Re: Host based authentication using OpenLDAP
----- "Howard Chu" <firstname.lastname@example.org> wrote:
> Gavin Henry wrote:
> > ----- "Per Kristiansen"<email@example.com> wrote:
> >> Hello, I've been working on implementing an LDAP solution for the 8
> >> months (in-between task, you know how it is :D )
> > Time flies!
> >> I now have a working LDAP directory, have all my users imported, things
> >> actually work! :D..(jinx!)
> > Excellent work, well done!
> >> But now I wanna get fancy..
> >> I've been googling for some sort of clear description on how I set
> >> up a system using groups of hosts and user groups to create a selective
> >> ACL for ssh'ing to a set of servers based on group membership.
> > It sounds to me like you are almost here and just need help creating
> > the LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on
> > RHEL 4/5 and
> ACLs for nss_ldap is not the way to handle this. It needs to be done in the
> PAM account management handlers, and pam_ldap's support for that is
> weak. In particular, it doesn't support centrally configuring access
> services on groups of hosts. The PAM support in nssov is a lot better in this
> area and can do what the original poster wants; I just haven't written
> example ACLs for this feature in the docs yet.
OK. My line of thinking was to create dynamic service and host groups
and create simple group ACLs for that. These groups would go in the nss config
on specific hosts using something like puppet to manage the 60-80 hosts.
I've not looked at nssov so couldn't comment, other than doing the start of a man page for you Howard.
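As an added illustration of the design discussed in this thread (not code from the list, from nssov or from pam_ldap), the following models the PAM account-stage decision as a deny-by-default check over user groups, host groups and service names; all entries, group DNs and hostnames are constructed for the example.

```python
"""Model of a PAM account-stage authorization check driven by directory groups.

A login is permitted only when some rule grants (user group, host group, service).
The dicts below are a constructed, in-memory stand-in for LDAP entries; they are
not nssov's or pam_ldap's data model.
"""

# Constructed user entries: uid -> group DNs the user belongs to
USERS = {
    "alice": {"memberOf": {"cn=dba,ou=groups", "cn=staff,ou=groups"}},
    "bob": {"memberOf": {"cn=staff,ou=groups"}},
}

# Constructed host groups (the "dynamic host groups" idea): DN -> member hostnames
HOST_GROUPS = {
    "cn=dbservers,ou=hostgroups": {"db01.example.com", "db02.example.com"},
    "cn=webservers,ou=hostgroups": {"web01.example.com"},
}

# Constructed rules: (user group DN, host group DN, permitted PAM service names)
RULES = [
    ("cn=dba,ou=groups", "cn=dbservers,ou=hostgroups", {"sshd", "sudo"}),
    ("cn=staff,ou=groups", "cn=webservers,ou=hostgroups", {"sshd"}),
]


def account_check(user, host, service):
    """Return (allowed, reason) for one PAM account request.

    Deny by default: an unknown user, a host that belongs to no host group,
    or the absence of a matching rule all result in a denial, so a host that
    was never enrolled in a group cannot accidentally admit anyone.
    """
    entry = USERS.get(user)
    if entry is None:
        return False, "unknown user"
    host_groups = {dn for dn, members in HOST_GROUPS.items() if host in members}
    if not host_groups:
        return False, "host is not a member of any host group"
    for user_group, host_group, services in RULES:
        if (user_group in entry["memberOf"]
                and host_group in host_groups
                and service in services):
            return True, f"{user_group} on {host_group} permits {service}"
    return False, "no rule grants access"


if __name__ == "__main__":
    for req in [("alice", "db01.example.com", "sshd"),
                ("bob", "db01.example.com", "sshd"),
                ("alice", "web01.example.com", "sudo")]:
        print(req, account_check(*req))
```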