On 10/5/06, Rozonkiewiecz, Mitchell P <[EMAIL PROTECTED]> wrote:
1. You do not have to add the user to Linux when configured properly.
we did not add it to /etc/passwd, it appeared there automagically.
this automagi function works well because access to directories and
files is handled the normal way by Linux.
2. You are correct that eTrust PAM r8 can only have 1 group attached to a user 
since that's all ACF2 currently allows.  To add more groups to a user, it must 
be done from Linux.  This is something we are looking to address in a future 
ACF2 release.
this is a big problem and I am not surprised by this typical CA answer
(next release).  But how can anybody work in a Linux environment on
which a user belongs to only one group?  having to go to each Linux
server to add users (via Yast) defeats the purpose of centralized
management, doesn't it?
3. I believe you meant to ask how to you perform authorization.  Unfortunately, 
this is a limit of PAM.  PAM performs autentication only and does not get 
invoked for authorization.  UNIX file attributes, rwxrwxrwx, are used to 
control file access after PAM authenticates the user id/pswd.
If /etc/passwd was not to contain the userid of the person that got
authorized via user-id/pswd, then that person would not be able to
access any file except for those with wide open access via OTHERS.

Please contact CA ACF2 support for any additional help or for any additional 
questions and we'd be glad to help you.
Will do.  I'll ask you two more questions in preparation.
In the IBM's RACF LDAP server solution, they can handle situations
when changes are made on the Linux guest instead of RACF (e.g.
adduser).  can you do so?
Second question, if I was to use the Linux distributed PAM client,
IBM's LDAP server, can I still get to ACF2? would I have the same
functionality as the RACF solution?  (I am cheating with an extra
question).

Mitch Rozonkiewiecz
Director, Development
CA

________________________________

From: Linux on 390 Port on behalf of Yu Safin
Sent: Thu 10/5/2006 3:16 PM
To: [email protected]
Subject: CA's PAM-Client and PAM-Server



We are doing a proof of concept using CA's pam-client, pam-server and ACF2.
The pam-client (we received the binaries from CA) was installed on our
Linux guest.
The pam-server was install under zOS as a started task (it is a USS service).
ACF2 was there already for zOS security.  We added the Linux segment to ACF2.
We have run into some issues that you might be able to help us with.
1) when we define a user on the ACF2 segment for Linux, we also seem
to need to have the same user on the Linux side in /etc/passwd.  This
is contrary to my understanding.
2) we can't seem find a way to define more than one group for the
user.  We have to go to the Linux guest to add groups and membships of
those groups.
3) we seem to be able to authenticate users during telnet/ssh sign ons
but how do we perform authentication?  I.e. how do I make sure that a
user does not execute or read files.  I would like to manage by
definining roles/groups and then making a user a member of one or more
groups.

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390




----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390


----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

Reply via email to