Gavin Henry wrote:
----- "Per Kristiansen"perk@funcom.com wrote:
Hello, I've been working on implementing a LDAP solution for the last 8 months (in-between task, you know how it is :D )
Time flies!
I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)
Excellent work, well done!
But now I wanna get fancy..
I've been googeling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.
It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos?
ACLs for nss_ldap is not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.