Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour
- From: hyc@symas.com
- Date: Mon, 22 Mar 2010 06:29:09 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
kean.johnston@gmail.com wrote:
> Full_Name: Kean Johnston
> Version: HEAD
> OS: Linux (CentOS 5.3)
> URL: ftp://ftp.openldap.org/incoming/kean-johnston-100321.patch
> Submission from: (NULL) (196.210.34.161)
>
>
> The nssov manual page states that some of its options "duplicates the original
> pam_ldap authorization behavior". However, they don't quite. pam_ldap has the
> ability for you to use "wildcards" in a user's host: attribute. I say
> "wildcards" in quotes because the pam_ldap implementation does not actually use
> regex matching, but rather checks for two special strings, "*" and "!".
>
> The ability to use actual wildcards, especially ones you can negate, on a per
> user basis is extremely useful to an administrator of large networks. For
> example you may want all developers to have access to the machines in
> developers.mydomain.com but you want to disallow access to some of those
> machines to contractors or interns.
>
> This patch allows such behaviour, so it serves the dual purpose of actually
> implementing existing pam_ldap behaviour in case people already depend on that,
> as well as extends it to be a more generally usable feature by using actual
> regular expressions. The code is simple, and the man page change describes it
> well enough. Please consider adding this code to nssov. Thank you.
>
Authorization is the job of the ACL engine. Putting ad-hoc rules into user
entries is, in a word, stupid. It's also unscalable and will become an
administration nightmare.
The user host attribute functionality is deprecated. I have no desire to make
it even vaguely appear to be useful.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
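The exchange above describes two behaviours without showing either: pam_ldap's check of the host: attribute for the special strings "*" and "!", and the submitted patch's extension of that check to real regular expressions. The following is an added illustration of such a check, written here for this page; it is not the submitted patch, nor code from nssov or pam_ldap, and the patch itself is only available at the URL quoted above. The semantics are assumptions for the example: "*" matches every host, a leading "!" negates the rest of the value and a negated match denies regardless of other values, an exact hostname matches literally, and any other value is tried as a POSIX extended regex anchored to the whole hostname. The function and variable names (host_attr_check, host_value_matches, the sample entries and hostnames) are invented for the example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define HOST_DENY  0
#define HOST_ALLOW 1

/* Does one (un-negated) host value match the local hostname?
 * Assumed rules, for illustration only:
 *   "*"              matches every host
 *   exact hostname   matches literally
 *   anything else    is compiled as a POSIX extended regex, case-insensitive
 *                    and anchored to the whole hostname; a value that does not
 *                    compile matches nothing
 * Caveat: a hostname that is not an exact match is still tried as a regex, so
 * its dots match any character; production code would escape literals or
 * require an explicit regex marker. */
static int host_value_matches(const char *value, const char *hostname)
{
    char pattern[512];
    regex_t re;
    int matched;

    if (strcmp(value, "*") == 0)
        return 1;
    if (strcmp(value, hostname) == 0)
        return 1;
    if (snprintf(pattern, sizeof pattern, "^%s$", value) >= (int)sizeof pattern)
        return 0;                       /* overlong value: treat as no match */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0)
        return 0;                       /* malformed regex: treat as no match */
    matched = (regexec(&re, hostname, 0, NULL, 0) == 0);
    regfree(&re);
    return matched;
}

/* Evaluate all host values of a user entry against the local hostname.
 * A value starting with "!" is a negation: if the remainder matches, the user
 * is denied on this host regardless of other values (deny wins). Otherwise the
 * user is allowed if any positive value matches, and denied when the entry has
 * no host values at all (an assumption; the page does not state a default). */
int host_attr_check(const char *const *values, size_t nvalues, const char *hostname)
{
    int allowed = 0;
    size_t i;

    for (i = 0; i < nvalues; i++) {
        const char *v = values[i];
        if (v[0] == '!') {
            if (host_value_matches(v + 1, hostname))
                return HOST_DENY;
        } else if (host_value_matches(v, hostname)) {
            allowed = 1;
        }
    }
    return allowed ? HOST_ALLOW : HOST_DENY;
}

int main(void)
{
    /* Constructed sample entries, modelled on the developers/contractors case
     * in the report: developers get every host under developers.mydomain.com,
     * contractors get the same set minus one explicitly denied machine. */
    const char *developer[] = { "[a-z0-9]+\\.developers\\.mydomain\\.com" };
    const char *contractor[] = { "[a-z0-9]+\\.developers\\.mydomain\\.com",
                                 "!build1.developers.mydomain.com" };
    const char *hosts[] = { "dev3.developers.mydomain.com",
                            "build1.developers.mydomain.com",
                            "db.prod.mydomain.com" };
    size_t h;

    for (h = 0; h < sizeof hosts / sizeof hosts[0]; h++)
        printf("%-32s developer=%d contractor=%d\n", hosts[h],
               host_attr_check(developer, 1, hosts[h]),
               host_attr_check(contractor, 2, hosts[h]));
    return 0;
}
```

Deny-wins ordering, the anchored match and the case-insensitive regex are choices made for this example; the page does not describe how pam_ldap itself treats "!" or what the patch's man page change specifies, so check the actual patch before relying on any of them.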