Specify operating system (OS) user names, user IDs, group
names, and group IDs in the allowed.surrogates file
to control which OS users and groups can act as surrogates for mapped
users.
Procedure
- Create a file named allowed.surrogates in the /etc/onedb directory.
  The allowed.surrogates file must be owned by root instead of onedb. The file must not have execute permissions, and only the file owner can have write permission.
- In the allowed.surrogates file, enter the OS user names, user IDs, OS group names, group IDs, ranges of user IDs, and ranges of group IDs that you want to allow as surrogates.
  - Enter comma-separated OS user names, user IDs, and ranges of user IDs after entering the user: label.
    users:user1,user2,105,104,300,400..500
  - Enter comma-separated OS group names, group IDs, and ranges of group IDs after entering the group: label.
    groups:ifx_dbsa,group1,group2,root,1,10..20
The group and user labels are case-insensitive, and can be
pluralized. Entries are separated by commas. Ranges of user IDs and
group IDs are inclusive, with the upper and lower ranges separated
by two periods. You must specify both an upper and lower limit for
ranges. Comment lines begin with # and are ignored. Blank lines are also ignored.
If the allowed.surrogates file
is formatted incorrectly, then user mapping is disabled and an error
is logged in the online log file. If a user name or group name cannot
be identified, the name is logged in the online log file and otherwise
ignored, and the cache is cleared.
Example
The following example of an allowed.surrogates file
entry specifies user user1, user 40, users 45-50,
and group 10 as acceptable surrogates.
#Surrogate IDs
USERS:user1,40,45..50
GROUP:10
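
A pre-deployment check for the format and permission rules described above, as an added example (it is not OneDB's own parser, and the server may accept or reject input differently). The name pattern, the tolerance for surrounding whitespace, and the rejection of reversed ranges are assumptions; SAMPLE is the example file from this page.

```python
import re
import stat

# The example file shown on this page.
SAMPLE = "#Surrogate IDs\nUSERS:user1,40,45..50\nGROUP:10\n"
# Labels are case-insensitive and may be pluralized: user/users, group/groups.
LABEL = re.compile(r"^(user|group)s?$", re.IGNORECASE)
RANGE = re.compile(r"^(\d+)\.\.(\d+)$")   # both limits are required
NAME = re.compile(r"^[A-Za-z_][\w.-]*$")  # assumption: typical OS name syntax


def parse_surrogates(text):
    """Return ({'user': [...], 'group': [...]}, errors) for file content."""
    allowed, errors = {"user": [], "group": []}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()   # assumption: surrounding whitespace is tolerated
        if not line or line.startswith("#"):   # blank and comment lines
            continue
        label, sep, body = line.partition(":")
        m = LABEL.match(label.strip())
        if not sep or not m:
            errors.append(f"line {lineno}: missing user:/group: label")
            continue
        kind = m.group(1).lower()
        for entry in (e.strip() for e in body.split(",")):
            r = RANGE.match(entry)
            if r and int(r.group(1)) <= int(r.group(2)):
                allowed[kind].append((int(r.group(1)), int(r.group(2))))
            elif r:   # assumption: a reversed range is treated as an error
                errors.append(f"line {lineno}: reversed range {entry}")
            elif entry.isdecimal():
                allowed[kind].append((int(entry), int(entry)))
            elif NAME.match(entry):
                allowed[kind].append(entry)
            else:
                errors.append(f"line {lineno}: bad entry {entry!r}")
    return allowed, errors


def check_file_mode(st_mode, st_uid):
    """Apply the page's ownership and permission rules to os.stat() values."""
    problems = []
    if st_uid != 0:
        problems.append("owner is not root")
    if st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("execute permission is set")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems
```

Run both checks against a staged copy before installing it, since a formatting error in the live file disables user mapping.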