Specifying surrogates for mapped users (UNIX, Linux)

Specify operating system (OS) user names, user IDs, group names, and group IDs in the allowed.surrogates file to control which OS users and groups can act as surrogates for mapped users.

Procedure

  1. Create a file named allowed.surrogates in the /etc/onedb directory.
    The allowed.surrogates file must be owned by root instead of onedb. The file must not have execute permissions and only the file owner can have write permission.
  2. In the allowed.surrogates file, enter the OS user names, user IDs, OS group names, group IDs, ranges of user IDs, and ranges of group IDs that you want to allow as surrogates.
    1. Enter comma-separated OS user names, user IDs, and ranges of user IDs after entering the user: label.
      users:user1,user2,105,104,300,400..500
    2. Enter comma-separated OS group names, group IDs, and ranges of group IDs after entering the group: label.
      groups:ifx_dbsa,group1,group2,root,1,10..20

    The group and user labels are case-insensitive and can be pluralized (for example, user: or USERS:). Entries are separated by commas. Ranges of user IDs and group IDs are inclusive, with the lower and upper limits separated by two periods. You must specify both a lower and an upper limit for a range. Comment lines begin with # and are ignored. Blank lines are also ignored.

    If the allowed.surrogates file is formatted incorrectly, then user mapping is disabled and an error is logged in the online log file. If a user name or group name cannot be identified, the name is logged in the online log file and otherwise ignored, and the cache is cleared.

Example

The following example of an allowed.surrogates file entry specifies user user1, user 40, users 45-50, and group 10 as acceptable surrogates.

#Surrogate IDs
USERS:user1,40,45..50
GROUP:10
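The following added Python example (not part of this documentation or of the product) parses the allowed.surrogates format described above, expanding inclusive ranges and rejecting any malformed line, and audits the ownership and mode rules from step 1; the SAMPLE text is constructed from the example entry and the audit function takes the raw values from os.stat.

```python
import re
import stat

# Labels are case-insensitive and may be pluralized ("user:" or "USERS:").
_LABELS = {"user": "users", "users": "users", "group": "groups", "groups": "groups"}
_RANGE = re.compile(r"^(\d+)\.\.(\d+)$")

# Constructed sample: the page's own example entry plus a comment and a blank line.
SAMPLE = "#Surrogate IDs\nUSERS:user1,40,45..50\n\nGROUP:10\n"


def parse_allowed_surrogates(text):
    """Return {'users': set, 'groups': set}; raise ValueError on a malformed file.

    IDs and inclusive ranges become ints, names stay strings. Raising on any
    bad line models the documented behaviour that a badly formatted file
    disables user mapping altogether rather than partially applying it.
    """
    policy = {"users": set(), "groups": set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment and blank lines are ignored
        label, sep, rest = line.partition(":")
        key = _LABELS.get(label.strip().lower())
        if not sep or key is None:
            raise ValueError(f"line {lineno}: expected a user: or group: label")
        for entry in (e.strip() for e in rest.split(",")):
            m = _RANGE.match(entry)
            if m:
                lo, hi = int(m.group(1)), int(m.group(2))
                if lo > hi:
                    raise ValueError(f"line {lineno}: bad range {entry}")
                policy[key].update(range(lo, hi + 1))  # ranges are inclusive
            elif entry.isdigit():
                policy[key].add(int(entry))
            elif not entry or ".." in entry:  # empty entry or one-sided range
                raise ValueError(f"line {lineno}: invalid entry {entry!r}")
            else:
                policy[key].add(entry)
    return policy


def audit_permissions(st_uid, st_mode):
    """List violations of the rules: owned by root, no execute, owner-only write."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("has execute permission")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems
```

To audit the real file, pass `st.st_uid` and `st.st_mode` from `st = os.stat("/etc/onedb/allowed.surrogates")`; an empty list means the file meets the ownership and mode rules.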