RE: managing workstation access.
I have successfully implemented the following setup already in a few
1) either with LDAP or with NIS (so generally: a global nameservice):
maintain groups of users that define more or less their 'role' (like
'sysadmins' containing 'usera', 'userb', ...)
In LDAP terms, this is "cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com"
with "memberUid=usera" and so on.
2) besides, maintain "netgroups" in your global nameservice, to list the
'groups' that have access for each particular machine. I named these
with, as members, the groups that can log in to this host.
3) then I installed on each machine the same /etc/profile script, doing the
- if user is locally defined (in /etc/passwd) allow straight login.
- collect the list of groups of which the login user is a member, using
ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com"
- collect the member-groups of netgroup "`uname -n`-access"
ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com"
"cn=`uname -n`-access" memberNisNetgroup
- loop over both lists to check if the user is in a group that is a member of
the netgroup "`uname -n`-access"
Advantages: nothing specific to maintain on each individual host, all is
Users cannot break out of the login check; /etc/profile is the very first one to be
executed, even during "su - usera -c command".
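The decision logic of the per-host /etc/profile script described in steps 1-3, as an added example (this is not the poster's script). It assumes the LDAP layout from the reply: groups under ou=groups with memberUid, netgroups under ou=netgroup with memberNisNetgroup, and a netgroup named "<hostname>-access". The ldapsearch output is replaced by constructed LDIF text so the script runs offline; the server name "ldapserver", the simple bind (-x) and the host names hostC/hostD are placeholders.

```shell
#!/bin/sh
# Added example (not code from the reply above): the access decision that the
# per-host /etc/profile script makes, as testable shell functions.
# Assumptions: the LDAP layout from the reply (ou=groups with memberUid,
# ou=netgroup with memberNisNetgroup, netgroup named "<hostname>-access");
# ldapsearch output is replaced by constructed LDIF text so this runs offline.

# Constructed sample: what
#   ldapsearch -L -b "ou=groups,dc=your,dc=domain,dc=com" "(memberUid=usera)" cn
# could return for a user who is in the sysadmins and developers groups.
USERA_GROUPS_LDIF='dn: cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com
cn: sysadmins

dn: cn=developers,ou=groups,dc=your,dc=domain,dc=com
cn: developers
'

# Constructed samples: the "<host>-access" netgroups of two hosts (placeholder names).
HOSTC_NETGROUP_LDIF='dn: cn=hostC-access,ou=netgroup,dc=your,dc=domain,dc=com
memberNisNetgroup: sysadmins
memberNisNetgroup: dba
'
HOSTD_NETGROUP_LDIF='dn: cn=hostD-access,ou=netgroup,dc=your,dc=domain,dc=com
memberNisNetgroup: dba
'

# ldif_values ATTR: print the values of attribute ATTR from LDIF on stdin.
# (Short values only; ldapsearch folds long lines onto continuation lines
# starting with a space, which a fuller parser would have to join first.)
ldif_values() {
  sed -n "s/^$1: //p"
}

# is_local_user NAME [PASSWD_FILE]: true when NAME has a local account.
# The file argument exists only so the check can be exercised against a
# constructed passwd file; the default is the real /etc/passwd.
is_local_user() {
  grep -q "^$1:" "${2:-/etc/passwd}"
}

# access_allowed USER_GROUPS_LDIF HOST_NETGROUP_LDIF: true when at least one
# of the user's groups is a memberNisNetgroup of the host's netgroup.
# Group names contain no whitespace, so plain word splitting is safe here.
access_allowed() {
  user_groups=$(printf '%s' "$1" | ldif_values cn)
  allowed=$(printf '%s' "$2" | ldif_values memberNisNetgroup)
  for g in $user_groups; do
    for a in $allowed; do
      [ "$g" = "$a" ] && return 0
    done
  done
  return 1
}

# check_login NAME HOST_NETGROUP_LDIF USER_GROUPS_LDIF [PASSWD_FILE]: the
# decision /etc/profile makes, in the order the reply describes: a locally
# defined user is let straight in, anyone else must pass access_allowed.
check_login() {
  if is_local_user "$1" "${4:-/etc/passwd}"; then
    return 0
  fi
  access_allowed "$3" "$2"
}

# On a real host the two LDIF inputs come from LDAP. These wrappers are the
# lookups from the reply with an assumed simple bind (-x) and a placeholder
# server name; they are not called in this offline demo.
fetch_user_groups() {
  ldapsearch -x -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com" \
    "(memberUid=$1)" cn
}
fetch_host_netgroup() {
  ldapsearch -x -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com" \
    "(cn=$(uname -n)-access)" memberNisNetgroup
}

# Demo with the constructed data. In /etc/profile the denied branch would
# print a message and 'exit', which ends the login shell.
if check_login usera "$HOSTC_NETGROUP_LDIF" "$USERA_GROUPS_LDIF"; then
  echo "usera on hostC: allowed (sysadmins is in hostC-access)"
else
  echo "usera on hostC: denied"
fi
if check_login usera "$HOSTD_NETGROUP_LDIF" "$USERA_GROUPS_LDIF"; then
  echo "usera on hostD: allowed"
else
  echo "usera on hostD: denied (only dba is in hostD-access)"
fi
```

One caveat for anyone adopting this pattern: /etc/profile is read only by interactive login shells, so scp, sftp, `ssh host command` and any non-shell service that authenticates against the same directory never run the check. The same group-in-netgroup rule is enforced for every PAM-using service if it is expressed in pam_access (a `+:@hostC-access:ALL` / `-:ALL:ALL` style /etc/security/access.conf) or in the LDAP NSS/PAM module's host or group filter, with the profile script kept as a convenience message rather than the boundary.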
From: Jason C. Leach [mailto:email@example.com]
Sent: Tuesday, June 24, 2003 10:04 PM
Subject: managing workstation access.
Does anyone have some good ideas on how to manage workstation access with
LDAP. For example, if I add a user to the LDAP DB they get access (an
account) on all workstations A, B and C. But suppose I don't want them to
have access to workstation C? Can I limit that some how?
..... Jason C. Leach
Current PGP/GPG Key ID: 43AD2024