Host based ACI

I'm doing this by setting the pam_filter attribute on each server in my
/etc/ldap.conf file.  This means an entry like the following will only
allow users which have a host attribute which contains either the
server's name or a wildcard.  Just don't forget that for authentication
purposes, a user is invisible to a given host unless the account has
both the host attribute and the proper server name.

pam_filter |(host=server1)(host=\*)


Cheers,
 
Greg Copeland
 

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
> Sent: Tuesday, November 14, 2006 10:49 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: Host based ACI
> 
> Greg Hetrick wrote:
> > I am trying to implement host based ACI for either users or groups.
> > Basic question: can you achieve the same results as using the host ACI as you would with host attributes per user.
> >
> > I am trying to find a way not to specifically include each host in
> > each user that needs access to every host or multiple hosts.
> >
> > Is it possible to add Host based ACI to a group and have the members
> > of that group be granted access to only those specific hosts? Say for
> > example having a group for admins with every host and adding users to
> > that group thus giving them access to all hosts, same with a
> > development group with only access to development hosts.
> >
> > Any direction that you can give would be much appreciated. I have
> > attempted to setup ACIs for a particular user to a single host, but it
> > doesn't appear that it is working, seems like I am missing either a
> > client side LDAP setting or an Attribute on the user to handle the
> > ACI. I was able to setup host based access using the host attribute
> > per user, that just seems tedious.
> I don't think you want to use ACIs for this.  You need something that
> works on the client side - PAM/NSS/Posix - that the client side
> understands and enforces.  ACIs are really only useful to enforce server
> side rules, unless the client has explicit knowledge that relationships
> modeled in LDAP apply to the client side as well (PAM/NSS do not).
> 
> You could implement Role Based Attributes using the "host" attribute if
> the following criteria are met:
> 1) You can define your groups using the Roles feature, not e.g. posix
> groups.  Fedora DS Role Based Attributes must use roles to define group
> membership.
> 2) PAM/NSS do not perform searches like (host=foo.bar.com) to determine
> user access.  Instead, PAM must perform searches like uid=loginname and
> retrieve the host attribute of the user, and use that to determine access.
> 
> See http://directory.fedora.redhat.com/wiki/Howto:ClassOfService for a
> description of how Class of Service works and how it can be used to
> implement Role Based Attributes.
> 
> If all else fails, you will probably have to use Netgroups -
> http://directory.fedora.redhat.com/wiki/Howto:Netgroups
> >
> > Thanks,
> > Greg
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
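The pam_filter approach above, and Richard's point that it is the client (PAM), not the server's ACIs, that enforces the host check, can be reviewed offline before a change is rolled out. The following Python script is an added example, not code from this thread, from pam_ldap or from the Fedora Directory Server project. It parses a constructed LDIF snapshot of a few accounts, applies the filter the way pam_ldap is assumed to (ANDing the configured pam_filter with the login lookup, roughly `(&(<pam_filter>)(uid=<login>))`; the exact wrapping is an assumption), and reports which accounts a given host would accept and which carry the literal host value `*`, which is what an access reviewer wants to see first. It also shows why the `\*` in the filter matters: an unescaped `(host=*)` is an LDAP presence test and matches every account that has any host attribute at all.

```python
"""Offline review of pam_ldap-style host restrictions (added example).

Assumption: pam_ldap ANDs the configured pam_filter with the login lookup,
searching roughly (&(<pam_filter>)(uid=<login>)); a user who does not match
is invisible to that host.  The LDIF below is constructed sample data.
"""
import re

# Constructed sample directory: four accounts, one with the literal host "*".
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
objectClass: account
host: server1
host: server2

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
objectClass: account
host: *

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
objectClass: account

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
objectClass: account
host: dev1
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines only (no base64 '::' values, no line folding)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_filter(s, i=0):
    """Parse a small RFC 4515 subset: (&...), (|...), (!...) and (attr=value).
    Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    return ("=", attr.strip().lower(), value), end + 1


def value_regex(pattern):
    """Assertion value -> regex: '*' is a wildcard; '\\XX' (RFC 4515 hex) and
    old-style '\\c' escapes yield the literal character, so '\\*' means '*'."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            hexpair = pattern[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                parts.append(re.escape(chr(int(hexpair, 16))))
                i += 3
            else:
                parts.append(re.escape(pattern[i + 1:i + 2]))
                i += 2
        elif c == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(c))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> [values])."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return bool(node[1]) and not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":          # bare '*' is a presence filter, not a literal
        return bool(values)
    rx = value_regex(pattern)
    return any(rx.fullmatch(v) for v in values)


def escape_assertion(value):
    """RFC 4515 escaping for a value spliced into a filter, so a login name
    cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def effective_filter(pam_filter, login):
    """The search pam_ldap is assumed to issue for a login attempt."""
    return f"(&({pam_filter})(uid={escape_assertion(login)}))"


def users_visible(entries, pam_filter):
    """uids this host would find (and therefore could authenticate)."""
    found = []
    for entry in entries:
        for uid in entry.get("uid", []):
            node, _ = parse_filter(effective_filter(pam_filter, uid))
            if matches(node, entry):
                found.append(uid)
    return sorted(found)


def wildcard_accounts(entries):
    """Accounts whose host attribute holds the literal '*': valid on every
    host that uses the wildcard clause, so review these first."""
    return sorted(uid for e in entries if "*" in e.get("host", [])
                  for uid in e.get("uid", []))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("server1 (escaped):  ", users_visible(directory, r"|(host=server1)(host=\*)"))
    print("server1 (unescaped):", users_visible(directory, "|(host=server1)(host=*)"))
    print("wildcard accounts:  ", wildcard_accounts(directory))
```

Running the script with the sample data shows the difference the escape makes: the escaped filter from the message above admits alice and bob on server1, while the unescaped form also admits dave, because `(host=*)` matches his `dev1` value by presence. Running `wildcard_accounts` against a real export (via `ldapsearch -LLL`) is a quick way to list the accounts that every host trusts.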
