You can use Oracle Authentication Services for Operating Systems to restrict which users can log into each host. For example, you can enforce rules like these:

- user1 can only log into hostA.
- user2 can only log into hostB.
- user3 can log into hostA, hostB, and hostC.
To enforce rules like these, you must perform configuration tasks on both the Oracle Internet Directory server and on every client host where you want to restrict access. The setup procedure on the Oracle Internet Directory server is the same regardless of the operating system. The setup instructions on the client host are operating system-specific.
Before you begin, ensure that Oracle Internet Directory is running and that Oracle Authentication Services for Operating Systems is working correctly. To configure the rules example at the beginning of this chapter, perform the following steps on the Oracle Internet Directory server:

1. Index the host attribute so that it is searchable, by using the catalog command. Type:

   catalog connect=connect string add=true attribute=host

2. Restart the Oracle Internet Directory server:

   $ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=OID

3. Modify the entry for user1, adding the host attribute with value hostA:

   $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
   dn: uid=User1,ou=people,dc=us,dc=example,dc=com
   changetype: modify
   add: host
   host: hostA
   E

4. Modify the entry for user2, adding the host attribute with value hostB:

   $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
   dn: uid=user2,ou=people,dc=us,dc=example,dc=com
   changetype: modify
   add: host
   host: hostB
   E

5. Modify the entry for user3, adding the host attribute with value ALL:

   $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
   dn: uid=user3,ou=people,dc=us,dc=example,dc=com
   changetype: modify
   add: host
   host: ALL
   E
To configure the rules example at the beginning of this chapter on Solaris 9 and 10 clients, perform the following steps.

1. On Solaris 9 clients, install operating system patch 112960-61 or later.

2. Configure SSL authentication between Oracle Internet Directory and the Solaris clients and verify that it is working correctly.

3. On each client, make a backup copy of sslConfig_OIDclient.sh.

4. On each client, open sslConfig_OIDclient.sh in an editor and locate the following section:

   /usr/sbin/ldapclient manual \
   -a defaultServerList=${oidServerHost} \
   -a defaultSearchBase=${realm} \
   -a authenticationMethod=none \
   -a credentialLevel=anonymous \
   -a serviceAuthenticationMethod=pam_ldap:tls:simple \
   -a serviceSearchDescriptor=passwd:ou=people,${realm}?one \
   -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
   -a serviceSearchDescriptor=group:ou=group,${realm}?one

   The file contains two ldapclient commands like this, one for Solaris 10 and the other for Solaris 9. Identify the instance that applies to your operating system version and edit that instance.

5. Make the following changes on hostA:

   /usr/sbin/ldapclient manual \
   -a defaultServerList=${oidServerHost} \
   -a defaultSearchBase=${realm} \
   -a authenticationMethod=none \
   -a credentialLevel=anonymous \
   -a serviceAuthenticationMethod=pam_ldap:tls:simple \
   -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL)) \
   -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
   -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
   -a serviceSearchDescriptor=group:ou=group,${realm}?one

6. Make the following changes on hostB:

   /usr/sbin/ldapclient manual \
   -a defaultServerList=${oidServerHost} \
   -a defaultSearchBase=${realm} \
   -a authenticationMethod=none \
   -a credentialLevel=anonymous \
   -a serviceAuthenticationMethod=pam_ldap:tls:simple \
   -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL)) \
   -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
   -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
   -a serviceSearchDescriptor=group:ou=group,${realm}?one

7. Make the following changes on hostC:

   /usr/sbin/ldapclient manual \
   -a defaultServerList=${oidServerHost} \
   -a defaultSearchBase=${realm} \
   -a authenticationMethod=none \
   -a credentialLevel=anonymous \
   -a serviceAuthenticationMethod=pam_ldap:tls:simple \
   -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL)) \
   -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
   -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
   -a serviceSearchDescriptor=group:ou=group,${realm}?one

8. Re-run sslConfig_OIDclient.sh on the client as root.

These changes to the ldapclient command restrict operating system login to those users who either have host=ALL or a host attribute value that matches the host name.
These procedures have been tested and certified with Red Hat Enterprise Linux 4.6 and 5.1, Oracle Enterprise Linux 5.0, and SuSE Linux Enterprise 9 and 10.

To configure the rules example at the beginning of this chapter on Linux clients, perform the following steps.

1. Configure SSL authentication between Oracle Internet Directory and the Linux clients and verify that it is working correctly.

2. On each client, make a backup copy of the file /etc/ldap.conf.

3. On each client, open /etc/ldap.conf in an editor and locate the pam_filter entry near the end of the file. It looks like this:

   pam_filter objectclass=posixaccount

4. On hostA, change the entry to this:

   pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostA))

5. On hostB, change the entry to this:

   pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostB))

6. On hostC, change the entry to this:

   pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostC))

The above pam_filter changes restrict operating system login to those users who either have host=ALL or a host attribute value that matches the host name.

Optionally, you can use additional attributes in the filter condition specified in pam_filter. For example, most operating system user entries have a gidnumber attribute indicating which operating system group the user is in. You can add gidnumber to pam_filter so that you can open operating system access to certain groups. For example, you can open access on hostC to all users in group 507 by specifying the following:

   pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostC)(gidnumber=507))
To configure the rules example at the beginning of this chapter on HP-UX clients, perform the following steps.

1. Configure SSL authentication between Oracle Internet Directory and the HP-UX clients and verify that it is working correctly.

2. Open sslConfig_OIDclient.sh in an editor and locate the following section:

   version: 1
   dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
   defaultserverlist: ${oidServerHost}:636
   authenticationmethod: tls:simple
   serviceauthenticationmethod: pam_ldap:tls:simple
   serviceauthenticationmethod: passwd-cmd:tls:simple
   cn: ldapuxprofile
   defaultsearchbase: ${realm}
   credentiallevel: anonymous
   servicesearchdescriptor: passwd:ou=people,${realm}?one
   servicesearchdescriptor: group:ou=group,${realm}?one
   objectclass: top
   objectclass: duaconfigprofile

3. On hostA, make the following changes, keeping the order of the lines in the file exactly as shown:

   version: 1
   dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
   defaultserverlist: ${oidServerHost}:636
   authenticationmethod: tls:simple
   serviceauthenticationmethod: pam_ldap:tls:simple
   serviceauthenticationmethod: passwd-cmd:tls:simple
   cn: ldapuxprofile
   defaultsearchbase: ${realm}
   credentiallevel: anonymous
   servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL))
   serviceSearchDescriptor: shadow:ou=people,${realm}?sub
   servicesearchdescriptor: group:ou=group,${realm}?one
   objectclass: top
   objectclass: duaconfigprofile

4. On hostB, make the following changes, keeping the order of the lines in the file exactly as shown:

   version: 1
   dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
   defaultserverlist: ${oidServerHost}:636
   authenticationmethod: tls:simple
   serviceauthenticationmethod: pam_ldap:tls:simple
   serviceauthenticationmethod: passwd-cmd:tls:simple
   cn: ldapuxprofile
   defaultsearchbase: ${realm}
   credentiallevel: anonymous
   servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL))
   serviceSearchDescriptor: shadow:ou=people,${realm}?sub
   servicesearchdescriptor: group:ou=group,${realm}?one
   objectclass: top
   objectclass: duaconfigprofile

5. On hostC, make the following changes, keeping the order of the lines in the file exactly as shown:

   version: 1
   dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
   defaultserverlist: ${oidServerHost}:636
   authenticationmethod: tls:simple
   serviceauthenticationmethod: pam_ldap:tls:simple
   serviceauthenticationmethod: passwd-cmd:tls:simple
   cn: ldapuxprofile
   defaultsearchbase: ${realm}
   credentiallevel: anonymous
   servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL))
   serviceSearchDescriptor: shadow:ou=people,${realm}?sub
   servicesearchdescriptor: group:ou=group,${realm}?one
   objectclass: top
   objectclass: duaconfigprofile

6. Re-run sslConfig_OIDclient.sh on the client as root.

These changes restrict operating system login to those users who either have host=ALL or a host attribute value that matches the particular host name.
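The restriction on all three platforms comes down to the same LDAP search filter: the Linux pam_filter form with an objectclass=posixaccount conjunction, and the Solaris and HP-UX serviceSearchDescriptor form without it. The following added example (written for this page, not Oracle's code) is a small evaluator for that filter syntax. It builds constructed directory entries modelling the result of the ldapmodify steps, plus two users the chapter does not have (user4 with no host attribute, and user5 with two host values, since host is multi-valued in the standard cosine schema), and shows which users each host's filter admits. Function names, the gidnumber values and the extra users are assumptions made for the example.

```python
# Added example (not Oracle's code): evaluate the LDAP filters this chapter
# places in pam_filter (Linux) and in the passwd serviceSearchDescriptor
# (Solaris ldapclient, HP-UX ldapux profile) against constructed user entries.

# Constructed entries modelling the result of the ldapmodify steps, plus two
# extra users not in the chapter: user4 has no host attribute at all, and
# user5 carries two host values (host is multi-valued, so one user can be
# granted several hosts without using ALL). gidnumber values are made up.
ENTRIES = {
    "user1": {"objectclass": ["top", "posixaccount"], "host": ["hostA"], "gidnumber": ["500"]},
    "user2": {"objectclass": ["top", "posixaccount"], "host": ["hostB"], "gidnumber": ["507"]},
    "user3": {"objectclass": ["top", "posixaccount"], "host": ["ALL"], "gidnumber": ["500"]},
    "user4": {"objectclass": ["top", "posixaccount"], "gidnumber": ["507"]},
    "user5": {"objectclass": ["top", "posixaccount"], "host": ["hostA", "hostC"], "gidnumber": ["500"]},
}


def parse_filter(text):
    """Parse the RFC 4515 subset used in this chapter: '&', '|', '!' and
    attribute=value assertions, with or without outer parentheses."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] == "(":
            pos += 1
            node = parse()
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % text)
            pos += 1
            return node
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            items = []
            while pos < len(text) and text[pos] == "(":
                items.append(parse())
            return (op, items)
        if text[pos] == "!":
            pos += 1
            return ("!", [parse()])
        end = pos
        while end < len(text) and text[end] != ")":
            end += 1
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("expected attribute=value at %d in %r" % (pos, text))
        pos = end
        return ("=", attr.strip().lower(), value.strip())

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node


def matches(node, entry):
    """True if the entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Equality holds if ANY value of a multi-valued attribute equals the
    # asserted value, compared case-insensitively as caseIgnoreMatch does;
    # an entry that lacks the attribute never matches.
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def pam_filter_for(hostname, extra=""):
    """The pam_filter value this chapter prescribes for one host; `extra`
    appends further alternatives to the OR, such as '(gidnumber=507)'."""
    return "&(objectclass=posixaccount)(|(host=ALL)(host=%s)%s)" % (hostname, extra)


def allowed_users(filter_text, entries=ENTRIES):
    """Sorted uids the filter admits, i.e. who may log into that host."""
    node = parse_filter(filter_text)
    return sorted(uid for uid, attrs in entries.items() if matches(node, attrs))


def login_matrix(hosts=("hostA", "hostB", "hostC")):
    """Per-host list of admitted users under the plain host filter."""
    return {h: allowed_users(pam_filter_for(h)) for h in hosts}


if __name__ == "__main__":
    for host, users in login_matrix().items():
        print("%s: %s" % (host, ", ".join(users)))
    # Widening hostC to gid 507 admits user2 and user4 although neither has
    # host=hostC; user4 has no host attribute at all, so the gidnumber
    # alternative removes the host check entirely for that group.
    print("hostC with gid 507:", ", ".join(allowed_users(pam_filter_for("hostC", "(gidnumber=507)"))))
    # The Solaris/HP-UX descriptor filter omits the objectclass test.
    print("Solaris hostA:", ", ".join(allowed_users("(|(host=hostA)(host=ALL))")))
```

The gidnumber case is the one to watch when extending the filter: because the extra term is an alternative inside the OR, every member of that group is admitted whether or not they carry a host value, so the host attribute stops governing access for that group on that host.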