Re: Host based authentication using OpenLDAP

Gavin Henry wrote:

> ----- "Per Kristiansen" <perk@funcom.com> wrote:
>
>> Hello, I've been working on implementing an LDAP solution for the last
>> months (in-between task, you know how it is :D )
>
> Time flies!
>
>> I now have a working LDAP directory, have all my users imported,
>> actually work! :D..(jinx!)
>
> Excellent work, well done!
>
>> But now I wanna get fancy..
>>
>> I've been googling for some sort of clear description on how I can
>> up a system using groups of hosts and user groups to create an
>> ACL for ssh'ing to a set of servers based on group membership.
>
> It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs
> and LDAP search/filters for use with nss_ldap on RHEL 4/5 and CentOS?

ACLs for nss_ldap are not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/