John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds
very useful, something I would like to take advantage of, but I cannot seem to find any documentation on it. How long has this been available (what release), and where might I find more info?It has not been released yet. You can check out the current code from CVS in contrib/slapd-modules/nssov. You can browse it online here:
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/ The README and slapo-nssov.5 manpage will give you a better idea of what it does.
Thanks, John-----Original Message----- From: openldap-technical- bounces+john.kane=prodeasystems.com@OpenLDAP.org [mailto:openldap- technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org] On Behalf Of Howard Chu Sent: Tuesday, May 19, 2009 8:19 PM To: Gavin Henry Cc: Per Kristiansen; openldap-technical@openldap.org Subject: Re: Host based authentication using OpenLDAP Gavin Henry wrote:----- "Per Kristiansen"<perk@funcom.com> wrote:Hello, I've been working on implementing a LDAP solution for thelast8 months (in-between task, you know how it is :D )Time flies!I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)Excellent work, well done!But now I wanna get fancy.. I've been googeling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.It sounds to me like you are almost here and just need help creatingthe LDAP groups, ACLsand LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?ACLs for nss_ldap is not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/