
Limiting host access



Hi,

You might want to check out nisNetgroup functionality.

1. add rfc2307bis to your nis.schema:

#attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
#       DESC 'Netgroup triple'
#       SYNTAX 1.3.6.1.1.1.0.0 )

# rfc2307bis
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


2. add NIS netgroups to your directory:

dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
...

3. add compat mode to nsswitch.conf:

passwd:         compat
passwd_compat:  ldap
group:          compat
group_compat:   ldap

4. add netgroup entries to /etc/passwd and /etc/shadow:

Last line of /etc/passwd:
+@myhostname:x:::::

Last line of /etc/shadow:
+@myhostname:NP:::::::


Now only local users and users listed in 
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
can log in to the machine.

For easy administration you can group together users
in netgroups and allow those as memberNisNetgroup:

dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
description: users allowed to log in to myhostname
cn: myhostname
memberNisNetgroup: rhdmin
memberNisNetgroup: mysqldba
...



Regards

Juergen Sprenger
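As an added example (not part of the original mail): a small Python resolver that expands a nisNetgroup entry, following nested memberNisNetgroup groups with cycle protection, into the set of users a "+@netgroup" compat line would admit, so the access list can be audited before the change goes live. The LDIF below is constructed sample data; matching on the user field alone by default is my reading of how the compat passwd line is evaluated (an assumption, not something the mail states), and host/domain filtering is optional.

```python
import re

# Constructed sample LDIF shaped like the mail's entries; note the cycle myhostname <-> mysqldba.
SAMPLE_LDIF = """\
dn: cn=myhostname,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: myhostname
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (otherhost,user2,)
memberNisNetgroup: mysqldba

dn: cn=mysqldba,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: mysqldba
nisNetgroupTriple: (,dba1,example.com)
memberNisNetgroup: myhostname
"""
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")  # (host,user,domain); empty field = wildcard

def parse_netgroups(ldif):
    """Return {cn: (triples, member_netgroups)} for each nisNetgroup entry."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip(), []).append(val.strip())
        if "nisNetgroup" not in attrs.get("objectClass", []):
            continue  # skip the ou container or anything else in the search result
        triples = []
        for raw in attrs.get("nisNetgroupTriple", []):
            m = TRIPLE_RE.match(raw)
            if not m:
                raise ValueError("malformed nisNetgroupTriple: %r" % raw)
            triples.append(tuple(f.strip() for f in m.groups()))
        groups[attrs["cn"][0]] = (triples, attrs.get("memberNisNetgroup", []))
    return groups

def allowed_users(groups, name, host=None, domain=None, seen=None):
    """Users netgroup `name` admits (memberNisNetgroup followed recursively).
    None for host/domain means 'do not filter on that field' (assumed compat behaviour)."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:  # cycle or unknown member: contributes nothing
        return set()
    seen.add(name)
    triples, members = groups[name]
    users = {u for h, u, d in triples if u and (host in (None, h) or not h) and (domain in (None, d) or not d)}
    for member in members:
        users |= allowed_users(groups, member, host, domain, seen)
    return users
```

Run it against an `ldapsearch -LLL -b ou=Netgroup,dc=example,dc=com` dump to see exactly which accounts the host's netgroup opens up.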