
Host based authentication using OpenLDAP



Hello, I've been working on implementing an LDAP solution for the last 8
months (in-between task, you know how it is :D )

I now have a working LDAP directory, have all my users imported, things
actually work! :D..(jinx!)

But now I wanna get fancy..

I've been googling for some sort of clear description on how I can set
up a system using groups of hosts and user groups to create a selective
ACL for ssh'ing to a set of servers based on group membership.

One of my primary goals is to have it work as much "out of the box" as
possible for RHEL4 and 5 (and CentOS).

That means I want to avoid having to make changes to hosts (I have
around 60-80 Linux servers today that I want over on LDAP).
So I try to avoid the solutions involving /etc/security/*.

I have it working with the ldapns schema with no changes to PAM.

But this means I have to enter the specific host into each user record.

But I'm a contrary and difficult guy, and love making problems for
myself, so I want to assign groups of users to groups of servers.

Oh..and SSH keys :D..but that is for when life looks sunny and I need to
be reminded that the world is a bad place.

Is there anyone that can point me towards resources that are written on
this? I already have a list of links I've been reading, and am adding
those here in case other people want to look at them:

https://help.ubuntu.com/community/LDAPClientAuthentication
http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
http://www.padl.com/OSS/nss_ldap.html
http://www.padl.com/OSS/pam_ldap.html
http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth.html

Thanks for taking the time to read this :)

-- 
Per
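The two access models the post touches on can be exercised offline, which helps when deciding which one to deploy. The script below is an added example written for this thread, not code from the original post or from nss_ldap/pam_ldap. It evaluates (1) the ldapns model the poster already runs, where the user entry carries `host` attributes that pam_ldap compares with the local hostname when `pam_check_host_attr` is on (this example assumes the rule "equal to the hostname, or `*` for any host"), and (2) the NIS netgroup model from the linked Red Hat whitepaper, where `nisNetgroup` entries hold `(host,user,domain)` triples and nest via `memberNisNetgroup`, evaluated with innetgr(3) semantics (empty field matches anything, `-` matches nothing). It goes beyond the post by showing how a single netgroup can pair a group of users with a group of hosts, which is what the poster wants to avoid per-user `host` attributes. The LDIF data, the names `all-admins`/`db-admins`, the users and the hostnames are all constructed; the LDIF parser handles only the plain single-line `attr: value` form.

```python
"""Evaluate host-based login rules from constructed LDAP data.

Added example for the OpenLDAP host-access thread; not from nss_ldap,
pam_ldap or the original post. Sample data below is constructed.
"""
import re

# Constructed sample directory: two ldapns-style users with `host`
# attributes, one user without, and two nested NIS netgroups.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: alice
host: web01.example.com
host: web02.example.com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: bob
host: *

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol

dn: cn=db-admins,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: db-admins
nisNetgroupTriple: (db01.example.com,carol,)
nisNetgroupTriple: (db02.example.com,carol,)

dn: cn=all-admins,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: all-admins
memberNisNetgroup: db-admins
nisNetgroupTriple: (,alice,)
"""

TRIPLE_RE = re.compile(r"\(\s*([^,]*)\s*,\s*([^,]*)\s*,\s*([^,)]*)\s*\)")


def parse_ldif(text):
    """Minimal LDIF parser: one 'attr: value' per line, entries separated by
    blank lines. Attribute names are case-insensitive in LDAP, so they are
    lower-cased. No base64 (::) values and no line folding."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def _field_ok(pattern, value):
    """innetgr(3) field rule: empty matches anything, '-' matches nothing,
    otherwise a case-insensitive exact match."""
    if pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern.lower() == value.lower()


class Directory:
    def __init__(self, entries):
        self.users = {e["uid"][0]: e for e in entries.values() if "uid" in e}
        self.netgroups = {
            e["cn"][0]: e for e in entries.values()
            if "nisnetgroup" in (c.lower() for c in e.get("objectclass", []))
        }

    def host_attr_ok(self, user, hostname):
        """ldapns rule assumed here (pam_check_host_attr): a `host` value equal
        to the local hostname, or '*', grants access; no `host` attribute denies."""
        entry = self.users.get(user)
        if entry is None:
            return False
        return any(h == "*" or h.lower() == hostname.lower()
                   for h in entry.get("host", []))

    def innetgr(self, netgroup, host, user, domain="", _seen=None):
        """Is (host,user,domain) in the netgroup, following memberNisNetgroup
        recursively? `_seen` guards against netgroup cycles in the directory."""
        seen = set() if _seen is None else _seen
        if netgroup in seen or netgroup not in self.netgroups:
            return False
        seen.add(netgroup)
        entry = self.netgroups[netgroup]
        for triple in entry.get("nisnetgrouptriple", []):
            m = TRIPLE_RE.fullmatch(triple)
            if m is None:
                continue  # malformed triple: ignore rather than grant
            fields = [f.strip() for f in m.groups()]
            if all(_field_ok(p, v) for p, v in zip(fields, (host, user, domain))):
                return True
        return any(self.innetgr(child, host, user, domain, seen)
                   for child in entry.get("membernisnetgroup", []))


def allowed(directory, user, hostname, access_netgroups=()):
    """Allow if the user's own `host` attribute matches, or if one of the
    site's access netgroups contains the (hostname, user) pair."""
    if directory.host_attr_ok(user, hostname):
        return True
    return any(directory.innetgr(ng, hostname, user) for ng in access_netgroups)


DIRECTORY = Directory(parse_ldif(SAMPLE_LDIF))

if __name__ == "__main__":
    checks = [("alice", "web01.example.com"), ("alice", "db01.example.com"),
              ("bob", "anything.example.com"), ("carol", "db01.example.com"),
              ("carol", "web01.example.com"), ("dave", "db01.example.com")]
    for u, h in checks:
        verdict = "allow" if allowed(DIRECTORY, u, h, ["all-admins"]) else "deny"
        print(f"{u:6} on {h:22} -> {verdict}")
```

The `(,alice,)` triple is the part worth noticing: an empty host field means "any host", so one netgroup line gives alice every machine without touching her user entry, while carol is restricted to the two db hosts via the nested `db-admins` group. The same lookup is what `innetgr()` performs once `nss_ldap` serves the `netgroup` map, so the decisions above are the ones a host would reach for a rule that names the `all-admins` netgroup.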