2010/11/19 Phuong Marie VUONG mangocphung@gmail.com:
Hello,
First, im sorry about my English. I share here my experience which worked for limit acces host/group of host for user...
In the configuration of ldap client /etc/ldap.conf , i have activate the host attribute and a filter in nss_base_passwd pam_check_host_attr yes nss_base_passwd ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
In the user entry, add the host attribute And in the host set, you can put the pattern value correpond of the level that you want to authorize to connect , for exe : hostname.domain or PatternofHostGroup or
Hope that can help
2010/11/19 c0re nr1c0re@gmail.com
can you give an example of usage pam_check_host_attr?
And how can I use group of hosts and assign user to this group to permit access user to this group avoiding enumerating hosts in users dn each time I add new user?
What should I set in "host:"? Hostname of server? How host attr are sent to pam_ldap?
2010/11/18 Aaron Richton richton@nbcs.rutgers.edu:
On Thu, 18 Nov 2010, c0re wrote:
I mean user user1 can must login only on server1,server2 and server3. And user2 can login only on server5 and server2.
You could probably overload almost anything (dyngroups, OpenLDAP ACLs, search filters, who knows) to accomplish this, but the cleanest way to do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap because you mentioned "pam_groupdn" which is not an OpenLDAP configuration directive.
-- Milan&Phuong 06.17.34.09.77 09.53.57.04.94 http://www.phuong.fr/photos/
I moved a bit different way.
I used pam_groupdn in ldap.conf and created a group for each server. Now if I add user to ldap, I need to add to groups "memberUid: `userdn`". And user will be able to login to those servers in which groups is user as a member. But if I got 100-200 servers and want to give access to new user to all this servers, I should add user to all groups. Of course it's a waste of time and it's possible to be done via some external shell/perl script, but may be there another way in openldap?
pam_check_host_attr do almost same. If I add user - I need to add all hosts to user attr "host:". So it's same work I think.
c0re wrote:
2010/11/19 Phuong Marie VUONGmangocphung@gmail.com:
Hello,
First, im sorry about my English. I share here my experience which worked for limit acces host/group of host for user...
In the configuration of ldap client /etc/ldap.conf , i have activate the host attribute and a filter in nss_base_passwd pam_check_host_attr yes nss_base_passwd ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
In the user entry, add the host attribute And in the host set, you can put the pattern value correpond of the level that you want to authorize to connect , for exe : hostname.domain or PatternofHostGroup or
Hope that can help
2010/11/19 c0renr1c0re@gmail.com
can you give an example of usage pam_check_host_attr?
And how can I use group of hosts and assign user to this group to permit access user to this group avoiding enumerating hosts in users dn each time I add new user?
What should I set in "host:"? Hostname of server? How host attr are sent to pam_ldap?
2010/11/18 Aaron Richtonrichton@nbcs.rutgers.edu:
On Thu, 18 Nov 2010, c0re wrote:
I mean user user1 can must login only on server1,server2 and server3. And user2 can login only on server5 and server2.
You could probably overload almost anything (dyngroups, OpenLDAP ACLs, search filters, who knows) to accomplish this, but the cleanest way to do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap because you mentioned "pam_groupdn" which is not an OpenLDAP configuration directive.
-- Milan&Phuong 06.17.34.09.77 09.53.57.04.94 http://www.phuong.fr/photos/
I moved a bit different way.
I used pam_groupdn in ldap.conf and created a group for each server. Now if I add user to ldap, I need to add to groups "memberUid: `userdn`". And user will be able to login to those servers in which groups is user as a member. But if I got 100-200 servers and want to give access to new user to all this servers, I should add user to all groups. Of course it's a waste of time and it's possible to be done via some external shell/perl script, but may be there another way in openldap?
pam_check_host_attr do almost same. If I add user - I need to add all hosts to user attr "host:". So it's same work I think.
Read up on the nssov overlay.
2010/11/29 Howard Chu hyc@symas.com:
c0re wrote:
2010/11/19 Phuong Marie VUONGmangocphung@gmail.com:
Hello,
First, im sorry about my English. I share here my experience which worked for limit acces host/group of host for user...
In the configuration of ldap client /etc/ldap.conf , i have activate the host attribute and a filter in nss_base_passwd pam_check_host_attr yes nss_base_passwd
ou=People,dc=xxxxx,dc=xxxx?one?|(host=hostname.domain)(host=PatternofHostGroup)(host=*)
In the user entry, add the host attribute And in the host set, you can put the pattern value correpond of the level that you want to authorize to connect , for exe : hostname.domain or PatternofHostGroup or
Hope that can help
2010/11/19 c0renr1c0re@gmail.com
can you give an example of usage pam_check_host_attr?
And how can I use group of hosts and assign user to this group to permit access user to this group avoiding enumerating hosts in users dn each time I add new user?
What should I set in "host:"? Hostname of server? How host attr are sent to pam_ldap?
2010/11/18 Aaron Richtonrichton@nbcs.rutgers.edu:
On Thu, 18 Nov 2010, c0re wrote:
I mean user user1 can must login only on server1,server2 and server3. And user2 can login only on server5 and server2.
You could probably overload almost anything (dyngroups, OpenLDAP ACLs, search filters, who knows) to accomplish this, but the cleanest way to do this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap because you mentioned "pam_groupdn" which is not an OpenLDAP configuration directive.
-- Milan&Phuong 06.17.34.09.77 09.53.57.04.94 http://www.phuong.fr/photos/
I moved a bit different way.
I used pam_groupdn in ldap.conf and created a group for each server. Now if I add user to ldap, I need to add to groups "memberUid: `userdn`". And user will be able to login to those servers in which groups is user as a member. But if I got 100-200 servers and want to give access to new user to all this servers, I should add user to all groups. Of course it's a waste of time and it's possible to be done via some external shell/perl script, but may be there another way in openldap?
pam_check_host_attr do almost same. If I add user - I need to add all hosts to user attr "host:". So it's same work I think.
Read up on the nssov overlay.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Can't understand about how to use nssov overlay in my case, but understood about dynamic groups overlay and it should fit to my needs.
Also I've got freeradius that authenticate users by looking in ldap. Works good. But can't understand about how to restrict users to login to some devices. At that moment all users has access to all devices via radius. Same requests - this must be controlled via openldap.
May be someone uses freeradius and has already made such restritions and can give me some tips.
Thanks!
openldap-technical@openldap.org