Greg Hetrick wrote:
> I am trying to implement host based ACI for either users or groups. Basic question: can you achieve the same results using the host ACI as you would with host attributes per user?

I don't think you want to use ACIs for this. You need something that works on the client side - PAM/NSS/Posix - that the client side understands and enforces. ACIs are really only useful to enforce server side rules, unless the client has explicit knowledge that relationships modeled in LDAP apply to the client side as well (PAM/NSS do not).

> I am trying to find a way not to specifically include each host in each user that needs access to every host or multiple hosts. Is it possible to add host based ACI to a group and have the members of that group be granted access to only those specific hosts? Say for example having a group for admins with every host and adding users to that group, thus giving them access to all hosts, same with a development group with only access to development hosts.
>
> Any direction that you can give would be much appreciated. I have attempted to set up ACIs for a particular user to a single host, but it doesn't appear that it is working; seems like I am missing either a client side LDAP setting or an attribute on the user to handle the ACI. I was able to set up host based access using the host attribute per user, that just seems tedious.
You could implement Role Based Attributes using the "host" attribute if the following criteria are met:

1) You can define your groups using the Roles feature, not e.g. posix groups. Fedora DS Role Based Attributes must use roles to define group membership.

2) PAM/NSS do not perform searches like (host=foo.bar.com) to determine user access. Instead, PAM must perform searches like uid=loginname and retrieve the host attribute of the user, and use that to determine access.
See http://directory.fedora.redhat.com/wiki/Howto:ClassOfService for a description of how Class of Service works and how it can be used to implement Role Based Attributes.
If all else fails, you will probably have to use Netgroups - http://directory.fedora.redhat.com/wiki/Howto:Netgroups
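As an added example (not code from this thread or from the Fedora DS documentation), the following LDIF sketches the role-based-attribute approach described above: a managed role plus a classic Class of Service that supplies a "host" attribute to every member of the role. The suffix dc=example,dc=com, the role name DevRole, the template container name and the host names are all assumptions.

```ldif
# Constructed example: role-based "host" attribute via classic CoS.
# Suffix, role name, container name and host names are assumptions.

# 1) Managed role; a user joins it by carrying nsRoleDN pointing here.
dn: cn=DevRole,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: DevRole

# 2) Container holding one CoS template per role.
dn: cn=HostTemplates,ou=People,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: HostTemplates

# 3) Template whose cn is the role DN; its host values are handed to role members.
dn: cn="cn=DevRole,ou=People,dc=example,dc=com",cn=HostTemplates,ou=People,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
cn: "cn=DevRole,ou=People,dc=example,dc=com"
host: dev1.example.com
host: dev2.example.com

# 4) Classic CoS definition: select the template by the entry's computed
#    nsRole value and generate "host". merge-schemes keeps any host values
#    the user entry sets itself, so per-user exceptions still work.
dn: cn=HostCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=HostTemplates,ou=People,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: host merge-schemes

# 5) Make a user a member of the role. The entry's object classes must
#    permit "host" (e.g. the account object class) or CoS will not add it.
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=DevRole,ou=People,dc=example,dc=com
```

After this, a search for uid=alice returns host: dev1.example.com and host: dev2.example.com alongside her own attributes, which is what a pam_ldap client configured with pam_check_host_attr yes reads to decide whether the login is allowed on that host.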
> Thanks,
> Greg

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users