
Re: Limiting finger lookup access on Linux



Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides information for.

PAM doesn't return user information at all. This is strictly for nss-ldap. You could also add a filter to nss-ldap's config file. Unfortunately the most straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's memberof overlay. If your group was actually a dynamic group, then you could use the same filter criteria that the dynamic group uses.

-Rex


On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:

Brett @Google wrote:
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex@wccnet.edu> wrote:


    I have some linux machines that I have configured for student access.  We are authenticating against our OpenLDAP tree and limiting which users have access via an LDAP groupOfNames.  This is all working perfectly.

    This is the problem I am having.   Any user with access to the system can run the /usr/bin/finger command and do a name search against our entire LDAP tree.   I would like to limit the info available via finger to just the users that have access to any particular machine.   How can this be controlled?


This sounds more like a firewall / iptables issue to your finger server than anything else ?

No, doesn't sound like that to me.

Essentially he wants an ACL that grants access to nss-ldap searches based on the target entries belonging to a group associated with a particular peeraddr.
But at the moment, I can't think of any mechanism to do this in the current ACL engine.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
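As an added illustration of the dynamic-group approach suggested above (not part of the thread), this is a constructed groupOfURLs entry whose membership is defined by a filter; it assumes slapd loads dyngroup.schema and the dynlist overlay (slapd.conf: `overlay dynlist` / `dynlist-attrset groupOfURLs memberURL member`), and the DNs and the `departmentNumber` criterion are assumptions.

```ldif
# Constructed example: a dynamic group for the student lab hosts.
# Membership is computed by slapd's dynlist overlay from memberURL, so the
# same filter can be reused by nss-ldap on each host.  All names assumed.
dn: cn=lab-users,ou=groups,dc=example,dc=com
objectClass: groupOfURLs
cn: lab-users
description: Accounts permitted on the student lab machines
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=cs101)
```

On each lab host, nss-ldap's `/etc/ldap.conf` can then carry the same criteria, e.g. `nss_base_passwd ou=people,dc=example,dc=com?sub?(departmentNumber=cs101)`, so finger and getent only see entries matching that filter. Note that this is a client-side filter: it narrows what the host's NSS lookups return, not what the directory itself will disclose, which is the server-side ACL question Howard raises.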