Hey all!
I set up simple LDAP auth on my servers via pam_ldap. It's OK. Now I want to add users that can authenticate on several servers. BUT I want to control on which servers a user can log in only on the LDAP server. I mean user1 must be able to log in only on server1, server2 and server3, and user2 only on server5 and server2. Theoretically it's possible to do this with "pam_groupdn": set it in ldap.conf to the server name and create as many groups as I have servers in OpenLDAP. Then I add users to the groups they need access to. I can group servers in a group like "city1_group" that contains all servers in city1, add the user to that group, and it will have access to all servers in city1.
Maybe anyone knows another practice? Looking for best practice or something like it. Please share your experience.
Thanks!!!
On Thu, 18 Nov 2010, c0re wrote:
I mean user1 must be able to log in only on server1, server2 and server3, and user2 only on server5 and server2.
You could probably overload almost anything (dyngroups, OpenLDAP ACLs, search filters, who knows) to accomplish this, but the cleanest way to do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap because you mentioned "pam_groupdn" which is not an OpenLDAP configuration directive.
Can you give an example of pam_check_host_attr usage?
And how can I use a group of hosts and assign a user to this group to permit access, avoiding enumerating hosts in the user's DN each time I add a new user?
What should I set in "host:"? The hostname of the server? How are host attributes sent to pam_ldap?
2010/11/18 Aaron Richton richton@nbcs.rutgers.edu:
On Thu, 18 Nov 2010, c0re wrote:
I mean user1 must be able to log in only on server1, server2 and server3, and user2 only on server5 and server2.
You could probably overload almost anything (dyngroups, OpenLDAP ACLs, search filters, who knows) to accomplish this, but the cleanest way to do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap because you mentioned "pam_groupdn" which is not an OpenLDAP configuration directive.
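An added illustration of the pam_check_host_attr approach suggested above; it is not from either poster. With `pam_check_host_attr yes` set in pam_ldap's ldap.conf, pam_ldap reads the `host` attribute values from the authenticating user's own entry and compares them against the local machine's own hostname (as returned by gethostname()); a value of `*` matches any host. The `host` attribute comes from the `account` object class in the cosine schema, so the user entry must carry that class. The DN, suffix and host names below are made-up sample values.

```ldif
# Constructed sample entry: user1 may log in only on server1, server2 and server3.
# pam_ldap (with pam_check_host_attr yes) denies login on any host whose
# name does not appear as a host: value here.
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
cn: user1
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/user1
loginShell: /bin/bash
host: server1
host: server2
host: server3

# Constructed sample entry: user2 may log in only on server5 and server2.
dn: uid=user2,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: user2
cn: user2
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/user2
loginShell: /bin/bash
host: server5
host: server2
```

Because pam_check_host_attr evaluates only the host values on the user's own entry, a shared "group of hosts" cannot be referenced from the entry directly: the host names have to be present on each user, which is the per-user enumeration the question asks about. The per-host group approach with pam_groupdn described in the first message remains the alternative when that enumeration is undesirable. When testing either setting, confirm the hostname the server actually reports matches the stored value exactly (short name versus fully qualified name), since a mismatch results in every login on that host being refused.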
openldap-technical@openldap.org