[Fedora-directory-users] Server-Side ACLs for pam_ldap logins.

Richard Megginson rmeggins at redhat.com
Tue Jan 3 22:00:52 UTC 2006


Dan Cox wrote:

> I suppose I could put something together.. are you talking about 
> something from the ground up like setting up nss_ldap, adding entries 
> into LDAP, etc. or assume some of the prerequisites are in place?

If there is already sufficient documentation on setting up nss_ldap or 
other prerequisites, then just a pointer to that will be fine.

> Also I'm assuming some short example usages of the tools I've mentioned?

Sure.  At least on group based host access restriction, which seems to 
be the most asked for info.

>
> Dan-
>
> Jason Hane wrote:
>
>> I second that.  Dan if you can provide any resources you used to set up
>> your netgroups I would hail at your feet.  I've been playing with
>> netgroups unsuccessfully for the past month and a half and haven't been
>> able to get it to work.  All my clients are RedHat ES 3&4.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>> Megginson
>> Sent: Tuesday, January 03, 2006 4:06 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap
>> logins.
>>
>> This looks very interesting and useful.  Would you mind writing up
>> something I can post on the Fedora DS wiki?  Don't worry about
>> formatting, spelling, etc.  I can fix that up.
>>
>> Dan Cox wrote:
>>
>>> As an alternative, I've used the ldap/netgroup integration for many 
>>> years and it seems the cleanest way of doing it when used in 
>>> conjunction with pam's access.conf. It allows me to push the same 
>>> /etc/passwd and /etc/security/access.conf to all machines on the 
>>> network via something like CFEngine.
>>>
>>> The access.conf consists of something like (allow all QA users 
>>> access to QA systems):
>>> + : @QA@@QAServers : ALL
>>>
>>> Then I just add or remove the user or machine in the ldap netgroup 
>>> entry. The real power with using ldap based netgroups is when you 
>>> realize all of the services that can consume netgroup information, 
>>> unlike the simple user based host attribute. For example, you can push
>>> a global /etc/sudoers and specify certain groups of users can run 
>>> certain commands on particular groups of machines all on one line.
>>> CFEngine itself can query netgroups to know what config files to push,
>>> tools like dsh (distributed ssh) can use netgroups as machine 
>>> targets for commands, etc. I've administered some very large 
>>> networks of machines with these tools and it makes it very easy to 
>>> control.
>>>
>>> Dan-
>>>
>>> Jason Hane wrote:
>>>
>>>> I had a similar question a few weeks ago.  I wanted to be able to 
>>>> assign a list of users access to only a specific number of computers.
>>>>
>>>> This is the response I got from Gary Tay:
>>>>
>>>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX
>>>> in /etc/passwd and /etc/shadow and "compat" keyword in 
>>>> /etc/nsswitch.conf) LDAP maps could be setup to achieve what you 
>>>> want, it has been used by many DS5.2 administrators
>>>>
>>>> See:
>>>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>>>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native 
>>>> LDAP Clients (i.e. controlling user access to host using netgroup 
>>>> LDAP maps)
>>>>
>>>> Also see:
>>>> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>>>> Configuring LDAP netgroups
>>>> Gary
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces at redhat.com
>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
>>>> Michael Montgomery
>>>> Sent: Tuesday, January 03, 2006 1:35 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap 
>>>> logins.
>>>>
>>>> Thanks for the response.  I'll read up on this, and see if I can 
>>>> get this working.
>>>>
>>>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>>>
>>>>> Michael Montgomery wrote:
>>>>>
>>>>>> I do agree that this is closer to what I'm looking for, but the 
>>>>>> first problem I see is that I wanted to allow Groups of people to 
>>>>>> login to Groups of servers like:
>>>>>>
>>>>>> cn=www,ou=Group,dc=example,dc=com  is a group of www servers.
>>>>>> cn=Unix,ou=Group,dc=example,dc=com  is a group of Unix users.
>>>>>>
>>>>>> So basically, only the people in the Unix group can login to the www
>>>>>> servers, and so forth.
>>>>>
>>>>> Right.  The host attribute is per user.  You could set up Roles 
>>>>> for your users, and use Class of Service to automatically add the 
>>>>> host attribute to the role members.
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
