
Re: Newbie question about host base authentication



Hi Dan,

that trick would work in particular cases, but not sure
that it would scale in a large number of lively machines
environment: suppose you want to change ACL for a
particular server without changing its name?

Intuitively, I would rather opt for host group management
(posix or group of) within ldap?

Still, issue of which container remains.

---
Olivier

2012/10/29 Dan White <dwhite@olp.net>:
> On 10/29/12 09:38 -0500, Dan White wrote:
>>
>> On 10/29/12 13:23 +0100, Simone Scremin wrote:
>>>
>>> Hi all,
>>>
>>> I'm in the process of learning the OpenLDAP authentication mechanics.
>>>
>>> I'd need to know what is the best way to configure a host-based
>>> authentication system that allows configuring a per-user rule to include a
>>> group of hosts to which the user is allowed to log in.
>>>
>>> For example:
>>>
>>> user Bob needs to authenticate on systems:
>>>
>>> sys01pra
>>> sys02pre
>>> sys03pra
>>> sys03pre
>>>
>>> some configuration on the LDAP server enables these hostnames for Bob with a
>>> regular expression like:
>>>
>>> sys0*pr*
>>>
>>> Is it feasible?
>>
>>
>> Assuming that you will be using a PAM module on each host, the answer to
>> that question will depend on which PAM module you choose, and what
>> configuration it supports.
>>
>> If that module supports placing a filter within the PAM configuration, then
>> 'host=sys0*pr*' should work.
>
>
> Or, if you wish to literally store 'sys0*pr*' within your host entry in
> ldap, your filter could be:
>
> host=sys0\*pr\*
>
> --
> Dan White
>
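
The difference between the two filters quoted above, as an added example that is not part of the thread and is not code from OpenLDAP or any PAM module: a small matcher that treats an unescaped `*` as a substring wildcard and an escaped one as a literal character. The function names and the extra host entries are hypothetical, case-insensitive comparison is an assumption, and the matcher accepts both the `\*` form written in the thread and the `\2a` hex form defined in RFC 4515.

```python
import re

# Constructed sample: the four hosts from the thread, plus three made-up
# entries, one of which stores the pattern text itself as its value.
HOSTS = ["sys01pra", "sys02pre", "sys03pra", "sys03pre",
         "sys09-spare-printer", "web01pra", "sys0*pr*"]

def _tokens(value):
    """Split an assertion value into ('any', '') and ('lit', char) tokens."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "*":                        # unescaped: substring wildcard
            out.append(("any", ""))
            i += 1
        elif c == "\\":
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):   # RFC 4515 form: \2a
                out.append(("lit", chr(int(pair, 16))))
                i += 3
            elif i + 1 < len(value):        # form used in the thread: \*
                out.append(("lit", value[i + 1]))
                i += 2
            else:
                raise ValueError("dangling backslash in filter value")
        else:
            out.append(("lit", c))
            i += 1
    return out

def host_filter_matches(filter_str, host_value):
    """Evaluate a simple 'host=<value>' filter against one attribute value."""
    attr, sep, value = filter_str.partition("=")
    if attr.strip().lower() != "host" or not sep:
        raise ValueError("only simple host=<value> filters are handled")
    regex = "".join(".*" if kind == "any" else re.escape(ch)
                    for kind, ch in _tokens(value))
    # Assumption: comparison ignores case, as for a caseIgnore attribute.
    return re.fullmatch(regex, host_value, re.I | re.S) is not None

def allowed_hosts(filter_str, hosts=HOSTS):
    """Return the host values from the list that the filter admits."""
    return [h for h in hosts if host_filter_matches(filter_str, h)]

if __name__ == "__main__":
    for f in ("host=sys0*pr*", r"host=sys0\*pr\*", r"host=sys0\2apr\2a"):
        print(f, "->", allowed_hosts(f))
```

The wildcard form also admits the constructed `sys09-spare-printer` entry, so any host later named to fit the pattern inherits the same login rule, while the escaped form matches only an entry whose stored value is the pattern text itself.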