1:11 a.m.
Guys,
I have a query, lets take a scenario :
Assume we have 2 servers "Server1" and "Server2" and 2 groups
"Admin" and
"ITTech", What is needed is like say when a user "bob" logging
in to "Server1" he will get the group "Admin", but when he logs in to
"Server2" he will get group "ITTech". Also it may vary for different
users
like when "Kris" logs in to Server1 he may get a group called "ITTech"
and
when he logs in to "Server2" he will get some other group say
"Security".
Can it be possible by OpenLDAP ? If this is achieved then we are planning to
have SUDO files based on the grooups.
It would be great if you can provide me some pointers or how-to.
Regards,
Neo
8:40 a.m.
On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
Guys,
I have a query, lets take a scenario :
Assume we have 2 servers "Server1" and "Server2" and 2 groups
"Admin" and
"ITTech", What is needed is like say when a user "bob" logging
in to "Server1" he will get the group "Admin", but when he logs in
to
"Server2" he will get group "ITTech". Also it may vary for different
users
like when "Kris" logs in to Server1 he may get a group called
"ITTech" and
when he logs in to "Server2" he will get some other group say
"Security".
Can it be possible by OpenLDAP ?
IMHO, this is a bad idea. It will specifically be problematic if you have any
files shared/replicated/backed up between servers (e.g. via NFS).
If this is achieved then we are planning
to have SUDO files based on the grooups.
It would be much more effective to have your sudo rules in LDAP, and apply a
rule to a set of users/groups to a collection/netgroup of hosts.
Regards,
Buchan
2:35 a.m.
Hi.
On 08/12/2011 07:40 PM, Buchan Milne wrote:
On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
> Guys,
>
> I have a query, lets take a scenario :
>
> Assume we have 2 servers "Server1" and "Server2" and 2 groups
"Admin" and
> "ITTech", What is needed is like say when a user "bob" logging
> in to "Server1" he will get the group "Admin", but when he logs
in to
> "Server2" he will get group "ITTech". Also it may vary for
different users
> like when "Kris" logs in to Server1 he may get a group called
"ITTech" and
> when he logs in to "Server2" he will get some other group say
"Security".
> Can it be possible by OpenLDAP ?
IMHO, this is a bad idea. It will specifically be problematic if you have any
files shared/replicated/backed up between servers (e.g. via NFS).
We are using this functionality without any problems. :)
This is feature of nss_ldap.
ldap:
personals user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company
second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
"Server1" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project1,o=company?one
"Server2" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project2,o=company?one
WBR
> If this is achieved then we are planning
> to have SUDO files based on the grooups.
It would be much more effective to have your sudo rules in LDAP, and apply a
rule to a set of users/groups to a collection/netgroup of hosts.
Regards,
Buchan
3:21 a.m.
This is exactly what I am trying to achieve as well but with the help of aliased objects
so that I have common data (think passwords) across all applicable servers without having
to replicate it for each host. I can't however get the aliases to follow across
different dits.
I'd be curious to know how he deals with scenarios of needing same groups or users on
different servers.
On Aug 14, 2011, at 5:35 AM, Dmitriy Kirhlarov <dimma(a)higis.ru> wrote:
Hi.
On 08/12/2011 07:40 PM, Buchan Milne wrote:
> On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
>> Guys,
>>
>> I have a query, lets take a scenario :
>>
>> Assume we have 2 servers "Server1" and "Server2" and 2 groups
"Admin" and
>> "ITTech", What is needed is like say when a user "bob"
logging
>> in to "Server1" he will get the group "Admin", but when he
logs in to
>> "Server2" he will get group "ITTech". Also it may vary for
different users
>> like when "Kris" logs in to Server1 he may get a group called
"ITTech" and
>> when he logs in to "Server2" he will get some other group say
"Security".
>> Can it be possible by OpenLDAP ?
>
> IMHO, this is a bad idea. It will specifically be problematic if you have any
> files shared/replicated/backed up between servers (e.g. via NFS).
We are using this functionality without any problems. :)
This is feature of nss_ldap.
ldap:
personals user groups:
ou=groups,o=company
first project groups:
cn=group1,ou=project1,o=company
cn=group2,ou=project1,o=company
second project groups:
cn=group1,ou=project2,o=company
cn=group2,ou=project2,o=company
"Server1" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project1,o=company?one
"Server2" nss_ldap.conf:
nss_base_group ou=groups,o=company?sub
nss_base_group ou=project2,o=company?one
WBR
>> If this is achieved then we are planning
>> to have SUDO files based on the grooups.
