Creating Child Zones and a Service Administrator Role

In many cases, you don’t want a service administrator to have root privileges. For example, there’s no reason to give database or web service administrators root-level privileges if their role only requires limited access to a few privileged operations.

To illustrate how to grant more limited privileges to an administrator, you will now create a role that gives an Apache server administrator permission a few specific tasks, such as edit the Apache configuration file and start and stop the Apache service. In this scenario, you will also create child zones to further limit the Apache administrator’s authority to just the computers in the child zones.

To create child zones

  1. Open Access Manager.

  2. Expand Zones, right-click your parent zone name, then select Create Child Zone.

  3. Type a Zone name (Nevada) and a brief description (Western field office), then click Next.

  4. Click Finish.

  5. Repeat Step 1 through Step 4 giving the second child zone a different name (Delaware) and description (Eastern web farm office).

  6. Expand Child Zones and each new zone you created to view the nodes of the child zones.

To create a new Active Directory user and group for Apache administrators

  1. Open Active Directory Users and Computers and create a new User object.

    1. Fill in the First, Last, and the User logon name fields.

    2. Type and confirm a password and select the Password never expires option.

    3. Acknowledge the warning, click Next, then click Finish.

  2. Open Active Directory Users and Computers and create a new Group object in the UNIX Groups organizational unit.

    1. For the Group name, enter ApacheAdmins.

    2. Select Global as the scope for the group and Security for the type of group, then click OK.

  3. Add the web administrator to the ApacheAdmins group.

    1. Select the user you created in Step 1, right-click and select Add to a group.

    2. Select the ApacheAdmins group, then click OK.

  4. Provision a UNIX profile for the new user using Access Manager.

    1. Expand the Zones node and select the Headquarters, right-click, then select Add User.

    2. Select the user you created for web administration.

    3. Select Define user UNIX profile only and deselect Assign roles.

    4. Accept the default values for all profile properties.

    5. Review your selections, click Next, then click Finish.

Defining Command Rights and a New Role for Apache Administrators

You are now ready to create the privileged commands and role definition for the Apache administrators much as you did for the UNIX administrators. However, in this scenario, you will add the following new commands:

Command name Command Purpose
web_edit_http_config vi /etc/httpd/conf Edit the httpd daemon configuration file
web_apachectl apachectl *: Front end command for managing the httpd daemon
web_httpasswd htpasswd * Create and update HTTP server user name and password file

These commands will be added to a new role definition, ApacheAdminRights. As an alternative to creating the commands and role manually using Access Manager, as you did in the previous section, the following steps illustrate how you can use an ADEdit script.

ADEdit is a command-line scripting environment included with the IBM Security Agent for *NIX. You can use ADEdit commands and scripts to modify Active Directory objects interactively directly from a UNIX or Linux computer terminal. The sample script ApacheAdminRole illustrates how you can use an ADEdit script to create UNIX rights and an Apache administrator role. This sample script is located in the /usr/share/centrifydc/samples/adedit directory on the UNIX or Linux computer where you have installed the IBM Security Agent.

To create the ApacheAdmin commands and the ApacheAdminRights role

  1. Log on to the Linux or UNIX computer using the Active Directory logon name and password you created for the UNIX administrator.

  2. Open a terminal on the Linux or UNIX computer.

  3. Change the directory to /usr/share/centrifydc/samples/adedit.

  4. Run the ApacheAdminRole script.

    ./ApacheAdminRole

    If you see the error /bin/env: bad interpreter: No such file or directory, try changing the first line in the script to #!/usr/bin/env adedit.

  5. Follow the prompts displayed to provide the following information for connecting to Active Directory:

    • Domain name.

    • The Active Directory account name that has administrator privileges in the organizational unit you’re using for the IBM Security zones.

    • The password for the Active Directory account.

  6. Select the zone from the list of zones in your domain.

    For example, enter 2 to create the commands and role in the Nevada child zone or 3 to create the commands and role in the Delaware zone. The script then creates the commands and the role in the selected zone.

Verifying the Success of the Script

You can verify the new command rights and role in Access Manager.

To verify the script created command rights new role

  1. Open Access Manager.

  2. Expand the Nevada or Delaware child zone, then expand Role Definitions.

  3. Select the ApacheAdminRights role to view the new command rights in the right pane.

    The new rights are also listed in the under the child zone UNIX Right Definitions > Commands node. If the new role is not listed, right-click, then select Refresh.

Adding Rights to the New Role Definition

The ApacheAdminRole script created the new UNIX command rights for Apache-related tasks. However, the Apache administrators require a few more rights to do their job. For example, the ApacheAdminRights role created using the sample script does not include the UNIX Login right for any computers.

To add more rights to the ApacheAdminRights role

  1. Open Access Manager.

  2. Expand the Nevada or Delaware child zone, then expand Role Definitions.

  3. Select the ApacheAdminRights role, right-click, then select Add Right.

  4. Select the Nevada or Delaware child zone from the list of zone to restrict the list of rights to the rights available in the child zone.

  5. Select the following default rights:

    • login-all to allow Apache administrators to log on.

    • ssh to allow Apache administrators to use the PAM secure shell client application.

    • sshd to allow Apache administrators to use the secure shell server application.

    • dzssh-scp to allow Apache administrators to use the secure copy application.

    • dzssh-sftp to allow Apache administrators to use the secure file transfer application.

  6. Click OK.

Assigning the Apache Administrator Role to a Group

You can now assign the ApacheAdminRights role to the Active Directory ApacheAdmins group. The members of this group will only have the Apache access rights on the computers in the Nevada or Delaware child zone you selected. Outside of the selected zone, members will have no access rights on any UNIX computers.

To assign the ApacheAdminRights role to the Apache administrators

  1. Open Access Manager.

  2. Expand the Nevada or Delaware child zone and its Authorization node.

  3. Select Role Assignments, right-click, then select Assign Role.

  4. Select the ApacheAdminRights role, then click OK.

  5. Click Add AD Account.

    1. Change the object to Find from User to Group, then search for and select the ApacheAdmins group, then click OK.

    2. Click OK to complete the role assignment.