I second that. Dan, if you can provide any resources you used to set up your netgroups I would hail at your feet. I've been playing with netgroups unsuccessfully for the past month and a half and haven't been able to get it to work. All my clients are RedHat ES 3&4.

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Richard Megginson
Sent: Tuesday, January 03, 2006 4:06 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: Server-Side ACLs for pam_ldap logins.

This looks very interesting and useful. Would you mind writing up something I can post on the Fedora DS wiki? Don't worry about formatting, spelling, etc. I can fix that up.

Dan Cox wrote:
>
> As an alternative, I've used the ldap/netgroup integration for many years and it seems the cleanest way of doing it when used in conjunction with pam's access.conf. It allows me to push the same /etc/passwd and /etc/security/access.conf to all machines on the network via something like CFEngine.
>
> The access.conf consists of something like (allow all QA users access to QA systems):
> + : @QA@@QAServers : ALL
>
> Then I just add or remove the user or machine in the ldap netgroup entry. The real power with using ldap based netgroups is when you realize all of the services that can consume netgroup information, unlike the simple user based host attribute. For example, you can push a global /etc/sudoers and specify certain groups of users can run certain commands on particular groups of machines all on one line. CFEngine itself can query netgroups to know what config files to push, tools like dsh (distributed ssh) can use netgroups as machine targets for commands, etc. I've administered some very large networks of machines with these tools and it makes it very easy to control.
>
> Dan-
>
> Jason Hane wrote:
>
>> I had a similar question a few weeks ago. I wanted to be able to assign a list of users access to only a specific number of computers. This is the response I got from Gary Tay:
>>
>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX in /etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) LDAP maps could be set up to achieve what you want, it has been used by many DS5.2 administrators
>>
>> See:
>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP Clients (i.e. controlling user access to host using netgroup LDAP maps)
>>
>> Also see:
>> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>> Configuring LDAP netgroups
>>
>> Gary
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Michael Montgomery
>> Sent: Tuesday, January 03, 2006 1:35 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: Server-Side ACLs for pam_ldap logins.
>>
>> Thanks for the response. I'll read up on this, and see if I can get this working.
>>
>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>
>>> Michael Montgomery wrote:
>>>
>>>> I do agree that this is closer to what I'm looking for, but the first problem I see is that I wanted to allow Groups of people to login to Groups of servers like:
>>>>
>>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers.
>>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users.
>>>>
>>>> So basically, only the people in the Unix group can login to the www servers, and so forth.
>>>
>>> Right. The host attribute is per user. You could set up Roles for your users, and use Class of Service to automatically add the host attribute to the role members.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
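The thread above leans on LDAP netgroups (user netgroup QA, host netgroup QAServers) and on pam_access consuming them, but never shows what the directory entries look like or how membership is evaluated. The following is an added example, written for this page and not code from any of the list posters or from Fedora Directory Server: it parses nisNetgroup entries in the RFC 2307 schema (nisNetgroupTriple values of the form "(host,user,domain)", memberNisNetgroup for nesting), reimplements the innetgr(3) lookup that pam_access and other netgroup consumers call (an empty triple field is a wildcard; nested netgroups are searched recursively), and evaluates the intent of Dan's rule "QA users may log in to QA servers". The LDIF, the netgroup names and the host names are constructed sample data; the ou=Netgroup container is an assumption.

```python
"""Evaluate LDAP-stored netgroups the way innetgr(3) does.

Netgroups in the RFC 2307 schema are nisNetgroup entries carrying
nisNetgroupTriple values "(host,user,domain)" and memberNisNetgroup
values naming nested netgroups. An empty field in a triple matches
anything, which is how a user-only netgroup (QA) and a host-only
netgroup (QAServers) are expressed.
"""
import re

# Constructed sample data for this example: two user netgroups, one host
# netgroup, and a nested netgroup (Ops) that includes all of QA.
SAMPLE_LDIF = """\
dn: cn=QA,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: QA
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,)

dn: cn=QAServers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: QAServers
nisNetgroupTriple: (qa1.example.com,,)
nisNetgroupTriple: (qa2.example.com,,)

dn: cn=Ops,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: Ops
nisNetgroupTriple: (,carol,)
memberNisNetgroup: QA
"""

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,]*)\)$")


def parse_netgroups(ldif):
    """Return {name: {"triples": [(host, user, domain), ...],
                      "members": [nested netgroup names]}}."""
    groups = {}
    cn, triples, members = None, [], []
    for line in ldif.splitlines() + [""]:  # trailing "" flushes the last entry
        line = line.strip()
        if not line:
            if cn is not None:
                groups[cn] = {"triples": triples, "members": members}
            cn, triples, members = None, [], []
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "cn":
            cn = value
        elif attr == "nisNetgroupTriple":
            m = TRIPLE_RE.match(value)
            if not m:
                raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
            triples.append(tuple(f.strip() for f in m.groups()))
        elif attr == "memberNisNetgroup":
            members.append(value)
    return groups


def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """Mimic innetgr(3): True if some triple of the netgroup, or of a
    netgroup nested in it, matches the given host/user/domain. A None
    argument is not checked and an empty triple field matches anything.
    Unknown netgroups are simply not members; membership cycles are
    tolerated instead of recursing forever."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    for have_host, have_user, have_domain in groups[netgroup]["triples"]:
        if all(want is None or have == "" or have == want
               for have, want in ((have_host, host),
                                  (have_user, user),
                                  (have_domain, domain))):
            return True
    return any(innetgr(groups, nested, host, user, domain, _seen)
               for nested in groups[netgroup]["members"])


def access_allowed(groups, user, host, user_netgroup, host_netgroup):
    """The intent behind a line such as '+ : @QA@@QAServers : ALL':
    the user must be in the user netgroup and the machine being logged
    into must be in the host netgroup."""
    return (innetgr(groups, user_netgroup, user=user)
            and innetgr(groups, host_netgroup, host=host))


if __name__ == "__main__":
    g = parse_netgroups(SAMPLE_LDIF)
    for who, where in (("alice", "qa1.example.com"),
                       ("alice", "web1.example.com"),
                       ("dave", "qa1.example.com")):
        print(who, "on", where, "->",
              "allowed" if access_allowed(g, who, where, "QA", "QAServers") else "denied")
```

Two practical points follow from the code. First, the wildcard rule is why a one-character slip in a triple matters: "(,,)" is a member of everything, so an entry review should look for triples with every field empty. Second, the real pam_access parses the "@netgroup@@..." form itself before calling innetgr(3); check access.conf(5) on the PAM version you deploy for how it binds the part after the second "@@", and test a rule against a user that should be denied before pushing the file to every host, because a netgroup name that does not exist yields "not a member", and a "+" rule that silently never matches is easy to miss.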