
Re: restrict host login based on group



There are other ways to populate the pam_groupdn that you have associated with each machine but those all correspond to some attribute in the user's profile.

I have pam_groupdn set up like this:

/etc/ldap.conf:
pam_groupdn cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
pam_member_attribute member

dn: cn=<GROUP_NAME>,ou=Systems,dc=domain,dc=com
cn: <GROUP_NAME>
objectClass: top
objectClass: groupOfNames
objectClass: labeledURIObject
# groupOfNames requires at least one member value; nobody is a static placeholder
member: uid=nobody,ou=People,dc=domain,dc=com
# each labeledURI is an LDAP URL: base DN ? attributes ? scope ? filter
labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(host=<type of system>)
labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=XXXX)

So, as you can see, you can have as many labeledURI attributes as you want or need. I tend to use the host value as a function of what the host does.

This is how my account profile would look:
dn: uid=<MYUSERID>,ou=People,dc=domain,dc=com
host: cluster
host: sysadmin

So "cluster" is a compute cluster that we have, and thus for all those machines pam_groupdn is cn=cluster,ou=Systems,dc=domain,dc=com, and for machines where only the sysadmins log in, pam_groupdn is cn=sysadmin,ou=Systems,dc=domain,dc=com.

As long as you can form a labeledURI: ldap:///ou=People,dc=domain,dc=com??one?(<attribute>=<value>) type search, you can use it to auto-populate the group.

Summary:
* Do not think of the host attribute as host = hostname but as host = type of machine, and remember that you can have more than one labeledURI per group to help populate the group.
* Use good gidNumbers for groups to help auto-populate groupOfNames style groups.



- Adam


On Wed, Dec 9, 2009 at 4:01 AM, Shamika Joshi <shamika.joshi@gmail.com> wrote:
Hi Adam,
I'm able to get host auth working by using the host attribute. But the drawback of that is that every time there is a new machine, I have to add that host to all the users I want to grant access to. If I decide to do it based on group membership, I can use pam_groupdn, but then it does not allow multiple group entries there, plus it has to be managed on the client side, which is even more undesirable for any administrator.

I went through this article but I'm not sure if it will work if I have some members already associated with some groups. Like ldap1 & ldap2 members of qagroup and ldap3 & ldap4 members of sysadmin: would this method allow me to limit access based on their group membership? If yes, could you briefly explain with an example?

Thanks for your time in advance
Shamika



On Wed, Dec 9, 2009 at 9:04 AM, Adam Hough <adam@gradientzero.com> wrote:
Here is the write-up that I read to figure out how to set up auto-restricting users to certain hosts.

http://www.hurricanelabs.com/september2009_login_security_using_openldap_and_pam



On Tue, Dec 8, 2009 at 4:40 PM, Howard Chu <hyc@symas.com> wrote:
Shamika Joshi wrote:
Thanks Howard,
Could you point me to some good documentation or HowTos on that?

Search the archives. I posted an example in here a few months ago.
http://www.openldap.org/lists/openldap-technical/200905/msg00108.html


--
 -- Howard Chu
 CTO, Symas Corp.           http://www.symas.com
 Director, Highland Sun     http://highlandsun.com/hyc/
 Chief Architect, OpenLDAP  http://www.openldap.org/project/
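The labeledURI expansion Adam describes above, as an added example that is not part of the thread or of OpenLDAP's own code: a small Python model of what the server-side dynamic-group overlay does (assumed here to be OpenLDAP's dynlist overlay; the thread does not show that configuration) when it turns each labeledURI on a group into member values, followed by the pam_groupdn check that pam_ldap performs against the result. The directory entries, user names and the two group entries are constructed sample data, and the filter evaluator handles only equality, presence and AND. It also makes two points the thread leaves implicit: a host value stored with literal quote characters does not match (host=cluster), and scope one only selects entries directly under ou=People.

```python
"""Offline model of labeledURI-driven group membership feeding pam_groupdn.

DIRECTORY and the group entries are constructed sample data, not a real
DIT; matching is simplified (case-insensitive compare, no escaped commas
in RDNs). Added example, not code from the thread or from OpenLDAP.
"""
import re
from urllib.parse import unquote

# Constructed users under ou=People. carol's host value carries literal
# quotes; dave sits one level deeper than ou=People (outside scope "one").
DIRECTORY = {
    "uid=alice,ou=People,dc=domain,dc=com": {
        "uid": ["alice"], "host": ["cluster", "sysadmin"], "gidNumber": ["1000"]},
    "uid=bob,ou=People,dc=domain,dc=com": {
        "uid": ["bob"], "host": ["cluster"], "gidNumber": ["2000"]},
    "uid=carol,ou=People,dc=domain,dc=com": {
        "uid": ["carol"], "host": ['"cluster"'], "gidNumber": ["1000"]},
    "uid=dave,ou=Contractors,ou=People,dc=domain,dc=com": {
        "uid": ["dave"], "host": ["cluster"], "gidNumber": ["1000"]},
    "uid=erin,ou=People,dc=domain,dc=com": {
        "uid": ["erin"], "gidNumber": ["2000"]},
    "uid=nobody,ou=People,dc=domain,dc=com": {"uid": ["nobody"]},
}


def group_entry(name, *urls):
    """Build a groupOfNames/labeledURIObject entry in the shape used in the thread."""
    return {
        "cn": [name],
        "objectClass": ["top", "groupOfNames", "labeledURIObject"],
        "member": ["uid=nobody,ou=People,dc=domain,dc=com"],  # required static member
        "labeledURI": list(urls),
    }


GROUP_CLUSTER = group_entry(
    "cluster",
    "ldap:///ou=People,dc=domain,dc=com??one?(host=cluster)",
    "ldap:///ou=People,dc=domain,dc=com??one?(gidNumber=2000)")
GROUP_SYSADMIN = group_entry(
    "sysadmin",
    "ldap:///ou=People,dc=domain,dc=com??one?(host=sysadmin)")


def parse_ldap_url(url):
    """Split an RFC 4516 URL 'ldap://host/dn?attrs?scope?filter' into (dn, scope, filter)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    _hostport, _, path = url[len("ldap://"):].partition("/")
    dn, _attrs, scope, filt = (path.split("?") + [""] * 4)[:4]
    return unquote(dn), (scope or "base"), (unquote(filt) or "(objectClass=*)")


def in_scope(entry_dn, base_dn, scope):
    """base / one / sub semantics; 'one' means exactly one RDN below the base."""
    e, b = entry_dn.lower(), base_dn.lower()
    if scope == "base":
        return e == b
    if not e.endswith("," + b):
        return False
    above_base = e[: -(len(b) + 1)]
    if scope == "one":
        return "," not in above_base
    return True  # "sub"


def _attr_values(entry, attr):
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def _split_components(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, filt):
    """Minimal filter evaluator: (attr=value), (attr=*), and (&(...)(...))."""
    if filt.startswith("(&"):
        return all(matches(entry, sub) for sub in _split_components(filt[2:-1]))
    m = _EQUALITY.match(filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, value = m.groups()
    values = _attr_values(entry, attr)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def expand_group(group, directory):
    """Server-side expansion: static members plus every entry each labeledURI selects."""
    members = list(group.get("member", []))
    for url in group.get("labeledURI", []):
        base, scope, filt = parse_ldap_url(url)
        for dn, entry in directory.items():
            if dn not in members and in_scope(dn, base, scope) and matches(entry, filt):
                members.append(dn)
    return members


def pam_groupdn_allows(user_dn, group, directory):
    """pam_ldap's pam_groupdn check: is the binding user's DN among the group's member values?"""
    return user_dn.lower() in (m.lower() for m in expand_group(group, directory))


if __name__ == "__main__":
    for group in (GROUP_CLUSTER, GROUP_SYSADMIN):
        print("pam_groupdn cn=%s,ou=Systems,dc=domain,dc=com ->" % group["cn"][0])
        for dn in expand_group(group, DIRECTORY):
            print("   ", dn)
```

Run stand-alone, it prints the expanded member list for each group, which is what a machine whose /etc/ldap.conf points pam_groupdn at that group would accept. The quoted value on carol and the deeper entry for dave both fall out of the cluster group, while erin is pulled in by the second labeledURI even though she has no host attribute at all.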