[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Howto setup OpenLDAP as ACL for Servers?
On Tuesday 23 June 2009 05:28:31 Olivier Nicole wrote:
> > I have many Windows 2003/Linux Server, and a OpenLDAP server as auth
> > server, I want setup ACL in OpenLDAP server, maybe user A allowed to
> > login in windows-1 server and Linux-1 server, and user B allowed to
> > login in windows-2 server and Linux-2 server.
> > How to setup it in OpenLDAP server?
>
> The question is not how to set-up LDAP, but how to setup your Windows
> and Linux servers.
>
> For example I use in nss_ldap.conf (Unix)
>
> nss_base_passwd
> ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=samba
pam_ldap also supports the 'host' and "authorizedService" attributes, if you
rather want to do per-user per-server authorization. Please see the nss_ldap
documentation regarding the pam_check_host_attr and pam_check_service_attr
options.
(filtering users out at the nss level may be a bit drastic, as file ownerships
might not be resolved correctly etc. Also, since pam configuration can be
changed per-application, it is more flexible)
> And in smb.conf (samba)
I believe Samba supports a similar means to the pam_ldap host attribute,
namely storing the "allowed workstations". This can be modified using the "User
manager for domains" tool from a Windows PC, and I believe this ends up
modifying the sambaMungedDial attribute.
This will only work if you have a samba domain controller, and users log in to
the domain. Further discussion of the samba and windows-specific aspects really
belongs on the samba lists.
Regards,
Buchan