
how to set permissions of LDAP user (Active Directory) on AIX?

Status
Not open for further replies.

xia777 (MIS), Mar 16, 2010, DE
Hello,

I've configured user authentication against Active Directory (Windows Server 2008 R2) on AIX V6 with LDAP. It works fine.

And here's my question:

How can I control LDAP user permissions on the local AIX machine?
E.g. an AD user should be able to write all files of the local "sys" group on an AIX system.
(I'm not able to add an LDAP user to a local group.)

There is the possibility to create an Active Directory group with UNIX attributes and set the GID to the same number as the local GID on the AIX system.
But:

1. I'm not sure if this is a good and practicable solution.
2. You cannot duplicate GIDs in Active Directory, but I would need several groups with the same GID (e.g. a user should have different rights on different AIX machines).

Is there a good solution to control the permissions of LDAP users?

Thank you for every advice!
 
I had run into the same problem - it's not immediately clear to me how to achieve this without a lot of fuss and complication.

Any thoughts appreciated.
 
I've solved one of my problems:
If I use AD groups with the same GIDs as the local AIX groups, the LDAP users have the local group permissions on the AIX system.
But you cannot create groups with the same GID in AD. So all users who are members of such a group would have access to all AIX systems which refer to this group.

Solution:
I've created the needed system groups in Active Directory, e.g. group "staff" with GID=1, "sys" with GID=3 ...
I've also created an AD group for each AIX system (e.g. "aixtest" with GID=100XX...).

In ldap.cfg I've set the userbasedn to grant access only to users who are members of the group "aixtest" by using a filter:

userbasedn:DC=my,DC=domain??(&(objectclass=user)(msSFU30PosixMemberOf=CN=aixtest,OU=AIX_machines,OU=Applications,OU=Groups,DC=my,DC=domain))
groupbasedn:cn=staff,....,dc=my,dc=domain
groupbasedn:cn=aixtest,..,dc=my,dc=domain

So only users who are members of the AD group "aixtest" can access the system; not all users who are members of the AD group "staff" can log in.

This configuration solves only the access control to the systems.
If a user has access to several systems referring to the same AD groups (staff, sys ...), he has the same rights on each machine.

Are there any additional ideas?
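The following is an added example, not code from the thread. It emulates the userbasedn filter from the post above against a constructed LDIF dump (invented users, hostnames and DNs; the base DN and OU path are copied from the post), so an admin can see which AD accounts a given AIX host's ldap.cfg would admit before editing the file. The two helper functions and the sample data are assumptions of this example; the only real attribute referenced is the SFU back-link msSFU30PosixMemberOf used in the post.

```shell
#!/bin/sh
# Added example: emulate the ldap.cfg userbasedn filter from the thread
# against a constructed LDIF dump. Nothing here talks to a directory.
# Assumed values (copied from the post where it gives them):
BASE_DN="DC=my,DC=domain"
GROUP_OU="OU=AIX_machines,OU=Applications,OU=Groups"

# Build the per-host userbasedn line: only AD users whose
# msSFU30PosixMemberOf back-link contains this host's group pass.
userbasedn_for_host() {
    host="$1"
    printf 'userbasedn:%s??(&(objectclass=user)(msSFU30PosixMemberOf=CN=%s,%s,%s))\n' \
        "$BASE_DN" "$host" "$GROUP_OU" "$BASE_DN"
}

# Constructed LDIF, shaped like an
#   ldapsearch ... sAMAccountName objectClass msSFU30PosixMemberOf
# dump would be. Invented accounts, not real directory data.
sample_ldif() {
    cat <<'EOF'
dn: CN=Alice,OU=Users,DC=my,DC=domain
objectClass: user
sAMAccountName: alice
msSFU30PosixMemberOf: CN=staff,OU=AIX_machines,OU=Applications,OU=Groups,DC=my,DC=domain
msSFU30PosixMemberOf: CN=aixtest,OU=AIX_machines,OU=Applications,OU=Groups,DC=my,DC=domain

dn: CN=Bob,OU=Users,DC=my,DC=domain
objectClass: user
sAMAccountName: bob
msSFU30PosixMemberOf: CN=staff,OU=AIX_machines,OU=Applications,OU=Groups,DC=my,DC=domain

dn: CN=Carol,OU=Users,DC=my,DC=domain
objectClass: user
sAMAccountName: carol
msSFU30PosixMemberOf: CN=aixprod,OU=AIX_machines,OU=Applications,OU=Groups,DC=my,DC=domain

dn: CN=Dave,OU=Users,DC=my,DC=domain
objectClass: user
sAMAccountName: dave
EOF
}

# Print the sAMAccountNames from LDIF on stdin that satisfy
# (&(objectclass=user)(msSFU30PosixMemberOf=<this host's group DN>)).
# Caveat: this compares DNs case-sensitively, whereas the directory's
# own DN matching is case-insensitive, so type the DN exactly as in AD.
admitted_users() {
    host="$1"
    want="CN=$host,$GROUP_OU,$BASE_DN"
    awk -v want="$want" '
        function flush() {
            if (isuser && member && name != "") print name
            isuser = 0; member = 0; name = ""
        }
        /^$/ { flush(); next }                               # record separator
        tolower($0) == "objectclass: user" { isuser = 1 }    # (objectclass=user)
        $1 == "sAMAccountName:" { name = $2 }
        $1 == "msSFU30PosixMemberOf:" && $2 == want { member = 1 }
        END { flush() }
    '
}

# Stand-alone run: who would the aixtest box admit? Expect only alice.
sample_ldif | admitted_users aixtest
```

Against a live domain, replace sample_ldif with the real ldapsearch output for the same three attributes and feed it to admitted_users "$(hostname)"; a user who is in "staff" but not in the host's own group (bob above) must not appear, which is exactly the restriction the filter is meant to enforce. Note that being in "staff" still gives every admitted user the same GID-based rights on every host, which is the remaining problem the post describes.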
 
Hi

I recently integrated AIX with AD, albeit not quite as defined in terms of groups as you have done here.

I have AD groups with UNIX attributes and then use sudo on the AIX side to allow authorisations/permissions to run stuff.

HTH

Cheers. JP
 