Re: Basic ACL question...I think.
Hi, Thanks for the reply. I found that the pam ldap module does help, like using pam_groupdn to point to a group that contains (in memberuid) the people that I want to have access. The problem with that is that the nss library still sees the entries as valid uids, which I don't want. Is there a similar module config I could use for libnss?
What defines the entries is just a group that I put them into, i.e. I create a group called emailusers and create a memberuid entry in that group for each user that I want to be visible.
On Apr 16, 2010, at 12:49 PM, Andrew Findlay wrote:
> On Fri, Apr 16, 2010 at 10:50:08AM -0400, Ken Kleiner wrote:
>
>> What I'm trying to do is set up my ldap server so that when a specific host binds using a particular DN, that host only sees specific entries in the ou=People tree, so that getent, id, nss, pam, etc only recognizes those users.
>>
>> Is this possible? I'm stumped. Thanks.
>
> It is possible, but it may not be the best thing to do... If you want
> to restrict who can login on each machine then it may be better to use
> the authorisation facilities of the PAM LDAP module.
>
> In any case, what defines the set of entries to be seen / permitted on
> each host? There are several ways that you might represent the set:
> LDAP groups, new attributes etc, and each would result in
> different ACLs. I suspect that you do not want to define the set
> separately for each host, so some sort of group hierarchy might be
> appropriate.
>
> You will find a few examples here:
> http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
>
> Andrew
> --
> -----------------------------------------------------------------------
> | From Andrew Findlay, Skills 1st Ltd |
> | Consultant in large-scale systems, networks, and directory services |
> | http://www.skills-1st.co.uk/ +44 1628 782565 |
> -----------------------------------------------------------------------
Ken Kleiner
System Manager
University of Massachusetts Lowell
Computer Science Department
978 934 3645
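As an added illustration of the ACL approach discussed in this thread (not code from either poster), here is a slapd.conf fragment that hides from one host's bind DN every ou=People entry whose uid is not listed in the emailusers posixGroup, so that nss_ldap on that host no longer resolves those accounts. It assumes the suffix dc=example,dc=com, a host account cn=mailhost,ou=Hosts that the host binds as, and a group cn=emailusers,ou=Groups that lists members by memberUid, as in the question.

```conf
# Added example, not from the thread. Assumed DNs: dc=example,dc=com suffix,
# cn=mailhost,ou=Hosts (the DN nss_ldap on the host binds with) and
# cn=emailusers,ou=Groups (a posixGroup with memberUid values).

# userPassword is handled by an earlier, more specific clause so the rule
# below never exposes it: slapd applies the first matching "access to".
access to dn.children="ou=People,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The "set" who-clause intersects the group's memberUid values with the uid
# of the entry being read ("this"); a non-empty result grants read access.
# The plain "group" who-clause cannot express this, because it needs a
# DN-valued member attribute, and memberUid holds bare uids.
# Within one "access to", the first matching "by" wins, so the host gets
# "none" (entry invisible in searches) for every other People entry.
access to dn.children="ou=People,dc=example,dc=com"
    by dn.exact="cn=mailhost,ou=Hosts,dc=example,dc=com"
        set="[cn=emailusers,ou=Groups,dc=example,dc=com]/memberUid & this/uid" read
    by dn.exact="cn=mailhost,ou=Hosts,dc=example,dc=com" none
    by * read
```

Check the result without touching the running server with `slapacl -f slapd.conf -D "cn=mailhost,ou=Hosts,dc=example,dc=com" -b "uid=someone,ou=People,dc=example,dc=com" entry/read`, which should report the access as ALLOWED only for a uid listed in the group. Note that this only controls what that bind DN can see; as Andrew says, which of the visible users may actually log in is still best enforced with pam_groupdn on the host.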