19 Feb
2020
19 Feb
'20
10:38 a.m.
On 2/19/20 7:05 PM, Dave Macias wrote:
If trying to access via ssh you can add to sshd_config file
# you gonna want root group.... AllowGroups root blabla bla2 bla3
Yes, that's one of the client-side solutions for limiting SSH access. But you have to configure all the clients. With a decent config management that's not that hard anymore. Still you have to model the access control scheme in your config management.
Still it's much nicer to just modify LDAP entries to make an access control change without having to reconfigure the Linux client systems.
Ciao, Michael.
On Wed, Feb 19, 2020 at 1:01 PM Michael Ströder <michael@stroeder.com mailto:michael@stroeder.com> wrote:
On 2/19/20 9:55 AM, Клеусов Владимир Сергеевич wrote: > I connected ldap linux clients to the OpenLDAP server. > I need to make a certain group of users able to connect to certain > computers. How do I do this ? With most LDAP posix user management deployments you have to configure the Linux clients to query only certain user groups or configure other PAM access control or similar. My Æ-DIR (based on OpenLDAP) provides views to the Linux clients based on hosts' service group membership and the user groups referenced: https://www.ae-dir.com/docs.html#er-roles So no need to configure the clients (except bind-DN and host password). If you have many clients consider using aehostd for better search performance / less load (see https://ae-dir.com/aehostd.html). Ciao, Michael.