Dan Cox wrote:
> I suppose I could put something together.. are you talking about something from the ground up like setting up nss_ldap, adding entries into LDAP, etc. or assume some of the prerequisites are in place?
> If there is already sufficient documentation on setting up nss_ldap or other prerequisites, then just a pointer to that will be fine.
> Also I'm assuming some short example usages of the tools I've mentioned?

Sure. At least on group based host access restriction, which seems to be the most asked for info.

> Dan-
>
> Jason Hane wrote:
>> I second that. Dan if you can provide any resources you used to set up your netgroups I would hail at your feet. I've been playing with netgroups unsuccessfully for the past month and a half and haven't been able to get it to work. All my clients are RedHat ES 3&4.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Richard Megginson
>> Sent: Tuesday, January 03, 2006 4:06 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: Server-Side ACLs for pam_ldap logins.
>>
>> This looks very interesting and useful. Would you mind writing up something I can post on the Fedora DS wiki? Don't worry about formatting, spelling, etc. I can fix that up.
>>
>> Dan Cox wrote:
>>> As an alternative, I've used the ldap/netgroup integration for many years and it seems the cleanest way of doing it when used in conjunction with pam's access.conf. It allows me to push the same /etc/passwd and /etc/security/access.conf to all machines on the network via something like CFEngine.
>>>
>>> The access.conf consists of something like (allow all QA users access to QA systems):
>>>
>>> + : @QA@@QAServers : ALL
>>>
>>> Then I just add or remove the user or machine in the ldap netgroup entry. The real power with using ldap based netgroups is when you realize all of the services that can consume netgroup information, unlike the simple user based host attribute. For example, you can push a global /etc/sudoers and specify certain groups of users can run certain commands on particular groups of machines all on one line. CFEngine itself can query netgroups to know what config files to push, tools like dsh (distributed ssh) can use netgroups as machine targets for commands, etc. I've administered some very large networks of machines with these tools and it makes it very easy to control.
>>>
>>> Dan-
>>>
>>> Jason Hane wrote:
>>>> I had a similar question a few weeks ago. I wanted to be able to assign a list of users access to only a specific number of computers.
>>>>
>>>> This is the response I got from Gary Tay:
>>>>
>>>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX in /etc/passwd and /etc/shadow and "compat" keyword in /etc/nsswitch.conf) LDAP maps could be setup to achieve what you want, it has been used by many DS5.2 administrators
>>>>
>>>> See: http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>>>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP Clients (i.e. controlling user access to host using netgroup LDAP maps)
>>>>
>>>> Also see: http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846 Configuring LDAP netgroups
>>>>
>>>> Gary
>>>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Michael Montgomery
>>>> Sent: Tuesday, January 03, 2006 1:35 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: Server-Side ACLs for pam_ldap logins.
>>>>
>>>> Thanks for the response. I'll read up on this, and see if I can get this working.
>>>>
>>>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>>>> Michael Montgomery wrote:
>>>>>> I do agree that this is closer to what I'm looking for, but the first problem I see is that I wanted to allow Groups of people to login to Groups of servers like:
>>>>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers.
>>>>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users.
>>>>>> So basically, only the people in the Unix group can login to the www servers, and so forth.
>>>>> Right. The host attribute is per user. You could set up Roles for your users, and use Class of Service to automatically add the host attribute to the role members.
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
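As an added illustration of the netgroup-based access rule Dan Cox describes above (example code written for this page, not from the thread, pam_access or nss_ldap): constructed nisNetgroup entries for QA and QAServers, an innetgr(3)-style resolver over them that follows nested memberNisNetgroup references, and the user/host check that the "+ : @QA@@QAServers : ALL" line is meant to express. The netgroup names, hostnames and user names are assumed sample values, and the check follows the rule's stated intent rather than reproducing pam_access's own matching code.

```python
# Constructed sample LDAP netgroup entries: users in QA (QALeads nested), hosts in QAServers.
SAMPLE_LDIF = """\
dn: cn=QA,ou=Netgroup,dc=example,dc=com
cn: QA
nisNetgroupTriple: (,alice,)
memberNisNetgroup: QALeads

dn: cn=QALeads,ou=Netgroup,dc=example,dc=com
cn: QALeads
nisNetgroupTriple: (,carol,)

dn: cn=QAServers,ou=Netgroup,dc=example,dc=com
cn: QAServers
nisNetgroupTriple: (qa1.example.com,-,)
nisNetgroupTriple: (qa2.example.com,-,)
"""

def parse_netgroups(ldif):
    """Map netgroup name -> ([(host, user, domain), ...], [nested netgroup names])."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        name, triples, members = None, [], []
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                name = value
            elif attr == "nisNetgroupTriple":
                triples.append(tuple(f.strip() for f in value.strip("()").split(",")))
            elif attr == "memberNisNetgroup":
                members.append(value)
        groups[name] = (triples, members)
    return groups

def field_matches(have, want):
    # want=None: caller does not care; have="": wildcard; have="-": matches nothing.
    return want is None or have == "" or (have != "-" and have == want)

def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """innetgr(3)-style membership test that follows memberNisNetgroup nesting."""
    _seen = _seen if _seen is not None else set()
    if netgroup in _seen or netgroup not in groups:
        return False                      # unknown netgroup, or a membership loop
    _seen.add(netgroup)
    triples, members = groups[netgroup]
    return (any(all(map(field_matches, t, (host, user, domain))) for t in triples)
            or any(innetgr(groups, m, host, user, domain, _seen) for m in members))

def access_allowed(groups, user, host, user_ng="QA", host_ng="QAServers"):
    # Intent of "+ : @QA@@QAServers : ALL": user in QA and login host in QAServers (assumed).
    return innetgr(groups, user_ng, user=user) and innetgr(groups, host_ng, host=host)
```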