
Re: Basic ACL question...I think.



On Fri, Apr 16, 2010 at 10:50:08AM -0400, Ken Kleiner wrote:

> What I'm trying to do is set up my ldap server so that when a specific host binds using a particular DN, that host only sees specific entries in the ou=People tree, so that getent, id, nss, pam, etc only recognizes those users.
> 
> Is this possible?  I'm stumped.  Thanks.

It is possible, but it may not be the best thing to do... If you want
to restrict who can login on each machine then it may be better to use
the authorisation facilities of the PAM LDAP module.

In any case, what defines the set of entries to be seen / permitted on
each host? There are several ways that you might represent the set:
LDAP groups, new attributes etc, and each would result in
different ACLs. I suspect that you do not want to define the set
separately for each host, so some sort of group hierarchy might be
appropriate.

You will find a few examples here:
	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
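As an added illustration of the attribute-based approach Andrew mentions (this is not from the thread or from the linked paper), here is a slapd.conf-style ACL set in which each host binds with its own DN and can read only those ou=People entries that carry a matching `host` value. All DNs, the ou=Hosts container, the use of the `account` object class and its `host` attribute, and the set-clause form are assumptions made for this example; adjust them to the real directory.

```conf
# Added example (not the thread's own configuration).
#
# Assumed data model:
#   cn=host1,ou=Hosts,dc=example,dc=com   objectClass: account  uid: host1  host: host1
#   uid=alice,ou=People,dc=example,dc=com objectClass: account, posixAccount  host: host1
#   uid=bob,ou=People,dc=example,dc=com   objectClass: account, posixAccount  host: host2
#
# ACLs are evaluated first-match, both across "access to" lines and across
# "by" clauses within one line, so ordering is significant.

# Hosts must be able to bind, but nobody should read password hashes.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The container itself must be readable so that a search base resolves.
access to dn.exact="ou=People,dc=example,dc=com"
        by * read

# A host bind DN sees a People entry only when the target entry ("this")
# and the bind entry ("user") share at least one 'host' value; the set
# expression is non-empty exactly in that case. Hosts that do not match
# are then denied by the ou=Hosts clause before the catch-all.
#
# Group-based variant (one group per host, referenced from the host entry
# via seeAlso) would instead use:
#        by set="user/seeAlso/member & this" read
access to dn.children="ou=People,dc=example,dc=com"
        by set="this/host & user/host" read
        by self read
        by dn.children="ou=Hosts,dc=example,dc=com" none
        by * read
```

With this in place, `getent passwd` on host1 (binding as cn=host1) returns alice but not bob, while administrators and ordinary users keep their normal view. Note that an ACL filter only controls what a host can see; it does not by itself stop a user from being accepted by a different host's PAM stack, which is why the reply points at the PAM LDAP module's authorisation features (for example, the `host` attribute check that pam_ldap can enforce on login) as the more appropriate place for "who may log in here" decisions.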