2.4.4 Defining Users (When Using the LDAP) [UNIX]

This section explains the managing user when using the OpenLDAP.

Beginning with, the user and the group managed by OpenLDAP are called LDAP user and LDAP group, respectively.

If you use the Extended User Management Function, you cannot use this LDAP function. Also, if the Systemwalker Centric Manager V15.3.0 or earlier is installed in the same server, you cannot use this LDAP function.

LDAP user/LDAP group

The available LDAP user and LDAP group are as below.

The string length and character type of user name and group name must be within available OS user and OS group.
The user and group of same with OS user and OS group are OS cannot exit.

Creating swadmin group on the OpenLDAP

When the user definition is enabled, if you use Systemwalker Operation Manager by the users registered in the OpenLDAP, you need to belong to the swadmin group. Also, if you use the user registered in the OpenLDAP from multiple Systemwalker Operation Manager environment, it is recommended to create swadmin group on the OpenLDAP and belong to it, donot to belong to the swadmin group in the each Systenwalker Operation Management environment.

For the detail, refer to the "2.4.5 Define User Restrictions"

Provides procedures for creating swadmin group on the OpenLDAP.

Systemwalker Operation Manager is not installed

Provides procedures for creating swadmin group on the OpenLDAP before Systemwalker Operation Manager is installed.

If the swadmin group exist in the installation environment of the Systemwalker Operation Manager, delete it.
Create swadmin group on the OpenLDAP.
In the installation environment of the Systemwalker Operation Manager, make sure the swadmin group on the OpenLDAP can see them by the "getent group" command.
Install the Systemwalker Operation Manager.
Add local user of OS and the user registered on the OpenLDAP to the swadmin group on the OpenLDAP.

Systemwalker Operation Manager is installed

Provides procedures for creating swadmin group on the OpenLDAP when Systemwalker Operation Manager is already installed.

Back up the Systemwalker Operation Manager.
Uninstall the Systemwalker Operation Manager.
In the above environment, delete swadmin group.
Create swadmin group on the OpenLDAP.
In the above environment, make sure the swadmin group on the OpenLDAP can see them by the "getent group" command.
Install the Systemwalker Operation Manager.
Restore the Systemwalker Operation Manager information that backed-up.
Change the group of output directory for the Audit log to the swadmin group on the OpenLDAP.
Start the Systemwalker Operation Manager.
Add local user of OS and the user registered on the OpenLDAP to the swadmin group on the OpenLDAP.

Information

Monitored host definitions when performing multi-server monitoring

If you use the SSSD(System Security Services Daemon), you can get the LDAP user/group by gentent command to specify "enumerate = True" in the sssd.conf. For the detail, refer to the OS manuals

Defining the PAM authentication

If you use the Systemwalker Operation Manager by the user of OpenLDAP management, you need to create settings file of the PAM authentication in advance. This setting allows the PAM authentication to be executed by the access privilege checking of the user.

Create /etc/pam.d/omgr_check_user file and describe the followings.

[Linux]

auth sufficient pam_sss.so
auth required pam_unix.so
account sufficient pam_sss.so
account required pam_unix.so

[Solris]

auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1

account requisite pam_roles.so.1
account binding pam_unix_account.so.1 server_policy
account required pam_ldap.so.1

Set the permissions for the omgr_check_user file as below.

Owner	root
Group	root
Permissions	0644

If there are error settings, the user authentication fail to execute.

If there are no /etc/pam.d/omgr_check_user file, the PAM authentication is not executed.

Note

Solaris 11

In the Solaris 11, the "root" is default, not the "user account" but "role", so you cannot login to the system as root. If you connect to the each client (Note) of the Systemwalker Operation Manager, and each server of the Systemwalker Operation Manager from the Web console, you must execute rolemod command and change the root from the "role" to the "user account".

For the detail of rolemod command, refer to the following.

http://docs.oracle.com/cd/E26924_01/html/E25887/rbactask-4.html#rbactask-20

Note:

Systemwalker Operation Manager client/ Multiple monitoring client/ Print Jobscheduler Info clients/ Master Schedule Management environment setup client/ Master Schedule Management status monitoring client/ environment setup client

Using Systemwalker Operation Manager by the LDAP user

You can use the Systemwalker Operation Manager to login by the user of LDAP management.

Note

If you set /sbin/nologin to the login shell, it is not an authentication error.