Re: Host based authentication using OpenLDAP

[Howard Chu <hyc@symas.com>]

Gavin Henry wrote:
> ----- "Per Kristiansen"<perk@funcom.com>  wrote:
>
> > Hello, I've been working on implementing a LDAP solution for the last
> > 8
> > months (in-between task, you know how it is :D )
>
> Time flies!
>
> > I now have a working LDAP directory, have all my users imported,
> > things
> > actually work! :D..(jinx!)
>
> Excellent work, well done!
>
> > But now I wanna get fancy..
> >
> > I've been googeling for some sort of clear description on how I can
> > set
> > up a system using groups of hosts and user groups to create a
> > selective
> > ACL for ssh'ing to a set of servers based on group membership.
>
> It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs
> and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?

ACLs for nss_ldap is not the way to handle this. It needs to be done in the 
PAM account management handlers, and pam_ldap's support for that is pretty 
weak. In particular, it doesn't support centrally configuring access to 
services on groups of hosts. The PAM support in nssov is a lot better in this 
area and can do what the original poster wants; I just haven't written an 
example ACL for this feature in the docs yet.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/