
Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour



kean.johnston@gmail.com wrote:
> Full_Name: Kean Johnston
> Version: HEAD
> OS: Linux (CentOS 5.3)
> URL: ftp://ftp.openldap.org/incoming/kean-johnston-100321.patch
> Submission from: (NULL) (196.210.34.161)
>
>
> The nssov manual page states that some of its options "duplicates the original
> pam_ldap authorization behavior". However, they don't quite. pam_ldap has the
> ability for you to use "wildcards" in a user's host: attribute. I say
> "wildcards" in quotes because the pam_ldap implementation does not actually use
> regex matching, but rather checks for two special strings, "*" and "!".
>
> The ability to use actual wildcards, especially ones you can negate, on a per
> user basis is extremely useful to an administrator of large networks. For
> example you may want all developers to have access to the machines in
> developers.mydomain.com but you want to disallow access to some of those
> machines to contractors or interns.
>
> This patch allows such behaviour, so it serves the dual purpose of actually
> implementing existing pam_ldap behaviour in case people already depend on that,
> as well as extends it to be a more generally usable feature by using actual
> regular expressions. The code is simple, and the man page change describes it
> well enough. Please consider adding this code to nssov. Thank you.
>
Authorization is the job of the ACL engine. Putting ad-hoc rules into user 
entries is, in a word, stupid. It's also unscalable and will become an
administration nightmare.

The user host attribute functionality is deprecated. I have no desire to make 
it even vaguely appear to be useful.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
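
To make the matching that Kean's report asks for concrete, here is an added example; it is not part of this thread, not pam_ldap's code, and not the code in the submitted patch. The rule semantics are assumptions chosen to fit the description above: a host: value of "*" matches every host, a value with a leading "!" is a deny rule that wins over any allow rule regardless of order, and any other value is treated as a regular expression anchored to the whole hostname. The entries for developers, interns and a legacy pam_ldap-style user are constructed for the scenario in the report (grant all of developers.mydomain.com, carve out a few machines). Howard's objection that this belongs in the ACL engine stands; the example only shows what per-entry evaluation would look like.

```python
import re

# Assumed semantics for one host: value (not verified against pam_ldap or the patch):
#   "*"         -> matches any host
#   "!pattern"  -> deny rule for hosts matching pattern
#   anything else -> a regular expression that must match the whole hostname
def _compile_rule(value):
    """Return (negated, compiled_regex) for a single host: attribute value."""
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value == "*":
        pattern = r".*"
    else:
        pattern = value
    # Hostnames are case-insensitive; match with IGNORECASE rather than
    # lowercasing the pattern, which would corrupt escapes such as \S.
    return negated, re.compile(pattern, re.IGNORECASE)


def host_allowed(host_values, hostname):
    """Decide whether hostname is permitted by a user's host: attribute values.

    Deny rules ("!...") win over allow rules no matter where they appear, so an
    administrator can grant a whole domain and then exclude individual hosts.
    A user with no matching allow rule is denied.
    """
    allowed = False
    for value in host_values:
        negated, regex = _compile_rule(value)
        # fullmatch anchors the pattern so "developers.mydomain.com" cannot
        # also match "developers.mydomain.com.evil.example".
        if regex.fullmatch(hostname):
            if negated:
                return False
            allowed = True
    return allowed


# Constructed directory entries for the scenario in the report.
DEVELOPER_HOSTS = [r"[a-z0-9-]+\.developers\.mydomain\.com"]
INTERN_HOSTS = [
    r"[a-z0-9-]+\.developers\.mydomain\.com",
    r"!(build|deploy)\.developers\.mydomain\.com",
]
# pam_ldap-style entry using only the two special strings; dots are escaped
# because every non-"*" value is interpreted as a regular expression here.
LEGACY_HOSTS = ["*", r"!oldbox\.mydomain\.com"]


if __name__ == "__main__":
    for label, rules in (("developer", DEVELOPER_HOSTS),
                         ("intern", INTERN_HOSTS),
                         ("legacy", LEGACY_HOSTS)):
        for host in ("ws01.developers.mydomain.com",
                     "build.developers.mydomain.com",
                     "oldbox.mydomain.com",
                     "build.developers.mydomain.com.evil.example"):
            print(f"{label:9s} {host:45s} {host_allowed(rules, host)}")
```

Two details matter if anyone does implement this: the pattern must be anchored (fullmatch, or ^...$), otherwise a domain-wide allow also matches attacker-chosen suffixes, and dots in literal hostnames must be escaped once values become regular expressions, or a legacy "!oldbox.mydomain.com" entry silently stops meaning what it used to.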