[Fedora-directory-users] Server-Side ACLs for pam_ldap logins.

Jason Hane HaneJ at gsicommerce.com
Tue Jan 3 21:10:39 UTC 2006


I second that.  Dan if you can provide any resources you used to set up
your netgroups I would hail at your feet.  I've been playing with
netgroups unsuccessfully for the past month and a half and haven't been
able to get it to work.  All my clients are RedHat ES 3&4.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 03, 2006 4:06 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap
logins.

This looks very interesting and useful.  Would you mind writing up
something I can post on the Fedora DS wiki?  Don't worry about
formatting, spelling, etc.  I can fix that up.

Dan Cox wrote:

>
> As an alternative, I've used the ldap/netgroup integration for many 
> years and it seems the cleanest way of doing it when used in 
> conjunction with pam's access.conf. It allows me to push the same 
> /etc/passwd and /etc/security/access.conf to all machines on the 
> network via something like CFEngine.
>
> The access.conf consists of something like (allow all QA users access 
> to QA systems):
> + : @QA@@QAServers : ALL
>
> Then I just add or remove the user or machine in the ldap netgroup 
> entry. The real power with using ldap based netgroups is when you 
> realize all of the services that can consume netgroup information, 
> unlike the simple user based host attribute. For example, you can push
> a global /etc/sudoers and specify certain groups of users can run 
> certain commands on particular groups of machines all on one line.
> CFEngine itself can query netgroups to know what config files to push,
> tools like dsh (distributed ssh) can use netgroups as machine targets 
> for commands, etc. I've administered some very large networks of 
> machines with these tools and it makes it very easy to control.
>
> Dan-
>
> Jason Hane wrote:
>
>> I had a similar question a few weeks ago.  I wanted to be able to 
>> assign a list of users access to only a specific number of computers.
>> This is the response I got from Gary Tay:
>>
>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX
>> in /etc/passwd and /etc/shadow and "compat" keyword in 
>> /etc/nsswitch.conf) LDAP maps could be set up to achieve what you 
>> want, it has been used by many DS5.2 administrators
>>
>> See:
>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20Open LDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native 
>> LDAP Clients (i.e. controlling user access to host using netgroup 
>> LDAP maps)
>>
>> Also see:
>> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>> Configuring LDAP netgroups
>> Gary
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
>> Michael Montgomery
>> Sent: Tuesday, January 03, 2006 1:35 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap 
>> logins.
>>
>> Thanks for the response.  I'll read up on this, and see if I can get 
>> this working.
>>
>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>
>>> Michael Montgomery wrote:
>>>
>>>> I do agree that this is closer to what I'm looking for, but the 
>>>> first problem I see is that I wanted to allow Groups of people to login 
>>>> to Groups of servers like:
>>>>
>>>> cn=www,ou=Group,dc=example,dc=com  is a group of www servers.
>>>> cn=Unix,ou=Group,dc=example,dc=com  is a group of Unix users.
>>>>
>>>> So basically, on the people in the Unix group, can login to the www
>>>> servers, and so forth.
>>>>
>>>
>>> Right.  The host attribute is per user.  You could set up a Roles 
>>> for your users, and use Class of Service to automatically add the 
>>> host attribute to the role members.
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
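Dan's access.conf rule above, `+ : @QA@@QAServers : ALL`, does what he describes because pam_access evaluates lines first-match and consults the netgroup map twice: the netgroup before `@@` must contain the user, the one after it must contain the local host. The Python below is an added example, written for this archive page and not code from anyone in the thread nor the pam_access implementation itself. It models that evaluation against a constructed netgroup map shaped like LDAP nisNetgroupTriple values (with memberNisNetgroup-style nesting), and shows why a trailing `- : ALL : ALL` line matters: pam_access grants access when no line matches at all. All netgroup names, hosts and users are constructed; EXCEPT clauses and `(group)` tokens are deliberately not modelled.

```python
"""Model of pam_access first-match evaluation with @users@@hosts netgroup rules."""

# Constructed sample data: netgroups as they would be served from LDAP.
# A tuple is a (host, user, domain) triple; an empty field is a wildcard.
# A bare string is a nested netgroup (memberNisNetgroup).
NETGROUPS = {
    "QA":        [("", "alice", ""), ("", "bob", "")],
    "QAServers": [("qa1.example.com", "", ""), ("qa2.example.com", "", "")],
    "Ops":       [("", "carol", "")],
    "AllStaff":  ["QA", "Ops"],
}

# Constructed /etc/security/access.conf: permission : users : origins.
ACCESS_CONF = (
    "# Ops may log in anywhere; QA users only on QA servers; everyone else denied\n"
    "+ : @Ops : ALL\n"
    "+ : @QA@@QAServers : ALL\n"
    "- : ALL : ALL\n"
)
# Same policy with the final deny line left out, to show the default.
NO_DEFAULT_DENY = "\n".join(ACCESS_CONF.splitlines()[:-1]) + "\n"


def innetgr(netgroup, host=None, user=None, domain=None, _seen=None):
    """Simplified innetgr(3): True if any triple of the netgroup, or of a nested
    netgroup, matches. A None query argument and an empty triple field are wildcards."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in NETGROUPS:
        return False
    _seen.add(netgroup)  # guards against membership cycles
    for entry in NETGROUPS[netgroup]:
        if isinstance(entry, str):
            if innetgr(entry, host, user, domain, _seen):
                return True
            continue
        h, u, d = entry
        if all(want is None or have == "" or have == want
               for want, have in ((host, h), (user, u), (domain, d))):
            return True
    return False


def user_field_matches(token, user, local_host):
    """One token of the users field: ALL, @netgroup, @netgroup@@hostnetgroup, or a login."""
    if token == "ALL":
        return True
    if token.startswith("@"):
        user_ng, _, host_ng = token[1:].partition("@@")
        if not innetgr(user_ng, user=user):
            return False
        # With @@, the local hostname must also be in the second netgroup.
        return host_ng == "" or innetgr(host_ng, host=local_host)
    return token == user


def origin_field_matches(token, origin):
    """One token of the origins field: ALL or an exact tty/host string."""
    return token == "ALL" or token == origin


def pam_access(conf, user, origin, local_host):
    """Return '+' or '-' from the first matching line.
    No matching line means access is granted, as pam_access does."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if any(user_field_matches(t, user, local_host) for t in users.split()) and \
           any(origin_field_matches(t, origin) for t in origins.split()):
            return perm
    return "+"


if __name__ == "__main__":
    for who, where in (("alice", "qa1.example.com"), ("alice", "web1.example.com"),
                       ("carol", "web1.example.com"), ("dave", "qa1.example.com")):
        print(who, "on", where, "->", pam_access(ACCESS_CONF, who, "203.0.113.5", where))
    print("dave with no default deny ->",
          pam_access(NO_DEFAULT_DENY, "dave", "203.0.113.5", "qa1.example.com"))
```

Running it shows alice admitted on qa1 but refused on web1, carol admitted everywhere, and dave refused only because the last line exists: drop it and dave is let in, which is the check to make before pushing a shared access.conf to every host.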