[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Host based authentication using OpenLDAP

To: Howard Chu <hyc@symas.com>
Subject: Re: Host based authentication using OpenLDAP
From: Gavin Henry <ghenry@suretecsystems.com>
Date: Fri, 22 May 2009 14:59:17 +0100 (BST)
Cc: John Kane <john.kane@prodeasystems.com>, openldap-technical@openldap.org
In-reply-to: <8646464.691243000672501.JavaMail.root@mail>

> And fyi, here's an example... For a given host:
> 
> dn: cn=hostX,ou=hosts,dc=example,dc=com
> objectClass: ipHost
> objectClass: authorizedServiceObject
> cn: hostX
> ipHostNumber: 192.168.1.127
> authorizedService: sshd
> authorizedService: ftp
> 
> you use the authorizedService attribute to list the PAM services that
> are 
> available. Then you set ACLs to control who can access each service,
> like so:
> 
> access to dn.subtree=ou=hosts,dc=example,dc=com
>    attrs=authorizedService val.exact=sshd
>    by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
>    by peername.ip=192.168.2.0%255.255.255.0 read
>    by * search
> 
> The overlay performs a Compare operation to check for the required
> service, so 
> if you deny Compare access to a particular service, then users aren't
> allowed 
> to use that service.

Very nice! We did something like this for a hosting company that had users accounts with the services that
the user was allowed to access and the specific apps had the appropriate filters in the authz/auth searches.

Gavin.

-- 
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/

Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.

Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

Prev by Date: MirrorMode and Failover
Next by Date: Re: freeBSD 7.0 + passwd + openldap
Index(es):
- Chronological
- Thread