Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Thanks
Simone
On 10/29/12 13:23 +0100, Simone Scremin wrote:
Hi all,
I'm in the process of learning the OpenLDAP authentication mechanics.
I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
On 10/29/12 09:38 -0500, Dan White wrote:
On 10/29/12 13:23 +0100, Simone Scremin wrote:
Hi all,
I'm in the process of learning the OpenLDAP authentication mechanics.
I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
Or, if you wish to literally store 'sys0*pr*' within your host entry in ldap, your filter could be:
host=sys0*pr*
Dan White wrote:
On 10/29/12 13:23 +0100, Simone Scremin wrote:
Hi all,
I'm in the process of learning the OpenLDAP authentication mechanics.
I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
The PADL pam_ldap module has no such feature. The OpenLDAP nssov overlay does.
Hi Dan,
that trick would work in particular cases, but I'm not sure that it would scale in an environment with a large number of lively machines: suppose you want to change the ACL for a particular server without changing its name?
Intuitively, I would rather opt for host group management (posix or group of) within LDAP?
Still, issue of which container remains.
--- Olivier
2012/10/29 Dan White dwhite@olp.net:
On 10/29/12 09:38 -0500, Dan White wrote:
On 10/29/12 13:23 +0100, Simone Scremin wrote:
Hi all,
I'm in the process of learning the OpenLDAP authentication mechanics.
I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
Or, if you wish to literally store 'sys0*pr*' within your host entry in ldap, your filter could be:
host=sys0*pr*
-- Dan White
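To make Olivier's host-group suggestion concrete, here is an added example (written for this edit, not code from the thread or from OpenLDAP). It assumes a hypothetical layout with host entries under ou=hosts, user entries under ou=people, and groupOfNames "role" groups whose member values list both the host DNs and the user DNs for that role; all DNs and names are constructed sample data. A login is permitted when some role group lists both the user and the host. Re-roling a server then touches only the group entries, whereas under the per-user host attribute model every user entry naming that host has to be rewritten.

```python
from typing import Dict, Set

# Constructed sample directory (hypothetical DNs, not from the thread).
# Host entries and user entries are separate objects; the login policy is
# expressed only through role groups, never through hostname patterns.
HOSTS: Dict[str, str] = {  # DN -> hostname
    "cn=sys01pra,ou=hosts,dc=example,dc=com": "sys01pra",
    "cn=sys02pre,ou=hosts,dc=example,dc=com": "sys02pre",
    "cn=sys03pra,ou=hosts,dc=example,dc=com": "sys03pra",
    "cn=sys03pre,ou=hosts,dc=example,dc=com": "sys03pre",
    "cn=db01pra,ou=hosts,dc=example,dc=com": "db01pra",
}
USERS: Dict[str, str] = {  # DN -> uid
    "uid=bob,ou=people,dc=example,dc=com": "bob",
    "uid=carol,ou=people,dc=example,dc=com": "carol",
}
# Role groups modelled as groupOfNames: `member` holds host DNs and user DNs.
# A user may log into a host iff some group lists both of them.
GROUPS: Dict[str, Set[str]] = {
    "cn=pr-role,ou=groups,dc=example,dc=com": {
        "cn=sys01pra,ou=hosts,dc=example,dc=com",
        "cn=sys02pre,ou=hosts,dc=example,dc=com",
        "cn=sys03pra,ou=hosts,dc=example,dc=com",
        "cn=sys03pre,ou=hosts,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    },
    "cn=db-role,ou=groups,dc=example,dc=com": {
        "cn=db01pra,ou=hosts,dc=example,dc=com",
        "uid=carol,ou=people,dc=example,dc=com",
    },
}


def _dn_for(value: str, table: Dict[str, str]) -> str:
    """Reverse lookup: hostname or uid -> DN (case-insensitive, like cn/uid)."""
    for dn, v in table.items():
        if v.casefold() == value.casefold():
            return dn
    raise KeyError(value)


def allowed(uid: str, hostname: str, groups=GROUPS) -> bool:
    """Authorization decision for a login of `uid` on `hostname`."""
    try:
        u, h = _dn_for(uid, USERS), _dn_for(hostname, HOSTS)
    except KeyError:
        return False  # unknown user or host: deny by default
    return any(u in members and h in members for members in groups.values())


def move_host(hostname: str, src: str, dst: str, groups=GROUPS):
    """Re-role a host without renaming it.

    Returns (new_groups, entries_written): only the two group entries
    change, and no user entry is touched. The input dict is left as is.
    """
    h = _dn_for(hostname, HOSTS)
    new = {dn: set(m) for dn, m in groups.items()}
    if h not in new[src]:
        raise ValueError(f"{hostname} is not a member of {src}")
    new[src].discard(h)
    new[dst].add(h)
    return new, 2


# For comparison: the same re-roling under the per-user `host` attribute
# model (constructed data), where every user entry naming the host must be
# rewritten with ldapmodify.
HOST_ATTR_MODEL = {  # uid -> host attribute values
    "bob": ["sys01pra", "sys02pre", "sys03pra", "sys03pre"],
    "dave": ["sys01pra"],
    "erin": ["sys01pra", "db01pra"],
    "carol": ["db01pra"],
}


def user_entries_to_rewrite(hostname: str, model=HOST_ATTR_MODEL):
    """User entries that would each need a modify if `hostname` changed role
    under the host-attribute model."""
    return sorted(uid for uid, hosts in model.items()
                  if any(h.casefold() == hostname.casefold() for h in hosts))
```

The deny-by-default branch in allowed() matters in practice: a host that has no entry (or a renamed host whose entry was not updated) must fail closed rather than fall through to "no restriction".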
If you are using pam-ldap, then it's even easier than you think, i.e. it's included in pam-ldap:
In the LDAP directory create entries like (or similar to) the following:
dn: uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
gidNumber: 102
homeDirectory: /home/ldap-host
host: vidigal.mydomain.com
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11146
shadowMax: 99999
shadowWarning: 7
uid: ldap-host
uidNumber: 1038
userPassword: youonlyknowit
where the important attribute is host.
Then, in the ldap.conf file, where you tell pam-ldap which LDAP parameters to use, add the following line:
pam_check_host_attr yes
Then, in the corresponding pam-ldap file, add the following two entries:
account required pam_ldap.so debug
account required pam_unix_acct.so
(check to see if you have the respective module installed in your pam-ldap module directory).
And then, by magic, users will be allowed only on the specified host, in this case on vidigal.mydomain.com.
suomi
On 2012-10-29 13:23, Simone Scremin wrote:
Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Thanks
Simone
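The two mechanisms discussed above (Dan's 'host=sys0*pr*' filter placed in the PAM module's configuration, and suomi's pam_check_host_attr walkthrough where the host attribute on the user entry is compared with the machine being logged into) compare strings in different places, and that is the source of the regex question. The added example below (written for this edit, not code from the thread, pam_ldap or OpenLDAP) models both. It assumes that the host attribute is matched with caseIgnoreMatch/caseIgnoreSubstringsMatch as defined in cosine.schema, that '*' is a wildcard only inside an LDAP filter assertion (RFC 4515) and never inside a stored value, and, as a simplification of pam_ldap's own code, that the pam_check_host_attr comparison is a case-insensitive exact match of the local hostname against the stored values. The user entries are constructed sample data.

```python
import re

# Constructed sample directory: uid -> values of the `host` attribute.
# 'alice' stores the glob literally, as Dan's second reply describes.
USERS = {
    "bob":   ["sys01pra", "sys02pre", "sys03pra", "sys03pre"],
    "alice": ["sys0*pr*"],
    "carol": ["db01pra"],
}


def compile_assertion(assertion: str):
    """Turn the value side of an LDAP (host=<assertion>) filter into a matcher.

    Per RFC 4515 only '*' is a wildcard, and only in a filter. The `host`
    attribute uses caseIgnoreMatch / caseIgnoreSubstringsMatch (cosine.schema),
    so the comparison is case-insensitive; everything but '*' is literal.
    """
    pieces = [re.escape(p) for p in assertion.split("*")]
    return re.compile(".*".join(pieces), re.IGNORECASE)


def entry_matches(uid: str, assertion: str, users=USERS) -> bool:
    """Server-side semantics of (host=<assertion>) evaluated against one entry:
    true when ANY stored host value matches the assertion. This is what a
    filter written into the PAM module's configuration asks slapd."""
    rx = compile_assertion(assertion)
    return any(rx.fullmatch(v) for v in users.get(uid, []))


def host_attr_permits(uid: str, local_hostname: str, users=USERS) -> bool:
    """Client-side check in the style of pam_check_host_attr (modelled here,
    as an assumption, as a case-insensitive exact comparison): the host being
    logged into must literally appear among the entry's host values. A glob
    stored in the attribute is just a string at this point."""
    want = local_hostname.casefold()
    return any(v.casefold() == want for v in users.get(uid, []))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for anything interpolated into a filter, so that a
    hostname or username taken from the environment cannot smuggle in its own
    wildcards or parentheses (LDAP filter injection)."""
    out = []
    for ch in value:
        if ch in "*()\\" or ord(ch) == 0:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def per_host_filter(uid: str, local_hostname: str) -> str:
    """The search a PAM module would issue on a given machine when the policy
    lives in the user's host attribute: both substituted values escaped."""
    return "(&(uid=%s)(host=%s))" % (escape_filter_value(uid),
                                     escape_filter_value(local_hostname))


def users_allowed_on(local_hostname: str, users=USERS):
    """Everyone whose host attribute permits a login on `local_hostname`."""
    return sorted(u for u in users if host_attr_permits(u, local_hostname, users))
```

The asymmetry is the whole point: entry_matches("alice", "sys0*pr*") is true because the literal value "sys0*pr*" satisfies the substring filter, yet host_attr_permits("alice", "sys01pra") is false because nothing expands the stored glob against the real hostname. Wildcards therefore belong in the filter that the module sends, and whatever the module substitutes into that filter has to be escaped.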
On Oct 29, 2012, at 5:12 PM, Howard Chu hyc@symas.com wrote:
Dan White wrote:
...
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
The PADL pam_ldap module has no such feature. The OpenLDAP nssov overlay does.
Assuming I got this correctly, this poses a constraint on the version of OpenLDAP that must be used. Starting from which version is the nssov overlay available?
Thanks
Simone Scremin
And this is clear. This is the basic host-based authentication using pam-ldap.
From what I know however, it's not possible to set a regex as the value of the host attribute which is my requirement.
See the previous mail with the relevant example about the regex for the hostnames. Am I wrong?
Thank you
Simone
On Oct 29, 2012, at 5:26 PM, anax anax@ayni.com wrote:
If you are using pam-ldap, then it's even easier than you think, i.e. it's included in pam-ldap:
In the LDAP directory create entries like (or similar to) the following:
dn: uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
gidNumber: 102
homeDirectory: /home/ldap-host
host: vidigal.mydomain.com
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11146
shadowMax: 99999
shadowWarning: 7
uid: ldap-host
uidNumber: 1038
userPassword: youonlyknowit
where the important attribute is host.
Then, in the ldap.conf file, where you tell pam-ldap which LDAP parameters to use, add the following line:
pam_check_host_attr yes
Then, in the corresponding pam-ldap file, add the following two entries:
account required pam_ldap.so debug
account required pam_unix_acct.so
(check to see if you have the respective module installed in your pam-ldap module directory).
And then, by magic, users will be allowed only on the specified host, in this case on vidigal.mydomain.com.
suomi
On 2012-10-29 13:23, Simone Scremin wrote:
Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Thanks
Simone
openldap-technical@openldap.org