[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Host based authentication using OpenLDAP

Howard Chu wrote:
Howard Chu wrote:
John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds
very useful, something I would like to take advantage of, but I cannot seem to
find any documentation on it. How long has this been available (what release),
and where might I find more info?

It has not been released yet.

Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
it only had NSS support. The PAM support is currently only in CVS.

You can check out the current code from CVS in
contrib/slapd-modules/nssov. You can browse it online here:


The README and slapo-nssov.5 manpage will give you a better idea of what it does.

And fyi, here's an example... For a given host:

dn: cn=hostX,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
authorizedService: sshd
authorizedService: ftp

you use the authorizedService attribute to list the PAM services that are available. Then you set ACLs to control who can access each service, like so:

access to dn.subtree=ou=hosts,dc=example,dc=com
  attrs=authorizedService val.exact=sshd
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by peername.ip= read
  by * search

The overlay performs a Compare operation to check for the required service, so if you deny Compare access to a particular service, then users aren't allowed to use that service.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/