
RE: managing workstation access.


I have successfully implemented the following setup already in a few

1) either with LDAP or with NIS (so generally: a global nameservice):
maintain groups of users that define more or less their 'role' (like
'sysadmins' containing 'usera', 'userb', ...)
In LDAP terms, this is "cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com"
with "memberUid=usera" and so on.

2) besides, maintain "netgroups" in your global nameservice, to list the
'groups' that have access for each particular machine. I named these
With members the groups that can login into this host
   memberNisNetgroup: sysadmins

3) then I installed on each machine the same /etc/profile script, doing the
- if user is locally defined (in /etc/passwd) allow straight login.
- collect the list of groups of which the login user is a member, using
   ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com" "memberUid=$LOGNAME" cn
- collect the member-groups of netgroup "`uname -n`-access"
   ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com" "cn=`uname -n`-access" memberNisNetgroup
- loop over both lists to check if the user is in a group that is a member of
the netgroup "`uname -n`-access"

Advantages: nothing specific to maintain on each individual host; all is
centrally managed.
Users cannot break out of the login check: /etc/profile is the very first one to be
executed, even during "su - usera -c command".

Good luck


-----Original Message-----
From: Jason C. Leach [mailto:jleach@ocis.net] 
Sent: Tuesday, June 24, 2003 10:04 PM
To: openldap-software@OpenLDAP.org
Subject: managing workstation access.


Does anyone have some good ideas on how to manage workstation access with
LDAP?  For example, if I add a user to the LDAP DB they get access (an
account) on all workstations A, B and C. But suppose I don't want them to
have access to workstation C? Can I limit that somehow?


..... Jason C. Leach

Current PGP/GPG Key ID: 43AD2024
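An added illustration of the /etc/profile check described in the reply above (example code, not from either poster). The two ldapsearch results are replaced by constructed LDIF text so the logic runs offline; the group names, the host name "hostc", and the attributes memberUid/memberNisNetgroup are assumed as in the reply.

```shell
#!/bin/sh
# Constructed output of:
#   ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com" "memberUid=$LOGNAME" cn
USER_GROUPS_LDIF='dn: cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com
cn: sysadmins

dn: cn=developers,ou=groups,dc=your,dc=domain,dc=com
cn: developers
'

# Constructed output, for a host named "hostc", of:
#   ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com" "cn=`uname -n`-access" memberNisNetgroup
HOST_NETGROUP_LDIF='dn: cn=hostc-access,ou=netgroup,dc=your,dc=domain,dc=com
memberNisNetgroup: sysadmins
memberNisNetgroup: operators
'

# Print the values of one LDIF attribute, one per line ($1 = attribute, stdin = LDIF).
ldif_values() {
    sed -n "s/^$1: //p"
}

# Status 0 if any group the user belongs to is listed in the host's "<host>-access"
# netgroup. $1 = user-group LDIF, $2 = host-netgroup LDIF. Names are split on
# whitespace, so cn values are assumed to contain no spaces.
user_allowed() {
    user_groups=$(printf '%s' "$1" | ldif_values cn)
    host_groups=$(printf '%s' "$2" | ldif_values memberNisNetgroup)
    for g in $user_groups; do
        for h in $host_groups; do
            [ "$g" = "$h" ] && return 0
        done
    done
    return 1
}

# Accounts defined in /etc/passwd bypass the LDAP check, as in the reply.
local_user() {
    grep -q "^$1:" /etc/passwd 2>/dev/null
}

# The decision /etc/profile would act on: $1 = login name, $2/$3 as above.
# In a real /etc/profile a non-zero status would be followed by "exit".
access_check() {
    local_user "$1" && return 0
    user_allowed "$2" "$3"
}
```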