
Re: Host based authentication using OpenLDAP



> And fyi, here's an example... For a given host:
> 
> dn: cn=hostX,ou=hosts,dc=example,dc=com
> objectClass: device
> objectClass: ipHost
> objectClass: authorizedServiceObject
> cn: hostX
> ipHostNumber: 192.168.1.127
> authorizedService: sshd
> authorizedService: ftp
> 
> you use the authorizedService attribute to list the PAM services that are
> available. Then you set ACLs to control who can access each service, like so:
> 
> access to dn.subtree=ou=hosts,dc=example,dc=com
>    attrs=authorizedService val.exact=sshd
>    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
>    by peername.ip=192.168.2.0%255.255.255.0 read
>    by * search
> 
> The overlay performs a Compare operation to check for the required service,
> so if you deny Compare access to a particular service, then users aren't
> allowed to use that service.

Very nice! We did something like this for a hosting company that had user accounts with the services that
the user was allowed to access, and the specific apps had the appropriate filters in the authz/auth searches.

Gavin.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
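As an added example (not the configuration from the original message), here is a fuller set of slapd.conf ACLs for the per-service Compare check described in the quoted text. The cn=sshd-users and cn=ftp-users groups, the people subtree and the 192.168.2.0/24 management subnet are assumptions; it is also assumed that the overlay's Compare runs with the identity of the client or user being authorized, as the peername clause in the quoted ACL implies. The caveat worth keeping in mind is that slapd access levels are cumulative (none < disclose < auth < compare < search < read < write < manage, each level implying all lower ones, per slapd.access(5)), so a fallback clause that grants search or read also grants Compare; to make the Compare fail for everyone not explicitly listed, the fallback for that attribute value must be none (or at most auth).

```conf
# Added example in slapd.conf syntax, not the original poster's config.
# Group names, the people subtree and the subnet below are assumptions.
#
# slapd access levels are cumulative
# (none < disclose < auth < compare < search < read < write < manage),
# so "search" or "read" in a fallback clause would still allow Compare.
# Each service value therefore ends in "by * none".

# sshd: admins manage the value; members of sshd-users and hosts on the
# management subnet may Compare; nobody else can even see the value.
access to dn.subtree="ou=hosts,dc=example,dc=com"
        attrs=authorizedService val.exact=sshd
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by group.exact="cn=sshd-users,ou=groups,dc=example,dc=com" compare
        by peername.ip=192.168.2.0%255.255.255.0 compare
        by * none

# ftp: a different group; the management subnet is deliberately not listed.
access to dn.subtree="ou=hosts,dc=example,dc=com"
        attrs=authorizedService val.exact=ftp
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by group.exact="cn=ftp-users,ou=groups,dc=example,dc=com" compare
        by * none

# Any other authorizedService value (a service nobody has been granted
# a clause for yet): admins may add or remove it, everyone else is denied,
# so a newly listed service is closed until an ACL opens it.
access to dn.subtree="ou=hosts,dc=example,dc=com"
        attrs=authorizedService
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by * none

# The rest of the host entry (cn, ipHostNumber, the entry itself) stays
# readable to authenticated users so the host can be located by name or
# address before the Compare is issued. Anonymous clients get nothing.
access to dn.subtree="ou=hosts,dc=example,dc=com"
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by users read
        by * none
```

To check the effect without involving PAM, run the same Compare the overlay would, bound as a test user, e.g. `ldapcompare -x -D "uid=alice,ou=people,dc=example,dc=com" -W "cn=hostX,ou=hosts,dc=example,dc=com" authorizedService:sshd`: it prints TRUE only for an identity that one of the compare clauses matches, and anything other than TRUE (FALSE or an insufficient-access error, depending on the backend) for everyone else. Repeat with authorizedService:ftp for a member of sshd-users to confirm the services are really separated.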