Re: Want interesting restrictions to ldap auth on different servers to different users

2010/11/19 Phuong Marie VUONG <mangocphung@gmail.com>:
> Hello,
>
> First, I'm sorry about my English. I share here my experience which worked
> to limit access to a host/group of hosts for a user...
>
> In the configuration of the ldap client /etc/ldap.conf, I have activated the
> host attribute and a filter in nss_base_passwd:
> pam_check_host_attr yes
> nss_base_passwd
> ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
>
> In the user entry, add the host attribute.
> And in the host value, you can put the pattern corresponding to the level
> that you want to authorize to connect, for example:
> hostname.domain
> or
> PatternofHostGroup
> or
> *
>
> Hope that can help
>
>
> 2010/11/19 c0re <nr1c0re@gmail.com>
>>
>> Can you give an example of usage of pam_check_host_attr?
>>
>> And how can I use a group of hosts and assign a user to this group to
>> permit the user access to this group, avoiding enumerating hosts in the
>> user's dn each time I add a new user?
>>
>> What should I set in "host:"? Hostname of server? How are host attrs
>> sent to pam_ldap?
>>
>> 2010/11/18 Aaron Richton <richton@nbcs.rutgers.edu>:
>> > On Thu, 18 Nov 2010, c0re wrote:
>> >
>> >> I mean user user1 must login only on server1, server2 and server3.
>> >> And user2 can login only on server5 and server2.
>> >
>> > You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
>> > search filters, who knows) to accomplish this, but the cleanest way to
>> > do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
>> > because you mentioned "pam_groupdn" which is not an OpenLDAP
>> > configuration directive.
>> >
>
> --
> Milan&Phuong
> 06.17.34.09.77
> 09.53.57.04.94
> http://www.phuong.fr/photos/
I went a slightly different way.

I used pam_groupdn in ldap.conf and created a group for each server.
Now if I add a user to LDAP, I need to add "memberUid: `userdn`" to the
groups. And the user will be able to log in to those servers in whose
groups the user is a member.
But if I have 100-200 servers and want to give a new user access to
all of these servers, I should add the user to all groups. Of course it's a
waste of time and it could be done via some external shell/perl script,
but maybe there is another way in OpenLDAP?

pam_check_host_attr does almost the same. If I add a user, I need to add all
hosts to the user attr "host:". So it's the same work, I think.
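The two schemes discussed in this thread (per-user `host` attribute checked by `pam_check_host_attr`, versus one group per server checked by `pam_groupdn`) can be modelled to audit who may log in where. This is an added example, not code from the thread or from pam_ldap; the user, server and group data are constructed, and the host-attribute matching (exact hostname or literal `*`) is an assumption about pam_ldap's behaviour, not something the thread states.

```python
"""Audit effective login rights under the two pam_ldap schemes in the thread.

Constructed sample data (not a real directory): user entries carrying a
'host' attribute, and one posixGroup per server as in the pam_groupdn setup.
"""

# Constructed user entries: uid -> list of 'host' attribute values
USERS = {
    "user1": ["server1.example.com", "server2.example.com", "server3.example.com"],
    "user2": ["server5.example.com", "server2.example.com"],
    "admin": ["*"],          # the wildcard value from the thread
    "nohost": [],            # entry without any host attribute
}

# Constructed per-server groups for pam_groupdn: server -> set of memberUid
GROUPS = {
    "server1.example.com": {"user1"},
    "server2.example.com": {"user1", "user2"},
    "server3.example.com": {"user1"},
    "server5.example.com": {"user2"},
}


def allowed_by_host_attr(uid, hostname):
    """Assumed pam_check_host_attr semantics: a value equal to the local
    hostname or the literal '*' grants access; no host attribute means deny."""
    return any(h == "*" or h == hostname for h in USERS.get(uid, []))


def allowed_by_groupdn(uid, hostname):
    """pam_groupdn semantics: uid must be a memberUid of the group that
    ldap.conf on this particular server points at."""
    return uid in GROUPS.get(hostname, set())


def access_matrix(check):
    """For each server, the sorted uids that the given check admits."""
    return {s: sorted(u for u in USERS if check(u, s)) for s in sorted(GROUPS)}


def grant_everywhere_host_attr(uid):
    """Host-attribute scheme: one '*' value covers every server.
    Returns the number of directory values written."""
    USERS[uid] = ["*"]
    return len(USERS[uid])


def grant_everywhere_groupdn(uid):
    """Group-per-server scheme: the uid must be added to every server group.
    Returns the number of group entries that had to be modified."""
    for members in GROUPS.values():
        members.add(uid)
    return len(GROUPS)
```

Running `access_matrix` with each check side by side shows which users each scheme admits per server, and the two `grant_everywhere_*` helpers make the maintenance cost the poster describes concrete (one value versus one modification per server).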