>
> It would be much more effective to have your sudo rules in LDAP, and apply a
> rule to a set of users/groups to a collection/netgroup of hosts.
>
> Regards,
> Buchan
>
8:59 a.m.
On 10/08/2011 09:11, pradyumna dash wrote:
Assume we have 2 servers "Server1" and "Server2"
and 2 groups "Admin" and
"ITTech", What is needed is like say when a user "bob" logging
in to "Server1" he will get the group "Admin", but when he logs in to
"Server2"
he will get group "ITTech". Also it may vary for different users
like when "Kris" logs in to Server1 he may get a group called
"ITTech" and when
he logs in to "Server2" he will get some other group say "Security".
I tried this ages ago with a mapping for nss_ldap along these lines:
nss_map_attribute gidNumber gidNumberServer1
gidNumberServer1 being a custom attribute holding the primary GID to be
used for Server1.
Unfortunately nss_ldap didn't like this, and the groups couldn't be
looked up with 'getent group'.
See the discussion at
<http://old.nabble.com/nss_map_attribute-gidNumber-problem-td27545035.html...
- there was a possible solution suggested which is in a draft RFC, but
the link to it no longer works.
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
9:22 a.m.
Below sounds like your servers are configured inconsistently. Why wouldn't
you have user "bob" be in the same group on every server? That would
avoid this whole question.
In your position I would get some sensible, deployment-wide standard
going and then create my sudoers and ldap directory based on that standard.
On Wed, Aug 10, 2011 at 10:11:17AM +0200, pradyumna dash wrote:
Guys,
I have a query, lets take a scenario :
Assume we have 2 servers "Server1" and "Server2" and 2 groups
"Admin" and
"ITTech", What is needed is like say when a user "bob" logging
in to "Server1" he will get the group "Admin", but when he logs in
to
"Server2" he will get group "ITTech".� Also it may vary for
different
users
like when "Kris" logs in to Server1 he may get a group called
"ITTech" and
when he logs in to "Server2"� he will get some other group say
"Security".
Can it be possible by OpenLDAP ? If this is achieved then we are planning
to have SUDO files based on the grooups.
It would be great if you can provide me some pointers or how-to.
Regards,
Neo
5:05 a.m.
Hi,
I have configured SUDO with OpenLDAP. I have created a group called
"sysadm" and assign the below commands which the users belong to this group
can execute. Now created a user called "bob" and assign him to this group.
When am logging in as bob, and run
"sudo -l", its asking me for the password and after i put the correct
password its showing me the "sudoCommand" list. But it also executes the
command "!/sbin/route" too which he should not able to execute, why its
happening? did i do anything wrong.
dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sysadm
sudoUser: %sysadm
sudoHost: ALL
sudoOption: !authenticate
structuralObjectClass: sudoRole
entryUUID: d6819d80-5c39-1030-9d7c-19f66ff1c84f
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20110816095703Z
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/halt
sudoCommand: /sbin/reboot
sudoCommand: /sbin/yast
sudoCommand: /sbin/yast2
sudoCommand: /sbin/date
sudoCommand: /sbin/kill
sudoCommand: /usr/bin/killall
sudoCommand: /usr/bin/passwd
sudoCommand: /bin/su
sudoCommand: /bin/rpm
sudoCommand: /sbin/ifconfig
sudoCommand: /sbin/ifup
sudoCommand: !/sbin/route
entryCSN: 20110826090949.582253Z#000000#000#000000
modifiersName: cn=manager,dc=example,dc=com
modifyTimestamp: 20110826090949Z
Regards,
Neo
On Wed, Aug 10, 2011 at 10:11 AM, pradyumna dash <neomatrixgem(a)gmail.com>wrote:
Guys,
I have a query, lets take a scenario :
Assume we have 2 servers "Server1" and "Server2" and 2 groups
"Admin" and
"ITTech", What is needed is like say when a user "bob" logging
in to "Server1" he will get the group "Admin", but when he logs in
to
"Server2" he will get group "ITTech". Also it may vary for different
users
like when "Kris" logs in to Server1 he may get a group called
"ITTech" and
when he logs in to "Server2" he will get some other group say
"Security".
Can it be possible by OpenLDAP ? If this is achieved then we are planning
to have SUDO files based on the grooups.
It would be great if you can provide me some pointers or how-to.
Regards,
Neo
4215
days inactive
4242
days old
openldap-technical@openldap.org
6 comments
6 participants
participants (6)
-
Buchan Milne -
Christopher Wood -
Dmitriy Kirhlarov -
Liam Gretton -
pradyumna dash -
Tyler Gates