I suppose I could put something together.. are you talking about something from the ground up like setting up nss_ldap, adding entries into LDAP, etc. or assume some of the prerequisites are in place? Also I'm assuming some short example usages of the tools I've mentioned?

Dan-

Jason Hane wrote:
>I second that. Dan if you can provide any resources you used to set up
>your netgroups I would hail at your feet. I've been playing with
>netgroups unsuccessfully for the past month and a half and haven't been
>able to get it to work. All my clients are RedHat ES 3&4.
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>Megginson
>Sent: Tuesday, January 03, 2006 4:06 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: Server-Side ACLs for pam_ldap logins.
>
>This looks very interesting and useful. Would you mind writing up
>something I can post on the Fedora DS wiki? Don't worry about
>formatting, spelling, etc. I can fix that up.
>
>Dan Cox wrote:
>>As an alternative, I've used the ldap/netgroup integration for many
>>years and it seems the cleanest way of doing it when used in
>>conjunction with pam's access.conf. It allows me to push the same
>>/etc/passwd and /etc/security/access.conf to all machines on the
>>network via something like CFEngine.
>>
>>The access.conf consists of something like (allow all QA users access
>>to QA systems):
>>+ : @QA@@QAServers : ALL
>>
>>Then I just add or remove the user or machine in the ldap netgroup
>>entry. The real power with using ldap based netgroups is when you
>>realize all of the services that can consume netgroup information,
>>unlike the simple user based host attribute. For example, you can push
>>a global /etc/sudoers and specify certain groups of users can run
>>certain commands on particular groups of machines all on one line.
>>CFEngine itself can query netgroups to know what config files to push,
>>tools like dsh (distributed ssh) can use netgroups as machine targets
>>for commands, etc. I've administered some very large networks of
>>machines with these tools and it makes it very easy to control.
>>
>>Dan-
>>
>>Jason Hane wrote:
>>>I had a similar question a few weeks ago. I wanted to be able to
>>>assign a list of users access to only a specific number of computers.
>>>This is the response I got from Gary Tay:
>>>
>>>FDS is very similar to SUN ONE DS5.2, I think netgroup (+ at netgroupXXX
>>>in /etc/passwd and /etc/shadow and "compat" keyword in
>>>/etc/nsswitch.conf) LDAP maps could be setup to achieve what you
>>>want, it has been used by many DS5.2 administrators
>>>
>>>See:
>>>http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>>>Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native
>>>LDAP Clients (i.e. controlling user access to host using netgroup
>>>LDAP maps)
>>>
>>>Also see:
>>>http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>>>Configuring LDAP netgroups
>>>Gary
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>>>Michael Montgomery
>>>Sent: Tuesday, January 03, 2006 1:35 PM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: Server-Side ACLs for pam_ldap logins.
>>>
>>>Thanks for the response. I'll read up on this, and see if I can get
>>>this working.
>>>
>>>On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>>>Michael Montgomery wrote:
>>>>>I do agree that this is closer to what I'm looking for, but the
>>>>>first problem I see is that I wanted to allow Groups of people to
>>>>>login to Groups of servers like:
>>>>>
>>>>>cn=www,ou=Group,dc=example,dc=com is a group of www servers.
>>>>>cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users.
>>>>>
>>>>>So basically, only the people in the Unix group can login to the www
>>>>>servers, and so forth.
>>>>
>>>>Right. The host attribute is per user. You could set up Roles
>>>>for your users, and use Class of Service to automatically add the
>>>>host attribute to the role members.
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
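To make the netgroup mechanism Dan and Gary describe concrete, here is an added example (not code from the thread or from Fedora DS) that parses constructed RFC 2307 `nisNetgroup` LDIF entries, resolves membership the way `innetgr(3)` does (empty triple fields are wildcards, `memberNisNetgroup` nests, cycles are guarded), and evaluates the `@QA@@QAServers` rule as the thread uses it: user in QA and host in QAServers. The netgroup names, DNs and hostnames are constructed sample data; on a real client the lookup is done by nss_ldap and pam_access, not by this script.

```python
import re
# Constructed LDIF (RFC 2307 nisNetgroup schema); QA nests QALeads, which nests QA back.
SAMPLE_LDIF = """\
dn: cn=QA,ou=Netgroup,dc=example,dc=com
cn: QA
nisNetgroupTriple: (,alice,)
memberNisNetgroup: QALeads

dn: cn=QALeads,ou=Netgroup,dc=example,dc=com
cn: QALeads
nisNetgroupTriple: (,carol,)
memberNisNetgroup: QA

dn: cn=QAServers,ou=Netgroup,dc=example,dc=com
cn: QAServers
nisNetgroupTriple: (qa1.example.com,,)
"""
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")  # (host,user,domain)

def parse_ldif(text):
    """Return {cn: (triples, memberNisNetgroup names)}; malformed triples are rejected."""
    groups = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        triples = [TRIPLE_RE.match(t) for t in attrs.get("nisNetgroupTriple", [])]
        if not all(triples):
            raise ValueError("malformed nisNetgroupTriple in %s" % attrs["dn"][0])
        groups[attrs["cn"][0]] = ([m.groups() for m in triples],
                                  attrs.get("memberNisNetgroup", []))
    return groups

def innetgr(groups, name, host=None, user=None, seen=None):
    """innetgr(3) semantics: None or an empty triple field is a wildcard; nesting is followed with a cycle guard."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return False
    seen.add(name)
    triples, members = groups[name]
    for h, u, _dom in triples:
        if (host in (None, h) or h == "") and (user in (None, u) or u == ""):
            return True
    return any(innetgr(groups, m, host, user, seen) for m in members)

def access_allows(groups, rule, user, host):
    """'+ : @QA@@QAServers : ALL' as the thread uses it: user in the first netgroup AND host in the second."""
    ugrp, _, hgrp = rule.lstrip("@").partition("@@")
    return innetgr(groups, ugrp, user=user) and innetgr(groups, hgrp, host=host)
```

Removing a user from the QA entry or a host from QAServers in LDAP changes the result everywhere the next lookup runs, which is the single-point-of-control property Dan describes.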