RE: managing workstation access.
Jason,
I have successfully implemented the following setup already in a few
companies:
1) either with LDAP or with NIS (so generally: a global nameservice):
maintain groups of users that define more or less their 'role' (like
'sysadmins' containing 'usera', 'userb', ...)
In LDAP terms, this is "cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com"
with "memberUid=usera" and so on.
2) besides, maintain "netgroups" in your global nameservice, to list the
'groups' that have access for each particular machine. I named these
netgroups
    cn=hosta-access,ou=netgroup,dc=your,dc=domain,dc=com
with members the groups that can login into this host
    memberNisNetgroup: sysadmins
    ...
3) then I installed on each machine the same /etc/profile script, doing the
following:
- if the user is locally defined (in /etc/passwd) allow login straight away.
  Otherwise:
- collect the list of groups of which the login user is a member, using
    ldapsearch -h ldapserver -L -b "ou=groups,dc=your,dc=domain,dc=com" "memberUid=$LOGNAME" cn
- collect the member-groups of netgroup "`uname -n`-access"
    ldapsearch -h ldapserver -L -b "ou=netgroup,dc=your,dc=domain,dc=com" "cn=`uname -n`-access" memberNisNetgroup
- loop over both lists to check if the user is in a group that is a member of
  the netgroup "`uname -n`-access"
Advantages: nothing specific to maintain on each individual host; all is
centrally managed.
Users cannot break out of the login check; /etc/profile is the very first one
to be executed, even during "su - usera -c command".
Good luck
Rob
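The check Rob describes in step 3, written out as an added example: this is not his actual /etc/profile and not part of the original message. It keeps his two ldapsearch queries and the local-account shortcut, but puts the matching in POSIX sh functions so the decision can be exercised on constructed sample output without a directory server. Assumed: the server name "ldapserver" and the base DN from the post, anonymous simple bind (-x) with the -H URI form of ldapsearch, and group names without whitespace.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: LDAP server name,
# base DN, anonymous simple bind, ldapsearch -H URI form, group names
# without whitespace.

LDAP_HOST="${LDAP_HOST:-ldapserver}"            # assumed server name
BASE_DN="${BASE_DN:-dc=your,dc=domain,dc=com}"  # base DN from the post

# ldif_values ATTR: read LDIF on stdin and print the values of ATTR, one per
# line ("cn: sysadmins" -> "sysadmins"). Comment and other lines are dropped.
ldif_values() {
    sed -n "s/^$1: //p"
}

# user_groups USER: cn of every group under ou=groups that lists USER as memberUid.
user_groups() {
    ldapsearch -x -H "ldap://$LDAP_HOST" -L -b "ou=groups,$BASE_DN" \
        "memberUid=$1" cn | ldif_values cn
}

# host_groups HOST: member groups of the netgroup "HOST-access" under ou=netgroup.
host_groups() {
    ldapsearch -x -H "ldap://$LDAP_HOST" -L -b "ou=netgroup,$BASE_DN" \
        "cn=$1-access" memberNisNetgroup | ldif_values memberNisNetgroup
}

# is_local_user USER: succeed if USER has an entry in /etc/passwd.
is_local_user() {
    grep -q "^$1:" /etc/passwd
}

# allowed USER_GROUPS HOST_GROUPS: succeed if any name in the first
# newline-separated list also appears in the second. An empty list on either
# side (no groups, or a failed directory query) means denied: fail closed.
allowed() {
    for g in $1; do
        for h in $2; do
            [ "$g" = "$h" ] && return 0
        done
    done
    return 1
}

# check_access_ldif USER_LDIF HOST_LDIF: the same decision taken on captured
# "ldapsearch -L" output, so the matching can be tested without a server.
check_access_ldif() {
    allowed "$(printf '%s\n' "$1" | ldif_values cn)" \
            "$(printf '%s\n' "$2" | ldif_values memberNisNetgroup)"
}

# check_login USER HOST: local accounts pass; everyone else needs a group
# that is a member of the netgroup HOST-access.
check_login() {
    is_local_user "$1" && return 0
    allowed "$(user_groups "$1")" "$(host_groups "$2")"
}

# What the poster's /etc/profile would do with this (assumed wording):
#   check_login "$LOGNAME" "$(uname -n)" || { echo "no access to $(uname -n)" >&2; exit 1; }

# Constructed sample output in the shape "ldapsearch -L" produces: the
# sysadmins group and hosta-access from the post, plus a made-up hostc-access.
SAMPLE_USER_LDIF='version: 1

# filter: memberUid=usera
dn: cn=sysadmins,ou=groups,dc=your,dc=domain,dc=com
cn: sysadmins

dn: cn=developers,ou=groups,dc=your,dc=domain,dc=com
cn: developers'

SAMPLE_HOSTA_LDIF='version: 1

dn: cn=hosta-access,ou=netgroup,dc=your,dc=domain,dc=com
memberNisNetgroup: sysadmins
memberNisNetgroup: dbadmins'

SAMPLE_HOSTC_LDIF='version: 1

dn: cn=hostc-access,ou=netgroup,dc=your,dc=domain,dc=com
memberNisNetgroup: dbadmins'

# Stand-alone demonstration on the constructed data: usera gets hosta, not hostc.
if check_access_ldif "$SAMPLE_USER_LDIF" "$SAMPLE_HOSTA_LDIF"; then
    echo "usera on hosta: allowed"
else
    echo "usera on hosta: denied"
fi
if check_access_ldif "$SAMPLE_USER_LDIF" "$SAMPLE_HOSTC_LDIF"; then
    echo "usera on hostc: allowed"
else
    echo "usera on hostc: denied"
fi
```

Two design points worth noting. The intersection denies whenever either list is empty, so a directory outage locks out directory users but not local accounts, which is the fail-closed behaviour you want from a login gate. And because /etc/profile is only read by login shells, any path that does not start one (an ssh session that runs a command directly, scp or sftp, a non-login shell) never reaches this check; the same netgroup data can also be consumed at the authentication layer (pam_access, or the host attribute handling in pam_ldap) so that the policy holds regardless of how the session is opened.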
-----Original Message-----
From: Jason C. Leach [mailto:jleach@ocis.net]
Sent: Tuesday, June 24, 2003 10:04 PM
To: openldap-software@OpenLDAP.org
Subject: managing workstation access.
hi,
Does anyone have some good ideas on how to manage workstation access with
LDAP. For example, if I add a user to the LDAP DB they get access (an
account) on all workstations A, B and C. But suppose I don't want them to
have access to workstation C? Can I limit that somehow?
Thanks,
j.
--
......................
..... Jason C. Leach
..
Current PGP/GPG Key ID: 43AD2024