Hello, I've been working on implementing an LDAP solution for the last 8 months (in-between task, you know how it is :D )
I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)
But now I wanna get fancy..
I've been googling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.
One of my primary goals is to have it work as much "out of the box" as possible for RHEL4 and 5 (and CentOS).
That means I want to avoid having to make changes to hosts (I have around 60-80 Linux servers today that I want over on LDAP), so I try to avoid the solutions involving /etc/security/*
I have it working with the ldapns schema with no changes to PAM.
But this means I have to enter the specific host into each user record.
But I'm a contrary and difficult guy, and love making problems for myself, so I want to assign groups of users to groups of servers.
Oh..and SSH keys :D..but that is for when life looks sunny and I need to be reminded that the world is a bad place.
Is there anyone that can point me towards resources that are written on this? I already have a list of links I've been reading, and am adding those here in case other people want to look at them:
https://help.ubuntu.com/community/LDAPClientAuthentication
http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
http://www.padl.com/OSS/nss_ldap.html
http://www.padl.com/OSS/pam_ldap.html
http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_auth...
Thanks for taking the time to read this :)
openldap-technical@openldap.org
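The per-user ldapns `host` attribute the post describes can be generated from group definitions instead of typed into each user record by hand. As an added example (not the poster's code), this script takes constructed user-group, host-group and ACL definitions and emits the LDIF modify records that set each user's `host` values; every DN, group name and hostname is an assumption.

```python
"""Generate LDIF that sets the ldapns ``host`` attribute per user from
group-to-host-group assignments (added example, not the poster's code).
Constructed data: all DNs, group and host names are assumptions."""

# Constructed input (assumed names): user groups and host groups.
USER_GROUPS = {
    "webadmins": ["alice", "bob"],
    "dbadmins": ["carol", "bob"],
}
HOST_GROUPS = {
    "web": ["web01.example.com", "web02.example.com"],
    "db": ["db01.example.com"],
}
# The ACL: which user groups may log in to which host groups.
ACL = {
    "webadmins": ["web"],
    "dbadmins": ["db"],
}
USER_BASE = "ou=People,dc=example,dc=com"  # assumed base DN


def resolve_hosts(user_groups, host_groups, acl):
    """Return {uid: sorted hosts} for every user in any user group.
    A user in several groups gets the union of the allowed hosts."""
    allowed = {}
    for ugroup, members in user_groups.items():
        hosts = set()
        for hgroup in acl.get(ugroup, []):
            hosts.update(host_groups.get(hgroup, []))
        for uid in members:
            allowed.setdefault(uid, set()).update(hosts)
    return {uid: sorted(h) for uid, h in allowed.items()}


def to_ldif(allowed, user_base=USER_BASE):
    """One 'changetype: modify' record per user replacing ``host``.
    A replace with no values deletes the attribute, i.e. no hosts."""
    records = []
    for uid in sorted(allowed):
        lines = [f"dn: uid={uid},{user_base}", "changetype: modify",
                 "replace: host"]
        lines += [f"host: {h}" for h in allowed[uid]]
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(resolve_hosts(USER_GROUPS, HOST_GROUPS, ACL)))
```

Pipe the output to ldapmodify; since only the user entries change, the hosts keep the stock pam_ldap host-attribute check the post already has working.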