Monday, January 28, 2013
It is possible to restrict AIX server login via LDAP by using the aixauxaccount objectClass and hostsallowedlogin attribute.
Each LDAP user that you want to restrict login access to should have the aixauxaccount objectClass so the hostsallowedlogin attribute becomes available to that LDAP user.
Take note, this solution does not scale well. If a new client sever comes online it will have to be added to every LDAP user needing access. This can of course be scripted, but a more scaleable solution is to use LDAP groups.
Nevertheless, continue reading for setup instructions
The following has been tested on Red Hat Directory Server 9 (389 Directory Server should also apply) and AIX 6.1 (later AIX releases should work as well).
It is assumed the client server can already talk to the LDAP server.
The only necessary change on each client server is to uncomment the hostsdeniedlogin and hostsallowedlogin lines at the bottom of /etc/security/ldap/2307user.map so it looks like the following:
# Optional attributes to control whether user is allowed/denied # log in to the host systems. These two attributes are not # defined in RFC 2307. hostsdeniedlogin SEC_LIST hostsdeniedlogin m na hostsallowedlogin SEC_LIST hostsallowedlogin m na
It may be necessary to restart the LDAP service by running
On the LDAP server, add the aixauxaccount objectClass to the user entry then add the hostsallowedlogin attribute.
The hostsallowedlogin attribute will accept host FQDNs and short names. Multiple hosts can be separated by a comma. In addition, the hostsallowedlogin attribute will accept network subnets.
hostsallowedlogin does not accept * as a wildcard. Leave hostsallowedlogin blank to allow access to everything.
There is also a hostsdeniedlogin attribute.
Here are additional LDAP host access controls.