3) ssh login group. Create supplementary POSIX groups, assign users to those groups, and tell the ssh server to allow only those groups.
pam_filter <filter>
    Specifies a filter to use when retrieving user information. The user entry must match the attribute value assertion of (pam_login_attribute=login_name) as well as any filter specified here. There is no default for this option.

pam_groupdn <groupdn>
    Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.

pam_member_attribute <attribute>
    Specifies the attribute to use when testing a user's membership of a group specified in the pam_groupdn option.
I used pam_groupdn. Very effective. I had a default login group that my kickstart creates. Then, cluster by cluster, I could create other objects for specific login groups.
2010/5/11 Brandon Price <bprice@xxxxxxxxx>

I have found 2 methods for allowing individual users, or groups, access to certain hosts via the directory server. (document link)

1. the host attribute
setup:
on server: the host attribute can be defined after adding a user; it must list each host by FQDN that the user has access to
on client: configure to check for the host attribute in the ldap.conf
pros:
+ simple
cons:
- does not scale; if we add a host we then have to go and add that host to each allowed user; management would be time consuming as users or hosts grow

2. define groups of users and systems in directory server by using the nisNetgroupTriple attribute
setup:
on server: definition of the host and user groups in the ldap server via nisNetgroupTriple
on client: configure pam in /etc/pam/system-auth to check if user belongs to approved user group & system belongs to approved system group
on client: configure pam_group module in /etc/security/group.conf
pros:
+ scales
cons:
- not as simple, uses an old beast (NIS)
- NIS adds an additional layer of complexity and points of failure
- doesn't allow me to grant a single user auth on a single system (if even temporarily)

Is there a third better option? Any suggestions or links to documentation would be highly appreciated. Thank you for your time.
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
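As an added example (not code from this thread, from pam_ldap, or from 389 Directory Server), the following Python models the authorization decision behind the three schemes discussed above: the per-user host attribute, nisNetgroupTriple host and user netgroups (including memberNisNetgroup nesting and a cycle in that nesting), and a pam_groupdn-style login group checked through a configurable member attribute. It runs against a constructed in-memory directory instead of a live server; every DN, user, host and group name is made up for illustration. The triple matching follows the classic netgroup convention, which is an assumption stated here rather than something the thread spells out: an empty field is a wildcard, "-" never matches, and a caller who leaves a field as None does not constrain it.

```python
"""Model of the three host-access schemes from the thread, evaluated against a
constructed in-memory directory instead of a live LDAP server.  Added example,
not code from the thread, pam_ldap or 389-ds; every DN, name and value below is
constructed for illustration."""

# Constructed directory: DN -> attributes.  Values are lists, as LDAP returns them.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"],
        # Method 1: per-user host attribute, one FQDN per value.
        "host": ["node01.example.com", "node02.example.com"],
    },
    "uid=bob,ou=People,dc=example,dc=com": {"uid": ["bob"], "host": ["login.example.com"]},
    "uid=carol,ou=People,dc=example,dc=com": {"uid": ["carol"]},  # no host attribute at all
    # Method 2: netgroups as (host,user,domain) triples; nesting via memberNisNetgroup.
    "cn=cluster-a-hosts,ou=Netgroup,dc=example,dc=com": {
        "cn": ["cluster-a-hosts"],
        "nisNetgroupTriple": ["(node01.example.com,,)", "(node02.example.com,,)"],
        # Deliberate cycle (all-clusters -> cluster-a-hosts -> all-clusters) to show loop safety.
        "memberNisNetgroup": ["all-clusters"],
    },
    "cn=cluster-a-users,ou=Netgroup,dc=example,dc=com": {
        "cn": ["cluster-a-users"],
        "nisNetgroupTriple": ["(,alice,)", "(,carol,)", "(,-,)"],
    },
    "cn=all-clusters,ou=Netgroup,dc=example,dc=com": {
        "cn": ["all-clusters"],
        "memberNisNetgroup": ["cluster-a-hosts"],
    },
    # Option 3 / pam_groupdn: a POSIX group whose membership gates login.
    "cn=login-default,ou=Group,dc=example,dc=com": {
        "cn": ["login-default"],
        "memberUid": ["alice", "bob"],
    },
}

NETGROUP_BASE = "ou=Netgroup,dc=example,dc=com"  # constructed container for netgroup entries


def find_user(uid):
    """Return the attributes of the entry whose uid is exactly `uid`, or None."""
    for attrs in DIRECTORY.values():
        if attrs.get("uid") == [uid]:
            return attrs
    return None


def host_attr_allows(uid, hostname):
    """Method 1: the user's own entry must list this host's FQDN in `host`."""
    attrs = find_user(uid)
    return attrs is not None and hostname in attrs.get("host", [])


def parse_triple(value):
    """Parse '(host,user,domain)' into a 3-tuple of stripped strings."""
    text = value.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"not a netgroup triple: {value!r}")
    parts = [p.strip() for p in text[1:-1].split(",")]
    if len(parts) != 3:
        raise ValueError(f"netgroup triple needs exactly three fields: {value!r}")
    return tuple(parts)


def _field_matches(field, wanted):
    """Classic netgroup matching (assumed convention): an empty field is a wildcard,
    '-' never matches, and wanted=None means the caller does not constrain the field."""
    if wanted is None or field == "":
        return True
    if field == "-":
        return False
    return field == wanted


def netgroup_contains(netgroup, hostname=None, user=None, domain=None, _seen=None):
    """Method 2: innetgr()-style test that follows memberNisNetgroup nesting.
    `_seen` records netgroups already visited so a cycle cannot recurse forever."""
    _seen = set() if _seen is None else _seen
    if netgroup in _seen:
        return False
    _seen.add(netgroup)
    entry = DIRECTORY.get(f"cn={netgroup},{NETGROUP_BASE}")
    if entry is None:
        return False
    for value in entry.get("nisNetgroupTriple", []):
        h, u, d = parse_triple(value)
        if _field_matches(h, hostname) and _field_matches(u, user) and _field_matches(d, domain):
            return True
    return any(netgroup_contains(child, hostname, user, domain, _seen)
               for child in entry.get("memberNisNetgroup", []))


def netgroup_allows(user_netgroup, host_netgroup, uid, hostname):
    """Method 2 as described in the thread: the user must be in the approved user
    netgroup AND the system must be in the approved host netgroup."""
    return (netgroup_contains(user_netgroup, user=uid)
            and netgroup_contains(host_netgroup, hostname=hostname))


def groupdn_allows(uid, groupdn, member_attribute="memberUid"):
    """Option 3 / pam_groupdn: the user must be listed in the group entry under the
    attribute named by pam_member_attribute (memberUid here, by assumption)."""
    group = DIRECTORY.get(groupdn)
    return group is not None and uid in group.get(member_attribute, [])


if __name__ == "__main__":
    login_group = "cn=login-default,ou=Group,dc=example,dc=com"
    print("alice@node01 via host attribute:", host_attr_allows("alice", "node01.example.com"))
    print("carol@node01 via netgroups    :", netgroup_allows("cluster-a-users", "cluster-a-hosts", "carol", "node01.example.com"))
    print("bob@node01 via netgroups      :", netgroup_allows("cluster-a-users", "cluster-a-hosts", "bob", "node01.example.com"))
    print("carol via pam_groupdn         :", groupdn_allows("carol", login_group))
```

The three checks are kept as separate functions on purpose: a PAM stack typically applies exactly one of them, and keeping the host-attribute, netgroup and group-DN decisions independent makes it easy to see which scheme would grant or deny a given user on a given host, and to confirm that a nesting cycle in the netgroup data produces a clean deny rather than a hang.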