Sean Carolan wrote:
>> This allows you to control who has access to the systems directly from
>> ldap. Add the entitlement and they have access. Remove the entitlement
>> and their access is revoked.
>>
>> My $0.02 CDN
>>
>
> Terry, this is perfect, just what I was looking for. I like being
> able to control access from the LDAP server itself.
>

For what it's worth, our take on that from a slightly different angle was the group method I mentioned earlier -- since all our groups are in LDAP, adding a user to a particular group allows them access to the boxes associated with that group. For example, we might have a group called "db-ssh" that defines a user group allowed to access database servers. Then we just make sure DB hosts get "AllowGroups db-ssh" added to their SSH configs. Plopping a user into the db-ssh group in LDAP then gives that person access to all the boxes that group is allowed to access with one LDAP entry.

We've found it a lot easier to manage than having to add an entry per host to user records, but then our servers tend to fall into easily-defined groups, which may not be the case for everyone, and the way we do it also relies on the only remote access to the box being over SSH.
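The AllowGroups approach described in the reply above, as an added example that is not part of the original thread: a small POSIX shell script that reads a constructed sshd_config fragment and evaluates whether a user with a given set of group memberships (the list `id -nG` or `getent group` would return once nsswitch resolves groups from LDAP) would pass sshd's AllowGroups check. The config text, the group names and the user_allowed/allow_groups helpers are all assumptions made for this example; it mirrors the documented AllowGroups semantics (a list of group-name patterns, the user must match at least one) but is not sshd's own code, and it ignores Match blocks and DenyGroups.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Simulates sshd's
# AllowGroups decision against a constructed config and constructed
# group memberships, so the effect of an LDAP group change can be
# reasoned about before touching a real host.

# Constructed sshd_config fragment for a database host, as described
# in the post: only members of db-ssh may log in over SSH.
SSHD_CONFIG_SAMPLE='
# constructed sample config for a DB host
PasswordAuthentication no
AllowGroups db-ssh
'

# Constructed variant using a pattern: AllowGroups accepts shell-style
# wildcards, so "db-*" would admit db-ssh, db-admin, and so on.
SSHD_CONFIG_WILDCARD='
AllowGroups db-* ops-ssh
'

# allow_groups CONFIG -> prints the patterns from the first AllowGroups
# directive (ignores Match blocks; empty output means no directive).
allow_groups() {
    printf '%s\n' "$1" |
        awk '/^[[:space:]]*AllowGroups[[:space:]]/ {
                 for (i = 2; i <= NF; i++) printf "%s ", $i
                 print ""; exit
             }'
}

# user_allowed CONFIG "group1 group2 ..." -> exit 0 if any of the user's
# groups matches an AllowGroups pattern, 1 otherwise. The second argument
# is the membership list that NSS/LDAP would report for the user.
user_allowed() {
    config=$1
    user_groups=$2
    patterns=$(allow_groups "$config")
    # No AllowGroups directive: sshd does not restrict by group here.
    [ -z "$patterns" ] && return 0
    for g in $user_groups; do
        for p in $patterns; do
            # Unquoted $p so case performs glob matching, as sshd does.
            case "$g" in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# Stand-alone demonstration with constructed memberships; on a real host
# you would substitute "$(id -nG "$user")" for the hard-coded lists.
for entry in "alice:users db-ssh" "bob:users web-ssh" "carol:users db-admin"; do
    user=${entry%%:*}
    groups=${entry#*:}
    if user_allowed "$SSHD_CONFIG_SAMPLE" "$groups"; then
        echo "$user: allowed (AllowGroups db-ssh)"
    else
        echo "$user: denied  (AllowGroups db-ssh)"
    fi
done
```

Removing a user from db-ssh in LDAP changes the second argument on the next login attempt and nothing else, which is the whole point of the group method; the caveat from the post still applies, since this gate only covers SSH and says nothing about console, serial or other remote-access paths.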