[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Fw: Fw: host Attribute --- Low Sensitivity/Aerospace Internal Use Only

To: Net Warrior <netwarrior863@gmail.com>, Warron S French <Warron.S.French@aero.org>
Subject: Re: Fw: Fw: host Attribute --- Low Sensitivity/Aerospace Internal Use Only
From: Howard Chu <hyc@symas.com>
Date: Mon, 23 Dec 2013 05:41:06 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <CAP7y58O7dtq5dw8DZ75QEpR9kkL0jV7Rs3vyZhB9uYTWLDetRQ@mail.gmail.com>
References: <OFDE742935.51446345-ON85257C4A.0045DD20-85257C4A.0045ECA8@notes.aero.org> <CAP7y58O7dtq5dw8DZ75QEpR9kkL0jV7Rs3vyZhB9uYTWLDetRQ@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1

Net Warrior wrote:

Hi French

No tcp_wrapper behaviour, just found that article and I'm trying to
make it work as well, maybe I missundertood what the host attribute
really is for or the article is wrong or I'm doing something wrong, at
least in the logs I can see the pam_check_host is being evaluated.

all of this pam_ldap stuff is obsolete. nssov implements much finer grainedauthorization.


slapd[20810]: conn=5374 op=4 MOD attr=host

Thanks for your time and support.
Regard

2013/12/23, Warron S French <Warron.S.French@aero.org>:

Low Sensitivity/Aerospace Internal Use Only

NetWarrior, are you attempting to apply a TCP_Wrappers like behavior but
implement it through LDAP?




Warron French, MBA, SCSA


----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:42 AM
-----

From:   Net Warrior <netwarrior863@gmail.com>
To:     openldap-technical <openldap-technical@openldap.org>,
Date:   12/23/2013 07:36 AM
Subject:        host Attribute
Sent by:        openldap-technical-bounces@OpenLDAP.org



Hi guys.
I'm trying to restric some user to login to some server, googling
around I found that some things can be donde with the host attribute,
this is what I got.

A user with host attribute and and a FQDN server on it
server.comap.com , the pam_check_host_attr set to yes in the client
configuration ( pam_ldap.conf / ldap.conf ), If I understand well the
user can now login to that server, in my tests I can confirm that,
what I notice is that the user can loging to all the other servers in
the farm whaterver I set to  the host attribute

I read this article as a reference:
thornelabs dot net
/documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html

Please, can someone shed some light on this or clarify what I'm trying
to to is correct or wrong?

Thanks for your time and support
Regards



Low Sensitivity/Aerospace Internal Use Only



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Fw: Fw: host Attribute --- Low Sensitivity/Aerospace Internal Use Only
  - From: Net Warrior <netwarrior863@gmail.com>

References:
- Fw: Fw: host Attribute --- Low Sensitivity/Aerospace Internal Use Only
  - From: Warron S French <Warron.S.French@aero.org>
- Re: Fw: Fw: host Attribute --- Low Sensitivity/Aerospace Internal Use Only
  - From: Net Warrior <netwarrior863@gmail.com>

Prev by Date: Re: MDB_PAGE_FULL
Next by Date: Re: MDB_PAGE_FULL
Index(es):
- Chronological
- Thread