There are other options...

3) ssh logingroup. Create supplementary posix groups, assign users to those groups, tell the ssh server only to allow those groups.

pam_filter <filter>
    Specifies a filter to use when retrieving user information. The user entry must match the attribute value assertion of (pam_login_attribute=login_name) as well as any filter specified here. There is no default for this option.

pam_groupdn <groupdn>
    Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.

pam_member_attribute <attribute>
    Specifies the attribute to use when testing a user's membership of a group specified in the pam_groupdn option.

I used pam_groupdn. Very effective. I had a default login group that my kickstart creates. Then cluster by cluster I could create other objects for specific login groups.

2010/5/11 Brandon Price <bprice at wimba.com>

> I have found 2 methods for allowing individual users, or groups access to
> certain hosts via the directory server. (document link
> <http://docs.google.com/viewer?a=v&q=cache:RzrjRqKNyacJ:www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf+host+groups+redhat+directory+server&hl=en&gl=us&pid=bl&srcid=ADGEESjBSnH6fzg3FnIKNBbXOK0OsnzZf1T7N0vfyeeQcI9iwbhmV8tt1nzPUqrn_Bhm86XUuz_Z6jH3b-GkDKGxbi_VBpfSV6TR_5sCxpTLu9rlptyUH9bwCt7FSUnpm93rtHRXiKAy&sig=AHIEtbTVbKKeylWYyLqgjDG83y1_V2r60g>
> )
>
> *1. the host attribute *
> setup:
> on server: the host attribute can be defined after adding a user, it must
> list each host by fqdn that the user has access to
> on client: configure to check for the host attribute in the ldap.conf
>
> pros:
> +simple
> cons:
> -does not scale, if we add a host we then have to go and add that host to
> each allowed user, management would be time consuming as users, or hosts
> grow
>
>
> *2. define groups of users, and systems in directory server by
> using nisNetgroupTriple attribute *
> setup:
> on server: definition of the host, and user groups in the ldap server
> via nisNetgroupTriple
> on client: configure pam in /etc/pam/system-auth to check if user belongs
> to approved user group & system belongs to approved system group
> on client: configure pam_group module in /etc/security/group.conf
>
> pros:
> +scales
> cons:
> -not as simple, uses an old beast (NIS)
> -NIS adds an additional layer of complexity and points of failure
> -doesn't allow me to grant a single user auth on a single system (if even
> temporarily)
>
>
> Is there a third better option? Any suggestions or links to documentation
> would be highly appreciated. Thank you for your time.
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
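A pam_ldap client configuration that applies the pam_groupdn approach from the reply above (an added example, not from the thread or from 389 Directory Server itself; the base DN, server name, bind settings and group name are assumed):

```conf
# /etc/ldap.conf (pam_ldap) -- added example, not from the original thread.
# Assumed directory layout: base dc=example,dc=com, and a group entry
#   cn=login-default,ou=groups,dc=example,dc=com   (objectClass groupOfUniqueNames)
# whose uniqueMember values are the full DNs of the users allowed to log in here.
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem

# Which entries count as login accounts. pam_filter is ANDed with
# (pam_login_attribute=<login name>), so only posixAccount entries qualify.
pam_login_attribute uid
pam_filter objectClass=posixAccount

# Authorization: the user's DN must appear in the named group's member
# attribute or pam_ldap denies the login. A host that serves a different
# audience (a cluster, for example) points at its own group, e.g.
#   pam_groupdn cn=login-clusterA,ou=groups,dc=example,dc=com
# and the rest of this file stays identical across the kickstart image.
pam_groupdn cn=login-default,ou=groups,dc=example,dc=com
pam_member_attribute uniqueMember
```

The group test runs in pam_ldap's account stage, so pam_ldap.so must be listed under `account` in /etc/pam.d/system-auth or the restriction is never evaluated, and the group entry must be readable by whatever identity pam_ldap binds with.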