Mladen Sekara wrote:

> Just out of curiosity, is there a way to have host, group, users defined
> in ldap, so each host uses the same base dn, but depending on host/group
> in ldap, only groups that are assigned to that host will be available?

I have defined a custom schema and a bunch of set-based OpenLDAP ACLs which allow server groups to read only the user, group and sudoers entries they are allowed to see. The "side effect" is that users are only authorized to log in to servers of certain server groups.

That works pretty well, is quite flexible and more secure. But be warned that set-based ACLs are slow. And yes, it requires that all hosts are authenticated to the OpenLDAP server.

Ciao, Michael.
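A sketch of the kind of set-based ACL Michael describes, written as an added example rather than his actual configuration (his custom schema is not shown). It assumes a cn=config style slapd, that every host binds with its own DN under ou=Hosts, and two hypothetical custom attributes: x-serverGroup on host entries and x-allowedServerGroup on user, group and sudoers entries.

```ldif
# Added example, not the poster's configuration. The attributes
# x-serverGroup and x-allowedServerGroup are hypothetical stand-ins
# for the custom schema mentioned in the post.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# A bound host may read a user entry only when at least one of the
# host's server groups also appears in the user's allowed server
# groups: "&" intersects the two attribute value sets, and an empty
# result grants nothing. Anonymous clients get no access at all,
# which is why every host has to authenticate.
olcAccess: {0}to dn.subtree="ou=People,dc=example,dc=com"
  by self read
  by set="user/x-serverGroup & this/x-allowedServerGroup" read
  by * none
# The same test applied to POSIX groups and sudoers entries, so a host
# only ever sees the groups and sudo rules assigned to its server group.
olcAccess: {1}to dn.subtree="ou=Groups,dc=example,dc=com"
  by set="user/x-serverGroup & this/x-allowedServerGroup" read
  by * none
olcAccess: {2}to dn.subtree="ou=SUDOers,dc=example,dc=com"
  by set="user/x-serverGroup & this/x-allowedServerGroup" read
  by * none
# Host accounts: each host can read its own entry (needed for the
# user/x-serverGroup dereference) and nothing else here is exposed.
olcAccess: {3}to dn.subtree="ou=Hosts,dc=example,dc=com"
  by self read
  by * none
```

The effective rights of one host against one entry can be checked offline with slapacl(8), for example `slapacl -D "cn=web01,ou=Hosts,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" uid/read`, before rolling the rules out.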