[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Want interesting restrictions to ldap auth on different servers to different users



c0re wrote:
2010/11/19 Phuong Marie VUONG<mangocphung@gmail.com>:
Hello,

First, im sorry about my English. I share here my experience which worked
for limit acces host/group of host for user...

In the configuration of ldap client /etc/ldap.conf , i have activate the
host attribute and a filter in nss_base_passwd
pam_check_host_attr yes
nss_base_passwd
ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)

In the user entry, add the host attribute
And in the host set, you can put the pattern value correpond of the level
that you want to authorize to connect , for exe :
hostname.domain
or
PatternofHostGroup
or
*

Hope that can help


2010/11/19 c0re<nr1c0re@gmail.com>

can you give an example of usage pam_check_host_attr?

And how can I use group of hosts and assign user to this group to
permit access user to this group avoiding enumerating  hosts in users
dn each time I add new user?

What should I set in "host:"? Hostname of server? How host attr are
sent to pam_ldap?

2010/11/18 Aaron Richton<richton@nbcs.rutgers.edu>:
On Thu, 18 Nov 2010, c0re wrote:

I mean user user1 can must login only on server1,server2 and server3.
And user2 can login only on server5 and server2.

You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
search filters, who knows) to accomplish this, but the cleanest way to
do
this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
because you mentioned "pam_groupdn" which is not an OpenLDAP
configuration
directive.




--
Milan&Phuong
06.17.34.09.77
09.53.57.04.94
http://www.phuong.fr/photos/



I moved a bit different way.

I used pam_groupdn in ldap.conf and created a group for each server.
Now if I add user to ldap, I need to add to groups "memberUid:
`userdn`". And user will be able to login to those servers in which
groups is user as a member.
But if I got 100-200 servers and want to give access to new user to
all this servers, I should add user to all groups. Of course it's a
waste of time and it's possible to be done via some external
shell/perl script, but may be there another way in openldap?

pam_check_host_attr do almost same. If I add user - I need to add all
hosts to user attr "host:". So it's same work I think.

Read up on the nssov overlay.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/