[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: using ldap ssh, proftpd and apache.

To: "'Ottavio Campana'" <ottavio@campana.vi.it>, <openldap-software@OpenLDAP.org>
Subject: RE: using ldap ssh, proftpd and apache.
From: "Howard Chu" <hyc@highlandsun.com>
Date: Sun, 22 Feb 2004 04:11:14 -0800
Importance: Normal
In-reply-to: <20040222102042.GA5006@campana.vi.it>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ottavio Campana

> I've used a lot ldap with samba to create multiple pdc.
>
> Now I want to use ldap for all my services.
>
> Let's suppose you've got a server with ssh, apache, proftpd,
> postfix, an
> imap  server,  a  webmail  and  squid. Every  user  will
> have  got  the
> possibility of using  the mailservices, I've read  the
> documentation for
> it and I know how to do it.
>
> But I don't want  that every user of the mailservices  can
> even use ssh,
> ftp and so on. So I'd like to know if there's a way to store
> in ldap the
> information about the  possibility of logging in with  ssh,
> upload files
> with proftpd,  use the proxy, accessing  parte of the
> websites  using an
> autetication system with apache.
>
> The  documentation of  proftpd says  that it  can connect
> with an  ldap
> server  but  I cannot  find  a  way to  limit  the  access to
>  the  only
> autorizated users.
>
> For squid, ssh and apache I don't have got any idea.
>
> The  only  possible  solution  I've  found  is that  if  I
> use  pam  to
> autenticate  my  users  I  just  can put  something  like
> this  in  the
> configuration files:
>
> auth required pam_ldap.so filter=(uid=*a*)
>
> So I could add some fields  to my users like UserCanLogin,
> UserCanDoFtp,
> UserCanUseProxy and then filter them upon their values. But
> in this case
> I still  have got a trouble:  should I write a  schema on my
> own  to get
> these entries  or does anyone of  you know if there's
> something already
> done?

Symas' Unix LDAP gateway has attributes for Login/FTP privilege but in
general this is something that each application defines on its own. Apache
has a variety of authorization engines; ssh has its own authorization
mechanism as well. Whether they can pull their authorization data out of LDAP
is somewhat of an open question; last I checked sshd only uses local config
files.

This question has nothing specific to do with OpenLDAP software. I don't
think it really belongs on the ldap@umich.edu list either, more appropriately
it should be raised on support forums for each of the software packages you
intend to use.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- using ldap ssh, proftpd and apache.
  - From: Ottavio Campana <ottavio@campana.vi.it>

Prev by Date: Re: using ldap ssh, proftpd and apache.
Next by Date: Re: Library version naming confusion
Index(es):
- Chronological
- Thread