[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Limiting Host Access

On client host 'b' I don't want users 3, 4, or 5 to be able to login at
all.  It should behave as if they don't have an account (they can try
logging in but will always fail regardless of the password).  I sort of
envisioned an attribute on the LDAP server like 'allowedHosts' where you
could enter what hosts a particular user is allowed to login to.  Since
that doesn't exist, I'm not sure what to do.

We have a fileserver that vritually everyone should be able to login to.
We also have a webserver that very few people should be able to login to.
How do I maintain all of the accounts in an LDAP server but only allow
authorized users to login to the web server?


On Fri, 12 Apr 2002, Patrice Lallement wrote:

> Could you be more explicit? Depends on what you need to protect exactly. If it's only applications (like the access to your web server, or mail server), this has to be done with acl defined for users and group on the ldap server, and the ability of serv

ers like apache, postfix etc. to authenticate against a LDAP database. Same thing for pam_ldap & nss_ldap (for centralized password management)
> If you really want to protect some of your server of any access, you can use netfilter (shipped with linux kernel 2.4) or ipchains (kernel 2.2). (perhaps this a bit definitive!). I'm sure there are a lot of other solutions, but once again it depends of 

your exact needs.
> Patrice
> On Fri, 12 Apr 2002 10:55:12 -0400 (EDT)
> Dan Parker <drpLO@helios.hampshire.edu> wrote:
> > Hi,
> > 
> > I have an OpenLDAP 2.0.23 server performing authentication.  I'd like
> > several hosts to be able to authenticate to it (for centralized
> > password management) but I don't necessarily want all users to be able
> > to access all hosts.
> > 
> > For example:
> > 
> > Client hosts: a, b
> > Server: s
> > Users 1 2 3 4 5
> > 
> > 
> > Accounts for all users are stored in server s.
> > 
> > I'd like host 'a' to allow all users to login.
> > 
> > I'd like host 'b' to only allow users 1 and 2 to login.
> > 
> > 
> > Where can I set this kind of control?  I've looked in a number of
> > places for an answer with no luck, making me wonder if the solution is
> > embarassingly simple.  Oh, well.  Any help is greatly appreciated.
> > 
> > Dan Parker
> > Sr. Systems Administrator		
> > Hampshire College
> > Amherst, MA
> > 
> >