----- "Howard Chu" hyc@symas.com wrote:
Gavin Henry wrote:
----- "Per Kristiansen" perk@funcom.com wrote:
Hello, I've been working on implementing an LDAP solution for the last 8 months (in-between task, you know how it is :D )
Time flies!
I now have a working LDAP directory, have all my users imported, and things actually work! :D ..(jinx!)
Excellent work, well done!
But now I want to get fancy...
I've been googling for some sort of clear description of how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.
It sounds to me like you are almost there and just need help creating the LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on RHEL 4/5 and CentOS?
ACLs for nss_ldap are not the way to handle this. It needs to be done in the PAM account management handlers, and pam_ldap's support for that is pretty weak. In particular, it doesn't support centrally configuring access to services on groups of hosts. The PAM support in nssov is a lot better in this area and can do what the original poster wants; I just haven't written an example ACL for this feature in the docs yet.
OK. My line of thinking was to create dynamic service and host groups and create simple group ACLs for that. These groups would go in the nss config on specific hosts using something like puppet to manage the 60-80 hosts.
I've not looked at nssov so couldn't comment, other than doing the start of a man page for you, Howard.
Thanks.
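As an added illustration of the decision being discussed above (this is example code written for this page, not nssov, pam_ldap or any OpenLDAP code): a small evaluator over constructed LDIF that models user groups and host groups as ordinary groupOfNames entries, plus hypothetical rule objects (objectClass sshAccessRule with attributes sshAllowService, sshAllowHostGroup and sshAllowUserGroup, all invented here) that tie a service to one host group and one user group. Whether that check runs in a PAM account-management handler, as Howard says it should, or somewhere else, the decision it has to make is the same: default deny, and allow only when some rule names the requested service, a group that contains the host, and a group that contains the user.

```python
"""Group-of-hosts / group-of-users access decision, as an added example.

Not nssov's or pam_ldap's code.  The LDIF below is constructed for this
example; the sshAccessRule objectClass and its sshAllow* attributes are
hypothetical names chosen for illustration only.
"""

# Constructed sample directory content.  Only the group and rule entries
# are needed for the decision; the uid=... and cn=...,ou=hosts DNs they
# refer to are assumed to exist as ordinary user and host entries.
SAMPLE_LDIF = """\
dn: cn=webadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=dbadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=webservers,ou=hostgroups,dc=example,dc=com
objectClass: groupOfNames
member: cn=web01,ou=hosts,dc=example,dc=com
member: cn=web02,ou=hosts,dc=example,dc=com

dn: cn=dbservers,ou=hostgroups,dc=example,dc=com
objectClass: groupOfNames
member: cn=db01,ou=hosts,dc=example,dc=com

dn: cn=ssh-web,ou=access,dc=example,dc=com
objectClass: sshAccessRule
sshAllowService: sshd
sshAllowHostGroup: cn=webservers,ou=hostgroups,dc=example,dc=com
sshAllowUserGroup: cn=webadmins,ou=groups,dc=example,dc=com

dn: cn=ssh-db,ou=access,dc=example,dc=com
objectClass: sshAccessRule
sshAllowService: sshd
sshAllowHostGroup: cn=dbservers,ou=hostgroups,dc=example,dc=com
sshAllowUserGroup: cn=dbadmins,ou=groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse simple single-line-attribute LDIF into {dn: {attr: [values]}}.

    Attribute names and DNs are lower-cased so comparisons below are
    case-insensitive (a rough stand-in for LDAP's DN matching rules)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries[entry["dn"][0].lower()] = entry
    return entries


def groups_containing(entries, member_dn):
    """Return the set of groupOfNames DNs that list member_dn as a member."""
    member_dn = member_dn.lower()
    return {
        dn for dn, e in entries.items()
        if "groupofnames" in map(str.lower, e.get("objectclass", []))
        and member_dn in (m.lower() for m in e.get("member", []))
    }


def may_access(entries, user_dn, host_dn, service):
    """Default-deny: True only if some rule matches the service, a host group
    containing host_dn, and a user group containing user_dn."""
    user_groups = groups_containing(entries, user_dn)
    host_groups = groups_containing(entries, host_dn)
    for e in entries.values():
        if "sshaccessrule" not in map(str.lower, e.get("objectclass", [])):
            continue
        if service not in e.get("sshallowservice", []):
            continue
        allowed_hosts = set(map(str.lower, e.get("sshallowhostgroup", [])))
        allowed_users = set(map(str.lower, e.get("sshallowusergroup", [])))
        if allowed_hosts & host_groups and allowed_users & user_groups:
            return True
    return False


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    for user, host in [(alice, "cn=web01,ou=hosts,dc=example,dc=com"),
                       (alice, "cn=db01,ou=hosts,dc=example,dc=com"),
                       (bob, "cn=db01,ou=hosts,dc=example,dc=com")]:
        print(user, "->", host, "sshd:", may_access(ENTRIES, user, host, "sshd"))
```

The point of splitting the data this way is that adding a host to a fleet is one `member` value on a host group, and granting a team access to that fleet is one rule entry, with no per-host configuration to push out; the same rule set can then be evaluated centrally rather than copied into each host's nss or pam configuration.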