[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6495) nssov patch to better emulate pam_ldap behaviour

kean.johnston@gmail.com wrote:
> Full_Name: Kean Johnston
> Version: HEAD
> OS: Linux (CentOS 5.3)
> URL: ftp://ftp.openldap.org/incoming/kean-johnston-100321.patch
> Submission from: (NULL) (
> The nssov manual page states that some of it's options "duplicates the original
> pam_ldap authorization behavior". However, they don't quite. pam_ldap has the
> ability for you to use "wildcards" in a user's host: attribute. I say
> "wildcards" in quotes because the pam_ldap implementation does not actually use
> regex matching, but rather check for two special strings, "*" and "!".
> The ability to use actual wildcards, especially ones you can negate, on a per
> user basis is extremely useful to an administrator of large networks. For
> example you may want all developers to have access to the machines in
> developers.mydomain.com but you want to disallow access to some of those
> machines to contractors or interns.
> This patch allows such behaviour, so it serves the dual purpose of actually
> implementing existing pam_ldap behaviour in case people already depend on that,
> as well as extends it to be a more generally usable feature by using actual
> regular expressions. The code is simple, and the man page change describes it
> well enough. Please consider adding this code to nssov. Thank you.
Authorization is the job of the ACL engine. Putting ad-hoc rules into user 
entries is, in a word, stupid. It's also unscaleable and will become an 
administration nightmare.

The user host attribute functionality is deprecated. I have no desire to make 
it even vaguely appear to be useful.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/