
Re: "Restrict user access to certain hosts"



>>>>> "Roman" == Roman Lazarenko <lazarenk@pirmabanka.lv> writes:

    Roman> How can I restrict user access to database servers, in
    Roman> other words, how can I point out on the LDAP server that, for
    Roman> example, the user with dn "uid=test,ou=..,o=..,c=.." can log in
    Roman> on server one.example.lv, but can't log in on
    Roman> two.example.lv. Which LDAP attributes must I turn on?

I'm using the trustAccount objectclass, with the proper 'pam_filter'
entry in my /etc/pam_ldap.conf file...

----- s n i p -----
# this file goes into /etc/openldap/schema or into your schema directory for your LDAP v3 server
# make sure you have it, otherwise, Directory administrator will complain when changing user accounts
# unless you don't do schema checking

attributetype ( 5.3.6.1.1.1.1.0 NAME 'trustModel'
	DESC 'Access scheme'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 5.3.6.1.1.1.1.1 NAME 'accessTo'
	DESC 'Access to which servers user is allowed'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 5.3.6.1.1.1.2.0 NAME 'trustAccount' SUP top AUXILIARY
	DESC 'Sets trust accounts information'
	MUST ( trustModel )
	MAY ( accessTo ) )
----- s n i p -----

----- s n i p -----
[papadoc.pts/6]$ grep ^pam_filter /etc/pam_ldap.conf
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=papadoc.bayour.com)
----- s n i p -----

----- s n i p -----
[papadoc.pts/6]$ ldapsearch uid=turbo trustmodel accessto -LLL
dn: uid=turbo,ou=People,dc=papadoc,dc=bayour,dc=com
trustModel: byserver
accessTo: papadoc.bayour.com
----- s n i p -----
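To make the three snips above concrete, here is an added example (not code from the post or from pam_ldap) that shows why the pam_filter line has unbalanced parentheses and which logins each host ends up accepting. It assumes that pam_ldap composes its search filter as "(&(<pam_filter>)(uid=<login>))", so the stray ")(" in the pam_filter value closes the objectclass term and re-opens inside that template; the directory entries other than turbo are constructed for contrast, and the tiny filter evaluator handles only &, |, ! and plain equality (no escapes or substrings).

```python
"""Evaluate the host-restriction pam_filter from the post against sample entries.

Assumption (not from the post): pam_ldap builds its search filter as
"(&(<pam_filter>)(<userattr>=<login>))".  The unbalanced parentheses in the
pam_filter value are deliberate: inside that template they yield a balanced
filter that ANDs objectclass, the trustmodel/accessto alternative and uid.
"""
from typing import Dict, List, Tuple

# pam_filter value copied from the post's /etc/pam_ldap.conf on papadoc
PAM_FILTER = "objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=papadoc.bayour.com)"

# Constructed sample directory.  'turbo' mirrors the ldapsearch output in the
# post; 'alice' and 'bob' are made up.  Attribute names are stored lower-cased
# because LDAP attribute names are case-insensitive.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"uid": ["turbo"], "objectclass": ["posixAccount", "trustAccount"],
     "trustmodel": ["byserver"], "accessto": ["papadoc.bayour.com"]},
    {"uid": ["alice"], "objectclass": ["posixAccount", "trustAccount"],
     "trustmodel": ["fullaccess"]},
    {"uid": ["bob"], "objectclass": ["posixAccount", "trustAccount"],
     "trustmodel": ["byserver"], "accessto": ["two.example.lv"]},
]


def compose_filter(pam_filter: str, login: str, userattr: str = "uid") -> str:
    """Wrap pam_filter the way pam_ldap is assumed to (see module docstring)."""
    return f"(&({pam_filter})({userattr}={login}))"


def host_filter(host: str) -> str:
    """Same shape as the post's pam_filter, for another host's /etc/pam_ldap.conf."""
    return f"objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto={host})"


def parse_filter(s: str, i: int = 0) -> Tuple[object, int]:
    """Minimal RFC 4515 parser for &, |, ! and equality; returns (tree, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i} in {s!r}")
        return (op, children), i + 1
    end = s.index(")", i)            # raises ValueError if the term never closes
    attr, _, value = s[i:end].partition("=")
    # caseIgnoreIA5Match in the schema makes the comparison case-insensitive
    return ("=", attr.lower(), value.lower()), end + 1


def matches(tree, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter tree against one directory entry."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    return value in (v.lower() for v in entry.get(attr, []))


def login_allowed(login: str, pam_filter: str = PAM_FILTER,
                  directory: List[Dict[str, List[str]]] = DIRECTORY) -> bool:
    """True if the composed filter selects an entry for this login, i.e. pam_ldap
    would find the account on the host whose pam_filter is given."""
    full = compose_filter(pam_filter, login)
    tree, end = parse_filter(full)
    if end != len(full):
        raise ValueError("trailing text after filter: " + full[end:])
    return any(matches(tree, e) for e in directory)


if __name__ == "__main__":
    print("composed on papadoc:", compose_filter(PAM_FILTER, "turbo"))
    for host in ("papadoc.bayour.com", "two.example.lv"):
        for user in ("turbo", "alice", "bob"):
            print(f"{user:6} on {host:20}", login_allowed(user, host_filter(host)))
```

Running it shows turbo accepted only on papadoc.bayour.com (trustModel byserver plus a matching accessTo), alice accepted everywhere (trustModel fullaccess), and bob accepted only on two.example.lv. The check worth keeping in mind is the `end != len(full)` test: if the pam_filter value is edited and the parentheses no longer balance inside pam_ldap's template, the filter the server sees is malformed and nobody can log in.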

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden