I'm wondering - can I use something like netgroups in the LDAP host-based ("host" attribute) for access restriction? I have over 1000 servers and there is no way I can list every combination of user/host explicitly.
I have looked at pam_access with LDAP netgroups, which is great but there is one crucial problem - if a user needs temporary access for example to a certain machine and this falls outside of my netgroup definitions then there seems to be no way to allow specific access using pam_access and /etc/security/access.conf, without having to push out over 1000 new copies of this file. I need to be able to grant special access like this on the LDAP server. The only thing I can think of is this in access.conf:

    + @special@@special : ALL
where the "special" netgroup contains nisnetgroup triples like

    (user,machine,)
Normally, you don't use both fields in a netgroup triple but this works fine in access.conf because PAM uses the user part when the netgroup is used in the user position of the user@host field and uses the machine part when the netgroup is in the "host" position. I thought this was really nice until I realised that this means that if the "special" netgroup contains several entries like:

    (user1,machine1)
    (user2,machine2)
Then user2 also gets access to machine1 and user1 gets access to machine2 because PAM doesn't understand that these netgroup entries are supposed to be kept together - it just parses the user and machine parts completely separately.
I just need to have one entry in access.conf that will cover special-case creation on the LDAP server but it doesn't seem to be possible, hence I am now looking at the LDAP-based host access thing.
--
Philip Kime
NOPS Systems Architect
310 401 0407
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
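To make the cross-matching described in the post concrete, here is an added Python model (it is not pam_access's code and not the poster's) of the two ways a netgroup's triples can be consulted: user field and host field checked independently, which is the behaviour the post describes for the "@special@@special" line, versus requiring the (user, host) pair to come from the same triple. The "special" netgroup contents are constructed sample data, and an audit helper lists the pairs that only the field-by-field check lets through.

```python
import re

# Constructed sample "special" netgroup, in the textual form used in the post.
SPECIAL_TEXT = """
(user1,machine1)
(user2,machine2)
"""


def parse_netgroup(text):
    """Parse '(user,host,domain)' triples; missing trailing fields become ''.
    An empty field is a wildcard, as in ordinary netgroup semantics."""
    triples = []
    for m in re.finditer(r"\(([^)]*)\)", text):
        fields = [f.strip() for f in m.group(1).split(",")]
        fields += [""] * (3 - len(fields))
        triples.append(tuple(fields[:3]))
    return triples


def allowed_separately(triples, user, host):
    """Modelled field-by-field check: 'is user any user member?' and
    'is host any host member?' are answered independently, so the pairing
    inside each triple is lost (the behaviour the post complains about)."""
    users = {u for u, _, _ in triples if u}
    hosts = {h for _, h, _ in triples if h}
    return user in users and host in hosts


def allowed_as_triple(triples, user, host):
    """Intended semantics: both values must match within one triple,
    like innetgr(3) called with user and host set. '' matches anything."""
    return any(u in ("", user) and h in ("", host) for u, h, _ in triples)


def audit(triples, users, hosts):
    """Return (user, host) pairs admitted by the independent check but
    rejected by the whole-triple check: the unintended grants."""
    return sorted(
        (u, h)
        for u in users
        for h in hosts
        if allowed_separately(triples, u, h) and not allowed_as_triple(triples, u, h)
    )


if __name__ == "__main__":
    special = parse_netgroup(SPECIAL_TEXT)
    for pair in audit(special, ["user1", "user2"], ["machine1", "machine2"]):
        print("unintended grant:", pair)
```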