[Date Prev][Date Next]
Re: Host based authentication using OpenLDAP
Gavin Henry wrote:
----- "Per Kristiansen"<firstname.lastname@example.org> wrote:
Hello, I've been working on implementing a LDAP solution for the last
months (in-between task, you know how it is :D )
I now have a working LDAP directory, have all my users imported,
actually work! :D..(jinx!)
Excellent work, well done!
But now I wanna get fancy..
I've been googeling for some sort of clear description on how I can
up a system using groups of hosts and user groups to create a
ACL for ssh'ing to a set of servers based on group membership.
It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs
and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?
ACLs for nss_ldap is not the way to handle this. It needs to be done in the
PAM account management handlers, and pam_ldap's support for that is pretty
weak. In particular, it doesn't support centrally configuring access to
services on groups of hosts. The PAM support in nssov is a lot better in this
area and can do what the original poster wants; I just haven't written an
example ACL for this feature in the docs yet.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/