As an alternative, I've used the ldap/netgroup integration for many
years and it seems the cleanest way of doing it when used in conjunction
with pam's access.conf. It allows me to push the same /etc/passwd and
/etc/security/access.conf to all machines on the network via something
like CFEngine.
The access.conf consists of something like (allow all QA users access to
QA systems):
+ : @QA@@QAServers : ALL
Then I just add or remove the user or machine in the ldap netgroup
entry. The real power with using ldap based netgroups is when you
realize all of the services that can consume netgroup information,
unlike the simple user based host attribute. For example, you can push a
global /etc/sudoers and specify certain groups of users can run certain
commands on particular groups of machines all on one line. CFEngine
itself can query netgroups to know what config files to push, tools like
dsh (distributed ssh) can use netgroups as machine targets for commands,
etc. I've administered some very large networks of machines with these
tools and it makes it very easy to control.
Dan-
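The netgroup plus access.conf scheme described above, as an added example that is not part of the original post: a small Python evaluator over constructed nisNetgroup-style data that resolves nested netgroups and answers whether a (user, host) pair is allowed by access.conf-style rules. The rule semantics (user netgroup before @@, host netgroup after it) are an assumption modelling the intent stated in the post, not pam_access's actual parser, and the netgroup data is constructed.

```python
# Added example, not from the thread. Rule semantics model the intent
# "users in netgroup A may log in to hosts in netgroup B" (an assumption,
# not a reimplementation of pam_access's parser); data below is constructed.
from typing import Dict, List, Optional, Set, Tuple

# nisNetgroupTriple values are "(host,user,domain)"; memberNisNetgroup nests.
NETGROUPS: Dict[str, dict] = {
    "QA": {"triples": ["(,alice,)", "(,bob,)"], "members": ["QALeads"]},
    "QALeads": {"triples": ["(,carol,)"], "members": []},
    "QAServers": {"triples": ["(qa1.example.com,,)", "(qa2.example.com,,)"], "members": []},
    "WWWServers": {"triples": ["(www1.example.com,,)"], "members": []},
}

def flatten(name: str, seen: Optional[Set[str]] = None) -> List[Tuple[str, ...]]:
    """Resolve nested netgroups; 'seen' guards against reference cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in NETGROUPS:
        return []
    seen.add(name)
    out = [tuple(t.strip("()").split(",")) for t in NETGROUPS[name]["triples"]]
    for member in NETGROUPS[name]["members"]:
        out.extend(flatten(member, seen))
    return out

def in_netgroup(name: str, user: Optional[str] = None, host: Optional[str] = None) -> bool:
    """An empty host or user field in a triple is a wildcard, as in NIS."""
    return any((user is None or u in ("", user)) and (host is None or h in ("", host))
               for h, u, _ in flatten(name))

def rule_matches(users_field: str, user: str, host: str) -> bool:
    if users_field == "ALL":
        return True
    if users_field.startswith("@"):  # "@usergroup" or "@usergroup@@hostgroup"
        user_ng, _, host_ng = users_field[1:].partition("@@")
        return in_netgroup(user_ng, user=user) and (not host_ng or in_netgroup(host_ng, host=host))
    return users_field == user

def allowed(user: str, host: str, access_conf: str) -> bool:
    """First matching rule wins; no match grants access, as pam_access does,
    which is why the trailing '- : ALL : ALL' deny line matters."""
    for line in access_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users_field, _origins = (f.strip() for f in line.split(":", 2))
        if rule_matches(users_field, user, host):
            return perm == "+"
    return True

ACCESS_CONF = "+ : @QA@@QAServers : ALL\n+ : root : ALL\n- : ALL : ALL\n"
```

Dropping the final deny line makes every unmatched (user, host) pair pass, which is the easiest way to turn a restrictive file into an open one.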
Jason Hane wrote:
I had a similar question a few weeks ago. I wanted to be able to assign
a list of users access to only a specific number of computers. This is
the response I got from Gary Tay:
FDS is very similar to SUN ONE DS5.2. I think netgroup (+@netgroupXXX in
/etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf)
LDAP maps could be set up to achieve what you want; it has been used by
many DS5.2 administrators.
See:
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP
Clients
(i.e. controlling user access to host using netgroup LDAP maps)
Also see:
http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
Configuring LDAP netgroups
Gary
-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx
[mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Michael
Montgomery
Sent: Tuesday, January 03, 2006 1:35 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: Server-Side ACLs for pam_ldap logins.
Thanks for the response. I'll read up on this, and see if I can get
this working.
On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
Michael Montgomery wrote:
I do agree that this is closer to what I'm looking for, but the first
problem I see is that I wanted to allow Groups of people to login to
Groups of servers like:
cn=www,ou=Group,dc=example,dc=com is a group of www servers.
cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users.
So basically, only the people in the Unix group can log in to the www
servers, and so forth.
Right. The host attribute is per user. You could set up Roles for
your users, and use Class of Service to automatically add the host
attribute to the role members.
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users