
Re: Starting out with NSS overlay - Guidance required



ptw wrote:
Hi gang!

I'm looking for some guidance in what is most probably a very common
objective.  Which is to manage all authentication to network hosts
from slapd.  To begin, my goal is to have:

1. one machine (generically-configured LDAP client) running sshd
(10.153.107.100)
2. multiple LDAP users
3. specify, from slapd, that only one user (tony) can log in over ssh
to the machine

Surprisingly, I have not found much documentation on this stuff beyond
the slapo-nssov man page.

The man page contains everything you need to know. You just need to pay attention to the details.

These are the entries I have so far:

for slapd-config:

# NSSOV
dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: nssov
olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: group ldap:///ou=People,dc=example,dc=com??one

ou=People is obviously wrong there.

olcNssSsd: hosts ldap:///ou=People,dc=example,dc=com??one

ou=People is obviously wrong there too.

olcNssPam: hostservice uid2dn
olcNssPamSession: sshd

# ACL
dn: olcDatabase={1}hdb,cn=config
olcAccess: to attrs=userPassword by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * none
olcAccess: to * by self write by * read

olcAccess: to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com
attrs=authorizedservice
by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare
  by * read

This ACL will never be seen/used since it comes after access "to *".

==================

The sshd host, user & group entries from my regular hdb-based DIT:

# NSSOV HOST and USER
dn: cn=host1.example.com,ou=Hosts,dc=example,dc=com
objectClass: device
objectClass: top
objectClass: ipHost
objectClass: authorizedServiceObject
cn: host1.example.com
ipHostNumber: 10.153.107.100
authorizedService: sshd

dn: cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ssh-host1-server_access
gidNumber: 6000

dn: uid=tony,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tony
cn: Tony Doe
uidNumber: 11000
gidNumber: 6000
userPassword: tonyldap
loginShell: /bin/bash
homeDirectory: /home/tony

===================

Anyone?

Thanks in advance,

Peter




--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
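
For readers following the three points raised in the reply, here is an added example (mine, not config from either poster) of the same two fragments with those fixes applied: the group and hosts nssov search bases pointed at the ou=Groups and ou=Hosts subtrees the posted DIT actually uses (an assumption drawn from the DNs shown), and the host-specific ACL moved ahead of the catch-all so slapd's first-match evaluation can reach it.

```ldif
# Added example, not from the thread. Same slapd-config fragments as the
# post, corrected.

# NSSOV overlay: each olcNssSsd base must be the subtree that holds that
# map. The group and hosts bases below are an assumption taken from the
# ou=Groups and ou=Hosts DNs the poster's own entries use.
dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: nssov
olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: group ldap:///ou=Groups,dc=example,dc=com??one
olcNssSsd: hosts ldap:///ou=Hosts,dc=example,dc=com??one
olcNssPam: hostservice uid2dn
olcNssPamSession: sshd

# ACLs: slapd walks olcAccess values in order and stops at the first
# "to" clause whose target matches the entry being accessed. "to *"
# matches everything, so any rule placed after it is dead. The host
# rule is therefore given index {2}, ahead of the catch-all at {3}.
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by * none
# Host-specific rule now reachable. The "by" clauses are the poster's
# own and are kept exactly as written.
olcAccess: {2}to dn.exact="cn=host1.example.com,ou=Hosts,dc=example,dc=com"
  attrs=authorizedService
  by dn.exact="cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com" compare
  by * read
# Catch-all last: only entries/attributes not matched above land here.
olcAccess: {3}to *
  by self write
  by * read
```

The `{n}` prefixes make the intended order explicit in cn=config; without them slapd still uses file order, which is exactly what put the host rule out of reach in the original.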