
Re: Limiting host access





--On Monday, November 21, 2011 12:05:18 PM +0530 Jayavant Patil <jayavant.patil82@gmail.com> wrote:

Hi,

  I want to restrict login access to some selected client nodes (by
default, openldap allows user access to all client nodes).

OpenLDAP alone does not restrict login access to nodes.  It can be
configured to hold information used by other software to restrict
access to nodes.  Generally pam_ldap or pam-ldapd is used to control
access to individual nodes.  Both packages have documentation and well
commented configuration files.  You should look there first.

I have googled
for this, tried many different configurations like host
attribute, hostObject class etc. but failed to get the required.

Okay, it is still unclear what you have tried.  You mean you populated
your directory with some data.  That is fine, but it is not the
OpenLDAP LDAP server that will restrict access.  Rather, if you
configure your PAM stack correctly it will read the information that
you have stored in the directory and use that to control access to
your systems.

Note, there are many controls that you can use to get to where you
want.  For example, you can configure the ACLs on your LDAP server to
not release information to some hosts using IP based access control
entries.  Or you can put your users in a group in the directory and
configure pam_ldap to only allow members of the group to login.  There
are lots of other possible configurations depending on what works
best for you.

Bill

P.S. Top posting makes message streams like this a lot harder to read.


On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister <whm@stanford.edu> wrote:



--On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil <jayavant.patil82@gmail.com> wrote:

 Hi,

  I am using openldap-2.4.19-4 on fedora 12 machine. My question is as
follows:

  How to restrict a user access to some client nodes?

  Please, explain in detail.


It is not clear what you want to do.  You need to provide more details
before you will get the answer that you want.

For example, if you just want to restrict access to the directory from
some nodes, why not use iptables?

If you are talking about restricting login access to some linux nodes
using PAM, this is probably a better question for a PAM list.  Of course,
there will be folks on this list that can answer that question as well,
but not without knowing what you are storing in your directory.

Bill


--

Bill MacAllister
Infrastructure Delivery Group, Stanford University




--

Bill MacAllister
Infrastructure Delivery Group, Stanford University
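A concrete form of the two PAM-side restrictions Bill mentions (group membership, and the host attribute Jayavant was experimenting with), written for nss-pam-ldapd's nslcd.conf. This is an added example, not text from either poster; the URI, base DN, group name and host names are constructed placeholders.

```conf
# /etc/nslcd.conf (nss-pam-ldapd, the package Bill calls "pam-ldapd")
# Constructed values: URI, base DN, bind DN, group and host names are placeholders.
uri     ldap://ldap.example.com/
base    dc=example,dc=com
binddn  cn=nslcd,ou=service,dc=example,dc=com
bindpw  CHANGEME

# Name-service lookups alone never restrict logins: with no pam_authz_search
# line, every posixAccount in the directory can log in on every node that
# uses this file (the default the question describes).

# Option 1: only members of one posixGroup may log in on this node.
# $username is expanded by nslcd at login time.
pam_authz_search (&(objectClass=posixGroup)(cn=login-webservers)(memberUid=$username))

# Option 2: the user's own entry lists the nodes it may use, via the
# hostObject auxiliary class (ldapns.schema) and its multi-valued "host"
# attribute, e.g. in the user's entry:
#   objectClass: hostObject
#   host: web01
#   host: web01.example.com
# $hostname / $fqdn are the node's own names; "host: *" is the pam_ldap
# convention for "any host", written here with the RFC 4515 escape \2a so the
# asterisk is matched literally rather than as a wildcard.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\2a)))

# When several pam_authz_search lines are present, all of them must match;
# keep only the one you actually want.
```

The check runs in PAM's account phase, so pam_ldap.so must be in the account stack under /etc/pam.d on each node for either rule to take effect.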