Oracle® Fusion Middleware Administrator's Guide for Oracle Authentication Services for Operating Systems 11g Release 1 (11.1.1), Part Number E16454-02
You can use Oracle Authentication Services for Operating Systems to restrict which users can log into each host. For example, you can enforce rules like these:
user1 can only log into hostA.
user2 can only log into hostB.
user3 can log into hostA, hostB, and hostC.
To enforce rules like these, you must perform configuration tasks on both the Oracle Internet Directory server and on every client host where you want to restrict access. The setup procedure on the Oracle Internet Directory server is the same regardless of the operating system. The setup instructions on the client host are operating system-specific.
This chapter includes the following topics:
Before you begin, ensure that Oracle Internet Directory is running and that Oracle Authentication Services for Operating Systems is working correctly. To configure the rules example at the beginning of this chapter, perform the following steps:
Index the host attribute so that it is searchable, by using the catalog command. Type:
catalog connect=connect string add=true attribute=host
Restart the Oracle Internet Directory server:
$ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=OID
Modify the entry for user1, adding the host attribute with value hostA:
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
dn: uid=user1,ou=people,dc=us,dc=example,dc=com
changetype: modify
add: host
host: hostA
E
Modify the entry for user2, adding the host attribute with value hostB:
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
dn: uid=user2,ou=people,dc=us,dc=example,dc=com
changetype: modify
add: host
host: hostB
E
Modify the entry for user3, adding the host attribute with value ALL:
$ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -q -h OID_host -p OID_port <<E
dn: uid=user3,ou=people,dc=us,dc=example,dc=com
changetype: modify
add: host
host: ALL
E
To configure the rules example at the beginning of this chapter on Solaris 9 and 10 clients, perform the following steps.
On Solaris 9 clients, install operating system patch 112960-61 or later.
Configure SSL authentication between Oracle Internet Directory and the Solaris clients and verify that it is working correctly.
On each client, make a backup copy of sslConfig_OIDclient.sh.
On each client, open sslConfig_OIDclient.sh in an editor and locate the following section:
/usr/sbin/ldapclient manual \
 -a defaultServerList=${oidServerHost} \
 -a defaultSearchBase=${realm} \
 -a authenticationMethod=none \
 -a credentialLevel=anonymous \
 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
 -a serviceSearchDescriptor=passwd:ou=people,${realm}?one \
 -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
 -a serviceSearchDescriptor=group:ou=group,${realm}?one
The script contains two ldapclient commands like this, one for Solaris 10 and one for Solaris 9. Edit the instance that matches your operating system version.
Make the following changes on hostA:
/usr/sbin/ldapclient manual \
 -a defaultServerList=${oidServerHost} \
 -a defaultSearchBase=${realm} \
 -a authenticationMethod=none \
 -a credentialLevel=anonymous \
 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
 -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL)) \
 -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
 -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
 -a serviceSearchDescriptor=group:ou=group,${realm}?one
Make the following changes on hostB:
/usr/sbin/ldapclient manual \
 -a defaultServerList=${oidServerHost} \
 -a defaultSearchBase=${realm} \
 -a authenticationMethod=none \
 -a credentialLevel=anonymous \
 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
 -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL)) \
 -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
 -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
 -a serviceSearchDescriptor=group:ou=group,${realm}?one
Make the following changes on hostC:
/usr/sbin/ldapclient manual \
 -a defaultServerList=${oidServerHost} \
 -a defaultSearchBase=${realm} \
 -a authenticationMethod=none \
 -a credentialLevel=anonymous \
 -a serviceAuthenticationMethod=pam_ldap:tls:simple \
 -a serviceSearchDescriptor=passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL)) \
 -a serviceAuthenticationMethod=passwd-cmd:tls:simple \
 -a serviceSearchDescriptor=shadow:ou=people,${realm}?sub \
 -a serviceSearchDescriptor=group:ou=group,${realm}?one
Re-run sslConfig_OIDclient.sh on the client as root.
These changes to the ldapclient command restrict operating system login to those users who either have host=ALL or the host attribute value that matches the host name.
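The per-host restriction lives entirely in the filter component of the passwd serviceSearchDescriptor, and a mistyped or unbalanced filter is only discovered after ldapclient has rewritten the client configuration. The following Python script is an added example, not part of Oracle's sslConfig_OIDclient.sh: it parses the descriptor syntax ldapclient uses (service:base?scope?filter, with scope and filter optional), rejects malformed descriptors, and confirms that each host's passwd descriptor admits exactly the two cases the chapter describes, the host's own name and the wildcard value ALL. The same descriptor values appear in the HP-UX ldapuxprofile LDIF later in this chapter, so the check applies there too. The ${realm} variable is left unexpanded, as it is in the script.

```python
"""Check serviceSearchDescriptor values before re-running sslConfig_OIDclient.sh.

Added example; not part of Oracle's script. The descriptor syntax is
service:base?scope?filter, where scope and filter are optional. ${realm}
is left unexpanded, exactly as it appears in the script.
"""
import re

SCOPES = ("base", "one", "sub")

# The three passwd descriptors from the chapter, keyed by client host.
CHAPTER_DESCRIPTORS = {
    "hostA": "passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL))",
    "hostB": "passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL))",
    "hostC": "passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL))",
}


def _balanced(filt):
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def parse_ssd(descriptor):
    """Split 'service:base?scope?filter' into its four fields.

    Raises ValueError on a malformed descriptor (missing service, unknown
    scope, unbalanced filter) so a typo is caught before ldapclient
    rewrites the client configuration.
    """
    service, sep, rest = descriptor.strip().partition(":")
    service = service.strip()
    if not sep or not service:
        raise ValueError("missing 'service:' prefix in %r" % descriptor)
    # At most three fields; the filters used here never contain '?'.
    fields = rest.split("?", 2)
    base = fields[0].strip()
    scope = fields[1].strip() if len(fields) > 1 else ""
    filt = fields[2].strip() if len(fields) > 2 else ""
    if scope and scope not in SCOPES:
        raise ValueError("unknown scope %r (expected one of %s)" % (scope, SCOPES))
    if filt and (not filt.startswith("(") or not _balanced(filt)):
        raise ValueError("filter is not a balanced parenthesised expression: %r" % filt)
    return {"service": service, "base": base, "scope": scope, "filter": filt}


def has_host_restriction(descriptor, hostname):
    """True when a passwd descriptor admits exactly the chapter's two cases:
    the client's own host name and the wildcard value ALL."""
    ssd = parse_ssd(descriptor)
    if ssd["service"] != "passwd":
        raise ValueError("the host restriction belongs on the passwd descriptor")
    clauses = set(re.findall(r"\(host=[^)]*\)", ssd["filter"]))
    return clauses == {"(host=%s)" % hostname, "(host=ALL)"}


def passwd_descriptor(hostname, realm="${realm}"):
    """Generate the passwd descriptor for one client host in the chapter's form."""
    return "passwd:ou=people,%s?one?(|(host=%s)(host=ALL))" % (realm, hostname)


if __name__ == "__main__":
    for host, ssd in CHAPTER_DESCRIPTORS.items():
        print(host, parse_ssd(ssd)["filter"], has_host_restriction(ssd, host))
    # A constructed typo: the closing parenthesis of the OR clause is missing.
    try:
        parse_ssd("passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL)")
    except ValueError as err:
        print("rejected:", err)
```

Run it on each client before re-running the script as root; a descriptor copied to the wrong host (hostB's filter on hostA, for example) fails has_host_restriction, and a missing parenthesis is rejected by parse_ssd rather than being handed to ldapclient.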
These procedures have been tested and certified with Red Hat Enterprise Linux 4.6 and 5.1, Oracle Enterprise Linux 5.0, and SuSE Linux Enterprise 9 and 10.
To configure the rules example at the beginning of this chapter on Linux clients, perform the following steps.
Configure SSL authentication between Oracle Internet Directory and the Linux clients and verify that it is working correctly.
On each client, make a backup copy of the file /etc/ldap.conf.
On each client, open /etc/ldap.conf in an editor and locate the pam_filter entry near the end of the file. It looks like this:
pam_filter objectclass=posixaccount
On hostA, change the entry to this:
pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostA))
On hostB, change the entry to this:
pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostB))
On hostC, change the entry to this:
pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostC))
The above pam_filter changes restrict operating system login to those users who either have host=ALL or the host attribute value matching the host name.
Optionally, you can use additional attributes in the filter condition specified in pam_filter. For example, most operating system user entries have a gidnumber attribute indicating the operating system group the user belongs to. You can add gidnumber to pam_filter to open operating system access to certain groups. For example, to open access on hostC to users in the group with gidnumber 507, specify the following:
pam_filter &(objectclass=posixaccount)(|(host=ALL)(host=hostC)(gidnumber=507))
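Because pam_filter is an ordinary LDAP search filter, its effect can be checked offline before the file is deployed. The following Python script is an added example and not Oracle's code: it implements a small evaluator for the subset of RFC 4515 filter syntax these rules use (AND, OR, NOT and equality), and applies the chapter's per-host pam_filter values to constructed user entries that mirror user1, user2 and user3 as configured on Oracle Internet Directory above, plus a fourth constructed user, user4, that has no host attribute at all. The user4 entry shows the consequence of the gidnumber clause: it admits every member of the group on that host, whether or not the user's entry carries a host value. The same evaluator accepts the parenthesised filters used in the Solaris and HP-UX serviceSearchDescriptor values.

```python
"""Evaluate the chapter's pam_filter rules offline against sample user entries.

Added example; not Oracle's code. Supports only the filter constructs
these rules use: AND (&), OR (|), NOT (!) and equality (attr=value).
The entries below are constructed for illustration.
"""

# Constructed entries: attribute names lower-cased, values kept as lists
# because LDAP attributes are multi-valued. user4 has no host attribute.
ENTRIES = {
    "user1": {"objectclass": ["top", "posixaccount"], "uid": ["user1"],
              "host": ["hostA"], "gidnumber": ["500"]},
    "user2": {"objectclass": ["top", "posixaccount"], "uid": ["user2"],
              "host": ["hostB"], "gidnumber": ["507"]},
    "user3": {"objectclass": ["top", "posixaccount"], "uid": ["user3"],
              "host": ["ALL"], "gidnumber": ["500"]},
    "user4": {"objectclass": ["top", "posixaccount"], "uid": ["user4"],
              "gidnumber": ["507"]},
}


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value).

    pam_filter values in /etc/ldap.conf omit the outermost parentheses,
    so they are added when missing. Values containing ')' are not supported.
    """
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, end = _parse_at(text, 0)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return node


def _parse_at(text, i):
    """Parse one parenthesised item starting at offset i; return (node, next_i)."""
    if i >= len(text) or text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(text) and text[i] in "&|!":
        op = text[i]
        i += 1
        children = []
        while i < len(text) and text[i] == "(":
            child, i = _parse_at(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ")":
            raise ValueError("unbalanced filter near offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    close = text.find(")", i)
    if close < 0:
        raise ValueError("missing ')' for item starting at offset %d" % i)
    attr, sep, value = text[i:close].partition("=")
    if not sep or not attr.strip():
        raise ValueError("only attr=value items are supported: %r" % text[i:close])
    return ("=", attr.strip().lower(), value.strip()), close + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> [values]).

    Comparison is case-insensitive, approximating the directory's
    caseIgnoreMatch rule for attributes such as host and objectClass.
    """
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def pam_filter_for(hostname, gidnumber=None):
    """Build the pam_filter value the chapter prescribes for one client host,
    optionally also opening access to one group as in the gidnumber example."""
    clauses = "(host=ALL)(host=%s)" % hostname
    if gidnumber is not None:
        clauses += "(gidnumber=%s)" % gidnumber
    return "&(objectclass=posixaccount)(|%s)" % clauses


def allowed_users(pam_filter):
    """Return the sorted uids that a pam_filter value would let log in."""
    tree = parse_filter(pam_filter)
    return sorted(uid for uid, entry in ENTRIES.items() if matches(tree, entry))


if __name__ == "__main__":
    print("unrestricted:", allowed_users("objectclass=posixaccount"))
    for host in ("hostA", "hostB", "hostC"):
        print(host, allowed_users(pam_filter_for(host)))
    # The gidnumber clause admits every member of group 507 on hostC,
    # including user4, which has no host attribute at all.
    print("hostC + gid 507:", allowed_users(pam_filter_for("hostC", 507)))
```

With the entries as constructed, hostA admits user1 and user3, hostB admits user2 and user3, and hostC admits only user3; adding (gidnumber=507) on hostC admits user2 and user4 as well, which is the trade-off to weigh before widening the filter beyond the host attribute.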
To configure the rules example at the beginning of this chapter on HP-UX clients, perform the following steps.
Configure SSL authentication between Oracle Internet Directory and the HP-UX clients and verify that it is working correctly.
Open sslConfig_OIDclient.sh in an editor and locate the following section:
version: 1
dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
defaultserverlist: ${oidServerHost}:636
authenticationmethod: tls:simple
serviceauthenticationmethod: pam_ldap:tls:simple
serviceauthenticationmethod: passwd-cmd:tls:simple
cn: ldapuxprofile
defaultsearchbase: ${realm}
credentiallevel: anonymous
servicesearchdescriptor: passwd:ou=people,${realm}?one
servicesearchdescriptor: group:ou=group,${realm}?one
objectclass: top
objectclass: duaconfigprofile
On hostA, make the following changes, keeping the order of the lines in the file exactly as shown:
version: 1
dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
defaultserverlist: ${oidServerHost}:636
authenticationmethod: tls:simple
serviceauthenticationmethod: pam_ldap:tls:simple
serviceauthenticationmethod: passwd-cmd:tls:simple
cn: ldapuxprofile
defaultsearchbase: ${realm}
credentiallevel: anonymous
servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostA)(host=ALL))
serviceSearchDescriptor: shadow:ou=people,${realm}?sub
servicesearchdescriptor: group:ou=group,${realm}?one
objectclass: top
objectclass: duaconfigprofile
On hostB, make the following changes, keeping the order of the lines in the file exactly as shown:
version: 1
dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
defaultserverlist: ${oidServerHost}:636
authenticationmethod: tls:simple
serviceauthenticationmethod: pam_ldap:tls:simple
serviceauthenticationmethod: passwd-cmd:tls:simple
cn: ldapuxprofile
defaultsearchbase: ${realm}
credentiallevel: anonymous
servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostB)(host=ALL))
serviceSearchDescriptor: shadow:ou=people,${realm}?sub
servicesearchdescriptor: group:ou=group,${realm}?one
objectclass: top
objectclass: duaconfigprofile
On hostC, make the following changes, keeping the order of the lines in the file exactly as shown:
version: 1
dn: cn=ldapuxprofile,ou=ldapuxprofile,${realm}
defaultserverlist: ${oidServerHost}:636
authenticationmethod: tls:simple
serviceauthenticationmethod: pam_ldap:tls:simple
serviceauthenticationmethod: passwd-cmd:tls:simple
cn: ldapuxprofile
defaultsearchbase: ${realm}
credentiallevel: anonymous
servicesearchdescriptor: passwd:ou=people,${realm}?one?(|(host=hostC)(host=ALL))
serviceSearchDescriptor: shadow:ou=people,${realm}?sub
servicesearchdescriptor: group:ou=group,${realm}?one
objectclass: top
objectclass: duaconfigprofile
Re-run sslConfig_OIDclient.sh on the client as root.
These changes restrict operating system login to those users who either have host=ALL or the host attribute value matching the particular host name.