
Re: Want interesting restrictions to ldap auth on different servers to different users



2010/11/29 Howard Chu <hyc@symas.com>:
> c0re wrote:
>>
>> 2010/11/19 Phuong Marie VUONG <mangocphung@gmail.com>:
>>>
>>> Hello,
>>>
>>> First, I'm sorry about my English. I share here my experience, which worked
>>> for limiting access to a host/group of hosts per user...
>>>
>>> In the configuration of the LDAP client /etc/ldap.conf, I have activated the
>>> host attribute and a filter in nss_base_passwd:
>>> pam_check_host_attr yes
>>> nss_base_passwd
>>>
>>> ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
>>>
>>> In the user entry, add the host attribute.
>>> In the host values, you can put the pattern value corresponding to the level
>>> that you want to authorize to connect, for example:
>>> hostname.domain
>>> or
>>> PatternofHostGroup
>>> or
>>> *
>>>
>>> Hope that can help
>>>
>>>
>>> 2010/11/19 c0re <nr1c0re@gmail.com>
>>>>
>>>> Can you give an example of the usage of pam_check_host_attr?
>>>>
>>>> And how can I use a group of hosts and assign a user to this group to
>>>> permit the user access to this group, avoiding enumerating hosts in the
>>>> user's DN each time I add a new user?
>>>>
>>>> What should I set in "host:"? The hostname of the server? How are host
>>>> attributes sent to pam_ldap?
>>>>
>>>> 2010/11/18 Aaron Richton <richton@nbcs.rutgers.edu>:
>>>>>
>>>>> On Thu, 18 Nov 2010, c0re wrote:
>>>>>
>>>>>> I mean user user1 must be able to log in only on server1, server2 and server3.
>>>>>> And user2 can log in only on server5 and server2.
>>>>>
>>>>> You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
>>>>> search filters, who knows) to accomplish this, but the cleanest way to
>>>>> do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
>>>>> because you mentioned "pam_groupdn", which is not an OpenLDAP
>>>>> configuration directive.
>>>>>
>>>
>>>
>>>
>>> --
>>> Milan&Phuong
>>> 06.17.34.09.77
>>> 09.53.57.04.94
>>> http://www.phuong.fr/photos/
>>>
>>>
>>>
>> I went a slightly different way.
>>
>> I used pam_groupdn in ldap.conf and created a group for each server.
>> Now when I add a user to LDAP, I need to add "memberUid: `userdn`" to
>> the groups, and the user will be able to log in to those servers whose
>> groups the user is a member of.
>> But if I have 100-200 servers and want to give a new user access to
>> all these servers, I have to add the user to all the groups. Of course it's
>> a waste of time, and it could be done via some external shell/perl
>> script, but maybe there is another way in OpenLDAP?
>>
>> pam_check_host_attr does almost the same. If I add a user, I need to add
>> all hosts to the user's "host:" attribute. So it's the same work, I think.
>>
> Read up on the nssov overlay.
>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>

I can't understand how to use the nssov overlay in my case, but I
understood the dynamic groups overlay and it should fit my needs.

Also I've got freeradius that authenticates users by looking in LDAP.
It works well. But I can't understand how to restrict users to logging
in to only some devices. At the moment all users have access to all
devices via radius. Same requirement: this must be controlled via OpenLDAP.

Maybe someone uses freeradius and has already made such restrictions
and can give me some tips.

Thanks!
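As an added example (not code from the thread, nor from pam_ldap or nss_ldap), the following Python models the per-user `host` attribute scheme Phuong describes, on a constructed in-memory directory: a value may be an exact hostname, a host-group tag, or `*`. The host-group tags and their membership (`HOST_GROUPS`) are an assumption about how such a tag is resolved on each server. The block also evaluates the `nss_base_passwd` filter from the thread with LDAP filter semantics, which makes one point worth checking in any deployment: `(host=*)` is a presence test in LDAP filter syntax, so that filter exposes every account that has any `host` value, and the actual per-host restriction rests on the pam_check_host_attr check, not on the NSS filter.

```python
import re
from typing import Dict, List, Set

LdapEntry = Dict[str, List[str]]

# Constructed sample directory (not from the thread): posixAccount-style entries
# whose `host` attribute carries an exact hostname, a host-group tag, or "*",
# plus one entry with no host attribute at all.
SAMPLE_ENTRIES: Dict[str, LdapEntry] = {
    "uid=user1,ou=People,dc=example,dc=org": {
        "uid": ["user1"],
        "host": ["server1.example.org", "server2.example.org", "server3.example.org"],
    },
    "uid=user2,ou=People,dc=example,dc=org": {
        "uid": ["user2"],
        "host": ["server5.example.org", "server2.example.org"],
    },
    "uid=ops,ou=People,dc=example,dc=org": {
        "uid": ["ops"],
        "host": ["*"],          # allowed on every host
    },
    "uid=dba,ou=People,dc=example,dc=org": {
        "uid": ["dba"],
        "host": ["dbhosts"],    # host-group tag instead of a hostname
    },
    "uid=nohost,ou=People,dc=example,dc=org": {
        "uid": ["nohost"],      # no host attribute: must be denied everywhere
    },
}

# Assumption: a host-group tag is resolved on the client side, i.e. each server
# is configured with the tags that apply to it. Constructed mapping.
HOST_GROUPS: Dict[str, Set[str]] = {
    "dbhosts": {"server2.example.org", "server5.example.org"},
}


def tags_for_host(hostname: str, host_groups: Dict[str, Set[str]]) -> List[str]:
    """Return the host-group tags whose membership includes `hostname`."""
    return sorted(tag for tag, members in host_groups.items() if hostname in members)


def host_allowed(entry: LdapEntry, hostname: str, host_groups: Dict[str, Set[str]]) -> bool:
    """Per-user host check in the spirit of pam_check_host_attr.

    "*" allows every host, an exact hostname allows that host (compared
    case-insensitively), and a host-group tag allows every member of that
    group. An entry with no host attribute is denied (fail closed).
    """
    tags = set(tags_for_host(hostname, host_groups))
    for value in entry.get("host", []):
        if value == "*" or value.lower() == hostname.lower() or value in tags:
            return True
    return False


def nss_base_passwd_filter(hostname: str, host_groups: Dict[str, Set[str]]) -> str:
    """Build the OR filter from the thread for this host, in RFC 4515 syntax."""
    terms = [f"(host={hostname})"]
    terms += [f"(host={tag})" for tag in tags_for_host(hostname, host_groups)]
    terms.append("(host=*)")
    return "(|" + "".join(terms) + ")"


def matches_nss_filter(entry: LdapEntry, ldap_filter: str) -> bool:
    """Evaluate that filter the way an LDAP server does.

    `(host=*)` is a presence test, true for any entry holding a host value, so
    once it sits inside the OR the equality terms no longer narrow the result.
    """
    values = [v.lower() for v in entry.get("host", [])]
    for term in re.findall(r"\(host=([^)]*)\)", ldap_filter):
        if term == "*":
            if values:
                return True
        elif term.lower() in values:
            return True
    return False


def visible_uids(entries: Dict[str, LdapEntry], hostname: str, host_groups) -> List[str]:
    """UIDs the NSS filter exposes on this host (what getent passwd would list)."""
    flt = nss_base_passwd_filter(hostname, host_groups)
    return sorted(e["uid"][0] for e in entries.values() if matches_nss_filter(e, flt))


def permitted_uids(entries: Dict[str, LdapEntry], hostname: str, host_groups) -> List[str]:
    """UIDs the host-attribute check actually lets log in on this host."""
    return sorted(e["uid"][0] for e in entries.values() if host_allowed(e, hostname, host_groups))


if __name__ == "__main__":
    for host in ("server1.example.org", "server5.example.org"):
        print(host, "visible:", visible_uids(SAMPLE_ENTRIES, host, HOST_GROUPS),
              "permitted:", permitted_uids(SAMPLE_ENTRIES, host, HOST_GROUPS))
```

Running it shows the gap: on server5, user1 is visible through the NSS filter (the presence term matches any account with a host value) but is not permitted by the host check, so the host attribute only restricts logins where pam_check_host_attr is enabled on every server.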