Howard Chu wrote:
> John Kane wrote:
>> Sorry to jump in the middle of this thread, but the nssov overlay sounds
>> very useful, something I would like to take advantage of, but I cannot seem to
>> find any documentation on it. How long has this been available (what release),
>> and where might I find more info?
>
> It has not been released yet.
Just to clarify: the nssov overlay was first released in OpenLDAP 2.4.11, but
it only had NSS support. The PAM support is currently only in CVS.
> You can check out the current code from CVS in
> contrib/slapd-modules/nssov. You can browse it online here:
>
> http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/
>
> The README and slapo-nssov.5 manpage will give you a better idea of what it does.
And FYI, here's an example... For a given host:

    dn: cn=hostX,ou=hosts,dc=example,dc=com
    objectClass: ipHost
    objectClass: authorizedServiceObject
    cn: hostX
    ipHostNumber: 192.168.1.127
    authorizedService: sshd
    authorizedService: ftp

you use the authorizedService attribute to list the PAM services that are
available. Then you set ACLs to control who can access each service, like so:

    access to dn.subtree=ou=hosts,dc=example,dc=com
        attrs=authorizedService val.exact=sshd
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by peername.ip=192.168.2.0%255.255.255.0 read
        by * search

The overlay performs a Compare operation to check for the required service, so
if you deny Compare access to a particular service, then users aren't allowed
to use that service.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/