7 Restricting User Logins

You can use Oracle Authentication Services for Operating Systems to restrict which users can log in to each host. For example, you can enforce rules like these: user1 can log in only to hostA, user2 can log in only to hostB, and user3 can log in to every host (hostA, hostB, and hostC).

To enforce rules like these, you must perform configuration tasks on both the Oracle Internet Directory server and every client host where you want to restrict access. The setup procedure on the Oracle Internet Directory server is the same regardless of the operating system; the setup on the client host is operating system-specific.

This chapter describes the Oracle Internet Directory server setup, followed by the client setup for Solaris 9 and 10, Linux, and HP-UX 11.23.

7.1 Oracle Internet Directory Server Setup

Before you begin, ensure that Oracle Internet Directory is running and that Oracle Authentication Services for Operating Systems is working correctly. To configure the rules example at the beginning of this chapter, perform the following steps:

  1. Index the host attribute so that it is searchable, by using the catalog command, replacing connect_string with the connect string for the Oracle Internet Directory database. Type:

    catalog connect=connect_string add=true attribute=host
    
  2. Restart the Oracle Internet Directory server:

    $ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=OID
    
  3. Modify the entry for user1, adding the host attribute with value hostA:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
    dn: uid=user1,ou=people,dc=us,dc=example,dc=com
    changetype: modify
    add: host
    host: hostA
    E
    
  4. Modify the entry for user2, adding the host attribute with value hostB:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
    dn: uid=user2,ou=people,dc=us,dc=example,dc=com
    changetype: modify
    add: host
    host: hostB
    E
    
  5. Modify the entry for user3, adding the host attribute with value ALL:

    $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
    dn: uid=user3,ou=people,dc=us,dc=example,dc=com
    changetype: modify
    add: host
    host: ALL
    E
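The three ldapmodify calls above load one host value per user. The following Python script is an added example, not part of this documentation and not Oracle's tooling: it generates the equivalent LDIF for a whole assignment table in one ldapmodify run, refuses host values that would later break or widen the clients' LDAP filters, and prints the ldapsearch queries you can use to confirm, per host, which users the corresponding client will accept. The assignment table, the user4 and user5 entries, the file name host_ldif.py, and the use of several host values per user (host is multi-valued in the standard cosine schema; confirm this against your directory's schema) are assumptions; the OID_host and OID_port placeholders are the chapter's own.

```python
"""Build the host-attribute LDIF for many users in one ldapmodify run.
Added example, not Oracle's tooling: the chapter loads one user per ldapmodify call with
'add: host'; this generates the same kind of records for a whole assignment table."""
import re
import sys

PEOPLE_BASE = "ou=people,dc=us,dc=example,dc=com"   # the chapter's example container

# Constructed assignment table: login name -> hosts the user may log in to. "ALL" is the
# chapter's wildcard. user4 (two named hosts) and user5 (empty list = revoke) are assumptions;
# several hosts per user rely on host being multi-valued, as it is in the cosine schema.
ASSIGNMENTS = {
    "user1": ["hostA"],
    "user2": ["hostB"],
    "user3": ["ALL"],
    "user4": ["hostA", "hostB"],
    "user5": [],
}

SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_host_value(value):
    """Host values are later pasted into each client's LDAP filter, so refuse anything that
    would need filter escaping: '(', ')', '*', a backslash or whitespace would turn into a
    broken or over-broad filter on the client instead of an error here."""
    return value == "ALL" or SAFE_HOST.match(value) is not None


def modify_record(uid, hosts):
    if not SAFE_UID.match(uid):
        raise ValueError("refusing uid %r (would need DN escaping)" % uid)
    bad = [h for h in hosts if not is_safe_host_value(h)]
    if bad:
        raise ValueError("refusing host values %r for %s" % (bad, uid))
    # 'replace' instead of the chapter's 'add': re-running after a change does not fail with
    # "attribute or value exists", and an empty host list removes the attribute, which denies
    # the user on every host because no client filter matches a missing attribute.
    lines = ["dn: uid=%s,%s" % (uid, PEOPLE_BASE), "changetype: modify", "replace: host"]
    lines += ["host: %s" % h for h in hosts]
    lines.append("-")                                   # RFC 2849 end-of-change marker
    return "\n".join(lines)


def build_ldif(assignments=ASSIGNMENTS):
    """One LDIF stream for a single ldapmodify invocation, records in stable (sorted) order."""
    return "\n\n".join(modify_record(u, h) for u, h in sorted(assignments.items())) + "\n"


def verify_commands(hosts, realm="dc=us,dc=example,dc=com"):
    """One ldapsearch per client host using the exact filter that client will use; the output
    should list exactly the users the host accepts. OID_host/OID_port are the chapter's placeholders."""
    return ["$ORACLE_HOME/bin/ldapsearch -h OID_host -p OID_port -D cn=orcladmin -q "
            "-b ou=people,%s -s one \"(|(host=%s)(host=ALL))\" uid host" % (realm, h)
            for h in hosts]


if __name__ == "__main__":
    # Pipe the LDIF into the chapter's ldapmodify command (assumed file name host_ldif.py):
    #   python3 host_ldif.py | $ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port
    print(build_ldif(), end="")
    for command in verify_commands(["hostA", "hostB", "hostC"]):
        print("verify:", command, file=sys.stderr)
```

Unlike the chapter's add: host, replace: host overwrites whatever host values an entry already has, so review the assignment table before running the output against existing entries.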
    

7.2 Solaris 9 and 10 Client Setup

To configure the rules example at the beginning of this chapter on Solaris 9 and 10 clients, perform the following steps.

  1. On Solaris 9 clients, install operating system patch 112960-61 or later.

  2. Configure SSL authentication between Oracle Internet Directory and the Solaris clients and verify that it is working correctly.

  3. On each client, make a backup copy of sslConfig_OIDclient.sh.

  4. On each client, open sslConfig_OIDclient.sh in an editor and locate the following section:

    /usr/sbin/ldapclient manual \
     -a defaultServerList=${oidServerHost} \
     -a defaultSearchBase=${realm} \
     -a authenticationMethod=none \
     -a credentialLevel=anonymous \
     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
     -a serviceSearchDescriptor=passwd:ou=people,${realm}?one \
     -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
     -a serviceSearchDescriptor=group:ou=group,${realm}?one
    

    The script contains two ldapclient commands like this, one for Solaris 10 and one for Solaris 9. Identify the instance for your operating system version and edit that one.

  5. Make the following changes on hostA:

    /usr/sbin/ldapclient manual \
     -a defaultServerList=${oidServerHost} \
     -a defaultSearchBase=${realm} \
     -a authenticationMethod=none \
     -a credentialLevel=anonymous \
     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
     -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL)) \
     -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
     -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
     -a serviceSearchDescriptor=group:ou=group,${realm}?one
    
  6. Make the following changes on hostB:

    /usr/sbin/ldapclient manual \
     -a defaultServerList=${oidServerHost} \
     -a defaultSearchBase=${realm} \
     -a authenticationMethod=none \
     -a credentialLevel=anonymous \
     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
     -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL)) \
     -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
     -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
     -a serviceSearchDescriptor=group:ou=group,${realm}?one
    
  7. Make the following changes on hostC:

    /usr/sbin/ldapclient manual \
     -a defaultServerList=${oidServerHost} \
     -a defaultSearchBase=${realm} \
     -a authenticationMethod=none \
     -a credentialLevel=anonymous \
     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
     -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL)) \
     -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
     -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
     -a serviceSearchDescriptor=group:ou=group,${realm}?one
    
  8. Re-run sslConfig_OIDclient.sh on the client as root.

These changes to the ldapclient command restrict operating system login to users whose host attribute is either ALL or matches the name of the host. Because the filter is attached to the passwd service search descriptor, a user who does not match is not merely refused at login: that user is not returned by the client's passwd lookups at all.

7.3 Linux Client Setup

These procedures have been tested and certified with Red Hat Enterprise Linux 4.6 and 5.1, Oracle Enterprise Linux 5.0, and SuSE Linux Enterprise 9 and 10.

To configure the rules example at the beginning of this chapter, perform the following steps.

  1. Configure SSL authentication between Oracle Internet Directory and the Linux clients and verify that it is working correctly.

  2. On each client, make a copy of the file /etc/ldap.conf.

  3. On each client, open /etc/ldap.conf in an editor and locate the pam_filter entry near the end of the file. It looks like this:

    pam_filter objectclass=posixaccount
    
  4. On hostA, change the entry to this:

    pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostA))
    
  5. On hostB, change the entry to this:

    pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostB))
    
  6. On hostC, change the entry to this:

    pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostC))
    

The pam_filter changes above restrict operating system login to users whose host attribute is either ALL or matches the host name. pam_filter applies only to PAM authentication: name service lookups through nss_ldap are not filtered by it, so a user who is excluded on a host is still resolvable there (for example, by getent passwd) but cannot log in.

Optionally, you can use additional attributes in the filter condition specified in pam_filter. For example, most operating system user entries have a gidnumber attribute indicating the user's primary operating system group, and you can add gidnumber to pam_filter to open access to a whole group. The following filter on hostC admits users whose host attribute is ALL or hostC, and also every user whose gidnumber is 507 regardless of that user's host attribute; the gidnumber test is an alternative within the OR, not an additional condition:

    pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostC)(gidnumber=507))

7.4 HP-UX 11.23 Client Setup

To configure the rules example at the beginning of this chapter, perform the following steps.

  1. Configure SSL authentication between Oracle Internet Directory and the HP-UX clients and verify that it is working correctly.

  2. Open sslConfig_OIDclient.sh in an editor and locate the following section:

    version: 1
    dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
    defaultserverlist: ${oidServerHost}:636
    authenticationmethod: tls:simple
    serviceauthenticationmethod: pam_ldap:tls:simple
    serviceauthenticationmethod: passwd-cmd:tls:simple
    cn: ldapuxprofile
    defaultsearchbase: ${realm}
    credentiallevel: anonymous
    servicesearchdescriptor: passwd:ou=people,${realm}?one
    servicesearchdescriptor: group:ou=group,${realm}?one
    objectclass: top
    objectclass: duaconfigprofile
    
  3. On hostA, make the following changes, keeping the order of the lines in the file exactly as shown:

    version: 1
    dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
    defaultserverlist: ${oidServerHost}:636
    authenticationmethod: tls:simple
    serviceauthenticationmethod: pam_ldap:tls:simple
    serviceauthenticationmethod: passwd-cmd:tls:simple
    cn: ldapuxprofile
    defaultsearchbase: ${realm}
    credentiallevel: anonymous
    servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL))
    servicesearchdescriptor: shadow:ou=people,${realm}?sub
    servicesearchdescriptor: group:ou=group,${realm}?one
    objectclass: top
    objectclass: duaconfigprofile
    
  4. On hostB, make the following changes, keeping the order of the lines in the file exactly as shown:

    version: 1
    dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
    defaultserverlist: ${oidServerHost}:636
    authenticationmethod: tls:simple
    serviceauthenticationmethod: pam_ldap:tls:simple
    serviceauthenticationmethod: passwd-cmd:tls:simple
    cn: ldapuxprofile
    defaultsearchbase: ${realm}
    credentiallevel: anonymous
    servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL))
    servicesearchdescriptor: shadow:ou=people,${realm}?sub
    servicesearchdescriptor: group:ou=group,${realm}?one
    objectclass: top
    objectclass: duaconfigprofile
    
  5. On hostC, make the following changes, keeping the order of the lines in the file exactly as shown:

    version: 1
    dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
    defaultserverlist: ${oidServerHost}:636
    authenticationmethod: tls:simple
    serviceauthenticationmethod: pam_ldap:tls:simple
    serviceauthenticationmethod: passwd-cmd:tls:simple
    cn: ldapuxprofile
    defaultsearchbase: ${realm}
    credentiallevel: anonymous
    servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL))
    servicesearchdescriptor: shadow:ou=people,${realm}?sub
    servicesearchdescriptor: group:ou=group,${realm}?one
    objectclass: top
    objectclass: duaconfigprofile
    
  6. Re-run sslConfig_OIDclient.sh on the client as root.

These changes restrict operating system login to those users who either have host=ALL or the host attribute value matching the particular host name.
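The Solaris, Linux and HP-UX sections all rely on the same LDAP filter term, (|(host=<hostname>)(host=ALL)), and the Linux section extends it with gidnumber. The following Python program is an added example, not part of this documentation and not Oracle's code: a minimal evaluator for the AND, OR, NOT, equality and presence operators these filters use, run against constructed entries modelled on user1, user2 and user3 plus two cases the chapter does not show, an entry with no host attribute and an entry allowed on two named hosts. It reproduces the pam_filter line from the Linux section exactly and combines it with the login-name match the way pam_ldap does, so the resulting access matrix, including how (gidnumber=507) widens access, can be checked before any client is touched. Case-insensitive equality, the multi-valued host attribute and the sample entries are assumptions.

```python
"""Evaluate the chapter's per-host login filters against sample directory entries.
Added example (not part of the Oracle documentation or its tools): a small LDAP filter
evaluator covering only the operators these filters use (&, |, !, equality, presence)."""

# Constructed entries modelled on the chapter's user1/user2/user3, plus two cases the
# chapter does not show: an entry with no host attribute and one allowed on two hosts
# (host is multi-valued in the standard cosine schema; check your directory's schema).
ENTRIES = [
    {"uid": ["user1"], "objectclass": ["posixAccount"], "gidnumber": ["500"], "host": ["hostA"]},
    {"uid": ["user2"], "objectclass": ["posixAccount"], "gidnumber": ["500"], "host": ["hostB"]},
    {"uid": ["user3"], "objectclass": ["posixAccount"], "gidnumber": ["500"], "host": ["ALL"]},
    {"uid": ["user4"], "objectclass": ["posixAccount"], "gidnumber": ["507"]},  # no host attribute
    {"uid": ["user5"], "objectclass": ["posixAccount"], "gidnumber": ["507"], "host": ["hostA", "hostB"]},
]
HOSTS = ["hostA", "hostB", "hostC"]


def parse_filter(text, pos=0):
    """Recursive-descent parser for a parenthesised RFC 4515 filter; returns (node, next_pos).
    Substring filters such as (host=host*) are not supported; only a bare '*' (presence) is."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, text))
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unclosed %s at %d in %r" % (op, pos, text))
        return (op, children), pos + 1
    if text[pos] == "!":
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unclosed ! at %d in %r" % (pos, text))
        return ("!", [child]), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % text[pos:end])
    return ("=", attr.strip().lower(), value), end + 1


def matches(node, entry):
    """True if the entry satisfies the filter. Equality is compared case-insensitively, which is
    what the directory does for objectClass and (assumed, per the cosine schema) for host;
    gidnumber compares as a string, which is enough for the integer values used here."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def host_term(host, gids=()):
    """The OR term the chapter puts in every client filter: the ALL wildcard, this host, and
    optionally whole groups (the gidnumber extension from the Linux section)."""
    return "(|(host=ALL)(host=%s)%s)" % (host, "".join("(gidnumber=%s)" % g for g in gids))


def pam_filter(host, gids=()):
    """The Linux pam_filter value: no outer parentheses, because pam_ldap adds them itself."""
    return "&(objectclass=posixaccount)" + host_term(host, gids)


def lookup_filter(uid, host, gids=()):
    """What reaches the directory: pam_ldap ANDs pam_filter, in its own parentheses, with the
    login-name match. The Solaris/HP-UX passwd descriptors yield an equivalent restriction."""
    return "(&(%s)(uid=%s))" % (pam_filter(host, gids), uid)


def can_log_in(entry, host, gids=()):
    text = lookup_filter(entry["uid"][0], host, gids)
    node, end = parse_filter(text)
    if end != len(text):
        raise ValueError("trailing text in filter %r" % text)
    return matches(node, entry)


def access_matrix(entries=ENTRIES, hosts=HOSTS, gids=()):
    """uid -> {host: allowed}: the table to review before rolling the client filters out."""
    return {e["uid"][0]: {h: can_log_in(e, h, gids) for h in hosts} for e in entries}


if __name__ == "__main__":
    for uid, row in access_matrix().items():
        print(uid, " ".join("%s=%s" % (h, "yes" if ok else "no") for h, ok in row.items()))
    widened = access_matrix(gids=("507",))
    print("hostC with (gidnumber=507):", {u: r["hostC"] for u, r in widened.items()})
```

Running it prints one row per user. The rows worth studying are user4, which no host accepts until the gidnumber term is added, and user5, which two named host values admit on hostA and hostB without the ALL wildcard.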