RE: Host based authentication using OpenLDAP

-----Original Message----- From: openldap-technical- bounces+john.kane=prodeasystems.com(a)OpenLDAP.org [mailto:openldap- technical-bounces+john.kane=prodeasystems.com(a)OpenLDAP.org] On Behalf Of Howard Chu Sent: Tuesday, May 19, 2009 8:19 PM To: Gavin Henry Cc: Per Kristiansen; openldap-technical(a)openldap.org Subject: Re: Host based authentication using OpenLDAP Gavin Henry wrote: > > ----- "Per Kristiansen"<perk(a)funcom.com> wrote: > >> Hello, I've been working on implementing a LDAP solution for the last >> 8 >> months (in-between task, you know how it is :D ) > > Time flies! > >> I now have a working LDAP directory, have all my users imported, >> things >> actually work! :D..(jinx!) > > Excellent work, well done! > >> But now I wanna get fancy.. >> >> I've been googeling for some sort of clear description on how I can >> set >> up a system using groups of hosts and user groups to create a >> selective >> ACL for ssh'ing to a set of servers based on group membership. >> > > It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs > and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos? ACLs for nss_ldap is not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/