[Freeipa-users] Need help with Solaris Host Based access control

Dmitri Pal dpal at redhat.com
Wed Nov 5 20:49:07 UTC 2008


Hello,

As a part of the IPA client configuration in IPA v1.x we allow 
implementing host-based access control.
We provide the instructions on how to configure the client (actually PAM and 
NSS) to allow or deny user access to a host based on the information in 
the IPA back end.

An example of such instructions, for Linux, is:

You can configure Linux to allow or deny access to IPA resources and 
services based on the configuration of the host from which access is 
attempted. This requires modification to the /etc/security/access.conf 
and /etc/pam.d/system-auth files, as described below.

   1. Modify the /etc/security/access.conf file to include the
      following lines:

      + : root : ALL
      + : ipausers : ALL
      - : ALL : ALL

   2. Modify the /etc/pam.d/system-auth file to include the following
      line:

      account required pam_access.so

This configuration specifies that:

    * The root user can log in.

    * All members of the ipausers group can log in.

    * IPA administrators cannot log in (because the admin account is
      not a member of the ipausers group).


=========

The instructions are based on the ability of the pam_access PAM module 
to check the access control rules specified in the access.conf.
The group information can be retrieved from the IPA server via nss_ldap.

We tried to find similar functionality on other OS's. We spotted PAM 
modules on HP-UX and AIX that are responsible for the similar 
authorization checks.

But we are stuck with Solaris. All our investigations about similar 
functionality in Solaris have borne no fruit.  We saw pam_roles and 
pam_unix_account on Solaris but they do not seem to accomplish what we 
are trying to do.

We are looking for some help and advice from Solaris experts on this 
functionality.

Thank you,
Dmitri
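The following is an added example, not code from the post, from FreeIPA or from Linux-PAM: a small simulator of how pam_access evaluates the access.conf ruleset quoted above, useful for checking what a ruleset permits before rolling it out to clients. It models only the subset of the pam_access(8) syntax the instructions use (first matching "permission : users : origins" line wins, user tokens that are a login name, a group name, a group name in parentheses, or ALL; origin tokens of ALL or an exact string) and leaves out EXCEPT, LOCAL, network masks and tty matching. The group membership table standing in for what nss_ldap would return from the IPA server, and the account names in it, are assumptions constructed for the example.

```python
"""Simulate pam_access evaluation of an access.conf ruleset (added example,
not code from FreeIPA or Linux-PAM).

Models the subset used in the post: "permission : users : origins" lines,
first match wins, user tokens may be a login name, a group name, a group
name in parentheses, or ALL; origin tokens are ALL or an exact origin
string.  EXCEPT, LOCAL, netmasks and tty matching are deliberately left out.
"""

# Constructed stand-in for the group membership nss_ldap would return from
# the IPA server; these accounts and groups are assumptions for the example.
GROUPS = {
    "ipausers": {"alice", "bob"},
    "admins": {"admin"},
}

# The ruleset from the Linux instructions in the post.
ACCESS_CONF = """
# Allow root and IPA users from anywhere, deny everyone else.
+ : root : ALL
+ : ipausers : ALL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return a list of (allow, user_tokens, origin_tokens) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        perm, users, origins = fields
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def user_token_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        # Parenthesised token: group name only, never a login name.
        return user in groups.get(token[1:-1], set())
    # Bare token: try it as a login name, then as a group name.
    return token == user or user in groups.get(token, set())


def origin_token_matches(token, origin):
    return token == "ALL" or token == origin


def check_access(rules, user, origin, groups=GROUPS):
    """First matching rule decides. Like pam_access, no match means allow,
    which is why the trailing '- : ALL : ALL' line matters."""
    for index, (allow, user_tokens, origin_tokens) in enumerate(rules):
        if any(user_token_matches(t, user, groups) for t in user_tokens) and \
           any(origin_token_matches(t, origin) for t in origin_tokens):
            return allow, index
    return True, None


RULES = parse_access_conf(ACCESS_CONF)


def explain(user, origin="ipa-client.example.com", rules=RULES):
    """Human-readable verdict for one login attempt."""
    allowed, index = check_access(rules, user, origin)
    via = f"rule {index + 1}" if index is not None else "default (no rule matched)"
    return f"{user}@{origin}: {'allow' if allowed else 'deny'} via {via}"


if __name__ == "__main__":
    for name in ("root", "alice", "admin", "nobody"):
        print(explain(name))
```

Running it shows root and alice admitted by rules 1 and 2 and admin and nobody refused by rule 3, matching the post's summary. Two points worth checking against a real deployment: pam_access grants access when no line matches, so dropping the final deny line silently opens the host; and a bare token such as ipausers is tried as a login name before a group name, so the parenthesised form (ipausers) is the unambiguous way to mean the group.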
