The Proxy User Object is manipulated using the proxyuser subcommand of ssadm edit. proxyuser takes one of the following commands:

add "name" item... -- creates or overwrites an object; takes a complete (perhaps initial, in the case of GROUP) description of the object, beginning with its name, followed by desired items, as defined above.

delete "name" -- deletes a named object.

addmember "grpname" "memname" -- adds a member to an existing GROUP object; duplicate addmember operations are ignored.

deletemember "grpname" "memname" -- deletes a member from an existing GROUP object; attempting to remove an unknown member is ignored.

print[,sortopt] ["name"] -- displays one or more objects; if an object name is given, only that object's definition is displayed; otherwise, all Proxy User objects are displayed. sortopt can be:
    asc     ascending order by name (case-sensitive)
    desc    descending order by name (case-sensitive)
    iasc    ascending order by name (case-insensitive)
    idesc   descending order by name (case-insensitive)
    raw     order stored in database
    The default is asc.

names[,sortopt] -- displays the names of all objects. sortopt can be:
    asc     ascending order by name (case-sensitive)
    desc    descending order by name (case-sensitive)
    iasc    ascending order by name (case-insensitive)
    idesc   descending order by name (case-insensitive)
    raw     order stored in database
    The default is asc.

The following is an example of what you type to display existing Proxy User objects, while logged into the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> proxyuser print jdh
    "jdh" ENABLED SIMPLE AUTH_USER_NAME="jeff.hogg" BACKEND_USER_NAME="jeffh" DESCRIPTION="Jeff Hogg as self on Solaris"
    edit> proxyuser print proxyusers
    "proxyusers" ENABLED GROUP MEMBER_NAME="radius" MEMBER_NAME="jdh" DESCRIPTION="users allowed through FTP and telnet proxies"
The following is an example of what you type to create the above SIMPLE Proxy User object, while logged into the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> proxyuser add jdh auth_user_name=jeff.hogg backend_user_name=jeffh description="Jeff Hogg as self on Solaris"
    edit> quit
The following is an example of what you type to create the above GROUP Proxy User object, while logged into the primary Screen. First, create the initial group with no members:
    admin% ssadm -r primary edit Initial
    edit> proxyuser add proxyusers group description="users allowed through FTP and telnet proxies"
The empty group creation above demonstrates a case where the GROUP type cannot be deduced from the other tags, since description= is a tag common to all Proxy User object types.
Next is an example of what you type to add the members of the example GROUP:
    edit> proxyuser addmember proxyusers radius
    edit> proxyuser addmember proxyusers jdh
Member names are stored in the order in which you add them to GROUP objects. The order is unimportant to authentication processing. This example also uses a SPECIAL object radius that is defined during initial installation.
It is not necessary to type save before quit above if only authuser, proxyuser, logmacro, or vars entities have been altered.
If you attempt to save without changing entities other than these types, you are reminded by a message:
    edit> save
    lock not held failed (status 244)
This is a non-fatal message in this situation; you can simply quit the configuration editor at this point.
See Chapter 3, "Administration Graphical User Interface Reference" for more information regarding which common objects do not require the use of save.
Once changes have been made to Proxy User objects, the system configuration must be (re)activated to install the new objects and to propagate these changes to secondary Screens.
In each of the above add operations, the enablement items have been allowed to default to enabled.
The following is an example of what you type to remove a member reference from a GROUP Proxy User object, while logged into the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> proxyuser deletemember proxyusers radius
    edit> proxyuser print proxyusers
    "proxyusers" ENABLED GROUP MEMBER_NAME="jdh" DESCRIPTION="users allowed through FTP and telnet proxies"
The following is an example of what you type to display all Proxy User objects, while logged into the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> proxyuser print
    "admin" ENABLED SIMPLE AUTH_USER_NAME="admin" DESCRIPTION="initial SunScreen administrator"
    "admin-group" ENABLED GROUP MEMBER_NAME="admin" DESCRIPTION="SunScreen administrators"
    "anonymous" ENABLED SIMPLE BACKEND_USER_NAME="anonymous" DESCRIPTION="unauthenticated user, for anonymous FTP, etc."
    "ftp" ENABLED SIMPLE BACKEND_USER_NAME="anonymous" DESCRIPTION="unauthenticated user, for anonymous FTP, etc."
    "jdh" ENABLED SIMPLE AUTH_USER_NAME="jeff.hogg" BACKEND_USER_NAME="jeffh" DESCRIPTION="Jeff Hogg as self on Solaris"
    "proxyusers" ENABLED GROUP MEMBER_NAME="radius" MEMBER_NAME="jdh" DESCRIPTION="users allowed through FTP and telnet proxies"
    "radius" ENABLED SIMPLE RADIUS DESCRIPTION="default, external, non-specific RADIUS proxy_user"
    "securid" ENABLED SIMPLE SECURID DESCRIPTION="default, external, non-specific SecurID proxy_user"
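For reviewing who a GROUP actually admits through the proxies, the print listing can be parsed and each member checked against the defined objects. The script below is an added example, not part of SunScreen or of the original documentation; it assumes the listing has been captured with one object per line, and its classification of the authentication source (AUTH_USER_NAME, or a bare keyword such as RADIUS) is an assumption read off the listing above.

```python
import re

# Lines in the format of the "proxyuser print" listing above (a subset of it).
# The "ghost" member is constructed here to show a dangling reference.
SAMPLE = '''\
"admin" ENABLED SIMPLE AUTH_USER_NAME="admin" DESCRIPTION="initial SunScreen administrator"
"admin-group" ENABLED GROUP MEMBER_NAME="admin" DESCRIPTION="SunScreen administrators"
"anonymous" ENABLED SIMPLE BACKEND_USER_NAME="anonymous" DESCRIPTION="unauthenticated user, for anonymous FTP, etc."
"jdh" ENABLED SIMPLE AUTH_USER_NAME="jeff.hogg" BACKEND_USER_NAME="jeffh" DESCRIPTION="Jeff Hogg as self on Solaris"
"proxyusers" ENABLED GROUP MEMBER_NAME="radius" MEMBER_NAME="jdh" MEMBER_NAME="ghost" DESCRIPTION="users allowed through FTP and telnet proxies"
"radius" ENABLED SIMPLE RADIUS DESCRIPTION="default, external, non-specific RADIUS proxy_user"
'''

TOKEN = re.compile(r'([A-Z_]+)(?:="([^"]*)")?')   # bare keyword or KEY="value"
STRUCTURAL = {"ENABLED", "SIMPLE", "GROUP"}

def parse_print(text):
    """Map object name -> bare keywords, MEMBER_NAME list and KEY="value" items."""
    objs = {}
    for line in text.splitlines():
        m = re.match(r'\s*"([^"]+)"\s+(.*)', line)
        if not m:
            continue  # prompt lines and blanks
        obj = {"flags": [], "members": [], "attrs": {}}
        for tok in TOKEN.finditer(m.group(2)):
            key, val = tok.groups()
            if val is None:
                obj["flags"].append(key)
            elif key == "MEMBER_NAME":
                obj["members"].append(val)
            else:
                obj["attrs"][key] = val
        objs[m.group(1)] = obj
    return objs

def auth_source(obj):
    """Assumed reading of the listing: AUTH_USER_NAME, else a bare keyword."""
    special = [f for f in obj["flags"] if f not in STRUCTURAL]
    if "ENABLED" not in obj["flags"]:
        return "not enabled"
    if "AUTH_USER_NAME" in obj["attrs"]:
        return "auth user " + obj["attrs"]["AUTH_USER_NAME"]
    return "external " + "/".join(special) if special else "no authenticator reference"

def audit_group(objs, group):
    """Per member, in stored order: its authentication source or a dangling mark."""
    return [(m, auth_source(objs[m]) if m in objs else "dangling reference")
            for m in objs[group]["members"]]

def no_auth_reference(objs):
    """SIMPLE objects that name neither an auth user nor an external keyword."""
    return [n for n, o in objs.items()
            if "SIMPLE" in o["flags"] and auth_source(o) == "no authenticator reference"]
```

Running audit_group on a group before and after a deletemember or delete operation shows whether any member name still points at an object that no longer exists.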
The following is an example of what you type to display the names of all Proxy User objects, while logged into the primary Screen:
    admin% ssadm -r primary edit Initial
    edit> proxyuser names,raw
    "admin" "admin-group" "anonymous" "ftp" "radius" "securid" "jdh" "proxyusers"