Setting extended attributes
AIX provides extended user and group attributes that enable administrators to specify user or group characteristics, such as the ability to log in remotely to a user account, use the system resource controller (SRC) to execute programs, and so on. You can define these attributes for specific users and groups, or for all user and group accounts on a local computer, by editing configuration files such as /etc/security/user, /etc/security/group, and /etc/security/limits. The extended attributes available depend on the version of AIX you are using. For information about the extended attributes available for users and groups, see the AIX documentation for the security configuration files.
You can centralize administration of AIX computers by setting extended attributes for individual AIX users and groups in Active Directory. You can also set configuration parameters to set default extended attribute values for all Active Directory users or groups on a particular AIX computer.
Certain extended attributes, such as the system privileges (capabilities) attributes, are only supported by methods in the Loadable Authentication Module (LAM) version 5.2 or later.
The agent configuration file can include AIX configuration parameters that correspond to AIX extended attributes. For example:
| AIX attribute | Parameter |
|---|---|
| admin | aix.user.attr.admin |
| daemon | aix.user.attr.daemon |
| rlogin | aix.user.attr.rlogin |
| su | aix.user.attr.su |
Each configuration parameter has a hard-coded default value. You can edit the centrifydc.conf configuration file on any computer to change its default value. You should note that changes you make in the centrifydc.conf file only affect Active Directory users and groups. The settings do not affect local users or groups. Local users and groups get their extended attributes from the settings in the AIX configuration files, such as /etc/security/user and /etc/security/limits.
Enforcing access rights on AIX computers
If you are using the AIX Loadable Authentication Module (LAM), role-based access rights are not enforced at login: a user whose role does not include the PAM login-all right can still log in. For example, an Active Directory user who is in the same zone as the AIX computer and is assigned a role that does NOT include the login-all right can, in fact, log in to the AIX server through the LAM interface, because LAM does not consult the rights defined in the user's Delinea role to control access. If the same server were configured with the PAM authentication module, that user would be denied login.
To control user login activity, you have two choices:

- Keep the LAM interface and use one or more of the following PAM configuration parameters to define who has or does not have access:
  - pam.allow.groups: the groups allowed to access PAM-enabled applications.
  - pam.allow.users: the users allowed to access PAM-enabled applications.
  - pam.deny.groups: the groups denied access to PAM-enabled applications.
  - pam.deny.users: the users denied access to PAM-enabled applications.
- Replace the LAM interface with PAM. See the IBM AIX documentation for the instructions. The conversion procedure is fairly simple; however, you should test all applications on the server to ensure that they work the same with PAM. In addition, if you are using Delinea OpenSSH, there are two versions: one for LAM and one for PAM. Both the LAM and PAM versions are distributed in the package. If you convert to PAM, uninstall the LAM version and install the PAM version.
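The following centrifydc.conf fragment is an added example, not part of the Delinea documentation, showing how the first choice above looks in practice on a LAM-mode AIX host. The group and user names are hypothetical; the value format (a comma-separated list of names) follows the descriptions of the parameters above.

```conf
# Added example (hypothetical names): only members of the two named groups may
# use PAM-enabled applications on this host, and one service account is denied
# even if it is ever added to one of those groups.
pam.allow.groups: aix-admins, aix-operators
pam.deny.users: svc-backup
```

Before logging out of your current session, test the change with a member of an allowed group and with the denied account. Avoid listing the same principal in both an allow list and a deny list, so that the result does not depend on the order in which the lists are evaluated.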
Setting extended attributes
To set an extended attribute for an individual user, you can use adedit commands.
For example, to set the value of the extended attributes aix.ttys and aix.rlogin for the user joe, you might run commands similar to the following after binding to a domain and selecting a zone:
select_zone_user joe@ajax.acme.test
set_zone_user_field aix.ttys r1,r2,r3
set_zone_user_field aix.rlogin true
To verify the values you have set and write them to Active Directory, you might run commands similar to the following. The get_zone_user_field command returns the value currently held on the selected user object; save_zone_user commits the changes, and until it runs the new values exist only in the adedit session:
get_zone_user_field aix.ttys
r1,r2,r3
save_zone_user
You can also use adedit abbreviations (slzu for select_zone_user, szuf for set_zone_user_field) to set and get extended attribute values. For example:
slzu joe@ajax.acme.test
szuf aix.fsize 209715
szuf aix.core 2097151
szuf aix.cpu -1
szuf aix.data 262144
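When the same attributes have to be set for many users, typing the commands above one at a time is error-prone, and a wrong value (for example a misspelled boolean) is only discovered at login time. The script below is an added example, not from the Delinea documentation: it reads user/attribute/value rows, validates each value against the type of the attribute (boolean for aix.rlogin, -1 or a non-negative integer for the resource limits, a comma-separated list for aix.ttys), and generates an adedit script using only the commands shown on this page. The input rows are constructed for illustration; binding to the domain and selecting the zone in the generated script is left to the caller.

```shell
#!/bin/sh
# Added example, not from the Delinea documentation: build an adedit script that
# sets AIX extended attributes for several zone users, validating every value
# before it is written. Only the adedit commands shown on the page are used
# (select_zone_user, set_zone_user_field, save_zone_user); the preamble that
# binds to the domain and selects the zone is left to the caller.

# Constructed sample input, one "user|attribute|value" row per line, grouped
# by user. The last two rows are deliberately invalid.
SAMPLE_INPUT='joe@ajax.acme.test|aix.rlogin|true
joe@ajax.acme.test|aix.ttys|r1,r2,r3
joe@ajax.acme.test|aix.fsize|2097151
ann@ajax.acme.test|aix.core|-1
ann@ajax.acme.test|aix.rlogin|maybe
bob@ajax.acme.test|aix.nosuch|1'

# true/false only; anything else (yes, 1, TRUE) is rejected rather than guessed at.
is_bool() { [ "$1" = true ] || [ "$1" = false ]; }

# AIX resource limits: -1 means unlimited, otherwise a non-negative integer.
is_limit() {
  [ "$1" = -1 ] || case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# Comma-separated list of tty names with no empty entries.
is_ttys() {
  [ -n "$1" ] && case $1 in *[!A-Za-z0-9_/.,-]*|,*|*,|*,,*) return 1 ;; esac
}

# Accept only the attributes this script knows how to validate.
validate_attr() {
  case $1 in
    aix.rlogin)                          is_bool  "$2" ;;
    aix.fsize|aix.core|aix.cpu|aix.data) is_limit "$2" ;;
    aix.ttys)                            is_ttys  "$2" ;;
    *)                                   return 1 ;;
  esac
}

# Read rows from stdin, print adedit commands to stdout and rejected rows to
# stderr. Each user is selected once, given all of its fields, then saved.
# Returns 0 only if every row was accepted.
gen_script() {
  cur= rejected=0
  while IFS='|' read -r user attr val; do
    [ -n "$user" ] || continue
    if ! validate_attr "$attr" "$val"; then
      echo "rejected: $user $attr=$val" >&2
      rejected=$((rejected + 1))
      continue
    fi
    if [ "$user" != "$cur" ]; then
      [ -z "$cur" ] || echo "save_zone_user"
      echo "select_zone_user $user"
      cur=$user
    fi
    echo "set_zone_user_field $attr $val"
  done
  [ -z "$cur" ] || echo "save_zone_user"
  [ "$rejected" -eq 0 ]
}

# Usage: generate the commands, review them, then run them in adedit after
# binding to the domain and selecting the zone.
printf '%s\n' "$SAMPLE_INPUT" | gen_script || echo "some rows were rejected" >&2
```

The generated commands for the sample input select joe, set his three attributes, save, then select ann, set aix.core and save; the two invalid rows are reported on stderr and never reach adedit, so a typo cannot silently leave a user with an unintended rlogin value.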
Alternatively, you can also use configuration parameters to supplement the settings in the AIX /etc/security/user file. For example, if you have not explicitly defined the aix.rlogin attribute in /etc/security/user, you can set the following parameter in the centrifydc.conf file:
aix.user.attr.rlogin: false
You can use adquery and the keyword help to view a list of the supported extended attributes. For example:
adquery user --extattr help