Re: Server-Side ACLs for pam_ldap logins.

[Dan Cox <dan@xxxxxxx>]

I suppose I could put something together.. are you talking about 
something from the ground up like setting up nss_ldap, adding entries 
into LDAP, etc. or assume some of the prerequisites are in place? Also 
I'm assuming some short example usages of the tools I've mentioned?

Dan-

Jason Hane wrote:

> I second that.  Dan if you can provide any resources you used to set up
> your netgroups I would hail at your feet.  I've been playing with
> netgroups unsuccessfully for the past month and a half and haven't been
> able to get it to work.  All my clients are RedHat ES 3&4.
>
> -----Original Message-----
> From: fedora-directory-users-bounces@xxxxxxxxxx
> [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Richard
> Megginson
> Sent: Tuesday, January 03, 2006 4:06 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re:  Server-Side ACLs for pam_ldap
> logins.
>
> This looks very interesting and useful.  Would you mind writing up
> something I can post on the Fedora DS wiki?  Don't worry about
> formatting, spelling, etc.  I can fix that up.
>
> Dan Cox wrote:
>
>  
>
> > As an alternative, I've used the ldap/netgroup integration for many 
> > years and it seems the cleanest way of doing it when used in 
> > conjunction with pam's access.conf. It allows me to push the same 
> > /etc/passwd and /etc/security/access.conf to all machines on the 
> > network via something like CFEngine.
> >
> > The access.conf consists of something like (allow all QA users access 
> > to QA systems):
> > + : @QA@@QAServers : ALL
> >
> > Then I just add or remove the user or machine in the ldap netgroup 
> > entry. The real power with using ldap based netgroups is when you 
> > realize all of the services that can consume netgroup information, 
> > unlike the simple user based host attribute. For example, you can push
> >    
>
>  
>
> > a global /etc/sudoers and specify certain groups of users can run 
> > certain commands on particular groups of machines all on one line.
> > CFEngine itself can query netgroups to know what config files to push,
> >    
>
>  
>
> > tools like dsh (distributed ssh) can use netgroups as machine targets 
> > for commands, etc. I've administered some very large networks of 
> > machines with these tools and it makes it very easy to control.
> >
> > Dan-
> >
> > Jason Hane wrote:
> >
> >    
> >
> > > I had a similar question a few weeks ago.  I wanted to be able to 
> > > assign a list of users access to only a specific number of computers.
> > >      
>
>  
>
> > > This is the response I got from Gary Tay:
> > >
> > > FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX
> > >      
>
>  
>
> > > in /etc/passwd and /etc/shadow and "compat" keyword in 
> > > /etc/nsswitch.conf) LDAP maps could be setup to achieve what you 
> > > want, it has been used by many DS5.2 administrators
> > >
> > > See:
> > > http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20O
> > > pen LDAP%20for%20RedHat%20Enterprise%20Linux3.htm
> > > Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native 
> > > LDAP Clients (i.e. controlling user access to host using netgroup 
> > > LDAP maps)
> > >
> > > Also see:
> > > http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=2238
> > > 46#
> > > 223846
> > > Configuring LDAP netgroups
> > > Gary
> > > -----Original Message-----
> > > From: fedora-directory-users-bounces@xxxxxxxxxx
> > > [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of 
> > > Michael Montgomery
> > > Sent: Tuesday, January 03, 2006 1:35 PM
> > > To: General discussion list for the Fedora Directory server project.
> > > Subject: Re:  Server-Side ACLs for pam_ldap 
> > > logins.
> > >
> > > Thanks for the response.  I'll read up on this, and see if I can get 
> > > this working.
> > >
> > > On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
> > >
> > >
> > >      
> > >
> > > > Michael Montgomery wrote:
> > > >
> > > >  
> > > >
> > > >        
> > > >
> > > > > I do agree that this is closer to what I'm looking for, but the 
> > > > > first
> > > > >    
> > > > >          
> > >
> > >
> > >      
> > >
> > > > > problem I see is that I wanted to allow Groups of people to login 
> > > > > to Groups of servers like:
> > > > >
> > > > > cn=www,ou=Group,dc=example,dc=com  is a group of www servers.
> > > > > cn=Unix,ou=Group,dc=example,dc=com  is a group of Unix users.
> > > > >
> > > > > So basically, on the people in the Unix group, can login to the www
> > > > >          
>
>  
>
> > > > > servers, and so forth.
> > > > >
> > > > >
> > > > >    
> > > > >          
> > > > Right.  The host attribute is per user.  You could set up a Roles 
> > > > for your users, and use Class of Service to automatically add the 
> > > > host attribute to the role members.
> > > >  
> > > >        
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > >
> > >      
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >    
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users