<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2912" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>I'm wondering - can
I use something like netgroups in the LDAP host-based ("host" attribute) for
access restriction? I have over 1000 servers and there is no way I can list
every combination of user/host explicitly.</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>I have looked at
pam_access with LDAP netgroups, which is great but there is one crucial problem
- if a user needs temporary access for example to a certain machine and this
falls outside of my netgroup definitions then there seems to be no way to allow
specific access using pam_access and /etc/security/access.conf, without having
to push out over 1000 new copies of this file. I need to be able to grant
special access like this on the LDAP server. The only thing I can think of is
this in access.conf:</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>+ @special@@special
: ALL</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>where the "special"
netgroup contains nisnetgroup triples like</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2>(user,machine,)</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>Normally, you don't
use both fields in a netgroup triple but this works fine in access.conf because
PAM uses the user part when the netgroup is used in the user position of the
</FONT><A href="mailto:user@host"><FONT face=Arial color=#000000
size=2>user@host</FONT></A><FONT face=Arial size=2> </FONT></SPAN><SPAN
class=296351717-13072006><FONT face=Arial size=2>field and uses the machine part
when the netgroup is in the "host" position. I thought this was really nice
until I realised that this means that if the "special" netgroup contains several
entries like:</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2>(user1,machine1)</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2>(user2,machine2)</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>Then user2 also gets
access to machine1 and user1 gets access to machine2 because PAM doesn't
understand that these netgroup entries are supposed to be kept together - it
just parses the user and machine parts completely
separately.</FONT></SPAN></DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=296351717-13072006><FONT face=Arial size=2>I just need to have
one entry in access.conf that will cover special-case creation on the LDAP
server but it doesn't seem to be possible, hence I am now looking at the
LDAP-based host access thing.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>--</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>Philip Kime</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>NOPS Systems Architect</FONT></DIV>
<DIV align=left><FONT face=Arial size=2>310 401 0407</FONT></DIV>
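<DIV><FONT face=Arial size=2>An added example, not part of the mail above and not pam_access code: a small model of the behaviour the mail describes, with the "special" netgroup matched column by column (user side and host side independently) next to a check that keeps each triple together, and a helper that lists the extra user/host pairs the column-wise rule hands out. Netgroup data and names are constructed; triples use the standard NIS (host,user,domain) order.</FONT></DIV>

```python
# Toy model of the access.conf behaviour described in the mail above.
# This is NOT pam_access source code: it only reproduces the described
# rule that a netgroup in the user position is matched on the user
# column and a netgroup in the host position on the host column, with
# the two checks made independently of each other.

# Constructed sample data. Triples use the standard NIS order
# (host, user, domain), as stored in LDAP nisNetgroupTriple values.
NETGROUPS = {
    "special": [("machine1", "user1", ""), ("machine2", "user2", "")],
}


def triples(netgroup):
    return NETGROUPS.get(netgroup, [])


def pam_style_allowed(netgroup, user, host):
    """Model of the access.conf line from the mail: the user check and
    the host check are evaluated separately, so every user named in
    the netgroup is granted every host named in the netgroup."""
    users = {u for _, u, _ in triples(netgroup) if u}
    hosts = {h for h, _, _ in triples(netgroup) if h}
    return user in users and host in hosts


def paired_allowed(netgroup, user, host):
    """Check that keeps each triple together: the (host, user) pair
    itself must appear in the netgroup. An empty host or user field
    acts as a wildcard, as it does in netgroup semantics."""
    return any(
        (h == "" or h == host) and (u == "" or u == user)
        for h, u, _ in triples(netgroup)
    )


def unintended_grants(netgroup):
    """(user, host) pairs the column-wise rule grants although no
    triple in the netgroup pairs them: the cross-product leak."""
    users = {u for _, u, _ in triples(netgroup) if u}
    hosts = {h for h, _, _ in triples(netgroup) if h}
    return sorted(
        (u, h) for u in users for h in hosts
        if pam_style_allowed(netgroup, u, h)
        and not paired_allowed(netgroup, u, h)
    )


if __name__ == "__main__":
    for u, h in unintended_grants("special"):
        print(f"{u} can log in to {h} although no triple pairs them")
```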
<DIV> </DIV></BODY></HTML>