Looking for a function of AIX in RHEL - user limits and ldap


Bear with me.  I'm a Red Hat Engineer, not an AIX person.  My current environment is a mix of AIX and RHEL (about 500 AIX and 200 RHEL).  I'm in the process of integrating our RHEL environment into our AD for authentication and authorization.  I've got most everything figured out.  Except for this.

Through some form of wizardry the AIX environment reads LDAP attributes for nofile, nproc and other ulimit settings and sets them for the user.  (Documented here: http://www.ibm.com/developerworks/aix/library/au-aixldap/)

As far as I've ever seen, Linux users' limits are set via the /etc/security/limits.conf or /etc/security/limits.d/*.conf files.   I have never seen another way (short of setting it manually via profiles)

Anyone else ever seen this implemented before?  Is there a linux version of what the AIX environment does here?

Thanks in advance... long-time user, first time poster...

Will

Responses

Does Active Directory have the schema to hold any ulimit directives at all? If not, you will need to modify the schema to actually contain these values. The issue of Linux picking them up could be solved with some scripting, or ideally with a configuration management tool.

Well, in this case, yes: the attributes are stored in the DN for the user(s). So the data is there. I'm just not sure how to make the OS respect it.

Short of writing code to query the LDAP infrastructure at login and set it.

...or query once and have limits.d/ synced. Tools like Satellite and Puppet can maintain files across machines for you.

I already use Satellite extensively for configuration management and it's easy enough for me to manage limits.conf (or limits.d/*.conf) with Satellite. The issue here is the AIX mentality of managing things the IBM way vs the RHEL way.

Just making sure that I'm not overlooking anything.

I suppose equivalence would be writing a PAM Module.

Probably a couple options:

  • You could see if anyone's published extensions to the pam_limits module - given IBM's involvement in Linux (and that they probably used a marginally-similar method for their AIX implementation), you might check with your IBM reps for pointers
  • You could write a "scraper" to pull the requisite data from your directory service and periodically dump it to local files (I had to do this to get AD-integrated NBAC working on RedHat due to some serious brain-damage in the way Symantec wrote the NBAC subsystem).

The first would be the "best" approach. The latter is very hackish and creates a NIS-like configuration-management scenario (only plus side being that your LDAP connections are encrypted and, conceivably, so could any necessary cached copies of the data).
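A worked version of the second option, the "scraper", added here as an example; it is not code from anyone in this thread. It parses an LDIF export (a constructed sample is embedded so it runs offline; in practice the text would come from `ldapsearch` over LDAPS) and renders the per-user values as a `pam_limits` drop-in for `/etc/security/limits.d/`. The directory attribute names (`nofiles`, `nproc`, `fsize`, ...), the convention that `<attr>_hard` holds the hard limit and `-1` means unlimited, and the output file name are all assumptions; adjust `ATTR_MAP` to whatever the AIX-style schema in your directory actually uses.

```python
"""Render per-user ulimit attributes from LDAP as a pam_limits drop-in.

Example code, not from the thread. Attribute names, the <attr>_hard
convention and the output path are assumptions.
"""
import os
import re

# Constructed sample LDIF standing in for `ldapsearch -LLL ...` output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
nofiles: 4096
nofiles_hard: 8192
nproc: 512
fsize: -1

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
nofiles: 1024
nproc: 200
nproc_hard: 300
cpu: 3600

dn: cn=admins,ou=Groups,dc=example,dc=com
cn: admins
"""

# Assumed LDAP attribute name -> pam_limits item name.
ATTR_MAP = {
    "nofiles": "nofile",
    "nproc": "nproc",
    "fsize": "fsize",
    "cpu": "cpu",
    "core": "core",
    "data": "data",
    "stack": "stack",
    "rss": "rss",
}

# Only plain account names are written out. Anything else (whitespace, '*',
# '@group', '%group', '-') could change how pam_limits reads the line.
USER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]} per entry.

    Handles folded lines (leading space) and comments; base64 values ('::')
    are skipped because the numeric attributes we want never use them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value, ignore
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def limits_for_entry(entry):
    """One entry -> list of (user, soft|hard, item, value) tuples.

    Assumed convention: <attr> is the soft limit, <attr>_hard the hard limit,
    and -1 means unlimited (which pam_limits spells 'unlimited').
    Entries without a valid uid, and non-numeric values, are dropped rather
    than written into a file that PAM will trust.
    """
    uid = entry.get("uid", [None])[0]
    if not uid or not USER_RE.match(uid):
        return []
    rows = []
    for attr, item in ATTR_MAP.items():
        for suffix, ltype in (("", "soft"), ("_hard", "hard")):
            values = entry.get(attr + suffix)
            if not values:
                continue
            value = values[0]
            if value == "-1":
                value = "unlimited"
            elif not value.isdigit():
                continue                  # refuse anything that is not a number
            rows.append((uid, ltype, item, value))
    return rows


def collect_limits(entries):
    return [row for entry in entries for row in limits_for_entry(entry)]


def render_limits(entries):
    """Text of the limits.d fragment: '<domain> <type> <item> <value>' lines."""
    out = ["# Generated from LDAP by the scraper; do not edit by hand"]
    out += ["%s\t%s\t%s\t%s" % row for row in collect_limits(entries)]
    return "\n".join(out) + "\n"


def write_atomically(path, content):
    """Write via a temp file and rename so PAM never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(content)
        fh.flush()
        os.fsync(fh.fileno())
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Assumed target path; run from cron after fetching the LDIF over LDAPS.
    print(render_limits(parse_ldif(SAMPLE_LDIF)), end="")
```

Two things worth keeping in mind if this runs from cron: a soft limit cannot exceed the hard limit, so when the directory only carries a soft value make sure the hard limit it lands under is sane (or emit the hard line too), and `pam_limits` stops at the first matching line for a given item, so order the generated fragment after any site-wide defaults in `limits.d/` and keep the rest of the directory read-only to the scraper.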


I've been lucky so far to be able to create a "pure" Red Hat environment. So I'm a bit hesitant to go with something that isn't supported by Red Hat. I'm fine with managing it via Satellite, but I just wanted to make sure there wasn't some mystical Linux way I hadn't seen yet.

Thanks for the advice. If I get in a pinch maybe a custom PAM module will be the way to go.