Hello everyone, I am having trouble with something, and I can't find the right answer online. At our company, we are using LDAP Authentication with Active Directory (Windows 2008 Servers) to have centralized management of AIX 7.1 users.
So far so good, but now we want to implement RBAC on AIX so we can grant privileged access to certain users (like DBAs or Sysadmins) without using su or having everyone use the root account. The problem I have is that when I want to assign a role to a user on a server, the chuser command fails, since it cannot find the user (it's in AD, and not defined locally). I use the following command to assign the role:
chuser roles=test_role test_user
Is there a way for me to tell the chuser command to get the user information from AD? Or can I manually define the roles for each user (maybe in the /etc/security/user.roles file)?
If that doesn't work I'm going to try defining groups in AD with the same GID as local groups, and handling everything via the sudoers file, but I would like to hear from your experiences.
Best Regards,
Juan
---------- Post updated 03-21-13 at 09:01 AM ---------- Previous update was 03-20-13 at 08:15 PM ----------
As a follow-up, I've manually edited the /etc/security/user.roles file, adding roles to my LDAP users (who don't exist locally in /etc/passwd), then ran setkst, and to my surprise, it works! When I log in with an LDAP user, I can see my assigned roles via rolelist and successfully apply them using swrole <role>.
Does anyone have any experience with this? I just want to know if anything can go wrong, since it feels a little bit dirty.
DO NOT DO THIS or pconsole will go nuts and start forking processes indefinitely. While this works and you can assign local roles to LDAP users, it's unstable, it will break pconsole, and it may invalidate your IBM support. If you do it, you are on your own.
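Given the workaround in the follow-up (roles hand-added to /etc/security/user.roles for users that exist only in LDAP) and the warning above that this destabilizes pconsole, the check a sysadmin would want is an audit that flags exactly those stanzas. The script below is an added example, not code from the original thread or from AIX; it parses the stanza layout of /etc/security/user.roles (assumed here to be "name:" headers followed by indented "roles = ..." attributes) against a passwd(5) file, and runs on constructed sample files so it can be tried offline.

```shell
#!/bin/sh
# Audit an AIX-style /etc/security/user.roles stanza file for users that
# carry a non-empty "roles" attribute but have no entry in /etc/passwd,
# i.e. accounts that are only resolvable through LDAP.
# Usage: audit_user_roles ROLES_FILE PASSWD_FILE
# Prints one "user:roles" line per offending stanza; exit status 1 if any.
audit_user_roles() {
    roles_file=$1
    passwd_file=$2
    awk -v passwd="$passwd_file" '
        BEGIN {
            # Load local account names (first field of passwd(5)).
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                local[f[1]] = 1
            }
            close(passwd)
        }
        /^[^ \t#][^:]*:[ \t]*$/ {
            # Stanza header: "name:" starting in column 0.
            stanza = $0; sub(/:.*$/, "", stanza); next
        }
        /^[ \t]+roles[ \t]*=/ {
            # "roles = ..." attribute inside the current stanza.
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val != "" && stanza != "default" && !(stanza in local)) {
                print stanza ":" val; found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$roles_file"
}

# Constructed sample files (not real system files) for a stand-alone run.
AUDIT_TMP=$(mktemp -d)
PASSWD_FILE="$AUDIT_TMP/passwd"
ROLES_FILE="$AUDIT_TMP/user.roles"
cat > "$PASSWD_FILE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
alice:!:201:1::/home/alice:/usr/bin/ksh
EOF
cat > "$ROLES_FILE" <<'EOF'
default:
        roles =

alice:
        roles = test_role

jperez:
        roles = test_role,SysAdmin
EOF
audit_user_roles "$ROLES_FILE" "$PASSWD_FILE" || :
```

Only jperez is reported: alice has a role but is a local account, and the default stanza is skipped. On a live system, run it against the real /etc/security/user.roles and /etc/passwd to find stanzas that only LDAP resolves.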