Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Thanks
Simone
On 10/29/12 13:23 +0100, Simone Scremin wrote:
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
On 10/29/12 09:38 -0500, Dan White wrote:
Or, if you wish to literally store 'sys0*pr*' within your host entry in ldap, your filter could be:
host=sys0*pr*
Hi Dan,
that trick would work in particular cases, but I'm not sure that it would scale in an environment with a large number of lively machines: suppose you want to change the ACL for a particular server without changing its name?
Intuitively, I would rather opt for host group management (posix or group of) within ldap?
Still, issue of which container remains.
--- Olivier
2012/10/29 Dan White dwhite@olp.net:
Dan White wrote:
The PADL pam_ldap module has no such feature. The OpenLDAP nssov overlay does.
On Oct 29, 2012, at 5:12 PM, Howard Chu hyc@symas.com wrote:
Assuming I got this correctly, this poses a constraint on the version of OpenLDAP that must be used. Starting from which version is the nssov overlay available?
Thanks
Simone Scremin
If you are using pam-ldap, then it's even easier than you think, i.e. it's included in pam-ldap:
In the LDAP directory, create entries like or similar to:
dn: uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
gidNumber: 102
homeDirectory: /home/ldap-host
host: vidigal.mydomain.com
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11146
shadowMax: 99999
shadowWarning: 7
uid: ldap-host
uidNumber: 1038
userPassword: youonlyknowit
where the important attribute is host.
Then, in the ldap.conf file, where you tell pam-ldap which LDAP parameters to use, add the following line:
pam_check_host_attr yes
Then, in the corresponding pam-ldap file, add the following two entries:
account required pam_ldap.so debug
account required pam_unix_acct.so
(Check to see if you have the respective module installed in your pam-ldap module directory.)
And then, by magic, users will be allowed only on the specified host, in this case vidigal.mydomain.com.
suomi
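As an added illustration (not code from the thread, from pam_ldap, nssov or OpenLDAP), this Python script models the two styles discussed: the substring filter Dan proposes, evaluated with LDAP's `*`-only wildcard semantics and RFC 4515 escaping, and the verbatim host-attribute check that anax's `pam_check_host_attr yes` setup performs. The entries and host names are constructed, and case-insensitive matching for the host attribute is an assumption.

```python
# Constructed entries (attribute -> values), in the spirit of anax's LDIF.
ENTRIES = {
    "uid=bob": {"host": ["sys01pra", "sys02pre"]},        # explicit host list
    "uid=ldap-host": {"host": ["vidigal.mydomain.com"]},  # anax's single host
    "uid=wild": {"host": ["sys0*pr*"]},                   # Dan's literal '*' value
}
CANDIDATE_HOSTS = ["sys01pra", "sys02pre", "sys03pra", "sys03pre", "sys10pra", "db01pra"]

def escape_filter_value(value):
    """RFC 4515 escaping so '*', '(', ')', '\\' and NUL match literally."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def _split_pattern(pattern):
    """Split an assertion value on unescaped '*'; decode '\\XX' hex escapes."""
    parts, cur, i = [], "", 0
    while i < len(pattern):
        if pattern[i] == "*":
            parts.append(cur)
            cur = ""
        elif pattern[i] == "\\" and i + 2 < len(pattern):
            cur += chr(int(pattern[i + 1:i + 3], 16))
            i += 2
        else:
            cur += pattern[i]
        i += 1
    return parts + [cur]

def ldap_substring_match(pattern, value):
    """Server-side semantics of 'host=pattern': '*' is the only wildcard (no regex);
    case is ignored, as the host attribute's caseIgnoreIA5 rules do (assumed)."""
    parts, value = _split_pattern(pattern.lower()), value.lower()
    if len(parts) == 1:                       # plain equality assertion
        return parts[0] == value
    initial, final, anys = parts[0], parts[-1], [p for p in parts[1:-1] if p]
    if len(value) < len(initial) + len(final) or not (value.startswith(initial) and value.endswith(final)):
        return False
    pos, end = len(initial), len(value) - len(final)
    for piece in anys:                        # each middle piece, in order, between the ends
        pos = value.find(piece, pos, end)
        if pos < 0:
            return False
        pos += len(piece)
    return True

def host_attr_allows(entry, hostname):
    """anax's pam_check_host_attr style: the host's own name must appear verbatim
    among the host values; a stored 'sys0*pr*' is not expanded (Simone's point)."""
    return hostname.lower() in (v.lower() for v in entry.get("host", []))
```

Running `ldap_substring_match("sys0*pr*", h)` over CANDIDATE_HOSTS selects exactly the four hosts from Simone's example, while `host_attr_allows(ENTRIES["uid=wild"], "sys01pra")` is false because the literal wildcard value is never expanded.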
And this is clear. This is the basic host-based authentication using pam-ldap.
From what I know, however, it's not possible to set a regex as the value of the host attribute, which is my requirement.
See the previous mail with the relevant example about the regex for the hostnames. Am I wrong?
Thank you
Simone
On Oct 29, 2012, at 5:26 PM, anax anax@ayni.com wrote:
openldap-technical@openldap.org