Name service control file
The RBAC data can reside strictly in local files, strictly in LDAP, or can be merged from local files and LDAP by configuring a given database in the /etc/nscontrol.conf name service control file.
authorizations:
        secorder = LDAP,files
This example specifies that queries on authorizations should search in LDAP first and then in the local files if the authorization is not found in LDAP. The collection of authorizations available to the system is the merge of the authorizations provided by LDAP and those provided in the local files. The merge is not a simple combination of the values from the two domains, but rather a union of the values. For the configuration above, all LDAP authorizations are included and then only unique authorizations from local files are added to the result.
Modifications and deletions are attempted on the first domain listed and are only attempted on subsequent domains if the entity is not found in the first domain. In this case, LDAP is attempted first and local files are only attempted if the authorization is not found in LDAP. New entries are always created in the first domain listed in the secorder attribute. In the example above, a creation of a new authorization occurs in the LDAP database.
The secorder attribute can be set with the chsec command:
chsec -f /etc/nscontrol.conf -s authorizations -a secorder=LDAP,files
The configuration in the /etc/nscontrol.conf file controls both the library and command line interfaces. Applications can retrieve the current value of the secorder attribute for a database with the getsecorder interface. The value of the secorder attribute can be overridden for the process with the setsecorder interface.
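The lookup, merge and update rules described above can be modelled in a few lines. This is an added example, not IBM code; the authorization names, the contents of the two domains and the function names are constructed for illustration. It shows that a local definition sharing a name with an LDAP one is never served when secorder = LDAP,files.

```python
# Added illustration, not IBM code. Stanza text and authorization names are constructed.
SAMPLE_CONF = """\
authorizations:
        secorder = LDAP,files
"""
DOMAINS = {
    "LDAP":  {"example.backup": "LDAP definition", "example.audit": "LDAP definition"},
    "files": {"example.backup": "local definition", "example.print": "local definition"},
}

def parse_secorder(conf_text, database):
    """Return the ordered domain list from one stanza of nscontrol.conf-style text."""
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # assumption: '*' marks a comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1]
        elif current == database and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "secorder":
                return [d.strip() for d in value.split(",") if d.strip()]
    return []

def lookup(name, order, domains):
    """The first domain in secorder that defines the entry answers the query."""
    for domain in order:
        if name in domains[domain]:
            return domain, domains[domain][name]
    return None, None

def merged_view(order, domains):
    """Union: every entry of the first domain, then only names not already present."""
    view = {}
    for domain in order:
        for name, value in domains[domain].items():
            view.setdefault(name, (domain, value))
    return view

def write_target(name, order, domains, creating=False):
    """Creation goes to the first domain; changes and deletions go where the entry is found."""
    if creating:
        return order[0]
    return lookup(name, order, domains)[0]

if __name__ == "__main__":
    order = parse_secorder(SAMPLE_CONF, "authorizations")
    for name, (domain, value) in sorted(merged_view(order, DOMAINS).items()):
        print(f"{name:16} served from {domain:5} ({value})")
    print("new entries are created in:", write_target("example.new", order, DOMAINS, True))
```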