[Freeipa-users] Need help with Solaris Host Based access control
Dmitri Pal
dpal at redhat.com
Wed Nov 5 20:49:07 UTC 2008
Hello,
As a part of the IPA client configuration in IPA v1.x we allow
implementing host-based access control.
We provide the instructions on how to configure the client (actually PAM and
NSS) to allow or deny user access to a host based on the information in
the IPA back end.
An example of such instructions for Linux is:
You can configure Linux to allow or deny access to IPA resources and
services based on the configuration of the host from which access is
attempted. This requires modification to the /etc/security/access.conf
and /etc/pam.d/system-auth files, as described below.
1. Modify the /etc/security/access.conf file to include the
   following lines:

       + : root : ALL
       + : ipausers : ALL
       - : ALL : ALL

2. Modify the /etc/pam.d/system-auth file to include the following
   line:

       account required pam_access.so

This configuration specifies that:

* The root user can log in.
* All members of the ipausers group can log in.
* IPA administrators can not log in (because the admin account is
  not a member of the ipausers group).
=========
The instructions are based on the ability of the pam_access PAM module
to check the access control rules specified in access.conf.
The group information can be retrieved from the IPA server via nss_ldap.
We tried to find similar functionality on other OSes. We spotted PAM
modules on HP-UX and AIX that are responsible for similar
authorization checks.
But we are stuck with Solaris. All our investigations into similar
functionality in Solaris have borne no fruit. We saw pam_roles and
pam_unix_account on Solaris, but they do not seem to accomplish what we
are trying to do.
We are looking for some help and advice from Solaris experts on this
functionality.
Thank you,
Dmitri
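The three access.conf rules quoted above only work because pam_access evaluates rules top to bottom and the first match wins, and because an unmatched user is granted access by default (which is what the closing "- : ALL : ALL" line exists to prevent). The following is an added example, not code from the original post or from FreeIPA: a small Python evaluator of pam_access-style rules that parses that snippet and shows which of root, an ipausers member and admin would get in. The group table is a constructed stand-in for what nss_ldap would return from IPA; the users field handles login names, group names, ALL and EXCEPT (no @netgroups), and the origins field handles ALL, LOCAL and exact host names (no network/netmask forms). These are simplifications of the real module, made here so the example runs offline.

```python
"""Simplified evaluator for pam_access-style /etc/security/access.conf rules.

Added example, not from the original post or from FreeIPA. Assumptions:
  - users field: login names, group names, ALL, and the EXCEPT operator
    (@netgroups are not handled);
  - origins field: ALL, LOCAL (taken as "no '.' in the origin"), or an
    exact host name (no network/netmask forms);
  - group membership comes from a constructed dict standing in for nss_ldap.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed sample: exactly the three rules from the IPA client instructions.
ACCESS_CONF = """\
+ : root : ALL
+ : ipausers : ALL
- : ALL : ALL
"""

# Constructed group membership (stand-in for nss_ldap data from IPA).
# admin is a member of "admins" only, not of "ipausers".
GROUPS: Dict[str, Set[str]] = {
    "ipausers": {"alice", "bob"},
    "admins": {"admin"},
}


@dataclass
class Rule:
    permit: bool          # '+' -> True, '-' -> False
    users: List[str]      # tokens of the users field
    origins: List[str]    # tokens of the origins field


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def _match_list(tokens: List[str], match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c d' matches if any of a,b matches and none of c,d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return any(map(match, tokens[:i])) and not any(map(match, tokens[i + 1:]))
    return any(map(match, tokens))


def _user_token_matches(token: str, user: str, groups: Dict[str, Set[str]]) -> bool:
    # A token is tried as the literal login name first, then as a group name.
    return token == "ALL" or token == user or user in groups.get(token, set())


def _origin_token_matches(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":          # simplification: anything without a dot is local
        return "." not in origin
    return token == origin


def access_allowed(rules: List[Rule], user: str, origin: str,
                   groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """First matching rule decides. If nothing matches, pam_access grants
    access, which is why the instructions end with '- : ALL : ALL'."""
    for rule in rules:
        if (_match_list(rule.users, lambda t: _user_token_matches(t, user, groups))
                and _match_list(rule.origins, lambda t: _origin_token_matches(t, origin))):
            return rule.permit
    return True


def check(conf: str, user: str, origin: str = "ws1.example.com") -> bool:
    """Parse conf and decide access for user coming from origin."""
    return access_allowed(parse_access_conf(conf), user, origin)


if __name__ == "__main__":
    for u in ("root", "alice", "admin"):
        print(f"{u:6s} from ws1.example.com -> {'allow' if check(ACCESS_CONF, u) else 'deny'}")
    # Caveat: without the final deny-all rule, unmatched users such as admin get in.
    without_deny = "\n".join(ACCESS_CONF.splitlines()[:2])
    print("admin without '- : ALL : ALL' ->", "allow" if check(without_deny, "admin") else "deny")
```

The last two lines of the script show the check a practitioner should run after editing access.conf: remove the deny-all line and admin is allowed, because an unmatched user falls through to pam_access's default of permitting access. Rule order matters the same way; putting "- : ALL : ALL" first would lock everyone out, root included.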