Selang 'auth' rules are not working for AD users

Document ID : KB000031337
Last Modified Date : 14/02/2018

Problem:

The customer was writing selang rules to allow certain Active Directory (AD) users to run sesu. After the rules were written and the user had been authorized through the SURROGATE rule, the user still could not run sesu. The commands used were as follows:

AC> exg XGROUP_NAME
(localhost)
Successfully updated XGROUP XGROUP_NAME

AC> er surrogate USER.SHORT_NAME defacc(n) owner(nobody)
(localhost)
Successfully created SURROGATE USER.SHORT_NAME

AC> auth surrogate USER.SHORT_NAME via(pgm(/opt/CA/AccessControl/bin/sesu)) xgid(XGROUP_NAME) acc(r)
(localhost)
Successfully added XGROUP_NAME via PROGRAM /opt/CA/AccessControl/bin/sesu to USER.SHORT_NAME's PACL

Running sesu then produced the message "You are not allowed to su to User_name". The cause is that the account name used to create and authorize the SURROGATE resource was wrong. The AD integration exposes each account under its full AD name, while the short name is what users type on the command line, for example as the target of sesu. When the SURROGATE check is evaluated, PIM looks up the resource under the full AD name, so a rule written against the short name never matches. The rule therefore has to be created with the full AD name, and the short name can still be used as the sesu target.

 

Environment:

PIM 12.8

RHEL 5.8

 

Resolution:

The 'er' and 'auth' commands for the SURROGATE class require the full AD account name in the rule, even though the short name is what is typed when running the sesu command:

AC> er surrogate USER.FULL_AD_NAME defacc(n) owner(nobody)
(localhost)
Successfully created SURROGATE USER.FULL_AD_NAME 

AC> auth surrogate USER.FULL_AD_NAME via(pgm(/opt/CA/AccessControl/bin/sesu)) xgid(XGROUP_NAME) acc(r)
(localhost)
Successfully added XGROUP_NAME via PROGRAM /opt/CA/AccessControl/bin/sesu to USER.FULL_AD_NAME's PACL
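The corrected procedure end to end, including a verification step, as an added example that is not part of the original KB article or of CA's own documentation. It reuses the page's placeholders (USER.FULL_AD_NAME, USER.SHORT_NAME, XGROUP_NAME and the sesu path) and adds showres (sr), find and rmres (rr), which are standard selang commands; it assumes the AD user is already a member of XGROUP_NAME and that the commands are run against the local endpoint.

```selang
# Define the SURROGATE resource under the FULL AD account name.
# defacc(n): nobody may surrogate to this account unless explicitly authorized.
er surrogate USER.FULL_AD_NAME defacc(n) owner(nobody)

# Grant read (surrogate) access to members of the enterprise group, but only
# when the request comes through the trusted sesu binary (conditional PACL entry).
auth surrogate USER.FULL_AD_NAME via(pgm(/opt/CA/AccessControl/bin/sesu)) xgid(XGROUP_NAME) acc(r)

# Verify: the PACL should list XGROUP_NAME via /opt/CA/AccessControl/bin/sesu.
sr surrogate USER.FULL_AD_NAME

# List all SURROGATE resources to spot a stale rule created under the short name.
find surrogate

# Optional cleanup (assumed here): remove the earlier, ineffective short-name rule
# so that only the full-name rule remains. Omit if no such resource exists.
rr surrogate USER.SHORT_NAME
```

After this, a member of XGROUP_NAME tests from a normal shell with `sesu USER.SHORT_NAME`; the short name is accepted on the command line because the authorization decision is made against the SURROGATE resource defined under the full AD name. If the "You are not allowed to su" message persists, compare the name shown by `sr surrogate` with the name under which the AD integration presents the account, since any difference there (domain prefix, case, suffix) means the rule will not match.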