AIX Restrict Server Login via LDAP aixauxaccount objectClass and hostsallowedlogin Attribute

Monday, January 28, 2013

The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).

Client Server Setup

It is assumed the client server can already talk to the LDAP server.

The only necessary change on each client server is to uncomment the hostsdeniedlogin and hostsallowedlogin lines at the bottom of /etc/security/ldap/2307user.map so it looks like the following:

# Optional attributes to control whether user is allowed/denied
# log into the host systems. These two attributes are not
# defined in RFC 2307.
hostsdeniedlogin    SEC_LIST    hostsdeniedlogin    m   na
hostsallowedlogin   SEC_LIST    hostsallowedlogin   m   na

It may be necessary to restart the AIX LDAP client daemon (secldapclntd) by running restart-secldapclntd so the updated map is picked up.

LDAP Server Setup

On the LDAP server, add the aixauxaccount objectClass to the user entry, then add the hostsallowedlogin attribute to that entry.

The hostsallowedlogin attribute accepts host FQDNs and short names. Multiple hosts are separated by commas. The attribute also accepts network subnets.

hostsallowedlogin does not accept * as a wildcard. Leave hostsallowedlogin blank to allow login to every host.

There is also a hostsdeniedlogin attribute.
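The rules above (comma-separated FQDNs, short names or subnets; no * wildcard; blank means every host) are easy to get wrong when auditing a directory, so here is an added Python example, not part of the original post, that parses a small constructed LDIF export, flags users whose entries impose no host restriction, and evaluates whether a given host would match an entry's hostsallowedlogin value. It assumes subnets are written in CIDR notation and that a multi-valued attribute is equivalent to one comma-separated value; both are assumptions, not something the post states.

```python
import ipaddress

# Constructed sample export: alice is restricted, bob has no aixauxaccount/hostsallowedlogin.
CONSTRUCTED_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: aixauxaccount
uid: alice
hostsallowedlogin: app01.example.com,db02,10.20.30.0/24

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute name (lower-cased) -> list of values.
    Assumes plain 'attr: value' lines with no base64 (::) values or line continuations."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def host_allowed(allowed_value, fqdn, ip):
    """Apply the post's rules to one host: blank allows everything; otherwise a comma-separated
    item must equal the FQDN or short name, or (assumed CIDR syntax) contain the host's IP."""
    if not allowed_value or not allowed_value.strip():
        return True
    short_name = fqdn.split(".")[0].lower()
    addr = ipaddress.ip_address(ip)
    for item in (part.strip() for part in allowed_value.split(",")):
        if not item:
            continue
        if "/" in item:  # subnet entry (assumed CIDR notation)
            if addr in ipaddress.ip_network(item, strict=False):
                return True
        elif item.lower() in (fqdn.lower(), short_name):
            return True
        # A literal '*' is not a wildcard here; it simply never matches a real host name.
    return False


def unrestricted_users(entries):
    """uids whose entry lacks aixauxaccount or carries a blank/absent hostsallowedlogin,
    i.e. accounts that can log in to every LDAP-enabled AIX host."""
    result = []
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        joined = ",".join(entry.get("hostsallowedlogin", []))
        if "aixauxaccount" not in classes or not joined.strip():
            result.append(entry["uid"][0])
    return result
```

Run unrestricted_users(parse_ldif(CONSTRUCTED_LDIF)) against a real export to list accounts with no host restriction; host_allowed is the same check applied to one candidate host.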

Here are additional LDAP host access controls.
