[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: managing workstation access.

To: "'Jason C. Leach'" <jleach@ocis.net>, openldap-software@OpenLDAP.org
Subject: RE: managing workstation access.
From: Rob De Langhe <rob.delanghe@telindus.be>
Date: Wed, 25 Jun 2003 08:26:16 +0200

Jason,

I have successfully implemented the following setup already in a few
companies:

1) either with LDAP or with NIS (so generally: a global nameservice):
maintain groups of users that define more or less their 'role' (like
'sysadmins' containing 'usera', 'userb', ...)
In LDAP terms, this is "cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com"
with "memberUid=usera" and so on.

2) besides, maintain "netgroups" in your global nameservice, to list the
'groups' that have access for each particular machine. I named these
netgroups
cn=hosta-access,ou=netgroup,dc=your,dc=domain,dc=com
With members the groups that can login into this host
   memberNisNetgroup: sysadmins
   ...

3) then I installed on each machine the same /etc/profile script, doing the
following:
- if user is locally defined (in /etc/passwd) allow straight login.
Otherwise:
- collect the list of groups of which the login user is member, using
   ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com"
"memberUid=$LOGNAME" cn
- collect the member-groups of netgroup "`uname -n`-access"
   ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com"
"cn=`uname -n`-access" memberNisNetgroup
- loop over both lists to check if the user is in group that is member of
the netgroup "`uname -n`-access"

Advantages: nothing specific to maintain on each individual host, all is
centrally managed
Users cannot break out of login check, /etc/profile is very first one to be
executed even during "su - usera -c command" 

Good luck

Rob


-----Original Message-----
From: Jason C. Leach [mailto:jleach@ocis.net] 
Sent: Tuesday, June 24, 2003 10:04 PM
To: openldap-software@OpenLDAP.org
Subject: managing workstation access.


hi,

Does anyone have some good ideas on how to manage workstation access with
LDAP.  For example, if I add a user to the LDAP DB they get access (an
account) on all workstations A, B and C. But suppose I dont' want them to
have access to workstation C? Can I limit that some how?

Thanks,
j.

-- 
......................
..... Jason C. Leach
.. 

Current PGP/GPG Key ID: 43AD2024

Prev by Date: Re: Passwords in OpenLDAP - another question
Next by Date: RE: managing workstation access.
Index(es):
- Chronological
- Thread