[Date Prev][Date Next]
Re: Host based authentication using OpenLDAP
> And fyi, here's an example... For a given host:
> dn: cn=hostX,ou=hosts,dc=example,dc=com
> objectClass: ipHost
> objectClass: authorizedServiceObject
> cn: hostX
> ipHostNumber: 192.168.1.127
> authorizedService: sshd
> authorizedService: ftp
> you use the authorizedService attribute to list the PAM services that
> available. Then you set ACLs to control who can access each service,
> like so:
> access to dn.subtree=ou=hosts,dc=example,dc=com
> attrs=authorizedService val.exact=sshd
> by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
> by peername.ip=192.168.2.0%255.255.255.0 read
> by * search
> The overlay performs a Compare operation to check for the required
> service, so
> if you deny Compare access to a particular service, then users aren't
> to use that service.
Very nice! We did something like this for a hosting company that had users accounts with the services that
the user was allowed to access and the specific apps had the appropriate filters in the authz/auth searches.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
Open Source. Open Solutions(tm).
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html