Provide steps to immediately disable a non-local user account if the AIX administrator does not have access to the external authentication application.
The following has been defined as default in /etc/security/user:
SYSTEM = "files OR (files[NOTFOUND] AND LDAP)"
This grammar means:
- Check local files (/etc/passwd and /etc/security/user) first.
- If this is not a local user, then use LDAP.
If you are unable to access the LDAP server immediately but need to disable a non-local LDAP user, you can block the login by creating a locked local entry for the same user name: because the SYSTEM grammar consults the local files first, that entry is matched before LDAP is ever queried.
This document describes the steps to manage an LDAP user, but similar steps would apply to other loadable authentication methods.
The following scenario describes how to lock the account of non-local user "ldaptest".
1) Check user info (the two grep commands return nothing because the user has no local entry yet):
# lsuser -R LDAP -f -a groups account_locked SYSTEM ldaptest;grep ldaptest /etc/security/user;grep ldaptest /etc/passwd
ldaptest:
groups=staff
account_locked=false
SYSTEM=LDAP
2) Test the login:
# login ldaptest
/home/ldaptest# (User logs in through LDAP authentication)
3) Create group for tracking (optional):
Create a group so you can easily list these users. The special group is not necessary, but it is a good way to provide local tracking if necessary.
# mkgroup suspendedLdap
4) Next, create the local user with a locked account:
# mkuser SYSTEM=files groups=suspendedLdap account_locked=true ldaptest
5) Check the user info, comparing the LDAP info and local info:
# lsuser -R LDAP -f -a groups account_locked SYSTEM ldaptest;lsuser -f -a groups account_locked SYSTEM ldaptest;grep ldaptest /etc/security/user;grep ldaptest /etc/passwd
ldaptest:
groups=staff
account_locked=false
SYSTEM=files
ldaptest:
groups=staff,suspendedLdap
account_locked=true
SYSTEM=files
ldaptest:
ldaptest:*:300:1::/home/ldaptest:/usr/bin/ksh
6) Check group members:
As mentioned in step 3, the special group is not necessary, but it is a good way to keep local tracking if needed.
# lsgroup suspendedLdap
suspendedLdap id=212 admin=false users=ldaptest registry=files
7) Test the login:
# login ldaptest
ldaptest's Password:
3004-301 Your account has been locked; please see the system administrator.
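The seven steps above combined into one script, as an added example that is not part of the IBM technote. It assumes it runs as root on an AIX host configured with the SYSTEM grammar shown at the top of the page, reuses the page's tracking group name suspendedLdap, and adds a hypothetical helper, stanza_is_locked_local, that parses the text `lsuser -f` prints so the verification in step 5 can be checked offline against constructed stanza text.

```shell
#!/bin/sh
# Added example, not from the IBM technote. Assumes root on AIX; the group
# name suspendedLdap comes from the page, everything else is an assumption.

TRACK_GROUP=suspendedLdap

# Hypothetical helper: given the text that "lsuser -f" prints for one user,
# return 0 only if the stanza shows the local lock the procedure expects,
# i.e. account_locked=true and SYSTEM=files. Attribute lines may be indented.
stanza_is_locked_local() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*account_locked=true[[:space:]]*$' &&
    printf '%s\n' "$1" | grep -q '^[[:space:]]*SYSTEM=files[[:space:]]*$'
}

# Return 0 if the user already has a local /etc/passwd entry. The anchor and
# trailing colon avoid the substring matches a bare "grep ldaptest" gives
# (it would also match a user named ldaptest2).
has_local_entry() {
    grep -q "^$1:" /etc/passwd
}

# Steps 3 to 6 of the technote: create the tracking group if needed, create
# the locked local user, then read the local stanza back and confirm it.
suspend_ldap_user() {
    user=$1
    if has_local_entry "$user"; then
        echo "$user already has a local entry; not overwriting it" >&2
        return 1
    fi
    # Step 3: tracking group (optional on the page, created here if missing).
    lsgroup "$TRACK_GROUP" >/dev/null 2>&1 || mkgroup "$TRACK_GROUP" || return 1
    # Step 4: the local stanza with SYSTEM=files is matched first by the
    # "files OR (files[NOTFOUND] AND LDAP)" grammar, so LDAP is never consulted
    # for this name and account_locked=true rejects the login.
    mkuser SYSTEM=files groups="$TRACK_GROUP" account_locked=true "$user" || return 1
    # Step 5: verify from the local registry, not from LDAP.
    stanza=$(lsuser -R files -f -a account_locked SYSTEM "$user") || return 1
    if stanza_is_locked_local "$stanza"; then
        echo "$user is now shadowed by a locked local account"
    else
        echo "local stanza for $user is not locked as expected:" >&2
        printf '%s\n' "$stanza" >&2
        return 1
    fi
}

# Only touch the system when a user name is given on the command line.
if [ $# -eq 1 ]; then
    suspend_ldap_user "$1"
fi
```

Run it as root with the user name as the single argument (for example `sh suspend_ldap_user.sh ldaptest`). The final `lsuser` read-back corresponds to step 5; the interactive login test of step 7 is still worth doing by hand. Once the account has been disabled at the LDAP server itself, removing the local entry with `rmuser` lets the files-first lookup fall through to LDAP again.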
SUPPORT
If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.
2. Capture any logs or data relevant to the situation.
3. Contact IBM to open a case:
- For electronic support, see the IBM Support Community:
https://www.ibm.com/mysupport
- If you require telephone support, see the web page:
https://www.ibm.com/planetwide/
4. Provide a clear, concise description of the issue.
- For guidance, see: Working with IBM AIX Support: Describing the problem.
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.
- For guidance, see: Working with IBM AIX Support: Collecting snap data