Re: Want interesting restrictions to ldap auth on different servers to different users
2010/11/19 Phuong Marie VUONG <firstname.lastname@example.org>:
> First, I'm sorry about my English. I share here my experience, which worked
> for limiting access to a host/group of hosts for a user...
> In the configuration of the LDAP client, /etc/ldap.conf, I have activated the
> host attribute check and a filter in nss_base_passwd:
> pam_check_host_attr yes
> In the user entry, add the host attribute.
> And in the host attribute, you can put the pattern value corresponding to the level
> that you want to authorize to connect, for example:
> Hope that can help
> 2010/11/19 c0re <email@example.com>
>> can you give an example of usage pam_check_host_attr?
>> And how can I use group of hosts and assign user to this group to
>> permit access user to this group avoiding enumerating hosts in users
>> dn each time I add new user?
>> What should I set in "host:"? Hostname of server? How host attr are
>> sent to pam_ldap?
>> 2010/11/18 Aaron Richton <firstname.lastname@example.org>:
>> > On Thu, 18 Nov 2010, c0re wrote:
>> >> I mean user1 must be able to log in only on server1, server2 and server3.
>> >> And user2 can log in only on server5 and server2.
>> > You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
>> > search filters, who knows) to accomplish this, but the cleanest way to do
>> > this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
>> > because you mentioned "pam_groupdn" which is not an OpenLDAP configuration
>> > directive.
I went a slightly different way.
I used pam_groupdn in ldap.conf and created a group for each server.
Now, when I add a user to LDAP, I need to add "memberUid:
`userdn`" to the groups, and the user will be able to log in to those
servers whose groups the user is a member of.
But if I have 100-200 servers and want to give a new user access to
all of these servers, I have to add the user to all the groups. Of course it's a
waste of time, and it could be done via some external
shell/perl script, but maybe there is another way in OpenLDAP?
pam_check_host_attr does almost the same. If I add a user, I need to add all
hosts to the user attribute "host:". So it's the same work, I think.
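The "external shell script" route mentioned above, as an added example that is not part of the original thread or of pam_ldap/OpenLDAP: a POSIX sh function that turns a list of per-server group DNs into a single LDIF batch adding one user as memberUid to every group, so one ldapmodify run grants that user login on all the corresponding servers. The base DN (dc=example,dc=com), the ou=servergroups container, the group names and the admin DN are all assumptions; the group list is constructed inline so the script runs offline, where in practice it would come from the ldapsearch shown in the comments. It also assumes the groups store members as memberUid values, as in the setup described in the post, and that ldap.conf points pam_member_attribute at that attribute.

```shell
#!/bin/sh
# Added example (not from the thread, not pam_ldap/OpenLDAP code):
# build one LDIF change batch that adds a user as memberUid to every
# per-server group used with pam_groupdn. All DNs below are assumptions.
#
# Assumed ldap.conf (pam_ldap) fragment on each server, e.g. server1:
#   pam_groupdn cn=server1,ou=servergroups,dc=example,dc=com
#   pam_member_attribute memberUid
#
# In practice the group list comes from the directory, e.g.:
#   ldapsearch -x -LLL -b ou=servergroups,dc=example,dc=com \
#       '(objectClass=posixGroup)' dn | sed -n 's/^dn: //p'
# Here it is a constructed sample so the script runs offline.
SERVER_GROUPS="cn=server1,ou=servergroups,dc=example,dc=com
cn=server2,ou=servergroups,dc=example,dc=com
cn=server3,ou=servergroups,dc=example,dc=com"

# emit_member_ldif UID [delete]
# Reads group DNs from stdin (one per line) and prints one LDIF change
# record per group that adds (or, with a second argument "delete", removes)
# UID as a memberUid value. Blank input lines are skipped.
emit_member_ldif() {
    uid="$1"
    op="${2:-add}"
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\n%s: memberUid\nmemberUid: %s\n\n' \
            "$dn" "$op" "$uid"
    done
}

# count_changes: number of LDIF change records on stdin (one 'dn:' each)
count_changes() {
    grep -c '^dn: '
}

# Usage (assumed admin DN; review the file before applying):
#   printf '%s\n' "$SERVER_GROUPS" | emit_member_ldif user1 > user1-servers.ldif
#   ldapmodify -x -D cn=admin,dc=example,dc=com -W -f user1-servers.ldif
# Offboarding is the same batch with the delete form:
#   printf '%s\n' "$SERVER_GROUPS" | emit_member_ldif user1 delete > user1-off.ldif
```

Because every change record is a separate modify against its own group entry, a failure on one group (for example, the value already present) does not silently skip the rest; ldapmodify stops at the failing record unless run with -c, so the batch file is worth keeping until the run is confirmed.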