
Re: Limiting Host Access



There's a pam module called pam_access that uses (on Redhat systems)
/etc/security/access.conf to control individual or group access. You
then configure login etc. to use that pam module.

Craig

On Fri, 12 Apr 2002, Dan Parker wrote:

> 
> On client host 'b' I don't want users 3, 4, or 5 to be able to login at
> all.  It should behave as if they don't have an account (they can try
> logging in but will always fail regardless of the password).  I sort of
> envisioned an attribute on the LDAP server like 'allowedHosts' where you
> could enter what hosts a particular user is allowed to login to.  Since
> that doesn't exist, I'm not sure what to do.
> 
> We have a fileserver that virtually everyone should be able to login to.
> We also have a webserver that very few people should be able to login to.
> How do I maintain all of the accounts in an LDAP server but only allow
> authorized users to login to the web server?
> 
> Dan
> 
> On Fri, 12 Apr 2002, Patrice Lallement wrote:
> 
> > Could you be more explicit? Depends on what you need to protect exactly. If it's only applications (like the access to your web server, or mail server), this has to be done with acl defined for users and group on the ldap server, and the ability of servers like apache, postfix etc. to authenticate against an LDAP database. Same thing for pam_ldap & nss_ldap (for centralized password management)
> > If you really want to protect some of your servers from any access, you can use netfilter (shipped with linux kernel 2.4) or ipchains (kernel 2.2). (perhaps this is a bit definitive!). I'm sure there are a lot of other solutions, but once again it depends on your exact needs.
> > 
> > Patrice
> > 
> > On Fri, 12 Apr 2002 10:55:12 -0400 (EDT)
> > Dan Parker <drpLO@helios.hampshire.edu> wrote:
> > 
> > > Hi,
> > > 
> > > I have an OpenLDAP 2.0.23 server performing authentication.  I'd like
> > > several hosts to be able to authenticate to it (for centralized
> > > password management) but I don't necessarily want all users to be able
> > > to access all hosts.
> > > 
> > > For example:
> > > 
> > > Client hosts: a, b
> > > Server: s
> > > Users 1 2 3 4 5
> > > 
> > > 
> > > Accounts for all users are stored in server s.
> > > 
> > > I'd like host 'a' to allow all users to login.
> > > 
> > > I'd like host 'b' to only allow users 1 and 2 to login.
> > > 
> > > 
> > > Where can I set this kind of control?  I've looked in a number of
> > > places for an answer with no luck, making me wonder if the solution is
> > > embarrassingly simple.  Oh, well.  Any help is greatly appreciated.
> > > 
> > > Dan Parker
> > > Sr. Systems Administrator		
> > > Hampshire College
> > > Amherst, MA
> > > 
> > > 
> > 
> 

-- 
........................................................................
$Id: mathdeptsysadmin,v 2.0 Fri Apr 12 13:05:10 2002 Craig Squires Exp $
Your excuse is: Your computer hasn't been returning all the bits it gets
from the Internet.
[Excuse courtesy of The BOFH-style Excuse Server: nc riemann excuses]
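
Added example, not part of the original thread: one way to apply the pam_access suggestion above to host 'b' from the question. The account names user1 and user2 are placeholders for "users 1 and 2", and the root rule is an assumption added so that local administration keeps working.

```conf
# /etc/security/access.conf on host 'b'
# Each rule is permission:users:origins. Rules are read top to bottom
# and the first rule that matches the user and origin decides.
+:root:LOCAL
# user1 and user2 are placeholder account names for "users 1 and 2".
+:user1 user2:ALL
# Everyone else, including users 3, 4 and 5, is refused from any origin.
-:ALL:ALL

# /etc/pam.d/login on host 'b'
# Add the same account line to every other PAM service file that should
# enforce the restriction.
account    required    pam_access.so
```

Host 'a' needs no change, so every account in the LDAP server can still log in there. On host 'b' the check runs in the PAM account stage, so users 3, 4 and 5 are rejected even when the password they supply is correct.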