I have found 2 methods for allowing individual users, or groups access to certain hosts via the directory server. (document link) 1. the host attribute setup: on server: the host attribute can be defined after adding a user, it must list each host by fqdn that the user has access to on client: configure to check for the host attribute in the ldap.conf pros: +simple cons: -does not scale, if we add a host we then have to go and add that host to each allowed user, management would be time consuming as users, or hosts grow 2. define groups of users, and systems in directory server by using nisNetgroupTriple attribute setup: on server: definition of the host, and user groups in the ldap server via nisNetgroupTriple on client: configure pam in /etc/pam/system-auth to check if user belongs to approved user group & system belongs to approved system group on client: configure pam_group module in /etc/security/group.conf pros: +scales cons: -not as simple, uses an old beast (NIS) -NIS adds an additional layer of complexity and points of failure -doesn't allow me to grant a single user auth on a single system (if even temporarily) |
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
