Preventing Disabled Users from Executing "usrun" Command



The main objective of this article is to give a step by step procedure for customers to help them to configure the policies for disabled LDAP user to execute usrun command using NPUM.

Table of Contents

  1. Introduction

1. Introduction

Net IQ Privileged User Management (PUM) helps IT administrators manage the identity and access for superuser, root accounts, and application users by providing controlled superuser/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms.

SSH relay is a new feature added to PUM that enables delegation of privileged credentials to those hosts where PUM agents are not installed. This feature makes use of the underlying SSH functionality of Unix/Linux systems to provide privileged access and monitoring of the activities after the delegation. PUM has been designed to work with its own framework user management. With the new release of PUM 2.3, LDAP group support has been added which helps to achieve easy integration with LDAP domain.

This article talks about the various configuration that needs to be performed by a customer to enable user status.

2. Integrating PUM Manager with LDAP Domain

To integrate the PUM manager with LDAP, the following steps need to be performed:

Before we can integrate the PUM to use LDAP as authentication domain, the account domain details to authenticate with should be added to PUM manager. PUM manager supports creation of the account domain under the command control console installed as part of default manager installation. The various steps to be followed to add authentication account domain to PUM are as follows:

2.1 Goto Home/Command Control console -> Privileged Accounts.
2.2 Now choose the option Add Account Domain to add a new account domain to PUM manager framework.
2.3 Provide all the details as shown in the picture below. Make sure to replace with the IP address of the LDAP server

Figure 1: Adding LDAP account domain details.


After the successful association, PUM deployment is now is ready to make use of the LDAP as the default authentication domain. From this point onwards all users will be managed in the LDAP and those users, groups can be directly made use of for all PUM administration.

3. Adding more credentials to the LDAP account domain

To add multiple credentials to the existing account domain do the following.

3.1 Click Command Control on the home page of the console.

3.2 In the navigation pane, select Privileged Accounts.

3.3 Select an Account Domain.

3.4 In the task pane, click Add Credential.

3.5 Specify the following details:

     Account: Specify the account name of the domain user. For example: disuser.

     User DN: Specify the complete name for the domain user. For example: CN=disuser,CN=Users,DC=ashish,DC=com

     Password: Specify the password for the domain user account.

3.6 Click Finish to save the account domain and credential details.

Figure 2: Adding credentials


4. Creating the User group

4.1 Goto Home/Command Control/Account groups/User group---> Add user group ( ex-LDAP Group).
4.2 Modify the "LDAP group"--> select External group.
4.3 Choose the LDAP domain from the drop down
4.4 Under users give regular expression %:=~/^[Cc][Nn]=d*/, this expression matches all external groups starting with Cn=d and followed by anything where user is part of the group. This regular expression is used to check whether a particular user is part of the group. )

Figure 3: Adding Users group filter in User groups


5. Adding a script to the Command Control

5.1 Goto Home/Command Control/Scripts/---> Add script ( name ex-Check AD User).
5.2 Copy the content of the attached script to newly added script.
5.3 Modify the script for below:

     5.3.1 Change my $ADUser='DOMAIN\Administrator'; to my $ADUser='ashish\Administrator';
     5.3.2 Change my $ADPwd='password'; to my $ADPwd='novell123';
     5.3.3 Change my $ADHost=""; to my $ADHost="";

5.4 Click Finish

Figure 4: Modifying script


6. Creation of Command Control Rule

After adding the Privileged account details and User group, the next step is to create rules in Command Control so that authorization to access the SSH relay host is given based on the rule. This can be achieved by following the steps below:

6.1 Goto Home/Command Control -> Rules.
6.2 Choose Add rule option from the left panel and add a rule "Match AD Credential".
6.3 Choose Add rule option from the left panel and add a rule "Set AD Credential" under Match AD Credential rule.
6.4 Choose Add rule option from the left panel and add a rule "Authorize AD User" under Match AD Credential rule.
6.5 Modify Set AD Credential Rule. Set Authorize to Yes, Select credential as ashish/disuser and run user as ashish/disuser.
6.6 Drag and drop the script "Check AD User" to rule Authorize AD User.
6.7 Drag and drop the LDAP User group to rule "Match AD Credential".

Use Case pre-requisite: user account name is same in LDAP and on Linux, user account is disable in LDAP.
Use Case: When "disuser" whose account is disable under the group "disable_group" in LDAP, tries to login to machine, user will be able to do so but when he is trying to use the LDAP credential to execute the usrun with any command "usrun ls", user will not be able to do so as users account is disabled under the LDAP domain.

7. Glossary of Terms

  • PUM - Privileged User Manager

  • LDAP - Lightweight Directory Access Protocol

  • SSH - Secure Shell


How To-Best Practice
Comment List
Related Discussions