Dan Cox wrote:
> I suppose I could put something together... are you talking about
> something from the ground up like setting up nss_ldap, adding entries
> into LDAP, etc., or assume some of the prerequisites are in place?

If there is already sufficient documentation on setting up nss_ldap or
other prerequisites, then just a pointer to that will be fine.

> Also I'm assuming some short example usages of the tools I've mentioned?

Sure. At least on group-based host access restriction, which seems to be
the most asked-for info.

> Dan-
>
> Jason Hane wrote:
>
>> I second that. Dan, if you can provide any resources you used to set up
>> your netgroups I would hail at your feet. I've been playing with
>> netgroups unsuccessfully for the past month and a half and haven't been
>> able to get it to work. All my clients are RedHat ES 3&4.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>> Megginson
>> Sent: Tuesday, January 03, 2006 4:06 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: Server-Side ACLs for pam_ldap logins.
>>
>> This looks very interesting and useful. Would you mind writing up
>> something I can post on the Fedora DS wiki? Don't worry about
>> formatting, spelling, etc. I can fix that up.
>>
>> Dan Cox wrote:
>>
>>> As an alternative, I've used the ldap/netgroup integration for many
>>> years and it seems the cleanest way of doing it when used in
>>> conjunction with pam's access.conf. It allows me to push the same
>>> /etc/passwd and /etc/security/access.conf to all machines on the
>>> network via something like CFEngine.
>>>
>>> The access.conf consists of something like (allow all QA users
>>> access to QA systems):
>>>
>>>     + : @QA@@QAServers : ALL
>>>
>>> Then I just add or remove the user or machine in the ldap netgroup
>>> entry. The real power with using ldap-based netgroups is when you
>>> realize all of the services that can consume netgroup information,
>>> unlike the simple user-based host attribute. For example, you can push
>>> a global /etc/sudoers and specify certain groups of users can run
>>> certain commands on particular groups of machines all on one line.
>>> CFEngine itself can query netgroups to know what config files to push,
>>> tools like dsh (distributed ssh) can use netgroups as machine
>>> targets for commands, etc. I've administered some very large
>>> networks of machines with these tools and it makes it very easy to
>>> control.
>>>
>>> Dan-
>>>
>>> Jason Hane wrote:
>>>
>>>> I had a similar question a few weeks ago. I wanted to be able to
>>>> assign a list of users access to only a specific number of computers.
>>>>
>>>> This is the response I got from Gary Tay:
>>>>
>>>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX
>>>> in /etc/passwd and /etc/shadow and "compat" keyword in
>>>> /etc/nsswitch.conf) LDAP maps could be set up to achieve what you
>>>> want, it has been used by many DS5.2 administrators
>>>>
>>>> See:
>>>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>>>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native
>>>> LDAP Clients (i.e. controlling user access to host using netgroup
>>>> LDAP maps)
>>>>
>>>> Also see:
>>>> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>>>> Configuring LDAP netgroups
>>>>
>>>> Gary
>>>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces at redhat.com
>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
>>>> Michael Montgomery
>>>> Sent: Tuesday, January 03, 2006 1:35 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: Server-Side ACLs for pam_ldap logins.
>>>>
>>>> Thanks for the response. I'll read up on this, and see if I can
>>>> get this working.
>>>>
>>>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>>>
>>>>> Michael Montgomery wrote:
>>>>>
>>>>>> I do agree that this is closer to what I'm looking for, but the
>>>>>> first problem I see is that I wanted to allow Groups of people to
>>>>>> log in to Groups of servers like:
>>>>>>
>>>>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers.
>>>>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users.
>>>>>>
>>>>>> So basically, only the people in the Unix group can log in to the www
>>>>>> servers, and so forth.
>>>>>
>>>>> Right. The host attribute is per user. You could set up Roles
>>>>> for your users, and use Class of Service to automatically add the
>>>>> host attribute to the role members.
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
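As an added illustration of the netgroup-driven access.conf check Dan describes in the thread (example code written for this page, not code from the thread, pam_access, or Fedora DS): it models NIS-style netgroup triples with nesting and evaluates `+ : @QA@@QAServers : ALL` style rules first-match-wins. The netgroup contents, host names, and the reading of `@users@@hosts` as "user in the first netgroup and the machine being logged into in the second" are assumptions.

```python
# Added example (not from the thread): NIS-style netgroup triples plus an access.conf
# rule check in the spirit of pam_access. Netgroup contents and host names are constructed.
NETGROUPS = {
    "QA":         [("", "alice", ""), ("", "bob", "")],                   # user triples
    "QAServers":  [("qa1.example.com", "", ""), ("qa2.example.com", "", "")],
    "AllServers": ["QAServers", ("www1.example.com", "", "")],            # nested group
}

def innetgr(netgroup, host=None, user=None, domain=None, _seen=None):
    # Like innetgr(3): any (host,user,domain) triple may match, recursing into nested groups; '' = wildcard.
    _seen = set() if _seen is None else _seen
    if netgroup in _seen or netgroup not in NETGROUPS:     # cycle guard / unknown group
        return False
    _seen.add(netgroup)
    for member in NETGROUPS[netgroup]:
        if isinstance(member, str):                        # nested netgroup name
            if innetgr(member, host, user, domain, _seen):
                return True
        elif all(want is None or have in ("", want)        # None query field = don't care
                 for have, want in zip(member, (host, user, domain))):
            return True
    return False

def parse_access_conf(text):
    # 'perm : users : origins' lines; '#' comments and blank lines are skipped.
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users.split(), origins.split()))
    return rules

def user_matches(spec, user, local_host):
    # ALL, a literal user, @netgroup or @netgroup@@hostgroup; the last is read here (an
    # assumption) as: user in the first netgroup AND the local host in the second.
    if spec == "ALL":
        return True
    if not spec.startswith("@"):
        return spec == user
    grp, _, hostgrp = spec[1:].partition("@@")
    return innetgr(grp, user=user) and (not hostgrp or innetgr(hostgrp, host=local_host))

def access_allowed(rules, user, local_host, origin):
    # First matching rule wins; with no match pam_access grants, hence a final '- : ALL : ALL' line.
    for allow, users, origins in rules:
        if any(user_matches(u, user, local_host) for u in users) and \
           any(o in ("ALL", origin) for o in origins):
            return allow
    return True
```

Pushing the same file to every host works because the `@@QAServers` part is evaluated against each machine's own name, so the rule only opens access on hosts that are members of that netgroup.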