Monday, January 28, 2013
The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).
It is assumed the client server can already talk to the LDAP server.
The only necessary change on each client server is to uncomment the hostsdeniedlogin and hostsallowedlogin lines at the bottom of /etc/security/ldap/2307user.map so it looks like the following:
# Optional attributes to control whether user is allowed/denied
# log into the host systems. These two attributes are not
# defined in RFC 2307.
hostsdeniedlogin    SEC_LIST    hostsdeniedlogin    m    na
hostsallowedlogin   SEC_LIST    hostsallowedlogin   m    na
It may be necessary to restart the LDAP service by running
On the LDAP server, add the aixauxaccount objectClass to the user entry then add the hostsallowedlogin attribute.
The hostsallowedlogin attribute accepts host FQDNs and short names. Multiple hosts are separated by commas. The hostsallowedlogin attribute also accepts network subnets.
hostsallowedlogin does not accept * as a wildcard. Leave hostsallowedlogin blank (unset) to allow the user to log in to every host.
There is also a hostsdeniedlogin attribute, which lists the hosts the user is not allowed to log in to.
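The server-side step above, written out as an LDIF modification; this is an added example and not from the original post. The user DNs, host names and the ldapmodify invocation in the comment are assumptions and should be replaced with your own values.

```ldif
# Added example (not from the original post). The DNs and host names
# below are assumed placeholder values.
# Apply with ldapmodify, e.g.:
#   ldapmodify -D "cn=Directory Manager" -W -h ldapserver -f restrict-hosts.ldif
# (exact options depend on which LDAP client tools are installed)

# User who may only log in to two specific AIX hosts: first add the
# aixauxaccount objectClass, then the hostsallowedlogin attribute.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: aixauxaccount
-
add: hostsallowedlogin
hostsallowedlogin: aixhost01.example.com,aixhost02
-

# User who may log in anywhere except one host, using hostsdeniedlogin.
dn: uid=asmith,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: aixauxaccount
-
add: hostsdeniedlogin
hostsdeniedlogin: aixhost03.example.com
-
```

On an AIX client, lsuser -R LDAP -a hostsallowedlogin hostsdeniedlogin jdoe shows whether the mapped attributes are being read from the directory.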
Here are additional LDAP host access controls.