Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

how to set permissions of LDAP user (Active Directory) on AIX?

Status
Not open for further replies.
xia777

xia777

MIS
Mar 16, 2010
4
DE
Hello,

I've configured an user authentication against Active Directory (Windows Server 2008 R2) on AIX V6 with LDAP. It works fine.

And here's my question:

How can I control ldap user permissions on the local AIX machine?
E.g. an AD user should be able to write all files of local "sys" group on an AIX system.
(I'm not able to add a LDAP user to a local group)

There is the posibility to create an Active Directory group with UNIX attributes and set the GID with the same number as the local GID on the AIX system.
But:

1. I'm not sure if this is a good and practicable solution.
2. You cannot duplicate GIDs in Active Directory but I would need several groups with the same GID (e.g. an user should have different rights on different AIX machines)

Is there a good solution to control permissions of LDAP user?

Thank you for every advice!
 
Sort by date Sort by votes
I had run into the same problem - it's not immediately clear to me how to achieve this without a lot of fuss and complication.

Any thoughts appreciated.
 
Upvote 0 Downvote
I've solved one of my problems:
If I use Ad-Groups with the same GIDs of the local AIX groups, the LDAP users have the local group permissions on the AIX system.
But you cannot create Groups with the same GID on AD. So all users who are member in such a group would have access to all aixsystem which refer to this group.

Solution:
I've created the needed system groups in Active Directory, e.g. group "staff" with GID=1, "sys" with GID=3 ...
I've also created an AD group for each AIX system (e.g. "aixtest" with GID=100XX..)

In the ldap.cfg I've set the userbasedn to grant access only to the users who are members of the group "aixtest" by using a filter:

userbasedn:DC=my,DC=domain??(&(objectclass=user)(msSFU30PosixMemberOf=CN=aixtest,OU=AIX_machines,OU=Applications,OU=Groups,DC=my,DC=domain))
groupbasedn:cn=staff,....,dc=my,dc=domain
groupbasedn:cn=aixtest,..,dc=my,dc=domain

So only users who are members of the AD-Group "aixtest" can access to the system, not all users who are members of AD "staff" can login.

This configuration solves only the access control to the systems.
If an user has access to several Systems referring the same AD groups (staff, sys ...), he has the same rights on each machine.

Are there any additional ideas?
 
Upvote 0 Downvote
Hi

I recently integrated AIX to AD, albeit not quite as defined in terms of groups as you have done here.

I have AD groups with UNIX attributes and then use sudo on the AIX side to allow authorisations/permissions to run stuff.

HTH

Cheers. JP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

E
  • Question
AIX Power5 on 5.3- On varyonvg error "cannot be varied on because no good copies of the descriptor area"
Replies
0
Views
166
emze
E
A
  • Locked
  • Question
Adding Existing LUN to New LPAR AIX
Replies
0
Views
229
Alvinghost
A
E
  • Locked
  • Question
What are reservations and how do you set them?
Replies
0
Views
190
emze
E
sheilar32
  • Locked
  • Question
Migrating from AIX to anything else
Replies
0
Views
208
sheilar32
sheilar32
jkc2023
  • Locked
  • Question
AIX TL and SP upgrade
Replies
0
Views
249
jkc2023
jkc2023

Part and Inventory Search

Sponsor

Back
Top