
Re: Howto setup OpenLDAP as ACL for Servers?



On Tuesday 23 June 2009 05:28:31 Olivier Nicole wrote:
> > I have many Windows 2003/Linux servers, and an OpenLDAP server as auth
> > server. I want to set up ACLs in the OpenLDAP server, so that maybe user A is allowed to
> > log in to the windows-1 server and Linux-1 server, and user B is allowed to
> > log in to the windows-2 server and Linux-2 server.
> > How do I set this up in the OpenLDAP server?
>
> The question is not how to set up LDAP, but how to set up your Windows
> and Linux servers.
>
> For example I use in nss_ldap.conf (Unix)
>
> nss_base_passwd
> ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=samba

pam_ldap also supports the 'host' and "authorizedService" attributes, if you 
would rather do per-user per-server authorization. Please see the nss_ldap 
documentation regarding the pam_check_host_attr and pam_check_service_attr 
options.

(Filtering users out at the NSS level may be a bit drastic, as file ownerships 
might not be resolved correctly, etc. Also, since PAM configuration can be 
changed per application, it is more flexible.)

> And in smb.conf (samba)

I believe Samba supports a similar means to the pam_ldap host attribute, 
namely storing the "allowed workstations". This can be modified using the "User 
manager for domains" tool from a Windows PC, and I believe this ends up 
modifying the sambaMungedDial attribute.

This will only work if you have a samba domain controller, and users log in to 
the domain. Further discussion of the samba and windows-specific aspects really 
belongs on the samba lists.

Regards,
Buchan
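The following is an added illustration, not part of the thread above and not pam_ldap's own code. It models the decision pam_ldap makes for the account check when the `pam_check_host_attr` and `pam_check_service_attr` options Buchan mentions are enabled: the user's entry must carry a `host` value matching the local hostname (or the literal `*`), and an `authorizedService` value matching the PAM service name (or `*`); an entry with no such attribute is denied. The LDIF entries, DNs and hostnames (`linux-1`, `linux-2`, `usera`, `userb`, `userc`) are constructed for the example; the `host` attribute comes from the RFC 2307 `account` object class and `authorizedService` from the `authorizedServiceObject` class in PADL's ldapns.schema.

```python
"""Model of pam_ldap's per-host / per-service account authorization.

The corresponding /etc/ldap.conf (pam_ldap) options referred to in the thread are:
    pam_check_host_attr yes
    pam_check_service_attr yes
This is an added example; it reproduces the decision rule, not pam_ldap itself.
"""

# Constructed LDIF: three users with different host/service grants (not real data).
SAMPLE_LDIF = """\
dn: uid=usera,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
objectClass: authorizedServiceObject
uid: usera
host: linux-1
authorizedService: sshd
authorizedService: login

dn: uid=userb,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
objectClass: authorizedServiceObject
uid: userb
host: linux-2
authorizedService: *

dn: uid=userc,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: userc
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by a blank line, 'attr: value'
    lines, multi-valued attributes collected into lists, keyed by uid."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["uid"][0]] = attrs
    return entries


def _attr_allows(entry, attr, wanted):
    # A missing attribute yields an empty list, so the check fails closed.
    values = entry.get(attr, [])
    return any(v == "*" or v.lower() == wanted.lower() for v in values)


def host_allowed(entry, hostname):
    """pam_check_host_attr: 'host' must list this machine's hostname or '*'."""
    return _attr_allows(entry, "host", hostname)


def service_allowed(entry, pam_service):
    """pam_check_service_attr: 'authorizedService' must list the PAM service or '*'."""
    return _attr_allows(entry, "authorizedservice", pam_service)


def pam_account_decision(entries, uid, hostname, pam_service,
                         check_host=True, check_service=True):
    """Return the outcome of the account phase for one login attempt.

    hostname is what pam_ldap obtains from the local system (gethostname);
    pam_service is the PAM service name, e.g. 'sshd' or 'login'.
    """
    entry = entries.get(uid)
    if entry is None:
        return "unknown user"
    if check_host and not host_allowed(entry, hostname):
        return "denied: host"
    if check_service and not service_allowed(entry, pam_service):
        return "denied: service"
    return "allowed"


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for uid, host, svc in [("usera", "linux-1", "sshd"), ("usera", "linux-2", "sshd"),
                           ("userb", "linux-2", "ftp"), ("userc", "linux-1", "sshd")]:
        print(uid, host, svc, "->", pam_account_decision(users, uid, host, svc))
```

Note that `userc`, who has neither attribute, is denied everywhere once the checks are switched on: the options fail closed, so every user who should keep logging in needs an explicit `host` and `authorizedService` grant (or `*`) before they are enabled. The checks run only through PAM, so NSS lookups (file ownership, `ls -l`) still resolve the user's name, which is the advantage over filtering at the `nss_base_passwd` level.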