RE: using ldap ssh, proftpd and apache.
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ottavio Campana
> I've used ldap a lot with samba to create multiple pdc.
> Now I want to use ldap for all my services.
> Let's suppose you've got a server with ssh, apache, proftpd, postfix, an
> imap server, a webmail and squid. Every user will have the possibility
> of using the mail services; I've read the documentation for it and I know
> how to do it.
> But I don't want every user of the mail services to be able to use ssh,
> ftp and so on as well. So I'd like to know if there's a way to store in
> ldap the information about the possibility of logging in with ssh,
> uploading files with proftpd, using the proxy, and accessing part of the
> websites using an authentication system with apache.
> The documentation of proftpd says that it can connect with an ldap
> server but I cannot find a way to limit access to only the authorized
> users.
> For squid, ssh and apache I don't have any idea.
> The only possible solution I've found is that if I use pam to
> authenticate my users I can just put something like this in the
> configuration files:
> auth required pam_ldap.so filter=(uid=*a*)
> So I could add some fields to my users like UserCanLogin,
> UserCanUseProxy and then filter them upon their values. But in this case
> I still have a problem: should I write a schema on my own to get
> these entries or does any of you know if there's something already
Symas' Unix LDAP gateway has attributes for Login/FTP privilege but in
general this is something that each application defines on its own. Apache
has a variety of authorization engines; ssh has its own authorization
mechanism as well. Whether they can pull their authorization data out of LDAP
is somewhat of an open question; last I checked sshd only uses local config
This question has nothing specific to do with OpenLDAP software. I don't
think it really belongs on the firstname.lastname@example.org list either, more appropriately
it should be raised on support forums for each of the software packages you
intend to use.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
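
Added example, not part of either message and not a description of how any of the daemons named above behave: a sketch of the per-service flag idea from the quoted question, for a service that lets you supply an LDAP search filter. UserCanLogin and UserCanUseProxy come from the question; the service map, helper names and sample entries are constructed, and the small evaluator only stands in for the directory search.

```python
import re

# Attribute names are the poster's hypothetical ones; the mapping is an assumption.
SERVICE_ATTR = {"ssh": "UserCanLogin", "squid": "UserCanUseProxy"}

# Constructed sample entries: bob may use the proxy but must not log in via ssh.
ENTRIES = [
    {"uid": "alice", "UserCanLogin": "TRUE", "UserCanUseProxy": "TRUE"},
    {"uid": "bob", "UserCanLogin": "FALSE", "UserCanUseProxy": "TRUE"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def service_filter(service, login):
    """Filter for one service: this uid AND that service's flag set to TRUE."""
    attr = SERVICE_ATTR[service]  # unknown service raises KeyError (fails closed)
    return "(&(uid=%s)(%s=TRUE))" % (escape_filter_value(login), attr)


def _value_matches(pattern, actual):
    """Unescaped '*' is a wildcard; backslash-hex pairs are literal characters."""
    unhex = lambda m: chr(int(m.group(1), 16))
    parts = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})", unhex, p))
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def matches(entry, ldap_filter):
    """Minimal local evaluator for the (&(a=v)(b=v)) shape built above."""
    terms = re.findall(r"\(([^=()&]+)=([^()]*)\)", ldap_filter)
    return bool(terms) and all(
        attr in entry and _value_matches(val, entry[attr]) for attr, val in terms)


def authorized(service, login, entries=ENTRIES):
    """True if some entry satisfies the per-service filter for this login."""
    ldap_filter = service_filter(service, login)
    return any(matches(entry, ldap_filter) for entry in entries)


if __name__ == "__main__":
    for svc, user in [("ssh", "alice"), ("ssh", "bob"), ("squid", "bob"), ("ssh", "*")]:
        print(svc, user, service_filter(svc, user), authorized(svc, user))
```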