Howard Chu wrote:
Howard Chu wrote:
John Kane wrote:
Sorry to jump in the middle of this thread, but the nssov overlay sounds
very useful, something I would like to take advantage of, but I cannot seem to find any documentation on it. How long has this been available (what release), and where might I find more info?
It has not been released yet.
Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but it only had NSS support. The PAM support is currently only in CVS.
You can check out the current code from CVS in contrib/slapd-modules/nssov. You can browse it online here:
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
The README and slapo-nssov.5 manpage will give you a better idea of what it does.
And fyi, here's an example... For a given host:
dn: cn=hostX,ou=hosts,dc=example,dc=com objectClass: ipHost objectClass: authorizedServiceObject cn: hostX ipHostNumber: 192.168.1.127 authorizedService: sshd authorizedService: ftp
you use the authorizedService attribute to list the PAM services that are available. Then you set ACLs to control who can access each service, like so:
access to dn.subtree=ou=hosts,dc=example,dc=com attrs=authorizedService val.exact=sshd by group.exact="cn=admins,ou=groups,dc=example,dc=com" write by peername.ip=192.168.2.0%255.255.255.0 read by * search
The overlay performs a Compare operation to check for the required service, so if you deny Compare access to a particular service, then users aren't allowed to use that service.