[Fedora-directory-users] Server-Side ACLs for pam_ldap logins.

Tue Jan 3 21:45:59 UTC 2006

I suppose I could put something together.. are you talking about 
something from the ground up like setting up nss_ldap, adding entries 
into LDAP, etc. or assume some of the prerequisites are in place? Also 
I'm assuming some short example usages of the tools I've mentioned?

Dan-

Jason Hane wrote:

>I second that.  Dan if you can provide any resources you used to set up
>your netgroups I would hail at your feet.  I've been playing with
>netgroups unsuccessfully for the past month and a half and haven't been
>able to get it to work.  All my clients are RedHat ES 3&4.
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>Megginson
>Sent: Tuesday, January 03, 2006 4:06 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap
>logins.
>
>This looks very interesting and useful.  Would you mind writing up
>something I can post on the Fedora DS wiki?  Don't worry about
>formatting, spelling, etc.  I can fix that up.
>
>Dan Cox wrote:
>
>  
>
>>As an alternative, I've used the ldap/netgroup integration for many 
>>years and it seems the cleanest way of doing it when used in 
>>conjunction with pam's access.conf. It allows me to push the same 
>>/etc/passwd and /etc/security/access.conf to all machines on the 
>>network via something like CFEngine.
>>
>>The access.conf consists of something like (allow all QA users access 
>>to QA systems):
>>+ : @QA@@QAServers : ALL
>>
>>Then I just add or remove the user or machine in the ldap netgroup 
>>entry. The real power with using ldap based netgroups is when you 
>>realize all of the services that can consume netgroup information, 
>>unlike the simple user based host attribute. For example, you can push
>>    
>>
>
>  
>
>>a global /etc/sudoers and specify certain groups of users can run 
>>certain commands on particular groups of machines all on one line.
>>CFEngine itself can query netgroups to know what config files to push,
>>    
>>
>
>  
>
>>tools like dsh (distributed ssh) can use netgroups as machine targets 
>>for commands, etc. I've administered some very large networks of 
>>machines with these tools and it makes it very easy to control.
>>
>>Dan-
>>
>>Jason Hane wrote:
>>
>>    
>>
>>>I had a similar question a few weeks ago.  I wanted to be able to 
>>>assign a list of users access to only a specific number of computers.
>>>      
>>>
>
>  
>
>>>This is the response I got from Gary Tay:
>>>
>>>FDS is very similar to SUN ONE DS5.2, I think netgroup (+ at netgroupXXX
>>>      
>>>
>
>  
>
>>>in /etc/passwd and /etc/shadow and "compat" keyword in 
>>>/etc/nsswitch.conf) LDAP maps could be setup to achieve what you 
>>>want, it has been used by many DS5.2 administrators
>>>
>>>See:
>>>http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20O
>>>pen LDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>>>Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native 
>>>LDAP Clients (i.e. controlling user access to host using netgroup 
>>>LDAP maps)
>>>
>>>Also see:
>>>http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=2238
>>>46#
>>>223846
>>>Configuring LDAP netgroups
>>>Gary
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
>>>Michael Montgomery
>>>Sent: Tuesday, January 03, 2006 1:35 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap 
>>>logins.
>>>
>>>Thanks for the response.  I'll read up on this, and see if I can get 
>>>this working.
>>>
>>>On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>> 
>>>
>>>      
>>>
>>>>Michael Montgomery wrote:
>>>>
>>>>  
>>>>
>>>>        
>>>>
>>>>>I do agree that this is closer to what I'm looking for, but the 
>>>>>first
>>>>>    
>>>>>          
>>>>>
>>> 
>>>
>>>      
>>>
>>>>>problem I see is that I wanted to allow Groups of people to login 
>>>>>to Groups of servers like:
>>>>>
>>>>>cn=www,ou=Group,dc=example,dc=com  is a group of www servers.
>>>>>cn=Unix,ou=Group,dc=example,dc=com  is a group of Unix users.
>>>>>
>>>>>So basically, on the people in the Unix group, can login to the www
>>>>>          
>>>>>
>
>  
>
>>>>>servers, and so forth.
>>>>>
>>>>>
>>>>>    
>>>>>          
>>>>>
>>>>Right.  The host attribute is per user.  You could set up a Roles 
>>>>for your users, and use Class of Service to automatically add the 
>>>>host attribute to the role members.
>>>>  
>>>>        
>>>>
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>> 
>>>
>>>      
>>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>    
>>
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>