LDAP host access control

AIX® provides user-level host access (login) control for a system. Administrators can configure LDAP users to log in to an AIX system by setting their SYSTEM attribute to LDAP.

The SYSTEM attribute is in the /etc/security/user file. The chuser command can be used to set its value, similar to the following:

# chuser -R LDAP SYSTEM=LDAP registry=LDAP foo

Note: With this type of control, do not set the default SYSTEM attribute to LDAP, because that allows all LDAP users to log in to the system.

This sets the SYSTEM attribute to LDAP, which allows user foo to log in to this system. It also sets the registry to LDAP, so that the login process records foo's login activity in LDAP and user management tasks for foo are performed against LDAP.

The administrator needs to run such setup on each of the client systems to enable login by certain users.

AIX has a feature to limit an LDAP user to logging in only to certain LDAP client systems. This feature allows centralized host access control management. Administrators can specify two host access control lists for a user account: an allow list and a deny list. These two user attributes are stored in the LDAP server with the user account. A user is allowed access to systems or networks that are specified in the allow list and is denied access to systems or networks in the deny list. If a system is specified in both the allow list and the deny list, the user is denied access to the system. There are two ways to specify the access lists for a user: with the mkuser command when the user is created, or with the chuser command for an existing user. For backward compatibility, if neither the allow list nor the deny list exists for a user, the user is allowed to log in to any LDAP client system by default.

Examples of setting allow and deny permission lists for users are the following:

# mkuser -R LDAP hostsallowedlogin=host1,host2 foo

This creates a user foo, and user foo is only allowed to log in to host1 and host2.

# mkuser -R LDAP hostsdeniedlogin=host2 foo

This creates user foo, and user foo can log in to any LDAP client system except host2.

# chuser -R LDAP hostsallowedlogin=192.9.200.1 foo

This sets user foo with permission to log in to the client system at address 192.9.200.1.

# chuser -R LDAP hostsallowedlogin=192.9.200/24 hostsdeniedlogin=192.9.200.1 foo

This sets user foo with permission to log in to any client system within the 192.9.200/24 subnet, except the client system at address 192.9.200.1.

For more information, see the chuser command.