[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Want interesting restrictions to ldap auth on different servers to different users

To: openldap-technical@openldap.org
Subject: Re: Want interesting restrictions to ldap auth on different servers to different users
From: c0re <nr1c0re@gmail.com>
Date: Mon, 29 Nov 2010 11:03:18 +0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=/KmaTaqDHtKJr90q3uSNcM+TbTUjAkEf8k0vTfWTrXE=; b=eaQLEpcsKA8jKD+TK1fNGBaGLyVI7/Q5biz2ypCNo8M6WXhI0DImQ17LRxTY8mCNeV 8jMnmx74yW9OrkbAXZghfRTFkkKIwj9lGAkxBmIADoIKGNaiwbgTScQDyy7DB4thaSWW 8k0uzWYyjWou0/a+vDLSE07QeN33OecNwznCU=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=SbP6jQFrFy2Leusule1pQ39zfJ8z7fjkRT9YlosmzunoJq/CHw+WenrTEN1Ybja0Hw aSkBAWX1NfODxuHPgzvGgPLqxnMWa9lsntRdCKRCVHKpH7m9FtYwyH3Saywm0AJzsmDe PQSGzMFxSo9glyKBNJ4g/2SHFzioB9xZmtoEo=
In-reply-to: <AANLkTi=-A5XP_u8AjJBk-PvogpM-1xnqqPur0cvo7Smm@mail.gmail.com>
References: <AANLkTin9QFwD4zPhB1sfUSpjZjTvK0=SRZUSEgGCXdY5@mail.gmail.com> <alpine.SOC.2.00.1011181054390.17810@toolbox.rutgers.edu> <AANLkTik3__grNixCFZNZmq+AxJjcFGxTp8z82N8sZj6k@mail.gmail.com> <AANLkTi=-A5XP_u8AjJBk-PvogpM-1xnqqPur0cvo7Smm@mail.gmail.com>

2010/11/19 Phuong Marie VUONG <mangocphung@gmail.com>:
> Hello,
>
> First, im sorry about my English. I share here my experience which worked
> for limit acces host/group of host for user...
>
> In the configuration of ldap client /etc/ldap.conf , i have activate the
> host attribute and a filter in nss_base_passwd
> pam_check_host_attr yes
> nss_base_passwd
> ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
>
> In the user entry, add the host attribute
> And in the host set, you can put the pattern value correpond of the level
> that you want to authorize to connect , for exe :
> hostname.domain
> or
> PatternofHostGroup
> or
> *
>
> Hope that can help
>
>
> 2010/11/19 c0re <nr1c0re@gmail.com>
>>
>> can you give an example of usage pam_check_host_attr?
>>
>> And how can I use group of hosts and assign user to this group to
>> permit access user to this group avoiding enumerating  hosts in users
>> dn each time I add new user?
>>
>> What should I set in "host:"? Hostname of server? How host attr are
>> sent to pam_ldap?
>>
>> 2010/11/18 Aaron Richton <richton@nbcs.rutgers.edu>:
>> > On Thu, 18 Nov 2010, c0re wrote:
>> >
>> >> I mean user user1 can must login only on server1,server2 and server3.
>> >> And user2 can login only on server5 and server2.
>> >
>> > You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
>> > search filters, who knows) to accomplish this, but the cleanest way to
>> > do
>> > this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
>> > because you mentioned "pam_groupdn" which is not an OpenLDAP
>> > configuration
>> > directive.
>> >
>
>
>
> --
> Milan&Phuong
> 06.17.34.09.77
> 09.53.57.04.94
> http://www.phuong.fr/photos/
>
>
>
I moved a bit different way.

I used pam_groupdn in ldap.conf and created a group for each server.
Now if I add user to ldap, I need to add to groups "memberUid:
`userdn`". And user will be able to login to those servers in which
groups is user as a member.
But if I got 100-200 servers and want to give access to new user to
all this servers, I should add user to all groups. Of course it's a
waste of time and it's possible to be done via some external
shell/perl script, but may be there another way in openldap?

pam_check_host_attr do almost same. If I add user - I need to add all
hosts to user attr "host:". So it's same work I think.

Follow-Ups:
- Re: Want interesting restrictions to ldap auth on different servers to different users
  - From: Howard Chu <hyc@symas.com>

References:
- Want interesting restrictions to ldap auth on different servers to different users
  - From: c0re <nr1c0re@gmail.com>
- Re: Want interesting restrictions to ldap auth on different servers to different users
  - From: Aaron Richton <richton@nbcs.rutgers.edu>
- Re: Want interesting restrictions to ldap auth on different servers to different users
  - From: c0re <nr1c0re@gmail.com>

Prev by Date: OpenLDAP runs OK, Mac Mail and Address book do not display entries.
Next by Date: Re: how to compile recent openldap on Centos 5.5
Index(es):
- Chronological
- Thread