Howard Chu wrote:
ACLs for nss_ldap is not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.
Ahh... how far would you say this is from being mature enough to run in a production environment?
I've just read the README and finished uncurling from my fetus-like position afterwards (thanks for helping me keep Alzheimer's at bay btw :) ) and yes this sounds very much like what I want.
Right now I'm writing a few scripts to create the ACLs using the existing setup. Not NEARLY as smooth as what I want but at least it will allow me to roll out LDAP for authentication now.
The goal here is to have ONE place where we set these things, and of course to give me more time to think about stuff instead of actually doing stuff :).
I will be trying to set up nssov on my test farm over the weekend, so I might just possibly be whining here later for some help :)