIX 5.1, and for AD with AIX 6.1) but still largely accurate tutorials (must look for links).

Have you run the mksecldap command to make AIX an ldap client of the AD server?

Before mkuser/chuser/etc can contact AD it needs to know where to look.

For the simple stuff - start with lsuser once it is setup.

$|# lsuser -R LDAP michael

---------- Post updated at 06:36 PM ---------- Previous update was at 06:25 PM ----------

Infocenter link - the basics
Developerworks article for SunOne and AD (from 2008, but gets you going)

Also, try "your favorite search engine": aixSchemaForAD

Whatever solution path you choose, it will include loading, at some point, an AIX LDAP schema.

After you have read the articles above, you will understand better.

BEFORE you begin - make sure adding a schema to AD does not break your support contract. So make a backup first. I am told AD does not (did not?) have an easy option to remove extensions.

Hope this helps!


Thanks for your response, didn't know I could use lsuser, chuser, etc. like that :/. I've already run the mksecldap command, and my AD users can authenticate on AIX; the only thing I'm missing is the possibility to use RBAC with those users.

I'll try what you suggest tomorrow.

Thanks!

It can be done, but I would recommend a separate LDAP server for the other DIT domains.

No time for details, check out /etc/security/ldap/ldap.cfg for specifying multiple base domains for different categories of information.

I've spoken with the AD admins, and they've told me that a schema update is not going to be possible right now, and my boss doesn't want me to set up another LDAP server for the RBAC information.

So, I think I'm on a dead end right now regarding RBAC and LDAP, we have decided to use groups (with matching gids between local and LDAP groups) and sudo to assign privileges to LDAP users.

Thanks a lot for your help Michael.

my pleasure.

If you have a chance to attend the TechU in Amsterdam or Athens this year I'll be doing a presentation/labs on RBAC and LDAP (installing ITDS from try and buy images). As I have time I am looking at compiling openldap for AIX and doing the same.

p.s. I expected that AD admins would not be "excited" about a schema change. "All" customers I have worked with have said no - in the end. AD support seems to end once a non-AD schema is installed. No support == No install.

Sorry I cannot provide an easier answer.

p.s. I do not know the answer - exactly - but you should also look into a construction for not allowing "any" AD defined user to be able to login to "all" systems. Normally, there are only one or two systems where a login is appropriate.

I've found two ways to do this:

  1. Is to define a group or OU in AD for each server, and tell the ldap client to look for user information only inside that group or OU.

  2. Modify the /etc/security/user file, so the default stanza will use SYSTEM=compat (therefore no LDAP user will be able to log in), and add a stanza per LDAP user, where SYSTEM=LDAP and registry=LDAP. This way, only the users that have a custom stanza here will be able to use LDAP for login.


The AIX schema has two attributes: hostsallowed, hostsdenied - if I recall correctly. They are exclusive to each other, i.e., you specify what is allowed, and all else is denied, or what is denied, and everything else is allowed. The nice thing about this is that it is all managed via the LDAP interface, so no modifications to the AIX systems are needed.

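The two per-host restrictions discussed above (the second option, a compat default stanza in /etc/security/user plus SYSTEM=LDAP stanzas only for the users who may log in, and the host-allow/host-deny attributes) can be checked offline before they are rolled out. The script below is an added example written for this thread, not something any of the posters ran: it parses a stanza file in the /etc/security/user layout, resolves each attribute from the user's stanza with fallback to default, and reports whether an AD-defined user would get past login on a given host. The sample file it writes is constructed for the demo. Two assumptions: the attribute names hostsallowedlogin and hostsdeniedlogin are how I believe AIX spells the allow/deny lists (verify on your own system), and where a host appears in both lists the script lets the deny win.

```shell
#!/bin/sh
# Added example (not from the thread): decide, for one user and one host,
# whether an /etc/security/user-style stanza file lets an LDAP user log in.
# Assumptions: "name:" stanza headers followed by "  attr = value" lines;
# attribute names hostsallowedlogin/hostsdeniedlogin as I recall them.

# user_attr FILE USER ATTR: print ATTR for USER, falling back to the
# "default" stanza; print nothing if it is set in neither place.
user_attr() {
    file=$1; user=$2; attr=$3
    awk -v u="$user" -v a="$attr" '
        /^[^ \t#][^:]*:[ \t]*$/ { sub(/:[ \t]*$/, ""); stanza = $0; next }
        /^[ \t]*[A-Za-z_]+[ \t]*=/ {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*/, "", key)
            v = $0;   sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            gsub(/"/, "", v)                 # SYSTEM = "compat" -> compat
            if (key == a) {
                if (stanza == u) found = v
                else if (stanza == "default") def = v
            }
        }
        END { print (found != "" ? found : def) }' "$file"
}

# list_has LIST HOST: true if the comma-separated LIST names HOST or ALL.
list_has() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
        grep -qxF -e "$2" -e ALL
}

# can_login FILE USER HOST: print ALLOW/DENY with a reason; exit 0 on ALLOW.
can_login() {
    file=$1; user=$2; host=$3
    system=$(user_attr "$file" "$user" SYSTEM)
    allowed=$(user_attr "$file" "$user" hostsallowedlogin)
    denied=$(user_attr "$file" "$user" hostsdeniedlogin)

    # SYSTEM=compat means local files (and NIS) only: a user that exists
    # only in AD never authenticates, which is the whole point of option 2.
    case "$system" in
        *LDAP*) ;;
        *) echo "DENY $user@$host: SYSTEM=${system:-unset} does not include LDAP"
           return 1 ;;
    esac
    # Assumption: if both lists are set and conflict, the deny list wins.
    if [ -n "$denied" ] && list_has "$denied" "$host"; then
        echo "DENY $user@$host: listed in hostsdeniedlogin=$denied"; return 1
    fi
    if [ -n "$allowed" ] && ! list_has "$allowed" "$host"; then
        echo "DENY $user@$host: not in hostsallowedlogin=$allowed"; return 1
    fi
    echo "ALLOW $user@$host: SYSTEM=$system registry=$(user_attr "$file" "$user" registry)"
}

# make_sample FILE: write a constructed stanza file for the demo.
make_sample() {
    cat > "$1" <<'EOF'
default:
        admin = false
        SYSTEM = "compat"
        registry = files

root:
        admin = true

jperez:
        SYSTEM = "LDAP"
        registry = LDAP
        hostsallowedlogin = db01,db02

mgarcia:
        SYSTEM = "LDAP"
        registry = LDAP
        hostsdeniedlogin = ALL
EOF
}

# Demo: jperez may log in on db01 only, mgarcia nowhere, and an AD user
# without a stanza (here "pending") inherits compat and is refused.
demo_file="${TMPDIR:-/tmp}/secuser.demo.$$"
make_sample "$demo_file"
for u in jperez mgarcia pending; do
    can_login "$demo_file" "$u" db01 || :
done
can_login "$demo_file" jperez web01 || :
rm -f "$demo_file"
```

The parser only reads the stanza file; on a real system the same decisions are also shaped by the registry of the user and by the LDAP client configuration, so treat the output as a review aid for the stanzas you are about to deploy, not as a substitute for testing a login.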