Sorry to jump in the middle of this thread, but the nssov overlay sounds very useful, something I would like to take advantage of, but I cannot seem to find any documentation on it. How long has this been available (what release), and where might I find more info?
Thanks, John
-----Original Message----- From: openldap-technical- bounces+john.kane=prodeasystems.com@OpenLDAP.org [mailto:openldap- technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org] On Behalf Of Howard Chu Sent: Tuesday, May 19, 2009 8:19 PM To: Gavin Henry Cc: Per Kristiansen; openldap-technical@openldap.org Subject: Re: Host based authentication using OpenLDAP
Gavin Henry wrote:
----- "Per Kristiansen"perk@funcom.com wrote:
Hello, I've been working on implementing a LDAP solution for the
last
8 months (in-between task, you know how it is :D )
Time flies!
I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)
Excellent work, well done!
But now I wanna get fancy..
I've been googeling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.
It sounds to me like you are almost here and just need help creating
the LDAP groups, ACLs
and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?
ACLs for nss_ldap is not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified.