I'm wondering - can I use something like netgroups in the LDAP host-based ("host" attribute) for access restriction? I have over 1000 servers and there is no way I can list every combination of user/host explicitly.

I have looked at pam_access with LDAP netgroups, which is great but there is one crucial problem - if a user needs temporary access for example to a certain machine and this falls outside of my netgroup definitions then there seems to be no way to allow specific access using pam_access and /etc/security/access.conf, without having to push out over 1000 new copies of this file. I need to be able to grant special access like this on the LDAP server.

The only thing I can think of is this in access.conf:

    + @special@@special : ALL

where the "special" netgroup contains nisnetgroup triples like

    (user,machine,)

Normally, you don't use both fields in a netgroup triple but this works fine in access.conf because PAM uses the user part when the netgroup is used in the user position of the user@host field and uses the machine part when the netgroup is in the "host" position.

I thought this was really nice until I realised that this means that if the "special" netgroup contains several entries like:

    (user1,machine1)
    (user2,machine2)

then user2 also gets access to machine1 and user1 gets access to machine2, because PAM doesn't understand that these netgroup entries are supposed to be kept together - it just parses the user and machine parts completely separately.

I just need to have one entry in access.conf that will cover special-case creation on the LDAP server but it doesn't seem to be possible, hence I am now looking at the LDAP-based host access thing.

-- 
Philip Kime
NOPS Systems Architect
310 401 0407
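As an added illustration (not part of Philip's post, and not pam_access's own code), here is a small Python model of the lookup behaviour the post describes: the netgroup named in the user position and the one named in the host position of the rule are consulted with two independent innetgr-style calls, so the (user,machine) pairs collapse into a cross product. The NETGROUPS table, the rule parser and the innetgr function are constructed for this example and deliberately simplify real pam_access; triples are stored in the (host, user, domain) order that nisNetgroupTriple uses. The bound_match function is only a contrast to show what a lookup that keeps the pair together would return, not a claim about how pam_access can be configured.

```python
# Added example (not from the post): a toy model of how a netgroup used in both
# the user and the host position of an access.conf rule gets evaluated when the
# two positions are checked independently, and which (user, host) pairs that
# over-grants compared with a lookup that keeps each triple together.
from typing import List, NamedTuple, Optional, Tuple


class Triple(NamedTuple):
    """One nisNetgroupTriple in (host, user, domain) order."""
    host: str
    user: str
    domain: str


# Constructed netgroup data mirroring the post's example: the "special"
# netgroup holds two host/user pairs that are meant to be read together.
NETGROUPS = {
    "special": [
        Triple("machine1", "user1", ""),
        Triple("machine2", "user2", ""),
    ],
}


def innetgr(netgroup: str, host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """Mimic the innetgr(3) lookup: every argument passed as None is a wildcard,
    so the caller decides which fields of a triple are actually compared."""
    for t in NETGROUPS.get(netgroup, []):
        if ((host is None or t.host == host)
                and (user is None or t.user == user)
                and (domain is None or t.domain == domain)):
            return True
    return False


def pam_style_match(rule: str, user: str, host: str) -> bool:
    """Simplified model of the behaviour the post describes for a rule of the
    form '+ @NG@@NG : ALL': the user field is checked with innetgr(NG, user=...)
    and the host field with innetgr(NG, host=...), as two separate lookups.
    Only an origins field of ALL is modelled."""
    perm, rest = rule.split(None, 1)
    users_field, origins_field = (s.strip() for s in rest.split(":", 1))
    if origins_field != "ALL":
        raise NotImplementedError("this toy model only handles ': ALL'")
    user_ng, host_ng = users_field.split("@@", 1)
    user_ok = innetgr(user_ng.lstrip("@"), user=user)
    host_ok = innetgr(host_ng.lstrip("@"), host=host)
    granted = user_ok and host_ok
    return granted if perm == "+" else not granted


def bound_match(netgroup: str, user: str, host: str) -> bool:
    """Contrast case: one innetgr call with both host and user set succeeds only
    when a single triple carries both values, i.e. the pairing the post wanted.
    This is shown for comparison only; it is not how the access.conf rule is
    evaluated in the model above."""
    return innetgr(netgroup, host=host, user=user)


def leaked_pairs(rule: str, netgroup: str) -> List[Tuple[str, str]]:
    """Every (user, host) the separate-lookup model grants although no single
    triple in the netgroup pairs them: the over-grant described in the post."""
    users = {t.user for t in NETGROUPS[netgroup]}
    hosts = {t.host for t in NETGROUPS[netgroup]}
    return sorted((u, h) for u in users for h in hosts
                  if pam_style_match(rule, u, h) and not bound_match(netgroup, u, h))


if __name__ == "__main__":
    RULE = "+ @special@@special : ALL"
    for u, h in [("user1", "machine1"), ("user2", "machine1")]:
        print(f"{u}@{h}: separate-lookup={pam_style_match(RULE, u, h)} "
              f"bound={bound_match('special', u, h)}")
    print("over-granted pairs:", leaked_pairs(RULE, "special"))
```

Running it prints user2@machine1 as granted by the separate-lookup model even though no triple pairs those two values, and leaked_pairs lists both cross-product entries. Feeding your own netgroup triples into NETGROUPS is a quick way to see, before deploying such a rule, how many unintended user/host combinations a multi-entry "special" netgroup would open up.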