[Fedora-directory-users] Host based ACI
Richard Megginson
rmeggins at redhat.com
Tue Nov 14 16:49:15 UTC 2006
Greg Hetrick wrote:
> I am trying to implement host based ACI for either users or groups.
> Basic question: can you achieve the same results using the host ACI
> as you would with host attributes per user?
>
> I am trying to find a way not to specifically include each host in
> each user that needs access to every host or multiple hosts.
>
> Is it possible to add Host based ACI to a group and have the members
> of that group be granted access to only those specific hosts? Say for
> example having a group for admins with every host and adding users to
> that group thus giving them access to all hosts, same with a
> development group with only access to development hosts.
>
> Any direction that you can give would be much appreciated. I have
> attempted to set up ACIs for a particular user to a single host, but it
> doesn't appear that it is working, seems like I am missing either a
> client side LDAP setting or an Attribute on the user to handle the
> ACI. I was able to set up host based access using the host attribute
> per user, that just seems tedious.
I don't think you want to use ACIs for this. You need something that
works on the client side - PAM/NSS/Posix - that the client side
understands and enforces. ACIs are really only useful to enforce server
side rules, unless the client has explicit knowledge that relationships
modeled in LDAP apply to the client side as well (PAM/NSS do not).
You could implement Role Based Attributes using the "host" attribute if
the following criteria are met:
1) You can define your groups using the Roles feature, not e.g. posix
groups. Fedora DS Role Based Attributes must use roles to define group
membership.
2) PAM/NSS do not perform searches like (host=foo.bar.com) to determine
user access. Instead, PAM must perform searches like uid=loginname and
retrieve the host attribute of the user, and use that to determine access.
See http://directory.fedora.redhat.com/wiki/Howto:ClassOfService for a
description of how Class of Service works and how it can be used to
implement Role Based Attributes.
If all else fails, you will probably have to use Netgroups -
http://directory.fedora.redhat.com/wiki/Howto:Netgroups
>
> Thanks,
> Greg
>
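The Role Based Attributes approach the reply outlines (a role for group membership, a classic Class of Service that derives each member's host attribute from the role) written out as LDIF. This is an added example, not from the post or the Fedora DS documentation; the suffix dc=example,dc=com, the role name devadmins, the template container cn=cosTemplates and the hostnames are constructed.

```ldif
# 1) Managed role; placed directly under the suffix so its scope covers
#    the whole tree (a role's scope is the subtree below its parent entry).
dn: cn=devadmins,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: devadmins

# 2) Classic CoS definition: generate "host" on each entry in scope,
#    taking the values from the template named after the entry's nsRole.
dn: cn=hostByRole,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,dc=example,dc=com
cosSpecifier: nsRole
cosAttribute: host

# 3) Template container and one template per role. The template's cn is
#    the role DN, quoted because it contains commas.
dn: cn=cosTemplates,dc=example,dc=com
objectClass: top
objectClass: nsContainer
cn: cosTemplates

dn: cn="cn=devadmins,dc=example,dc=com",cn=cosTemplates,dc=example,dc=com
objectClass: top
objectClass: cosTemplate
objectClass: extensibleObject
host: dev1.example.com
host: dev2.example.com

# 4) User: nsRoleDN makes the user a role member. objectClass account is
#    what lets the schema permit "host" on this entry; no host values are
#    stored here, they are computed from the role's template at read time.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
nsRoleDN: cn=devadmins,dc=example,dc=com
```

With pam_ldap this pairs with `pam_check_host_attr yes` in /etc/ldap.conf, which reads the user entry and compares its host values against the local hostname, exactly the client-side lookup the reply describes. Adding a host to every devadmins member is then one modification to the template entry, not one per user.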