Low Sensitivity/Aerospace Internal Use Only
NetWarrior, are you attempting to apply a TCP_Wrappers like behavior but implement it through LDAP?
Warron French, MBA, SCSA
----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:42 AM -----
From: Net Warrior netwarrior863@gmail.com
To: openldap-technical openldap-technical@openldap.org
Date: 12/23/2013 07:36 AM
Subject: host Attribute
Sent by: openldap-technical-bounces@OpenLDAP.org

Hi guys. I'm trying to restrict some users to logging in to some servers. Googling around, I found that some things can be done with the host attribute; this is what I got.
A user with a host attribute and a FQDN server on it (server.comap.com), and pam_check_host_attr set to yes in the client configuration (pam_ldap.conf / ldap.conf). If I understand well, the user can now log in to that server; in my tests I can confirm that. What I notice is that the user can log in to all the other servers in the farm, whatever I set in the host attribute.
I read this article as a reference: thornelabs dot net /documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html
Please, can someone shed some light on this or clarify whether what I'm trying to do is correct or wrong?
Thanks for your time and support. Regards
Hi French
No tcp_wrapper behaviour, I just found that article and I'm trying to make it work as well. Maybe I misunderstood what the host attribute really is for, or the article is wrong, or I'm doing something wrong; at least in the logs I can see the pam_check_host is being evaluated.
slapd[20810]: conn=5374 op=4 MOD attr=host
Thanks for your time and support. Regards
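The question in this thread is what pam_check_host_attr actually compares. The following is an added example, not code from the thread, from pam_ldap or from OpenLDAP: it models the documented host-attribute check (login is allowed when the user's host attribute holds the machine's own hostname or the wildcard "*", and denied otherwise) on a constructed LDIF entry, so you can predict what a given entry should do on a given host before testing it on a real machine. The LDIF entry, the hostnames and the helper names are assumptions.

```python
"""Model of the pam_ldap / nslcd ``host`` attribute check.

Added example, not code from the thread or from OpenLDAP. Assumption: a user
may log in on a machine when the user's ``host`` attribute contains either
the machine's own hostname (what gethostname() returns) or the wildcard "*";
an entry with no ``host`` values is denied once the check is enabled.
"""
import socket

# Constructed LDIF entry for a test user; the values are made up for this example.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: jdoe
host: server.comap.com
host: build01.example.com
"""


def host_values_from_ldif(ldif_text):
    """Return the values of every ``host:`` line of one LDIF entry."""
    values = []
    for line in ldif_text.splitlines():
        if line.lower().startswith("host:"):
            values.append(line.split(":", 1)[1].strip())
    return values


def host_attr_allows(host_values, local_hostname):
    """Decide whether the host attribute permits login on local_hostname.

    Mirrors the assumed pam_check_host_attr semantics: "*" matches any host;
    otherwise the comparison is an exact, case-insensitive hostname match.
    An empty attribute list denies.
    """
    wanted = local_hostname.strip().lower()
    for value in host_values:
        v = value.strip().lower()
        if v == "*" or v == wanted:
            return True
    return False


def check_login(ldif_text, local_hostname=None):
    """Combine both steps; local_hostname defaults to this machine's name."""
    if local_hostname is None:
        local_hostname = socket.gethostname()
    return host_attr_allows(host_values_from_ldif(ldif_text), local_hostname)


if __name__ == "__main__":
    # Constructed hostnames: one listed, one not listed, one listed but in a different case.
    for host in ("server.comap.com", "web02.comap.com", "SERVER.COMAP.COM"):
        verdict = "allow" if check_login(SAMPLE_LDIF, host) else "deny"
        print(host, "->", verdict)
```

Two things this model makes visible. First, the comparison is against whatever gethostname() returns on the client, so a host value holding the FQDN only matches if the machine's hostname is the FQDN, not the short name; the model does not treat IP addresses at all. Second, if a hostname this function rejects still lets the user log in on a real server, the host check is not the one being enforced there, and the PAM account stack on that client is the place to look.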
Net Warrior wrote:
> Hi French
> No tcp_wrapper behaviour, I just found that article and I'm trying to make it work as well. Maybe I misunderstood what the host attribute really is for, or the article is wrong, or I'm doing something wrong; at least in the logs I can see the pam_check_host is being evaluated.

All of this pam_ldap stuff is obsolete. nssov implements much finer grained authorization.
Hi Howard.
Thanks for the advice. I noticed that it works on some systems; I have some old rhel4.8 (lots of them) where it is not working, but with new centos 6.x it works fine, even though I specify its IP only and not the FQDN. On the other hand, I did not know about the nssov overlay; I'll take a look, and I'll keep researching the issue on the old systems with openldap-2.2.13-7.4E, openldap-clients-2.2.13-7.4E and nss_ldap-226-18.
Thank you very much for your time and support Regards.
2013/12/23, Howard Chu hyc@symas.com:
> Net Warrior wrote:
>> Hi French
>> No tcp_wrapper behaviour, I just found that article and I'm trying to make it work as well. Maybe I misunderstood what the host attribute really is for, or the article is wrong, or I'm doing something wrong; at least in the logs I can see the pam_check_host is being evaluated.
>
> All of this pam_ldap stuff is obsolete. nssov implements much finer grained authorization.
> --
> Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
openldap-technical@openldap.org