Hi,
I want to restrict login access to some selected client nodes (by default, openldap allows user access to all client nodes). I have googled for this and tried many different configurations like the host attribute, hostObject class etc., but failed to get the required result.
On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister whm@stanford.edu wrote:
--On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil <jayavant.patil82@gmail.com> wrote:
Hi,
I am using openldap-2.4.19-4 on fedora 12 machine. My question is as follows:
How to restrict a user access to some client nodes?
Please, explain in detail.
It is not clear what you want to do. You need to provide more details before you will get the answer that you want.
For example, if you just want to restrict access to the directory from some nodes, why not use iptables.
If you are talking about restricting login access to some linux nodes using PAM, this is probably a better question for a PAM list. Of course, there will be folks on this list that can answer that question as well, but not without knowing what you are storing in your directory.
Bill
--
Bill MacAllister Infrastructure Delivery Group, Stanford University
Hi,
I am just storing the user related information in the directory. e.g. My .ldif file contents are as follows:
dn: uid=ldap_5,ou=People,dc=dc,dc=com
uid: ldap_5
cn: ldap_5
sn: ldap_5
mail: ldap_5@dc.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13998
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 513
gidNumber: 513
homeDirectory: /lustre/home/ldap_5
--
Thanks & Regards, Jayavant Ningoji Patil +91 9923536030.
On Monday, 21 November 2011 09:00:23 Jayavant Patil wrote:
Hi,
I am just storing the user related information in the directory. e.g. My .ldif file contents are as follows:
dn: uid=ldap_5,ou=People,dc=dc,dc=com
uid: ldap_5
cn: ldap_5
sn: ldap_5
mail: ldap_5@dc.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13998
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 513
gidNumber: 513
homeDirectory: /lustre/home/ldap_5
One method would be to add the hostObject objectclass, from ldapns.schema (shipped with pam_ldap source), and add a host attribute with the 'hostname' of the host for each host the user should be allowed to log in to, and set 'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').
Of course, this depends on which pam module you are using, and there are other options.
Regards, Buchan
On Mon, Nov 21, 2011 at 1:34 PM Buchan Milne bgmilne@staff.telkomsa.net wrote:
One method would be to add the hostObject objectclass, from ldapns.schema (shipped with pam_ldap source), and add a host attribute with the 'hostname' of the host for each host the user should be allowed to log in to, and set 'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').
Of course, this depends on which pam module you are using, and there are other options.
I tried installing the pam_ldap module and configuring the ldap.conf file, but it is still allowing access to the hosts not mentioned in the host attribute. All the user information is available on a client node not specified in the host attribute of that user (checked by firing $getent passwd).
What is desired is that on such client nodes (not specified in the host attribute of <user-name>), $su <user-name> should show *su: <user-name> does not exist*.
Which of the services in /etc/pam.d need to be modified for proper user authorization?
--
Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.
Hi,
I got the desired solution. Thanks Buchan !!!
My next query is as follows:
Suppose we have 1000 hosts and we want to give 'user1' access to 999 hosts (with 1 restricted host). Then, in such a case, we need to specify all 999 permitted host names in the .ldif file.
There are wildcards: '*' stands for all hosts and '!' stands for excluding a host, e.g.
1. host: * will allow access to all client nodes.
2. host: !n1000 will not allow access to the n1000 client node.
In the above mentioned scenario, when I specify the following it doesn't work:
host: *
host: !n1000
It will allow access to all 1000 hosts.
When I specify the following:
host: *,!n1000
It is restricting access to all 1000 hosts.
Does anybody know how to use these wildcards (*, !) to get the desired solution?
On Tuesday, 22 November 2011 13:35:22 Jayavant Patil wrote:
I got the desired solution. Thanks Buchan !!!
My next query is as follows:
Suppose we have 1000 hosts and we want to give 'user1' access to 999 hosts (with 1 restricted host). Then, in such a case, we need to specify all 999 permitted host names in the .ldif file.
There are wildcards: '*' stands for all hosts and '!' stands for excluding a host, e.g.
- host: *
will allow access to all client nodes.
- host: !n1000
will not allow access to the n1000 client node.
In the above mentioned scenario, when I specify the following it doesn't work:
host: *
host: !n1000
It will allow access to all 1000 hosts.
What is the output of 'hostname' for the host you have indicated here as 'n1000'?
Also, have you tested the case of only allowing access to this host, using:
host: n1000
(and no other host entries)
When I specify the following:
host: *,!n1000
I don't think this is correct.
It is restricting access to all 1000 hosts.
Does anybody know how to use these wildcards (*, !) to get the desired solution?
From my brief look at the source, the first example you have in (2) above should work, assuming the hostname you have used is correct.
Regards, Buchan
On Wed, Nov 23, 2011 at 7:18 PM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday, 22 November 2011 13:35:22 Jayavant Patil wrote:
I got the desired solution. Thanks Buchan !!!
My next query is as follows:
Suppose we have 1000 hosts and we want to give 'user1' access to 999 hosts (with 1 restricted host). Then, in such a case, we need to specify all 999 permitted host names in the .ldif file.
There are wildcards: '*' stands for all hosts and '!' stands for excluding a host, e.g.
host: *
will allow access to all client nodes.
host: !n1000
will not allow access to the n1000 client node.
In the above mentioned scenario, when I specify the following it doesn't work:
host: *
host: !n1000
It will allow access to all 1000 hosts.
What is the output of 'hostname' for the host you have indicated here as 'n1000'?
Also, have you tested the case of only allowing access to this host, using:
host: n1000
(and no other host entries)
Yes, this is working (just a single host entry, i.e. host: n1000 or host: * or host: !n1000). Still my question is how do I use the two host entries as specified in scenarios (1) and (2) above in order to restrict access to the n1000 client node while allowing access to all other 999 client nodes without specifying hostnames for these 999 hosts?
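As an added example (not code from this thread, from pam_ldap or from OpenLDAP), a small Python model of the host-attribute check Buchan describes, using the wildcard semantics the poster wants: '*' allows every host, '!name' excludes one host and wins over '*', and a user with no matching value looks absent on that node. The directory contents, user names and hostnames below are constructed; the LDIF helper only builds the modify that adds hostObject and host values to an existing entry.

```python
"""Model of the 'host' attribute login check discussed in the thread.

Assumed semantics (a model, not pam_ldap's own code): each 'host' value is an
exact hostname, '*' (every host) or '!name' (exclusion), and an exclusion wins
over any allow. The directory contents below are constructed sample data.
"""
from typing import Dict, List, Optional

# Constructed sample directory: uid -> values of the multi-valued 'host' attribute.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    "ldap_5": ["n1", "n2"],      # explicit allow list
    "user1": ["*", "!n1000"],    # the two-value form from the thread
    "user2": ["*,!n1000"],       # the single comma-joined value from the thread
    "user3": [],                 # hostObject present but no host values
}


def host_allowed(hostname: str, host_values: List[str]) -> bool:
    """True if a user carrying these 'host' values may log in on hostname."""
    allowed = False
    for value in host_values:
        value = value.strip()
        if value.startswith("!"):
            if value[1:] == hostname:
                return False          # explicit exclusion always wins
        elif value == "*" or value == hostname:
            allowed = True
        # Any other value (including '*,!n1000' as one string) matches no
        # hostname, so such a user is denied everywhere, as the thread reports.
    return allowed


def lookup_user(uid: str, hostname: str,
                directory: Dict[str, List[str]] = SAMPLE_DIRECTORY) -> Optional[str]:
    """What the poster wants from 'getent passwd' / 'su' on a client node:
    the uid when authorized there, None when the user should look absent."""
    values = directory.get(uid)
    if values is None or not host_allowed(hostname, values):
        return None
    return uid


def hostobject_ldif(uid: str, base: str, hosts: List[str]) -> str:
    """LDIF modify adding hostObject and host values to an existing user entry
    (the change Buchan recommends; ldapns.schema must already be loaded)."""
    lines = [f"dn: uid={uid},ou=People,{base}", "changetype: modify",
             "add: objectClass", "objectClass: hostObject", "-", "add: host"]
    lines += [f"host: {h}" for h in hosts]
    return "\n".join(lines) + "\n"
```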
--On Monday, November 21, 2011 12:05:18 PM +0530 Jayavant Patil jayavant.patil82@gmail.com wrote:
Hi,
I want to restrict login access to some selected client nodes (by default, openldap allows user access to all client nodes).
OpenLDAP alone does not restrict login access to nodes. It can be configured to hold information used by other software to restrict access to nodes. Generally pam_ldap or pam-ldapd is used to control access to individual nodes. Both packages have documentation and well commented configuration files. You should look there first.
I have googled for this, tried many different configurations like host attribute,hostObject class etc. but failed to get the required.
Okay, it is still unclear what you have tried. You mean you populated your directory with some data. That is fine, but it is not the OpenLDAP LDAP server that will restrict access. Rather, if you configure your PAM stack correctly it will read the information that you have stored in the directory and use that to control access to your systems.
Note, there are many controls that you can use to get to where you want. For example, you can configure the ACLs on your LDAP server to not release information to some hosts using IP based access control entries. Or you can put your users in a group in the directory and configure pam_ldap to only allow members of the group to login. There are lots of other possible configurations depending on what works best for you.
Bill
P.S. Top posting makes message streams like this a lot harder to read.
openldap-technical@openldap.org