[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Newbie question about host base authentication

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Newbie question about host base authentication
From: Simone Scremin <simone.scremin@gmail.com>
Date: Mon, 29 Oct 2012 15:29:19 +0100
Cc: Olivier <ldap@guillard.nom.fr>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=/qBdkzELi+DJzLuakVv4y6ZsqSi+O3kJeX1LRlr7U2M=; b=WeZcPk5PYHKEtaud0iRdbltRG5W4hv2/3oGIYy6PU5qW5WIFUKf9AEDB0IOxAvvMFq tDUBBmuxd64i/wJwH5/HOyF/SEjPHQDIkWGxptKcGv00SeGegtE8kwmVZWuOJ2jLoO/T q2uMOiFpGsZX+U6goQNxsQj4wvZTAxtekPGXE864+ukWmLysGSZByI8G8JBuJRmGPJDV Mw4+3XvvRbCRy5udbUyey6iG5GcFMGFtPV589/ljQuMVyQTYXebF5E0Xvvqq53DDK7Gx s60bHhNhgHtr5lw8Uji3kAp+zkM5kLj3eg2rzK+LUQMrxBweZkFIMNlxdsw/dPXBnJSQ gB2A==
In-reply-to: <CA+5QeXQ-zZcobg7YVPxt4jWe0y5qBNFSv5SXw_0_C=2iEhnrSg@mail.gmail.com>
References: <FE365979-0431-4FDE-AAFF-51E11618B197@gmail.com> <CA+5QeXQ-zZcobg7YVPxt4jWe0y5qBNFSv5SXw_0_C=2iEhnrSg@mail.gmail.com>

Hi Olivier,
thanks for the fast answer.
I'm looking at pam_ldap component and I already saw the host based authentication that enables to list hostnames on the server per user.
Your idea, if I'm not mistaken, would be to specify this host parameter as some kind of LDAP data structure (ie: groupOfNames) and have the authentication mechanism match on that structure.
I'm looking at groupOfNames and it's not clear to me if it can really be used for that purpose but the most obscure point is where the logic for the matching should go.
I'm really open to any input on this subject whether it is some example of already implemented solutions or just some direction on how to go forward with the development.

Thank you

Simone 

On Oct 29, 2012, at 2:40 PM, Olivier <ldap@guillard.nom.fr> wrote:

>   ---Previous mail sent accidently before ending (sorry for doublon)---
> 
> Feasable it is (there different ways to do that).
> 
> BTW, I'm also interested to gather some input on that topic.
> 
> @simone : I suggest that you look at pam  mecanisms :
>                 http://www.padl.com/OSS/pam_ldap.html
>                 And more specifically at the access.conf syntax.
> 
>                 You may be interested in :
>                  Hosts, posix groups, group of names  and netgroups
> 
> 
> @list : I would appreciate some input from others about the
>           best way to store hosts in ldap for this kind of usage :
> 
>           Which container to use for hosts (structural class account?
>           device ? ... )
> 
>           How to deal with groups of hosts : groupOfNames ? posixGroup ?
> 
>           Any advice ?
> 
> Thanks,
> 
> 
> 2012/10/29 Simone Scremin <simone.scremin@gmail.com>:
>> Hi all,
>> I'm in the process of learning the OpenLDAP authentication mechanics.
>> I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login.
>> 
>> In example:
>> 
>> user Bob needs to authenticate on systems:
>> 
>> sys01pra
>> sys02pre
>> sys03pra
>> sys03pre
>> 
>> some configuration on the LDAP server enable this hostnames for Bob with a regular expression like:
>> 
>> sys0*pr*
>> 
>> Is it feasable?
>> 
>> Thanks
>> 
>> Simone
>>

References:
- Newbie question about host base authentication
  - From: Simone Scremin <simone.scremin@gmail.com>

Prev by Date: Newbie question about host base authentication
Next by Date: Re: Newbie question about host base authentication
Index(es):
- Chronological
- Thread