
RE: managing workstation access.



Or one could go the whole way and implement the user
groupings [at (1) below] as netgroups, enabling the check
in /etc/profile to be made by one call to innetgr.
On some OSes the controls can be enforced by making
appropriate entries in the /etc/passwd and /etc/shadow
files, which gives tighter control than using /etc/profile,
which is downstream in the login process.

steve.smith@commerzbankib.com

Rob De Langhe wrote...
> 
> Jason,
> 
> I have successfully implemented the following setup already in a few
> companies:
> 
> 1) either with LDAP or with NIS (so generally: a global nameservice):
> maintain groups of users that define more or less their 'role' (like
> 'sysadmins' containing 'usera', 'userb', ...)
> In LDAP terms, this is
> "cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com"
> with "memberUid=usera" and so on.
> 
> 2) besides, maintain "netgroups" in your global nameservice, to list the
> 'groups' that have access for each particular machine. I named these
> netgroups
> cn=hosta-access,ou=netgroup,dc=your,dc=domain,dc=com
> with as members the groups that can log in to this host:
>    memberNisNetgroup: sysadmins
>    ...
> 
> 3) then I installed on each machine the same /etc/profile script, doing
> the following:
> - if the user is locally defined (in /etc/passwd), allow straight login.
> Otherwise:
> - collect the list of groups of which the login user is a member, using
>    ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com" "memberUid=$LOGNAME" cn
> - collect the member groups of the netgroup "`uname -n`-access":
>    ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com" "cn=`uname -n`-access" memberNisNetgroup
> - loop over both lists to check if the user is in a group that is a
> member of the netgroup "`uname -n`-access"
> 
> Advantages: nothing specific to maintain on each individual host, all is
> centrally managed.
> Users cannot break out of the login check; /etc/profile is the very first
> one to be executed, even during "su - usera -c command".
> 
> Good luck
> 
> Rob
> 
> 

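The three-step /etc/profile check described in the quoted post, written out as an added example (this is not Rob's script and not Steve's). The two ldapsearch commands are the ones from the post and are kept in comments; so that the script runs offline they are replaced by functions returning constructed LDIF output. The DNs, the users usera/userb, the group sysadmins and the host hosta come from the post; the group "developers", the host "hostb" and the local passwd file used for testing are constructed for illustration.

```shell
#!/bin/sh
# Added example of the access check from the post, runnable offline.
# LDAP lookups are stubbed with constructed LDIF; see the comments
# for the real ldapsearch calls they stand in for.

# Print the values of one LDIF attribute ($1), one per line, from stdin.
ldif_values() {
    sed -n "s/^$1: //p"
}

# Step 1 (stub): groups the user is a member of. Real call from the post:
#   ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com" \
#       "memberUid=$1" cn
# usera/sysadmins are from the post; userb's membership and the
# "developers" group are constructed sample data.
groups_of_user() {
    case "$1" in
        usera)
            printf 'dn: cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com\ncn: sysadmins\n\n'
            printf 'dn: cn=developers,ou=groups,dc=your,dc=domain,dc=com\ncn: developers\n' ;;
        userb)
            printf 'dn: cn=developers,ou=groups,dc=your,dc=domain,dc=com\ncn: developers\n' ;;
    esac | ldif_values cn
}

# Step 2 (stub): groups that are members of the "<host>-access" netgroup.
# Real call from the post:
#   ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com" \
#       "cn=$1-access" memberNisNetgroup
# hosta-access is from the post; hostb-access is constructed.
netgroup_members() {
    case "$1" in
        hosta)
            printf 'dn: cn=hosta-access,ou=netgroup,dc=your,dc=domain,dc=com\n'
            printf 'memberNisNetgroup: sysadmins\n' ;;
        hostb)
            printf 'dn: cn=hostb-access,ou=netgroup,dc=your,dc=domain,dc=com\n'
            printf 'memberNisNetgroup: sysadmins\nmemberNisNetgroup: developers\n' ;;
    esac | ldif_values memberNisNetgroup
}

# Step 3a: a user defined in the local passwd file is let straight in.
# $2 is the passwd file to consult (defaults to /etc/passwd; the tests
# pass a constructed one).
is_local_user() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# Step 3b: otherwise allow only if one of the user's groups is a member
# of the host's "<host>-access" netgroup. Returns 0 (allow) or 1 (deny).
access_allowed() {
    user=$1
    host=$2
    passwd=${3:-/etc/passwd}
    is_local_user "$user" "$passwd" && return 0
    for g in $(groups_of_user "$user"); do
        for m in $(netgroup_members "$host"); do
            [ "$g" = "$m" ] && return 0
        done
    done
    return 1
}

# Hook as used from /etc/profile (values come from the login environment):
#   access_allowed "$LOGNAME" "$(uname -n)" || {
#       echo "no access for $LOGNAME on $(uname -n)"; exit 1; }
```

With the user groupings themselves stored as netgroups, as Steve suggests, the double loop collapses into a single innetgr(3) call (netgroup, host, user, domain) from a small C helper, since no standard shell utility exposes innetgr. A practitioner would also note that /etc/profile is read only by login shells; a non-interactive `ssh host command` or sftp session runs the user's shell without it, which is the point of Steve's remark that controls in /etc/passwd and /etc/shadow sit earlier in the login path.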
