Re: Access control for services

[Jan-Piet Mens <jpm@Retail-SC.com>]

Yes, it is possible, but may require some work. I've done it for
Squid by writing an external authenticator which searches for
a user by using an appropriate filter (&(uid=xxx)(httpaccess=ok)) and
having an slapd index on all attributes to make it fast. That was no
big problem. You could take the contrib `ldap-auth' and hack that in.

Sendmail may be a bigger problem. Just thinking out loud here: if
sendmail would recognize a user as being local when using nss_ldap
then you could easily hack nss_ldap to use an appropriate filter.
Otherwise I wouldn't know how...

FTP should be easy: try ProFTPD which supports LDAP. You can possibly
use your own filter.

Regards,
	-JP




On Sat, 20 Jan 2001, Shanker Balan wrote:

> Hello:
>
> Is there any mechanism by which i can provide selective access to
> services like FTP, Proxy etc by referring to a user's attributes stored
> on a LDAP database?
>
> For example, if the attribute "httpaccess: 0" exists in a user's ldif entry,
> that user should be denied proxy access using squid. Similarly, if the ldif
> entry has the attribute "mailaccess: 0", Sendmail should automatically
> reject mails coming to this user saying "no such user".
>
> Has anybody implemented such a tight access control on a service by
> service basis? Can this be achieved?
>
> -- Shanu
>
> Mulder: You can't bury the truth!
>
> 	"The X-Files: Aprocrypha"
>
>