IBM Verify

  • 1.  cn=SecurityGroup,secAuthority=default

    Posted Tue September 25, 2018 12:23 PM

    Hi

    This is not a typical question that we worry too much about in our day-to-day ISAM work life .... but TODAY I did notice this for the first time.

    Why, in the base group container "cn=SecurityGroup,secAuthority=default", is the directory suffix listed as a member "secAuthority=Default"? What does it do for ISAM, is it just a decorative feature?

    I know I should probably treat this as ISAM "internal" (and I have no plan on making changes directly to this internal ISAM group), but I feel there is room for me to ramp up my skill in that area.

    dn: cn=SecurityGroup,secAuthority=default
    objectclass: groupOfNames
    objectclass: top
    cn: SecurityGroup
    member: secAuthority=Default
    member: cn=SecurityMaster,secAuthority=default
    member: cn=ivmgrd/master,cn=SecurityDaemons,secAuthority=Default
    description: DO NOT MODIFY: Access Manager identity

    Some investigation/observation:

    I found this definition: https://ldapwiki.com/wiki/GroupOfNames. Does it mean that "secAuthority=Default" is made a member there just to prevent the groupOfNames object from being empty at creation time (original ISAM installation and registry initialization)? I created a copy (cn=SecurityGroupTest,secAuthority=default), tried to remove all members, and yes, it does not allow you (Object Class Violation). So it would appear that "secAuthority=Default" is made a member of the group just to prevent an object class violation during initialisation.

    In conclusion:

    Does the LDAP suffix entry influence/impact any group resolution from thereon in any way useful for ISAM? (I repeat, I do not intend to remove/modify it.)

    (-;

    Thanks

    Sylvain Gilbert



  • 2.  RE: cn=SecurityGroup,secAuthority=default

    Posted Wed September 26, 2018 04:00 AM
    Sylvain,

    You are exactly right: the secAuthority=Default DN is added to the member attribute of ALL groups created by Access Manager in order to meet the schema requirement that the groupOfNames objectclass always have a member attribute defined.

    If you look at other products that work with groupOfNames objectclass you will find that they do similar things (cn=dummy or similar).

    The reason that secAuthority=Default was chosen as the default group member is that this object is (almost always) defined in an Access Manager system, so it therefore cannot be created as a user and therefore cannot be misused to get access to groups.

    I'm 99% sure this group member has no functional use (other than described).

    If you really wanted to you COULD manually remove the secAuthority=Default DN from member attribute once a real user has been added - but then you'd find that you wouldn't be able to remove the last member from the group later on.  Best to leave it there.

    It was a good question.  I hope this confirms things for you :)

    Cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
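As an added example (not from the thread and not IBM or ISAM code), the following Python models the two points above: a groupOfNames entry must always carry a member attribute, so the directory server refuses the modification that would remove the last member (the Object Class Violation Sylvain saw on his test copy), and once a real user exists the placeholder can be dropped but the last real member then cannot. It also shows the practical defender-side use of knowing about the placeholder: when reviewing group membership in the ISAM registry, filter the suffix DN out so it is not mistaken for a real principal. The LDIF is constructed to mirror the entry posted in the question, `PLACEHOLDER_DN` is an assumed constant, and `normalize_dn` is a deliberately simplified DN comparison, not a full RFC 4514 matcher.

```python
"""Constructed model of the groupOfNames MUST-member rule and an ISAM group audit helper.

Not from the thread or from IBM; the LDIF below is constructed to mirror the posted entry.
"""
from dataclasses import dataclass, field

# Constructed sample: the group from the question plus a freshly created group that,
# as Jon describes, holds only the placeholder suffix DN as its member.
SAMPLE_LDIF = """\
dn: cn=SecurityGroup,secAuthority=default
objectclass: groupOfNames
objectclass: top
cn: SecurityGroup
member: secAuthority=Default
member: cn=SecurityMaster,secAuthority=default
member: cn=ivmgrd/master,cn=SecurityDaemons,secAuthority=Default
description: DO NOT MODIFY: Access Manager identity

dn: cn=NewGroup,secAuthority=default
objectclass: groupOfNames
objectclass: top
cn: NewGroup
member: secAuthority=Default
"""

# Assumed constant: the registry suffix DN Access Manager adds to every group it creates.
PLACEHOLDER_DN = "secAuthority=Default"


class ObjectClassViolation(Exception):
    """Raised when an entry would no longer satisfy a MUST attribute of its object class."""


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lowercase attribute name -> list of values


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison key: case-insensitive, whitespace around RDN separators ignored."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> list:
    """Parse a minimal attribute-only LDIF (no base64, no line folding) into Entry objects."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = Entry(dn=value)
        elif current is not None:
            current.attrs.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def validate_group_of_names(entry: Entry) -> bool:
    """Enforce the groupOfNames schema MUST list (cn and member), as the server would."""
    classes = {c.lower() for c in entry.attrs.get("objectclass", [])}
    if "groupofnames" in classes:
        for must in ("cn", "member"):
            if not entry.attrs.get(must):
                raise ObjectClassViolation(f"{entry.dn}: groupOfNames requires '{must}'")
    return True


def remove_member(entry: Entry, member_dn: str) -> list:
    """Remove member_dn, refusing (like the directory) if that would empty 'member'."""
    members = entry.attrs.get("member", [])
    remaining = [m for m in members if normalize_dn(m) != normalize_dn(member_dn)]
    if len(remaining) == len(members):
        raise KeyError(f"{member_dn} is not a member of {entry.dn}")
    # Validate the would-be entry before committing the change.
    validate_group_of_names(Entry(entry.dn, {**entry.attrs, "member": remaining}))
    entry.attrs["member"] = remaining
    return remaining


def try_remove_member(entry: Entry, member_dn: str) -> bool:
    """Attempt the removal; True if the directory would accept it, False on schema violation."""
    try:
        remove_member(entry, member_dn)
    except ObjectClassViolation:
        return False
    return True


def real_members(entry: Entry, placeholder: str = PLACEHOLDER_DN) -> list:
    """Members worth reviewing in an access review: everything except the placeholder DN."""
    return [m for m in entry.attrs.get("member", []) if normalize_dn(m) != normalize_dn(placeholder)]


def scenario(ldif: str = SAMPLE_LDIF) -> dict:
    """Replay the sequence discussed in the thread; dict insertion order is evaluation order."""
    sec, new = parse_ldif(ldif)
    return {
        "new_group_drop_placeholder": try_remove_member(new, PLACEHOLDER_DN),  # last member
        "sec_group_drop_placeholder": try_remove_member(sec, PLACEHOLDER_DN),  # real users exist
        "sec_group_drop_master": try_remove_member(sec, "cn=SecurityMaster,secAuthority=default"),
        "sec_group_drop_last": try_remove_member(
            sec, "cn=ivmgrd/master,cn=SecurityDaemons,secAuthority=Default"),  # now the last one
    }


if __name__ == "__main__":
    for group in parse_ldif(SAMPLE_LDIF):
        print(group.dn, "->", real_members(group) or "(placeholder only)")
    print(scenario())
```

Run stand-alone it lists each group's real members (the new group reports "placeholder only") and prints the removal outcomes: dropping the placeholder from the freshly created group fails, dropping it from the populated group succeeds, and the last real member then becomes irremovable, which is why Jon's advice is to leave the placeholder in place.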