Sorry to jump in the middle of this thread, but the nssov overlay sounds very useful,
something I would like to take advantage of, but I cannot seem to find any documentation
on it. How long has this been available (what release), and where might I find more
technical-bounces+john.kane=prodeasystems.com(a)OpenLDAP.org] On Behalf
Of Howard Chu
Sent: Tuesday, May 19, 2009 8:19 PM
To: Gavin Henry
Cc: Per Kristiansen; openldap-technical(a)openldap.org
Subject: Re: Host based authentication using OpenLDAP
Gavin Henry wrote:
> ----- "Per Kristiansen"<perk(a)funcom.com> wrote:
>> Hello, I've been working on implementing a LDAP solution for the
>> months (in-between task, you know how it is :D )
> Time flies!
>> I now have a working LDAP directory, have all my users imported,
>> actually work! :D..(jinx!)
> Excellent work, well done!
>> But now I wanna get fancy..
>> I've been googeling for some sort of clear description on how I can
>> up a system using groups of hosts and user groups to create a
>> ACL for ssh'ing to a set of servers based on group membership.
> It sounds to me like you are almost here and just need help creating
the LDAP groups, ACLs
> and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?
ACLs for nss_ldap is not the way to handle this. It needs to be done in
PAM account management handlers, and pam_ldap's support for that is
weak. In particular, it doesn't support centrally configuring access to
services on groups of hosts. The PAM support in nssov is a lot better
area and can do what the original poster wants; I just haven't written
example ACL for this feature in the docs yet.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
This message is confidential to Prodea Systems, Inc unless otherwise indicated
or apparent from its nature. This message is directed to the intended recipient
only, who may be readily determined by the sender of this message and its
contents. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended
recipient:(a)any dissemination or copying of this message is strictly
prohibited; and(b)immediately notify the sender by return message and destroy
any copies of this message in any form(electronic, paper or otherwise) that you
have.The delivery of this message and its information is neither intended to be
nor constitutes a disclosure or waiver of any trade secrets, intellectual
property, attorney work product, or attorney-client communications. The
authority of the individual sending this message to legally bind Prodea Systems
is neither apparent nor implied,and must be independently verified.