
Re: Host based authentication using OpenLDAP



Howard Chu wrote:
> Howard Chu wrote:
> > John Kane wrote:
> > > Sorry to jump in the middle of this thread, but the nssov overlay sounds
> > > very useful, something I would like to take advantage of, but I cannot seem to
> > > find any documentation on it. How long has this been available (what release),
> > > and where might I find more info?
> >
> > It has not been released yet.
>
> Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
> it only had NSS support. The PAM support is currently only in CVS.
>
> You can check out the current code from CVS in
> contrib/slapd-modules/nssov. You can browse it online here:
>
> http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
>
> The README and slapo-nssov.5 manpage will give you a better idea of what it does.

And fyi, here's an example... For a given host:

dn: cn=hostX,ou=hosts,dc=example,dc=com
objectClass: ipHost
objectClass: authorizedServiceObject
cn: hostX
ipHostNumber: 192.168.1.127
authorizedService: sshd
authorizedService: ftp

you use the authorizedService attribute to list the PAM services that are available. Then you set ACLs to control who can access each service, like so:

access to dn.subtree=ou=hosts,dc=example,dc=com
  attrs=authorizedService val.exact=sshd
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by peername.ip=192.168.2.0%255.255.255.0 read
  by * search

The overlay performs a Compare operation to check for the required service, so if you deny Compare access to a particular service, then users aren't allowed to use that service.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
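Added example (not code from the message above or from the OpenLDAP tree): a small evaluator for the shape of access rule quoted in the message, so you can check who would pass the overlay's Compare on authorizedService before deploying the ACL. It only handles the three "by" forms the message uses (group.exact, peername.ip with the ip%netmask form, and *), and the requester identities are constructed; the page does not say which identity the nssov overlay uses for its internal Compare, so treat the requester as whatever principal the Compare runs as. The check it makes visible: slapd.access(5) says each access level implies all lower ones (none < disclose < auth < compare < search < read < write < manage), so a catch-all of "by * search" still grants Compare to everyone, and the restriction only bites once the catch-all is lowered below compare, for example to "by * auth".

```python
"""Minimal evaluator for one slapd 'access to' rule (added example, not nssov code)."""
import ipaddress
from dataclasses import dataclass

# OpenLDAP access levels from lowest to highest. Per slapd.access(5) each level
# implies all lower ones, so 'search' already covers a Compare operation.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_implies(granted, needed):
    """True if the granted access level covers the needed operation."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass(frozen=True)
class Requester:
    """Who is asking: bound DN, the groups it belongs to, and the peer address."""
    dn: str = ""                      # "" means anonymous
    groups: frozenset = frozenset()   # DNs of groups the requester is a member of
    peer_ip: str = "0.0.0.0"


def parse_by_clauses(acl_text):
    """Pull the 'by <who> <level>' clauses out of one 'access to' rule."""
    clauses = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line.startswith("by "):
            continue                      # skip 'access to' / 'attrs=' lines
        _, who, level = line.split()      # e.g. "by * search"
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level}")
        clauses.append((who, level))
    return clauses


def who_matches(who, req):
    """Does this 'by' subject match the requester?"""
    if who == "*":
        return True
    if who.startswith("group.exact="):
        return who[len("group.exact="):].strip('"') in req.groups
    if who.startswith("peername.ip="):
        addr, mask = who[len("peername.ip="):].split("%")   # ip%netmask form
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return ipaddress.ip_address(req.peer_ip) in net
    raise ValueError(f"unsupported 'by' subject: {who}")


def access_granted(acl_text, req, needed="compare"):
    """slapd semantics: the first matching 'by' clause decides; no match means deny."""
    for who, level in parse_by_clauses(acl_text):
        if who_matches(who, req):
            return level_implies(level, needed)
    return False


# The rule exactly as quoted in the message.
ACL_FROM_MESSAGE = """
access to dn.subtree=ou=hosts,dc=example,dc=com
  attrs=authorizedService val.exact=sshd
  by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
  by peername.ip=192.168.2.0%255.255.255.0 read
  by * search
"""

# Same rule with the catch-all lowered to 'auth', which sits below 'compare'.
ACL_RESTRICTED = ACL_FROM_MESSAGE.replace("by * search", "by * auth")

# Constructed requesters (hypothetical DNs and addresses, not from the page).
ADMIN = Requester(dn="cn=alice,ou=people,dc=example,dc=com",
                  groups=frozenset({"cn=admins,ou=groups,dc=example,dc=com"}),
                  peer_ip="10.9.8.7")
LAN_CLIENT = Requester(dn="cn=bob,ou=people,dc=example,dc=com", peer_ip="192.168.2.40")
OUTSIDER = Requester(dn="cn=carol,ou=people,dc=example,dc=com", peer_ip="203.0.113.5")


def decision_table(acl_text):
    """Compare-permission outcome for each constructed requester."""
    return {name: access_granted(acl_text, r)
            for name, r in (("admin", ADMIN), ("lan", LAN_CLIENT), ("outsider", OUTSIDER))}


if __name__ == "__main__":
    print("as quoted :", decision_table(ACL_FROM_MESSAGE))   # every requester passes
    print("by * auth :", decision_table(ACL_RESTRICTED))     # outsider is denied
```

With the rule as quoted, all three constructed requesters can Compare authorizedService=sshd on the host entry, because the outsider falls through to "by * search" and search implies compare. Replacing the catch-all with "by * auth" keeps the admins and the 192.168.2.0/24 clients and denies everyone else, which is the effect the message describes for a denied service.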