Looking for a function of AIX in RHEL - user limits and ldap
Bear with me. I'm a Red Hat Engineer, not an AIX person. My current environment is a mix of AIX and RHEL (about 500 AIX and 200 RHEL). I'm in the process of integrating our RHEL environment into our AD for authentication and authorization. I've got most everything figured out. Except for this.
Through some form of wizardry the AIX environment reads LDAP attributes for nofile, nproc and other ulimit settings and sets them for the user. (Documented here http://www.ibm.com/developerworks/aix/library/au-aixldap/)
As far as I've ever seen, Linux users' limits are set via the /etc/security/limits.conf or /etc/security/limits.d/*.conf files. I have never seen another way (short of setting it manually via profiles)
Anyone else ever seen this implemented before? Is there a linux version of what the AIX environment does here?
Thanks in advance... long-time user, first time poster...
Will
Responses
Does Active Directory have the schema to hold any ulimit directives at all? If not, you will need to modify to schema to actually contain these values. The issue of Linux picking them up could be solved with some scripting, or ideally with a configuration management tool.
...or query once and have limits.d/ synced. Tools like Satellite and Puppet can maintain files across machines for you.
Probably a couple options:
- You could see if anyone's published extensions to the pam_limits module - given IBM's involvement in Linux (and that they probably used a marginally-similar method for their AIX implementation), you might check with your IBM reps for pointers
- You could write a "scraper" to pull the requisite data from your directory service and periodically dump it to local files (I had to do this to get AD-integrated NBAC working on RedHat due to some serious brain-damage in the way Symantec wrote the NBAC subsystem).
The first would be the "best" approach. The latter is very hackish and creates a NIS-like configuration-management scenario (only plus side being that your LDAP connections are encrypted and, conceivably, so could any necessary cached copies of the data).
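A minimal sketch of the "scraper" approach described above, added here as an example and not code from the thread, Red Hat or IBM: it reads a directory dump (a constructed sample, with assumed attribute names since the real AIX/AD limit attributes are not on the page) and renders limits.d lines, refusing any uid or value that is not a plain user name or number so directory content cannot smuggle a wildcard domain or extra fields into a root-owned security file.

```python
import re
from typing import Dict, List

# Constructed sample standing in for an ldapsearch dump (dn lines omitted); the
# limit attribute names are assumed for this example, not the real AIX/AD schema.
# The last two entries carry data that must never reach limits.d.
SAMPLE_LDIF = """\
uid: alice
nofilesSoft: 4096
nofilesHard: 65536
nprocSoft: 2048

uid: bob
nofilesHard: unlimited

uid: mallory
nofilesHard: 1024 hard nofile 999999

uid: *
nprocHard: 1
"""

# assumed directory attribute -> (limits.conf type, item)
LIMIT_ATTRS = {"nofilesSoft": ("soft", "nofile"), "nofilesHard": ("hard", "nofile"),
               "nprocSoft": ("soft", "nproc"), "nprocHard": ("hard", "nproc")}
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # a plain POSIX user name only
VALUE_RE = re.compile(r"^(unlimited|[0-9]{1,9})$")  # a plain number or 'unlimited'

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: 'attr: value' lines, a blank line ends an entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines() if ": " in line)
        entries.append({attr: value.strip() for attr, _, value in pairs})
    return entries

def render_limits(entries: List[Dict[str, str]]) -> List[str]:
    """Emit limits.conf lines, dropping any uid or value that is not a plain name
    or number, so directory data cannot inject a wildcard or extra fields."""
    lines = []
    for entry in entries:
        uid = entry.get("uid", "")
        if not USER_RE.match(uid):
            continue  # '*', '@group' or junk: never trust it as a limits domain
        for attr, (kind, item) in LIMIT_ATTRS.items():
            value = entry.get(attr)
            if value is not None and VALUE_RE.match(value):
                lines.append(f"{uid}\t{kind}\t{item}\t{value}")
    return lines
```

On a real host the dump would come from ldapsearch over an encrypted connection and the lines would be written atomically to a root-owned file under /etc/security/limits.d/, bearing in mind that pam_limits lets later matching lines override earlier ones.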
