Hi gang!
I'm looking for some guidance in what is most probably a very common objective. Which is to manage all authentication to network hosts from slapd. To begin, my goal is to have:
1. one machine (generically-configured LDAP client) running sshd (10.153.107.100)
2. multiple LDAP users
3. specify, from slapd, that only one user (tony) can log in over ssh to the machine
Surprisingly, I have not found much documentation on this stuff beyond the slapo-nssov man page. Anyway, I have some LDIF entries ready to go but I'm feeling very uneasy about dumping them in and hoping for the best. I would rather learn more about how this all works together and hopefully get some pointers/gotchas from others who have done this before. That's why I'm writing this email. In particular, at this point I only want the bare necessities to achieve my simple goal specified above.
My slapd server has the nis and ldapns schemas configured and the client machine has libnss-ldapd (applied to group and passwd services) and libpam-ldapd. All systems are running Ubuntu 11.10. I have manually disabled nslcd on the Ubuntu client machine (sudo update-rc.d nslcd disable).
These are the entries I have so far:
for slapd-config:
# NSSOV
dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: nssov
olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: group ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: hosts ldap:///ou=People,dc=example,dc=com??one
olcNssPam: hostservice uid2dn
olcNssPamSession: sshd
# ACL
dn: olcDatabase={1}hdb,cn=config
olcAccess: to attrs=userPassword by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * none
olcAccess: to * by self write by * read
olcAccess: to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com attrs=authorizedService by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare by * read
==================
The sshd host, user & group entries from my regular hdb-based DIT:
# NSSOV HOST and USER
dn: cn=host1.example.com,ou=Hosts,dc=example,dc=com
objectClass: device
objectClass: top
objectClass: ipHost
objectClass: authorizedServiceObject
cn: host1.example.com
ipHostNumber: 10.153.107.100
authorizedService: sshd
dn: cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ssh-host1-server_access
gidNumber: 6000
dn: uid=tony,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tony
cn: Tony Doe
uidNumber: 11000
gidNumber: 6000
userPassword: tonyldap
loginShell: /bin/bash
homeDirectory: /home/tony
===================
Anyone?
Thanks in advance,
Peter
ptw wrote:
Hi gang!
I'm looking for some guidance in what is most probably a very common objective. Which is to manage all authentication to network hosts from slapd. To begin, my goal is to have:
1. one machine (generically-configured LDAP client) running sshd (10.153.107.100)
2. multiple LDAP users
3. specify, from slapd, that only one user (tony) can log in over ssh to the machine
Surprisingly, I have not found much documentation on this stuff beyond the slapo-nssov man page.
The man page contains everything you need to know. You just need to pay attention to the details.
These are the entries I have so far:
for slapd-config:
# NSSOV
dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: nssov
olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: group ldap:///ou=People,dc=example,dc=com??one
ou=People is obviously wrong there.
olcNssSsd: hosts ldap:///ou=People,dc=example,dc=com??one
ou=People is obviously wrong there too.
olcNssPam: hostservice uid2dn
olcNssPamSession: sshd
# ACL
dn: olcDatabase={1}hdb,cn=config
olcAccess: to attrs=userPassword by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * none
olcAccess: to * by self write by * read
olcAccess: to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com attrs=authorizedservice by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare by * read
This ACL will never be seen/used since it comes after access "to *".
==================
The sshd host, user & group entries from my regular hdb-based DIT:
# NSSOV HOST and USER
dn: cn=host1.example.com,ou=Hosts,dc=example,dc=com
objectClass: device
objectClass: top
objectClass: ipHost
objectClass: authorizedServiceObject
cn: host1.example.com
ipHostNumber: 10.153.107.100
authorizedService: sshd
dn: cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: ssh-host1-server_access
gidNumber: 6000
dn: uid=tony,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: tony
cn: Tony Doe
uidNumber: 11000
gidNumber: 6000
userPassword: tonyldap
loginShell: /bin/bash
homeDirectory: /home/tony
===================
Anyone?
Thanks in advance,
Peter
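As an added illustration for this thread (not code from Peter's post or from the OpenLDAP project), the following Python script reads a cn=config LDIF fragment like the one above and flags both problems the reply points out: an olcAccess clause that sits after an unrestricted "to *" (slapd evaluates olcAccess clauses in order and uses the first one whose <what> matches, so nothing after a bare "to *" is ever consulted), and an olcNssSsd map whose search base does not start with the container one would expect for that map. The expected containers (ou=People for passwd, ou=Groups for group, ou=Hosts for hosts) are an assumption taken from the DIT layout in the post; the embedded LDIF is a constructed copy of the posted entries, and the script never connects to a directory.

```python
"""Spot two common nssov / cn=config mistakes in a slapd LDIF fragment.

Added example for this thread; it is not code from the original post or from
OpenLDAP. It only parses LDIF text offline and never talks to a directory.
"""
import re

# Constructed sample: the overlay and ACL entries from the post, one attribute
# per line, with the ordering and search bases exactly as posted.
SAMPLE_LDIF = """\
dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: nssov
olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: group ldap:///ou=People,dc=example,dc=com??one
olcNssSsd: hosts ldap:///ou=People,dc=example,dc=com??one
olcNssPam: hostservice uid2dn
olcNssPamSession: sshd

dn: olcDatabase={1}hdb,cn=config
olcAccess: to attrs=userPassword by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * none
olcAccess: to * by self write by * read
olcAccess: to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com attrs=authorizedService by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare by * read
"""

# Assumption (from the DIT layout in the post): which container each NSS map
# should search. Adjust to your own tree.
EXPECTED_BASE = {"passwd": "ou=People", "group": "ou=Groups", "hosts": "ou=Hosts"}


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...], joining LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines:
        if not line.strip():                   # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def unreachable_acls(acls):
    """1-based positions of olcAccess clauses that follow an unrestricted 'to *'.

    slapd walks the olcAccess list in order and applies the first clause whose
    <what> matches the request; a bare 'to *' matches everything, so every
    clause after it is dead configuration.
    """
    dead, catch_all_seen = [], False
    for pos, clause in enumerate(acls, 1):
        if catch_all_seen:
            dead.append(pos)
        elif re.match(r"to\s+\*\s+by\b", clause.strip()):
            catch_all_seen = True
    return dead


def suspicious_ssd_maps(ssd_values, expected=EXPECTED_BASE):
    """(map, base) pairs whose search base does not start with the expected container."""
    bad = []
    for value in ssd_values:
        svc, _, uri = value.strip().partition(" ")
        base = uri.strip().split("?", 1)[0]    # drop attrs/scope/filter parts of the URL
        if base.startswith("ldap:///"):
            base = base[len("ldap:///"):]
        want = expected.get(svc)
        if want is not None and base.split(",")[0].lower() != want.lower():
            bad.append((svc, base))
    return bad


def audit(ldif_text):
    """Run both checks over every entry in the fragment and return the findings."""
    findings = {"unreachable_acls": [], "suspicious_ssd": []}
    for dn, attrs in parse_ldif(ldif_text):
        acls = [v for a, v in attrs if a.lower() == "olcaccess"]
        ssds = [v for a, v in attrs if a.lower() == "olcnssssd"]
        findings["unreachable_acls"] += [(dn, pos) for pos in unreachable_acls(acls)]
        findings["suspicious_ssd"] += [(dn, svc, base) for svc, base in suspicious_ssd_maps(ssds)]
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    for dn, pos in result["unreachable_acls"]:
        print(f"{dn}: olcAccess clause #{pos} comes after 'to *' and will never be used")
    for dn, svc, base in result["suspicious_ssd"]:
        print(f"{dn}: olcNssSsd map '{svc}' searches {base}; check the container")
```

Run against the posted fragment it reports the fourth olcAccess clause on olcDatabase={1}hdb as unreachable and the group and hosts maps as searching ou=People. Moving the host-specific ACL above the "to *" clause and pointing the group and hosts maps at their own containers makes both findings disappear; the script only reads text, so it can be run on the output of slapcat -n 0 before anything is applied with ldapmodify.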
openldap-technical@openldap.org