Using ADEdit with Classic Zones

IBM Security software supports both classic and hierarchical zones. If you have upgraded agents to a version of IBM Security software that supports hierarchical zones (version 5.x or later), you can choose either to migrate your classic zones into a hierarchical zone structure or to maintain them as classic zones.

If you choose to maintain any zones as classic zones, however, you should be aware that the authorization model in classic zones differs from the authorization model used in hierarchical zones. For example, in classic zones, authorization is an optional feature that can be enabled or disabled. If authorization is not enabled in a classic zone, any user with a valid profile in a zone is automatically granted login access to all computers joined to that zone.

Because authorization is handled differently in classic zones, there are specialized ADEdit commands and command options for creating and managing rights and roles in classic zones. The commands in this appendix are only applicable when you are working with classic zones.

Enabling Authorization in Classic Zones

The following ADEdit commands are used to enable or disable authorization in a classic zone and to check whether authorization is currently enabled or disabled.

Command What it does
is_dz_enabled Checks whether authorization is enabled in a currently selected classic zone.
manage_dz Enables or disables authorization in classic zones.

Working with Privileged Commands and PAM Applications

With some limitations, you can use most of the ADEdit commands for working with rights, role definitions, and role assignments in classic zones in the same way you work with them in hierarchical zones. In a classic zone, however, you must explicitly enable authorization for the zone. Thereafter, defining rights and roles or making role assignments works the same way in classic zones and hierarchical zones.

In most cases, any differences or limitations for classic zones involve options or arguments that are not supported or not applicable in classic zones. For example, fields such as allowLocalUser, alwaysPermitLogin, and auditLevel are not applicable in classic zones. You can use the set_role_field command to set other field values in a classic zone. Individual commands specify these types of limitations.

Working with Restricted Shell Environments and Commands

Before you can use the restricted shell (dzsh) to run commands in a classic zone, you must create the restricted shell environment. After you have created the restricted shell environment in your working context, you can run restricted shell commands in that dzsh context.

Restricted commands cannot be assigned to a role directly. A restricted shell environment has to be created first. The restricted shell commands can then be created under the currently selected restricted shell environment. Only one restricted shell environment can be assigned to a role. The restricted shell environment and privileged UNIX commands cannot be assigned to a role simultaneously. Assigning a new restricted shell environment to a role removes all of the previously defined privileged UNIX commands from the restricted shell. Assigning new privileged commands to a role that previously had a restricted shell environment removes the restricted shell environment and any restricted shell commands defined for the restricted shell environment.

Setting up the restricted shell environment

The following ADEdit commands are used to set up and manage the restricted shell environment prior to working with any restricted shell commands.

Command What it does
clear_rs_env_from_role Removes the restricted shell environment from the currently selected role that is stored in memory.
delete_rs_env Deletes the currently selected restricted environment from Active Directory and also from memory.
get_role_rs_env Gets the restricted shell environment from the currently selected role that is stored in memory.
get_rs_envs Gets the list of restricted environments that are defined within the currently selected zone.
get_rse_cmds Gets a Tcl list of restricted shell commands associated with the currently selected restricted shell environment.
get_rse_field Gets the value for a specified field from the restricted shell environment that is stored in memory.
list_rs_envs Prints a list of restricted shell environments defined for the currently selected zone to stdout.
new_rs_env Creates a new restricted shell environment for the current zone, stores it in memory, and sets it to be the currently selected restricted shell environment.
save_rs_env Saves the currently selected restricted environment that is stored in memory to Active Directory.
select_rs_env Retrieves a restricted shell environment for the currently selected zone from Active Directory, stores it in memory, and sets it to be the currently selected restricted shell environment for other ADEdit commands.
set_rs_env_for_role Assigns a restricted shell environment to the currently selected role that is stored in memory.
set_rse_field Sets the value for a specified field in the currently selected restricted shell environment stored in memory.

Using restricted commands

The following ADEdit commands are used to set up and manage restricted shell commands.

Command What it does
delete_rs_command Deletes the currently selected restricted shell command from Active Directory and from memory.
get_role_rs_commands Returns a Tcl list of restricted shell commands associated with the currently selected role.
get_rs_commands Checks Active Directory and returns a Tcl list of restricted shell commands defined for the currently selected zone.
get_rsc_field Gets the value for a specified field from the currently selected restricted shell command that is stored in memory.
list_rs_commands Prints a list of restricted shell commands defined for the currently selected zone to stdout.
new_rs_command Creates a new restricted shell command under the currently selected restricted shell environment, stores it in memory, and sets it to be the currently selected restricted shell command.
save_rs_command Saves the currently selected restricted shell command that is stored in memory to Active Directory.
select_rs_command Retrieves a restricted shell command in the currently selected zone from Active Directory, stores it in memory, and sets it to be the currently selected restricted shell command for other ADEdit commands.
set_rsc_field Sets the value for a specified field for the currently selected restricted shell command that is stored in memory.
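As an added example (not part of the original page), the following ADEdit (Tcl) script uses the restricted shell commands listed above to inventory the restricted shell environments of the selected zone and to report what the currently selected role is confined to, which is the check a reviewer wants before changing a role. It assumes that select_rs_env takes the environment name, that get_rs_envs, get_rse_cmds and get_role_rs_commands return Tcl lists, that get_role_rs_env returns the assigned environment name or an empty string, and that select_role (an ADEdit command not shown on this page) selects a role by name; the zone and role names are constructed sample values.

```tcl
# Added example, not from the original page. Assumptions are noted inline.
package require ade_lib

# Map every restricted shell environment in the selected zone to the
# restricted shell commands defined under it (assumes select_rs_env
# takes the environment name and get_rse_cmds returns a Tcl list).
proc rs_env_inventory {} {
    set inventory [dict create]
    foreach env [get_rs_envs] {
        select_rs_env $env
        dict set inventory $env [get_rse_cmds]
    }
    return $inventory
}

# Report what the currently selected role may run. A role carries either a
# restricted shell environment (with its restricted commands) or privileged
# UNIX commands, never both, so an empty environment means the role is not
# confined to dzsh. Assumes get_role_rs_env returns "" when none is assigned.
proc report_role_restrictions {} {
    set env [get_role_rs_env]
    if {$env eq ""} {
        puts "role has no restricted shell environment; privileged commands, if any, apply"
        return ""
    }
    puts "role is confined to restricted shell environment: $env"
    foreach cmd [get_role_rs_commands] {
        puts "  allowed restricted command: $cmd"
    }
    return $env
}

# Sample session (constructed names).
bind ajuba.net
select_zone cn=cls,cn=zones,dc=ajuba,dc=net
dict for {env cmds} [rs_env_inventory] {
    puts "$env: [llength $cmds] restricted command(s)"
}
select_role role1
report_role_restrictions
```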

Creating computer-level role assignments in classic zones

Classic zones support computer-level role assignments. If you want to configure computer-level role assignments, keep the following in mind:

  • The classic zone that the computer is a member of must have authorization enabled before you can create role definitions and role assignments.
  • The role assignment is only valid on the computer where you have made the assignment.
  • The role definition you use must be defined in the classic zone that the computer is a member of.

A computer-level role assignment in a classic zone is similar to computer-level overrides in hierarchical zones, except that you cannot save user or group profile information for individual computers. User and group information is stored in the classic zone. To enable computer-specific role assignments in classic zones, you must use a specialized zone type, the classic-computer zone type.

To create a computer-level role assignment in a classic zone:

  1. Precreate the computer in a classic4 zone, if it doesn’t already exist.
  2. Create a zone that uses the specialized zone type of classic-computer.
  3. Select the classic-computer zone within the classic zone.
  4. Create the role assignment.

The following code snippet illustrates the commands to execute in ADEdit to make computer-specific role assignments in classic zones:

# Bind to the domain and load the ADEdit library (indented lines are output)
bind ajuba.net
package require ade_lib
    1.0
# Select the classic zone and confirm its zone type
select_zone cn=cls,cn=zones,dc=ajuba,dc=net
get_zone_field type
    classic4
# Precreate the computer in the classic zone and list the zone's computers
precreate_computer rhelqa$@ajuba.net
get_zone_computers
    {comp5$@ajuba.net} {rhelqa$@ajuba.net}
# Create and select the classic-computer zone for that computer
create_zone classic-computer rhelqa.ajuba.net@cn=cls,cn=zones,dc=ajuba,dc=net
select_zone rhelqa.ajuba.net@cn=cls,cn=zones,dc=ajuba,dc=net
# Create the computer-level role assignment using a role defined in the classic zone
new_role_assignment user5@ajuba.net
set_role_assignment_field role role1/cls
save_role_assignment
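The same procedure wrapped in a reusable ADEdit (Tcl) proc, as an added example that is not part of the original page: it performs the checks the preceding list calls for (classic4 zone type, authorization enabled, computer precreated only if missing) before creating the classic-computer zone and the assignment. It assumes that is_dz_enabled returns a Tcl boolean, that get_zone_computers returns a Tcl list of computer account names, and that select_zone raises an error for a zone that does not exist; the zone DN, host, user and role names are the constructed sample values from the snippet above.

```tcl
# Added example, not from the original page. Assumptions are noted inline.
package require ade_lib

proc assign_computer_role {zoneDn computerFqdn userPrincipal roleName} {
    # Build the computer account name ("host$@domain") from the FQDN.
    set parts [split $computerFqdn .]
    set host [lindex $parts 0]
    set domain [join [lrange $parts 1 end] .]
    set computerAccount "$host\$@$domain"

    # The parent must be a classic zone with authorization enabled,
    # otherwise role definitions and assignments cannot be created.
    select_zone $zoneDn
    if {[get_zone_field type] ne "classic4"} {
        error "$zoneDn is not a classic (classic4) zone"
    }
    if {![is_dz_enabled]} {
        error "authorization is not enabled in $zoneDn; enable it with manage_dz first"
    }

    # Precreate the computer only when it is not already in the zone.
    if {[lsearch -exact [get_zone_computers] $computerAccount] < 0} {
        precreate_computer $computerAccount
    }

    # Create the classic-computer zone if selecting it fails (assumes
    # select_zone errors for a missing zone), then assign the role there.
    # The assignment is valid only on this computer, and the role must be
    # defined in the parent classic zone (e.g. role1/cls).
    set computerZone "$computerFqdn@$zoneDn"
    if {[catch {select_zone $computerZone}]} {
        create_zone classic-computer $computerZone
        select_zone $computerZone
    }
    new_role_assignment $userPrincipal
    set_role_assignment_field role $roleName
    save_role_assignment
    return $computerZone
}

# Sample session (constructed names).
bind ajuba.net
assign_computer_role cn=cls,cn=zones,dc=ajuba,dc=net rhelqa.ajuba.net \
    user5@ajuba.net role1/cls
```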

You can then get the classic-computer zones by running the get_child_zones command when the classic zone is selected. For example:

select_zone cn=cls,cn=zones,dc=ajuba,dc=net
get_child_zones
helqa.ajuba.net@CN=c122,CN=Zones,DC=ajuba,DC=net
comp5.ajuba.net@CN=c122,CN=Zones,DC=ajuba,DC=net