
Re: Host based authentication using OpenLDAP



John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds
very useful, something I would like to take advantage of, but I cannot seem to
find any documentation on it. How long has this been available (what release),
and where might I find more info?

It has not been released yet. You can check out the current code from CVS in contrib/slapd-modules/nssov. You can browse it online here:

http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/

The README and slapo-nssov.5 manpage will give you a better idea of what it does.

Thanks,
John


-----Original Message-----
From: openldap-technical-
bounces+john.kane=prodeasystems.com@OpenLDAP.org [mailto:openldap-
technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org] On Behalf
Of Howard Chu
Sent: Tuesday, May 19, 2009 8:19 PM
To: Gavin Henry
Cc: Per Kristiansen; openldap-technical@openldap.org
Subject: Re: Host based authentication using OpenLDAP

Gavin Henry wrote:

----- "Per Kristiansen"<perk@funcom.com>   wrote:

Hello, I've been working on implementing an LDAP solution for the last 8 months (in-between task, you know how it is :D )

Time flies!

I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)

Excellent work, well done!

But now I wanna get fancy..

I've been googling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.


It sounds to me like you are almost there and just need help creating the LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on RHEL 4/5 and CentOS?

ACLs for nss_ldap are not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.

--
    -- Howard Chu
    CTO, Symas Corp.           http://www.symas.com
    Director, Highland Sun     http://highlandsun.com/hyc/
    Chief Architect, OpenLDAP  http://www.openldap.org/project/




