And fyi, here's an example... For a given host:
dn: cn=hostX,ou=hosts,dc=example,dc=com objectClass: ipHost objectClass: authorizedServiceObject cn: hostX ipHostNumber: 192.168.1.127 authorizedService: sshd authorizedService: ftp
you use the authorizedService attribute to list the PAM services that are available. Then you set ACLs to control who can access each service, like so:
access to dn.subtree=ou=hosts,dc=example,dc=com attrs=authorizedService val.exact=sshd by group.exact="cn=admins,ou=groups,dc=example,dc=com" write by peername.ip=192.168.2.0%255.255.255.0 read by * search
The overlay performs a Compare operation to check for the required service, so if you deny Compare access to a particular service, then users aren't allowed to use that service.
Very nice! We did something like this for a hosting company that had users accounts with the services that the user was allowed to access and the specific apps had the appropriate filters in the authz/auth searches.
Gavin.