Cybersecurity
DevOps Cloud
IT Operations Cloud
Author: Girish Mutt
Abstract:
The main objective of this article is to give a step by step procedure for customers to help them integrate the SSH relay feature of PUM with Novell eDirectory as the authentication domain. The normal approach will be to use existing PUM framework users to enable the SSH Relay feature. This approach will help customer directly integrate their existing Novell eDirectory environment with the PUM framework thereby allowing usage of single source for all corporate users. In addition to this PUM makes use of the LDAP groups to enable access to SSH relay hosts which allow PUM to make use of corporate directory specific access controls with PUM deployments.
Table of Contents
Introduction
NetIQ Privileged User Management (PUM) helps IT administrators manage the identity and access for superuser, root accounts, and application users by providing controlled superuser/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms.
SSH relay is a new feature added to PUM that enables delegation of privileged credentials to those hosts where PUM agents are not installed. This feature makes use of the underlying SSH functionality of Unix/Linux systems to provide privileged access and monitoring of the activities after the delegation. PUM has been designed to work with its own framework user management. With the new release of PUM 2.3, LDAP group support has been added which helps to achieve easy integration with corporate Novell eDirectory as authentication domain. It helps to overcome the issue of managing users differently for PUM deployment and existing corporate eDirectory deployment.
This article talks about the various configuration that needs to be performed by a customer to enable SSH relay feature integrated with corporate Novell eDirectory deployment.
Integrating PUM Manager with Novell eDirectory Authentication Domain
To integrate the PUM manager with Novell eDirectory, the following steps need to be performed:
2.1 Create Privileged Account Domain for Novell eDirectory
2.2 Integrate the PUM manager to use Novell eDirectory as authentication domain
2.1 Create Privileged Account Domain for Novell eDirectory
Before we can integrate the PUM to use Novell eDirectory as authentication domain, the account domain details to authenticate with should be added to PUM manager. PUM manager supports creation of the account domain under the command control console installed as part of default manager installation. The various steps to be followed to add authentication account domain to PUM are as follows:
2.2 Integrate the PUM manager to use Novell eDirectory as authentication domain
After the addition of the Privileged Account Domain details under privileged accounts of PUM manager, the next step is to add the association between the PUM user framework to directly make use of user accounts in the newly added authentication domain. The following steps should be followed to create that association:
After the successful association, PUM deployment is now is ready to make use of the corporate Novell eDirectory as the default authentication domain. From this point onwards all users will be managed in the corporate Novell eDirectory and those users, groups can be directly made use of for all PUM administration.
SSH Relay Feature enabling with PUM Manager
To enable the SSH relay feature to a particular host or to a group of hosts, SSH credentials of the privileged users need to be added to Privileged Account under Command Control. The following steps should be followed to create privileged accounts:
After adding the Privileged account details for SSH relay, the next step is to create rules in Command Control so that authorization to access the SSH relay host is given based on the rule. This can be achieved by following the steps below:
Figure 4: Modifying rule to authorize and associate SSH credential for SSH relay host.
SSH command, which will be part of the Home/Command Control/Commands needs to be added to the rule. This can be easily achieved by dragging and dropping the SSH Session command under commands on to Rule R1 as shown below.
Command Control Rule for LDAP Group Matching
After the integration of the PUM manager to use Novell eDirectory, the next step will be to enable the LDAP group look up under rule matching which will make use of LDAP groups in eDirectory to decide on access permission for SSH sessions. This can be achieved by creating an Account Group which will be used to match for the LDAP group in Novell eDirectory. The account group can be created by following the steps below:
When the same is attached to the rule access to Privileged SSH sessions will be granted based on the fact that whether a user is part of the group or not. Thus LDAP group matching is used to grant access to SSH relay sessions.
Once the User group is modified to match an external LDAP group, it will be added to rule R1 by dragging and dropping on top of the rule R1. Now this rule is able to grant access to SSH relay sessions based on the fact that whether a user is part of the external group or not. Hence PUM makes use of LDAP group look up feature to confirm membership of particular user in Novell eDirectory and then grant access to SSH relay sessions.
Using SSH Relay feature with Novell eDirectory as authentication domain
After the successful completion of all the steps mentioned above, the deployed configuration can now be tried.
Use Case: Rule R1 basically tries to check that the user used as part of SSH relay is in deed part of LDAP group G1. If the user is part of the LDAP group in Novell eDirectory which is the authentication domain, then a list of allowed SSH Relay sessions will be displayed to user and user will be given access to SSH session as elevated root user.
The various steps to be followed to gain access to Privileged SSH Relay sessions are:
user311@pum-sles11x64:/root> ssh -t -p2222 user311@164.99.184.14
Here we are trying to gain access to SSH relay session based on user311 being part of the external LDAP group G1 in Novell eDirectory.
user311@XXX.XX.XX.XX's password:
1) R1 - root@local
Enter option (1-1): 1
Password:
Last login: Wed Aug 17 16:08:25 2011 from pum-slesx1164.labs.blr.novell.com
pum-sles11x64:~ # id
uid=0(root) gid=0(root) groups=0(root),104(sfcb)
Glossary of Terms