Gavin Henry wrote:
> ----- "Per Kristiansen" <perk(a)funcom.com> wrote:
> > Hello, I've been working on implementing a LDAP solution for the last
> > 8 months (in-between task, you know how it is :D )
> Time flies!
> > I now have a working LDAP directory, have all my users imported, things
> > actually work! :D..(jinx!)
> Excellent work, well done!
> > But now I wanna get fancy..
> >
> > I've been googling for some sort of clear description on how I can set
> > up a system using groups of hosts and user groups to create a selective
> > ACL for ssh'ing to a set of servers based on group membership.
> >
> It sounds to me like you are almost there and just need help creating the
> LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on RHEL 4/5
> and CentOS?
ACLs for nss_ldap are not the way to handle this. It needs to be done in the
PAM account management handlers, and pam_ldap's support for that is pretty
weak. In particular, it doesn't support centrally configuring access to
services on groups of hosts. The PAM support in nssov is a lot better in this
area and can do what the original poster wants; I just haven't written an
example ACL for this feature in the docs yet.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
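As an added illustration (not code from this thread, and not the configuration syntax of nssov, pam_ldap or OpenLDAP), the following Python model shows the shape of the policy Per is after, evaluated the way a PAM account-management hook would have to evaluate it: resolve the user and the host, collect the groups each belongs to, and look for a rule entry in the directory that joins one of the user's groups to one of the host's groups for the requested service. The directory contents are constructed sample data, and the rule entries (objectClass accessRule with userGroup/hostGroup attributes) are a hypothetical schema chosen for the example; authorizedService is borrowed from the usual ldapns-style attribute name but nothing here depends on that schema. The escaping helper is the practical caveat: whatever substitutes the PAM-supplied username or hostname into a search filter must escape it, or "x)(uid=root" changes the meaning of the search.

```python
"""Model of a group-of-users x group-of-hosts SSH access policy in LDAP.

Added illustration, not code from the thread or from nssov/pam_ldap. The
directory below is constructed sample data; accessRule, userGroup and
hostGroup are a hypothetical schema assumed for this example.
"""
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Constructed sample directory: dn -> attributes (every value is a list, as in
# LDAP). Users and hosts are members of plain groupOfNames entries; each rule
# entry binds one user group to one host group for one PAM service name.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=web01,ou=hosts,dc=example,dc=com": {"objectClass": ["device"], "cn": ["web01"]},
    "cn=db01,ou=hosts,dc=example,dc=com": {"objectClass": ["device"], "cn": ["db01"]},
    "cn=web-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=dba,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["uid=bob,ou=people,dc=example,dc=com"]},
    "cn=web-servers,ou=hostgroups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["cn=web01,ou=hosts,dc=example,dc=com"]},
    "cn=db-servers,ou=hostgroups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "member": ["cn=db01,ou=hosts,dc=example,dc=com"]},
    # Hypothetical access-rule entries (schema assumed for this example).
    "cn=web-admins-ssh-web,ou=access,dc=example,dc=com": {
        "objectClass": ["accessRule"], "authorizedService": ["sshd"],
        "userGroup": ["cn=web-admins,ou=groups,dc=example,dc=com"],
        "hostGroup": ["cn=web-servers,ou=hostgroups,dc=example,dc=com"]},
    "cn=dba-ssh-db,ou=access,dc=example,dc=com": {
        "objectClass": ["accessRule"], "authorizedService": ["sshd"],
        "userGroup": ["cn=dba,ou=groups,dc=example,dc=com"],
        "hostGroup": ["cn=db-servers,ou=hostgroups,dc=example,dc=com"]},
}


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515: backslash, *, (, ) and NUL
    become \\xx hex escapes, so a PAM-supplied name matches literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def find_dn(object_class: str, attr: str, value: str) -> str:
    """DN of the entry with the given objectClass and attribute value, or ''."""
    for dn, entry in DIRECTORY.items():
        if object_class in entry.get("objectClass", []) and value in entry.get(attr, []):
            return dn
    return ""


def groups_of(member_dn: str) -> Set[str]:
    """DNs of every groupOfNames that lists member_dn as a member."""
    return {dn for dn, e in DIRECTORY.items()
            if "groupOfNames" in e.get("objectClass", []) and member_dn in e.get("member", [])}


def user_lookup_filter(uid: str) -> str:
    """First search an account hook issues: the user entry, uid escaped."""
    return "(&(objectClass=posixAccount)(uid=%s))" % ldap_escape(uid)


def authz_filter(user_groups: Set[str], host_groups: Set[str], service: str) -> str:
    """Filter that finds any rule joining one of the user's groups to one of the
    host's groups for this service. Empty group sets mean nothing can match,
    so no search is issued (empty string) and the caller denies."""
    if not user_groups or not host_groups:
        return ""
    def any_of(attr: str, values: Set[str]) -> str:
        return "(|%s)" % "".join("(%s=%s)" % (attr, ldap_escape(v)) for v in sorted(values))
    return "(&(objectClass=accessRule)(authorizedService=%s)%s%s)" % (
        ldap_escape(service), any_of("userGroup", user_groups), any_of("hostGroup", host_groups))


def is_authorized(uid: str, hostname: str, service: str) -> bool:
    """Evaluate the policy directly against the sample directory: default deny
    for unknown users or hosts and for anyone in no matching rule."""
    user_dn = find_dn("posixAccount", "uid", uid)
    host_dn = find_dn("device", "cn", hostname)
    if not user_dn or not host_dn:
        return False
    ugroups, hgroups = groups_of(user_dn), groups_of(host_dn)
    for entry in DIRECTORY.values():
        if "accessRule" not in entry.get("objectClass", []):
            continue
        if (service in entry.get("authorizedService", [])
                and ugroups & set(entry.get("userGroup", []))
                and hgroups & set(entry.get("hostGroup", []))):
            return True
    return False


if __name__ == "__main__":
    for uid, host in (("alice", "web01"), ("alice", "db01"), ("bob", "db01")):
        print(uid, host, "allow" if is_authorized(uid, host, "sshd") else "deny")
```

The point of keeping the rule entries in the directory rather than in each host's PAM configuration is the one Howard makes above: the decision is taken centrally against group membership, so granting a team access to a new class of servers is a directory change, not a change on every host. The evaluation here is done in Python for clarity; in a real deployment the account-management module would issue the equivalent filter to the directory.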