Using ADEdit with Classic Zones
IBM Security supports both classic and hierarchical zones. If you have upgraded agents to a version of IBM Security software that supports hierarchical zones (version 5.x or later), you can choose to either migrate your classic zones into a hierarchical zone structure or maintain them as classic zones.
If you choose to maintain any zones as classic zones, however, you should be aware that the authorization model in classic zones differs from the authorization model used in hierarchical zones. For example, in classic zones, authorization is an optional feature that can be enabled or disabled. If authorization is not enabled in a classic zone, any user with a valid profile in a zone is automatically granted login access to all computers joined to that zone.
Because authorization is handled differently in classic zones, there are specialized ADEdit commands and command options for creating and managing rights and roles in classic zones. The commands in this appendix are only applicable when you are working with classic zones.
Enabling Authorization in Classic Zones
The following ADEdit commands are used to enable or disable authorization in a classic zone and to check whether authorization is currently enabled or disabled.
Command | What it does |
---|---|
is_dz_enabled | Checks whether authorization is enabled in a currently selected classic zone. |
manage_dz | Enables or disables authorization in classic zones. |
Working with Privileged Commands and PAM Applications
With some limitations, you can use most of the ADEdit commands for working with rights, role definitions, and role assignments in classic zones in the same way you work with them in hierarchical zones. In a classic zone, however, you must explicitly enable authorization for the zone. Thereafter, defining rights and roles or making role assignments works the same in classic zones and hierarchical zones.
In most cases, any differences or limitations for classic zones involve options or arguments that are not supported or not applicable in classic zones. For example, fields such as allowLocalUser, alwaysPermitLogin, and auditLevel are not applicable in classic zones. You can use the set_role_field command to set other field values in a classic zone. Individual commands specify these types of limitations.
Working with Restricted Shell Environments and Commands
Before you can use the restricted shell (dzsh) to run commands in a classic zone, you must create the restricted shell environment. After you have created the restricted shell environment in your working context, you can run restricted shell commands in that dzsh context.
Restricted commands cannot be assigned to a role directly. A restricted shell environment has to be created first. The restricted shell commands can then be created under the currently selected restricted shell environment. Only one restricted shell environment can be assigned to a role. The restricted shell environment and privileged UNIX commands cannot be assigned to a role simultaneously. Assigning a new restricted shell environment to a role removes all of the previously defined privileged UNIX commands from the restricted shell. Assigning new privileged commands to a role that previously had a restricted shell environment removes the restricted shell environment and any restricted shell commands defined for the restricted shell environment.
Setting up the restricted shell environment
The following ADEdit commands are used to set up and manage the restricted shell environment prior to working with any restricted shell commands.
Command | What it does |
---|---|
clear_rs_env_from_role | Removes the restricted shell environment from the currently selected role that is stored in memory. |
delete_rs_env | Deletes the currently selected restricted environment from Active Directory and also from memory. |
get_role_rs_env | Gets the restricted shell environment from the currently selected role that is stored in memory. |
get_rs_envs | Gets the list of restricted environments that are defined within the currently selected zone. |
get_rse_cmds | Gets a Tcl list of restricted shell commands associated with the currently selected restricted shell environment. |
get_rse_field | Gets the value for a specified field from the restricted shell environment that is stored in memory. |
list_rs_envs | Prints a list of restricted shell environments defined for the currently selected zone to stdout. |
new_rs_env | Creates a new restricted shell environment for the current zone, stores it in memory, and sets it to be the currently selected restricted shell environment. |
save_rs_env | Saves the currently selected restricted environment that is stored in memory to Active Directory. |
select_rs_env | Retrieves a restricted shell environment for the currently selected zone from Active Directory, stores it in memory, and sets it to be the currently selected restricted shell environment for other ADEdit commands. |
set_rs_env_for_role | Assigns a restricted shell environment to the currently selected role that is stored in memory. |
set_rse_field | Sets the value for a specified field in the currently selected restricted shell environment stored in memory. |
Using restricted commands
The following ADEdit commands are used to set up and manage restricted shell commands.
Command | What it does |
---|---|
delete_rs_command | Deletes the currently selected restricted shell command from Active Directory and from memory. |
get_role_rs_commands | Returns a Tcl list of restricted shell commands associated with the currently selected role. |
get_rs_commands | Checks Active Directory and returns a Tcl list of restricted shell commands defined for the currently selected zone. |
get_rsc_field | Gets the value for a specified field from the currently selected restricted shell command that is stored in memory. |
list_rs_commands | Prints a list of restricted shell commands defined for the currently selected zone to stdout. |
new_rs_command | Creates a new restricted shell command under the currently selected restricted shell environment, stores it in memory, and sets it to be the currently selected restricted shell command. |
save_rs_command | Saves the currently selected restricted shell command that is stored in memory to Active Directory. |
select_rs_command | Retrieves a restricted shell command in the currently selected zone from Active Directory, stores it in memory, and sets it to be the currently selected restricted shell command for other ADEdit commands. |
set_rsc_field | Sets the value for a specified field for the currently selected restricted shell command that is stored in memory. |
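As an added example (not code from the original page or from the product's own documentation), the following ADEdit/Tcl script strings together the enabling step from the Enabling Authorization section and the restricted shell procedure from the preceding two sections: it checks is_dz_enabled and calls manage_dz only when authorization is off, then creates a restricted shell environment, defines two restricted commands under it, and attaches the environment to a dedicated role. The domain and zone DN are borrowed from the transcript later on this page; the environment, command and role names, the field names passed to set_rse_field and set_rsc_field, the argument forms of new_rs_env, new_rs_command and set_rs_env_for_role, and the commands new_role and save_role are assumptions that should be checked against the ADEdit reference for your version.

```tcl
# Added example, not from the original page. Enables authorization in a
# classic zone and builds a restricted shell environment for a role.
# Assumptions (not stated on the page): the field names "description",
# "cmd" and "dzsh_runas", the argument forms of new_rs_env, new_rs_command
# and set_rs_env_for_role, and the commands new_role / save_role.
package require ade_lib

bind ajuba.net
select_zone cn=cls,cn=zones,dc=ajuba,dc=net

# Guard: the restricted shell commands below only make sense in a classic
# zone, and rights and roles in a classic zone are only honoured once
# authorization is enabled, so check the flag and enable it only if needed.
if {[get_zone_field type] ne "classic4"} {
    error "expected a classic zone, got zone type [get_zone_field type]"
}
if {![is_dz_enabled]} {
    puts "authorization is disabled in this classic zone; enabling it"
    manage_dz enable
}

# 1. The restricted shell environment must exist before any restricted
#    command can be defined; new_rs_env makes it the current environment.
new_rs_env ops_rse                                   ;# assumed argument form
set_rse_field description "Operations restricted shell"   ;# assumed field
save_rs_env

# 2. Restricted commands are created under the currently selected
#    environment. Each entry is a command name and the command line it allows.
foreach {name cmd} {
    svc_status "/usr/bin/systemctl status *"
    log_tail   "/usr/bin/tail -n 100 /var/log/messages"
} {
    new_rs_command $name                             ;# assumed argument form
    set_rsc_field cmd $cmd                           ;# assumed field name
    set_rsc_field dzsh_runas root                    ;# assumed field name
    save_rs_command
}

# 3. Attach the environment to a role. A role holds at most one restricted
#    shell environment, and assigning one removes any privileged UNIX
#    commands previously granted to that role, so use a role dedicated to
#    the restricted shell rather than reusing a role that carries dzdo rights.
new_role ops_rsh                                     ;# assumed command
set_rs_env_for_role ops_rse                          ;# assumed argument form
save_role                                            ;# assumed command

puts "restricted shell commands in role ops_rsh: [get_role_rs_commands]"
```

Run the script non-interactively by passing the file to adedit. The zone-type and is_dz_enabled checks at the top are the part worth keeping in any classic-zone automation: without them a script can silently create restricted commands in a zone where, because authorization is still disabled, every user with a profile retains unrestricted login to all joined computers.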
Creating computer-level role assignments in classic zones
Classic zones support computer-level role assignments. If you want to configure computer-level role assignments, keep the following in mind:
- The classic zone that the computer is a member of must have authorization enabled before you can create role definitions and role assignments.
- The role assignment is only valid on the computer where you have made the assignment.
- The role definition you use must be defined in the classic zone that the computer is a member of.
A computer-level role assignment in a classic zone is similar to computer-level overrides in hierarchical zones, except that you cannot save user or group profile information for individual computers. User and group information is stored in the classic zone. To enable computer-specific role assignments in classic zones, you must use a specialized zone type, the classic-computer zone type.
To create a computer-level role assignment in a classic zone:
- Precreate the computer in a classic4 zone, if it doesn't already exist.
- Create a zone that uses the specialized zone type of classic-computer.
- Select the classic-computer zone within the classic zone.
- Create the role assignment.
The following code snippet illustrates the commands to execute in ADEdit to make computer-specific role assignments in classic zones:
```
bind ajuba.net
package require ade_lib
# returns: 1.0
select_zone cn=cls,cn=zones,dc=ajuba,dc=net
get_zone_field type
# returns: classic4
precreate_computer rhelqa$@ajuba.net
get_zone_computers
# returns: {comp5$@ajuba.net} {rhelqa$@ajuba.net}
create_zone classic-computer rhelqa.ajuba.net@cn=cls,cn=zones,dc=ajuba,dc=net
select_zone rhelqa.ajuba.net@cn=cls,cn=zones,dc=ajuba,dc=net
new_role_assignment user5@ajuba.net
set_role_assignment_field role role1/cls
save_role_assignment
```
You can then get the classic-computer zones by running the get_child_zones command when the classic zone is selected. For example:
```
select_zone cn=cls,cn=zones,dc=ajuba,dc=net
get_child_zones
# returns:
helqa.ajuba.net@CN=c122,CN=Zones,DC=ajuba,DC=net
comp5.ajuba.net@CN=c122,CN=Zones,DC=ajuba,DC=net
```