Hi, I connected LDAP Linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this?
Take sssd on your server and put the users in groups. With sssd you can grant access to a group, so only the members of the group can log in.
On 19.02.20 at 09:55, Клеусов Владимир Сергеевич wrote:
Hi, I connected LDAP Linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this?
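As an added example (not from Stefan's mail and not sssd project documentation), this is the sssd.conf fragment his suggestion maps to: the `simple` access provider lets only members of the named groups through the PAM account phase on that host. The domain name, URIs, base DN, CA path and group names are assumed placeholders.

```ini
# /etc/sssd/sssd.conf (added example; domain, URIs, base DN, CA path and
# group names are assumed placeholders, not values from the thread)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Verify the server certificate so a spoofed directory cannot hand out
# group memberships.
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# Client-side group gate: only members of these groups pass the PAM
# account phase on this host. Groups are resolved through sssd's NSS
# lookup, so they must exist in the directory as posixGroup entries.
access_provider = simple
simple_allow_groups = ws-users, sysadmins
# Explicit deny: a user in this group is rejected even if also in an
# allow group above.
simple_deny_groups = disabled-accounts

# The per-host difference lives in this file: every host that should
# admit a different set of groups needs its own copy with other groups.
```

After editing, `sssctl config-check` catches syntax mistakes before the restart, and `sssctl user-checks <user>` shows whether the access phase would admit a given account. Because the gate is in sssd rather than in sshd, it applies to every PAM service on the host (console, su, GDM), not only SSH.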
Might as well set up public key auth with sssd and LDAP: https://www.ossramblings.com/using-ldap-to-store-ssh-public-keys-with-sssd
On Feb 19, 2020, at 9:22 AM, Stefan Kania stefan@kania-online.de wrote:
Take sssd on your server and put the users in groups. With sssd you can grant access to a group, so only the members of the group can log in.
On 19.02.20 at 09:55, Клеусов Владимир Сергеевич wrote:
Hi, I connected LDAP Linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this?
-- Stefan Kania Landweg 13 25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
On 2/19/20 9:55 AM, Клеусов Владимир Сергеевич wrote:
I connected LDAP Linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this?
With most LDAP POSIX user management deployments you have to configure the Linux clients to query only certain user groups, or configure other PAM access control or similar.
My Æ-DIR (based on OpenLDAP) provides views to the Linux clients based on hosts' service group membership and the user groups referenced:
https://www.ae-dir.com/docs.html#er-roles
So no need to configure the clients (except bind-DN and host password).
If you have many clients consider using aehostd for better search performance / less load (see https://ae-dir.com/aehostd.html).
Ciao, Michael.
If trying to access via ssh you can add to the sshd_config file:
# you gonna want root group....
AllowGroups root blabla bla2 bla3
Using sssd to map the groups in linux
my .02
On Wed, Feb 19, 2020 at 1:01 PM Michael Ströder michael@stroeder.com wrote:
On 2/19/20 9:55 AM, Клеусов Владимир Сергеевич wrote:
I connected LDAP Linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this?
With most LDAP POSIX user management deployments you have to configure the Linux clients to query only certain user groups, or configure other PAM access control or similar.
My Æ-DIR (based on OpenLDAP) provides views to the Linux clients based on hosts' service group membership and the user groups referenced:
https://www.ae-dir.com/docs.html#er-roles
So no need to configure the clients (except bind-DN and host password).
If you have many clients consider using aehostd for better search performance / less load (see https://ae-dir.com/aehostd.html).
Ciao, Michael.
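Added example of the sshd-side gate Dave describes (not text from his mail or from the OpenSSH manual); the group names are assumed placeholders. It spells out the evaluation order and the lock-out risk, because a blanket `AllowGroups` line rejects everyone not listed, including local break-glass accounts.

```text
# /etc/ssh/sshd_config (added example; group names are assumed placeholders)

# sshd evaluates these in the order DenyUsers, AllowUsers, DenyGroups,
# AllowGroups. Once any Allow* directive is present, only matching
# accounts may log in; everyone else is rejected after authentication.
DenyGroups disabled-accounts
AllowGroups sysadmins ws-users

# Group membership is looked up through NSS, so LDAP groups are only
# matched if /etc/nsswitch.conf has "group: files sss" and sssd is
# running. A local group (e.g. sysadmins in /etc/group) still matches
# when the directory is unreachable, which is the break-glass path.
```

Run `sshd -t` after the edit to validate the file before reloading, and `sshd -T -C user=<name>,host=<client>,addr=<ip>` to print the effective configuration for one connection. Note that this gate covers SSH only; console logins, `su` and other PAM services are unaffected, which is why it is usually paired with the sssd access provider rather than used alone.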
On 2/19/20 7:05 PM, Dave Macias wrote:
If trying to access via ssh you can add to the sshd_config file:
# you gonna want root group....
AllowGroups root blabla bla2 bla3
Yes, that's one of the client-side solutions for limiting SSH access. But you have to configure all the clients. With a decent config management that's not that hard anymore. Still you have to model the access control scheme in your config management.
Still it's much nicer to just modify LDAP entries to make an access control change without having to reconfigure the Linux client systems.
Ciao, Michael.
On Wed, Feb 19, 2020 at 1:01 PM Michael Ströder <michael@stroeder.com> wrote:
On 2/19/20 9:55 AM, Клеусов Владимир Сергеевич wrote:
I connected LDAP Linux clients to the OpenLDAP server. I need to make a certain group of users able to connect to certain computers. How do I do this?
With most LDAP POSIX user management deployments you have to configure the Linux clients to query only certain user groups, or configure other PAM access control or similar.
My Æ-DIR (based on OpenLDAP) provides views to the Linux clients based on hosts' service group membership and the user groups referenced:
https://www.ae-dir.com/docs.html#er-roles
So no need to configure the clients (except bind-DN and host password).
If you have many clients consider using aehostd for better search performance / less load (see https://ae-dir.com/aehostd.html).
Ciao, Michael.
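Added example of the directory-side model Michael argues for, expressed in generic sssd terms rather than Æ-DIR (which has its own role model at the link above): the client asks the user's own LDAP entry which hosts that user may log in to, so granting or revoking access is an LDAP edit and the client configuration is identical on every machine. Hostnames, base DN and the LDIF entry are assumed placeholders, not values from the thread.

```ini
# /etc/sssd/sssd.conf, inside the [domain/...] section (added example;
# hostnames, base DN and the entry below are assumed placeholders)
access_provider = ldap
# Decide from the user's entry: the "host" attribute (cosine/RFC 2307
# "account" object class) lists the hosts the user may log in to, and the
# client compares it against its own hostname.
ldap_access_order = host
ldap_user_authorized_host = host

# This block is the same on every client. A user entry (constructed LDIF)
# that permits two workstations:
#
#   dn: uid=alice,ou=people,dc=example,dc=com
#   objectClass: account
#   objectClass: posixAccount
#   uid: alice
#   host: ws01.example.com
#   host: ws02.example.com
#
# Adding or removing a "host:" value is the only change needed to grant or
# revoke Alice's access to a machine; no client file is touched.
```

The value must match the name the client reports for itself (check `hostname` on the client), otherwise the user is denied on a machine that looks correctly listed. Since the access decision now lives in the directory, the OpenLDAP ACLs should restrict who may write the `host` attribute to the same people who are allowed to change access, and the server's access log becomes the audit trail for those changes.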
openldap-technical@openldap.org