Granular LDAP host access
Archived thread, Unix administration, July 2007

Colin Walls 2007-06-09, 1:22 pm
I have a number of UNIX boxes (say S1, S2 and S3) and a number of users (say
U1, U2). I have set up an LDAP server and am in the later stages of putting
pam_ldap on each of the boxes. What I can't work out is how to allow U1 on
boxes S1 and S2, but not S3 while U2 can access S3 but not S1 or S2.
A couple of bodges come to mind, but I would like to have a solution that is
reasonably maintainable since I have rather more than three boxes and two
users ;-)
--
Colin Walls
Remove the pink meat to mail me

Michael Zawrotny 2007-06-11, 1:22 pm
Colin Walls <colin@murorum.demon.co.uk> wrote:
> I have a number of UNIX boxes (say S1, S2 and S3) and a number of users (say
> U1, U2). I have set up an LDAP server and am in the later stages of putting
> pam_ldap on each of the boxes. What I can't work out is how to allow U1 on
> boxes S1 and S2, but not S3 while U2 can access S3 but not S1 or S2.
>
> A couple of bodges come to mind, but I would like to have a solution that is
> reasonably maintainable since I have rather more than three boxes and two
> users ;-)
I had a somewhat similar need a while back. In my case, limiting
console access was not an issue. I was able to ensure for each host
that the allowed users shared a common group. In that scenario, using
the ssh AllowGroups handled things easily.
For more flexible and arbitrary combinations you might look into
either the pam_filter option of pam_ldap, or the pam_access module.
Mike
--
Michael Zawrotny
Institute of Molecular Biophysics
Florida State university | email: zawrotny@sb.fsu.edu
Tallahassee, FL 32306-4380 | phone: (850) 644-0069
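The pam_filter / host-attribute route Michael mentions, as an added example that is not part of the thread: a small Python model of the account search pam_ldap performs. The directory entries, the filter evaluator (an RFC 4515 subset: equality, presence, &, |, !) and the `pam_ldap_lookup` helper are all constructed for this illustration; what it mirrors from pam_ldap is that `pam_filter` is ANDed with `uid=<login>`, and that `pam_check_host_attr` compares the entry's `host` values with the local hostname, accepting `*` as any host.

```python
# Added example, not from the thread: a model of pam_ldap's account search.
# Directory contents and the helpers below are constructed for illustration;
# the 'host' attribute comes from the cosine 'account' objectClass and holds
# one value per host the user may log in to.
DIRECTORY = [
    {"uid": ["U1"], "objectClass": ["account", "posixAccount"], "host": ["S1", "S2"]},
    {"uid": ["U2"], "objectClass": ["account", "posixAccount"], "host": ["S3"]},
    {"uid": ["ops"], "objectClass": ["account", "posixAccount"], "host": ["*"]},
    {"uid": ["svc"], "objectClass": ["posixAccount"]},   # no host attribute at all
]


def parse_filter(text):
    """Parse an RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    s = s[1:]
    if s[:1] in ("&", "|"):
        op, s, subs = s[0], s[1:], []
        while s.startswith("("):
            node, s = _parse(s)
            subs.append(node)
        if not s.startswith(")"):
            raise ValueError("unterminated %s filter" % op)
        return (op, subs), s[1:]
    if s[:1] == "!":
        node, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated ! filter")
        return ("!", node), s[1:]
    end = s.index(")")
    attr, sep, value = s[:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError("unsupported filter item: %r" % s[:end])
    return ("=", attr.strip(), value.strip()), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry (caseIgnore matching, as for uid/host)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                       # presence filter
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def pam_ldap_lookup(directory, login, hostname, pam_filter=None, check_host_attr=False):
    """Model of pam_ldap's account search: (uid=<login>) ANDed with pam_filter;
    with pam_check_host_attr the entry's host values must then contain this
    hostname or '*'.  Returns the entry, or None when the login is refused."""
    search = "(uid=%s)" % login
    if pam_filter:
        extra = pam_filter if pam_filter.startswith("(") else "(%s)" % pam_filter
        search = "(&%s%s)" % (search, extra)
    hits = [e for e in directory if matches(parse_filter(search), e)]
    if len(hits) != 1:                     # no entry, or an ambiguous uid
        return None
    entry = hits[0]
    if check_host_attr:
        hosts = [h.lower() for h in entry.get("host", [])]
        if hostname.lower() not in hosts and "*" not in hosts:
            return None
    return entry


if __name__ == "__main__":
    for user, host in (("U1", "S1"), ("U1", "S3"), ("U2", "S3"), ("ops", "S3")):
        by_filter = pam_ldap_lookup(DIRECTORY, user, host, pam_filter="host=%s" % host)
        by_attr = pam_ldap_lookup(DIRECTORY, user, host, check_host_attr=True)
        print("%-4s on %s: pam_filter=%-5s pam_check_host_attr=%s"
              % (user, host, by_filter is not None, by_attr is not None))
```

In /etc/ldap.conf (pam_ldap.conf) the two variants are `pam_filter host=S1` on S1 (a per-host line) or `pam_check_host_attr yes` everywhere with the `host:` values maintained per user in the directory; the second keeps one identical client configuration on every box, which is what the original poster asked for. Either way this only gates logins that pass through pam_ldap's auth/account stack; nss_ldap will still resolve the account, so anything that bypasses PAM on that host is not covered. Note the `ops` case: a wildcard `host: *` entry is accepted by the host-attribute check but not by an equality filter, so the two mechanisms are not interchangeable once wildcards are in use.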

Keith Keller 2007-06-11, 1:22 pm
On 2007-06-09, Colin Walls <colin@murorum.demon.co.uk> wrote:
> I have a number of UNIX boxes (say S1, S2 and S3) and a number of users (say
> U1, U2). I have set up an LDAP server and am in the later stages of putting
> pam_ldap on each of the boxes. What I can't work out is how to allow U1 on
> boxes S1 and S2, but not S3 while U2 can access S3 but not S1 or S2.
You can use the pam_access module to limit access to groups and/or
individual users; this can be used whether your users are local or
obtained from LDAP. For whatever reason my systems don't have the man
page for pam_access, but you should be able to find it (and man
access.conf) via Google. Your OS may also have a well-documented
skeleton access.conf file available in /etc/security/access.conf .
I have done this before, and it works fine, but it requires local
administration of /etc/security/access.conf (i.e., while the groups and
users are in LDAP, the list of authorized groups/users for a given host
is located on the host).
You can also use the pam_ldap specific authorization mechanisms. I
can't at the moment find online docs for these mechanisms; if you have
an important LDAP server, you might consider buying the ORA book _LDAP
System Administration_, which talks about these authz mechanisms and a
bunch of other stuff. We have a fairly small LDAP configuration, but
I've found the book very helpful.
--keith
--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

On Jun 9, 7:30 am, Colin Walls <c...@murorum.demon.co.uk> wrote:
> I have a number of UNIX boxes (say S1, S2 and S3) and a number of users (say
> U1, U2). I have set up an LDAP server and am in the later stages of putting
> pam_ldap on each of the boxes. What I can't work out is how to allow U1 on
> boxes S1 and S2, but not S3 while U2 can access S3 but not S1 or S2.
>
> A couple of bodges come to mind, but I would like to have a solution that is
> reasonably maintainable since I have rather more than three boxes and two
> users ;-)
>
> --
> Colin Walls
> Remove the pink meat to mail me
For Solaris, you can modify /etc/nsswitch.conf,
passwd: compat
passwd_compat: ldap
Then in /etc/passwd and /etc/shadow, add entries using netgroups which
contain users allowed to login to your host.
/etc/passwd:
+@allowedusers:x:::::
/etc/shadow:
+@allowedusers:NP:::::::
However, note that the compat feature is not guaranteed to remain in
future releases of Solaris.
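The pam_access approach from Keith's post, together with the netgroup membership that the Solaris `+@allowedusers` entries rely on, as one added example that is not part of the thread: a Python model of access.conf evaluation with `@netgroup` user tokens. The netgroup map, the per-host access.conf contents and the `check` helper are constructed here; the rule semantics reproduced from pam_access are first match wins, permit when nothing matches, `(group)` versus bare tokens, `LOCAL` meaning an origin with no dot, and `@netgroup` tested against the user field of the netgroup triples as innetgr(3) does. EXCEPT lists are rejected rather than mis-evaluated.

```python
# Added example, not from the thread: a model of pam_access rule evaluation.
# Netgroup map, rule sets and origins below are constructed for illustration.

# Constructed /etc/netgroup: members are (host,user,domain) triples or nested
# netgroups; an empty field is a wildcard, '-' matches nothing.
NETGROUP_MAP = """
ops       (-,U3,-)
s1-users  (-,U1,-) ops
s3-users  (-,U2,-)
"""
# Constructed /etc/security/access.conf for S1 and S3.  The final line is what
# turns these into allow-lists: pam_access permits when no rule matches.
ACCESS_CONF_S1 = """
+ : root : LOCAL
+ : @s1-users : ALL
- : ALL : ALL
"""
ACCESS_CONF_S3 = """
+ : root : LOCAL
+ : @s3-users : ALL
- : ALL : ALL
"""
ACCESS_CONF_NO_DENY = """
+ : root : LOCAL
+ : @s3-users : ALL
"""

def parse_netgroups(text):
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *members = line.split()
            groups[name] = members
    return groups

def in_netgroup(groups, name, user, seen=None):
    """innetgr(3)-style check on the user field, following nested netgroups."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return False
    seen.add(name)
    for member in groups[name]:
        if member.startswith("("):
            _host, u, _domain = (f.strip() for f in member.strip("()").split(","))
            if u == "" or u == user:
                return True
        elif in_netgroup(groups, member, user, seen):
            return True
    return False

def parse_access_conf(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % line)
        if "EXCEPT" in (users + " " + origins).split():
            raise ValueError("EXCEPT is not implemented in this example: %r" % line)
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def user_matches(token, user, groups, netgroups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # explicit group form
        return token[1:-1] in groups
    if token.startswith("@"):                           # netgroup, user field
        return in_netgroup(netgroups, token[1:], user)
    # bare token: a user name or, without pam_access's nodefgroup option, a group name
    return token == user or token in groups

def origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                                # any origin without a '.'
        return "." not in origin
    return token == origin

def access_allowed(rules, user, groups, origin, netgroups):
    """First rule whose user list and origin list both match decides; no match permits."""
    for permit, users, origins in rules:
        if (any(user_matches(t, user, groups, netgroups) for t in users)
                and any(origin_matches(t, origin) for t in origins)):
            return permit
    return True

NETGROUPS = parse_netgroups(NETGROUP_MAP)

def check(conf, user, origin, groups=()):
    return access_allowed(parse_access_conf(conf), user, set(groups), origin, NETGROUPS)

if __name__ == "__main__":
    for host, conf in (("S1", ACCESS_CONF_S1), ("S3", ACCESS_CONF_S3)):
        for user in ("U1", "U2", "U3"):
            verdict = "allow" if check(conf, user, "10.0.0.5") else "deny"
            print("%s %-3s from 10.0.0.5: %s" % (host, user, verdict))
    print("root on tty1 (LOCAL):", check(ACCESS_CONF_S1, "root", "tty1"))
    print("root from 10.0.0.5:", check(ACCESS_CONF_S1, "root", "10.0.0.5"))
    print("U1 on S3 with no deny-all line:", check(ACCESS_CONF_NO_DENY, "U1", "10.0.0.5"))
```

Drop the `- : ALL : ALL` line and every LDAP user can log in, which is the trap the third rule set shows. pam_access runs as an account module, so with `account required pam_access.so` in the stack it also covers ssh public-key logins as long as sshd uses PAM, which sshd's AllowGroups handles only for ssh; the price, as Keith notes, is that access.conf lives on each host, though with `@netgroup` tokens the membership itself can stay in the directory (nisNetgroup entries) and the per-host file stays the same two or three lines everywhere.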