[Fedora-directory-users] Server-Side ACLs for pam_ldap logins.

Dan Cox dan at wep.net
Tue Jan 3 20:54:42 UTC 2006


As an alternative, I've used the ldap/netgroup integration for many 
years and it seems the cleanest way of doing it when used in conjunction 
with pam's access.conf. It allows me to push the same /etc/passwd and 
/etc/security/access.conf to all machines on the network via something 
like CFEngine.

The access.conf consists of something like (allow all QA users access to 
QA systems):
+ : @QA@@QAServers : ALL

Then I just add or remove the user or machine in the ldap netgroup 
entry. The real power with using ldap based netgroups is when you 
realize all of the services that can consume netgroup information, 
unlike the simple user based host attribute. For example, you can push a 
global /etc/sudoers and specify certain groups of users can run certain 
commands on particular groups of machines all on one line.  CFEngine 
itself can query netgroups to know what config files to push, tools like 
dsh (distributed ssh) can use netgroups as machine targets for commands, 
etc. I've administered some very large networks of machines with these 
tools and it makes it very easy to control.

Dan-

Jason Hane wrote:

>I had a similar question a few weeks ago.  I wanted to be able to assign
>a list of users access to only a specific number of computers.  This is
>the response I got from Gary Tay:
>
>FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX in
>/etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf)
>LDAP maps could be set up to achieve what you want, it has been used by
>many DS5.2 administrators
> 
>See:
>http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP
>Clients
>(i.e. controlling user access to host using netgroup LDAP maps)
> 
>Also see:
>http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>Configuring LDAP netgroups 
> 
>Gary 
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael
>Montgomery
>Sent: Tuesday, January 03, 2006 1:35 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap
>logins.
>
>Thanks for the response.  I'll read up on this, and see if I can get
>this working.
>
>On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>
>>Michael Montgomery wrote:
>>
>>>I do agree that this is closer to what I'm looking for, but the first
>>>problem I see is that I wanted to allow Groups of people to login to 
>>>Groups of servers like:
>>>
>>>cn=www,ou=Group,dc=example,dc=com  is a group of www servers.
>>>cn=Unix,ou=Group,dc=example,dc=com  is a group of Unix users.
>>>
>>>So basically, only the people in the Unix group can login to the www 
>>>servers, and so forth.
>>>
>>Right.  The host attribute is per user.  You could set up Roles for 
>>your users, and use Class of Service to automatically add the host 
>>attribute to the role members.
>>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users