<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2769" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=256141116-09122005><FONT face=Arial
color=#0000ff size=2>Thank you very much!! I briefly looked over the
websites and it looks like what I need. I knew there was a solution, but I
didn't know what it was called. I'll try it out and let you know how it
goes.</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] <B>On Behalf Of </B>Tay,
Gary<BR><B>Sent:</B> Thursday, December 08, 2005 5:37 AM<BR><B>To:</B> General
discussion list for the Fedora Directory server project.<BR><B>Subject:</B> RE:
[Fedora-directory-users] Host Access Based on Group
Membership<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><SPAN class=966345709-08122005><FONT color=#0000ff><FONT face=Arial
size=2>FDS is very similar to SUN ONE DS5.2. I think netgroup (+@netgroupXXX
in /etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) LDAP
maps could be set up to achieve what you want; it has been used by many DS5.2
administrators.</FONT></FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff
size=2>See:</FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff size=2><A
href="http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm">http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm</A></FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial
size=2>Step 5Y: Configure “netgroup” to work with RedHat or Solaris Native LDAP
Clients</FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><SPAN
style="FONT-SIZE: 14pt; COLOR: blue"><FONT face=Arial size=2>(i.e. controlling
user access to host using netgroup LDAP maps)</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff size=2>Also
see:</FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff size=2><A
href="http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846">http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846</A></FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial
size=2>Configuring LDAP netgroups </FONT></SPAN></DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=966345709-08122005><FONT face=Arial color=#0000ff
size=2>Gary</FONT></SPAN></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left><FONT
face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
fedora-directory-users-bounces@redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] <B>On Behalf Of </B>Jason
Hane<BR><B>Sent:</B> Thursday, December 08, 2005 3:51 AM<BR><B>To:</B>
fedora-directory-users@redhat.com<BR><B>Subject:</B> [Fedora-directory-users]
Host Access Based on Group Membership<BR><BR></FONT></DIV>
<DIV><SPAN class=392084319-07122005><FONT face=Arial color=#0000ff size=2>I've
been searching everywhere for the past week and haven't found a
solution. I would like to be able to assign access to servers based upon
membership to a group or role. For example, if I create a group/role
called "Web Servers", everyone in that group can access all the web
servers. Everyone in the group/role "Database Servers" would be allowed
to log into the database servers. Users can be part of multiple
groups.</FONT></SPAN></DIV>
<DIV><SPAN class=392084319-07122005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=392084319-07122005><FONT face=Arial color=#0000ff
size=2>There has to be a way to do this already. All the clients are
running OpenLDAP and can already authenticate to the Directory Server.
To implement this solution, would I have to change ldap.conf or
system-auth?</FONT></SPAN></DIV>
<DIV><SPAN class=392084319-07122005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=392084319-07122005><FONT face=Arial color=#0000ff
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=392084319-07122005><FONT face=Arial color=#0000ff
size=2>Jason</FONT></SPAN></DIV></BLOCKQUOTE></BODY></HTML>