Re: [rhelv5-list] Re: Access control: ssh, kerberos, ldap



Jan-Frode Myklebust wrote:
> On 2008-09-26, John Summerfield <debian herakles homelinux org> wrote:
>> Jan-Frode Myklebust wrote:
>>> On 2008-09-25, John Summerfield <debian herakles homelinux org> wrote:
>>>> Almost certainly I've missed something, but isn't PAM supposed to be the glue that ties applications such as sudo to authentication facilities such as LDAP?
>>> You're missing that the point is to have sudo-configuration in LDAP, not
>>> just authentication. So one central place to manage the "sudoers" for all
>>> your hosts.
>>>> d) control who can gain root on a certain box only
>> Point D requires a local configuration.
>
> It probably depends on what you mean by "gain", but if you can live
> with gaining it through sudo, it doesn't require any local configuration
> per host.
>
>     sudoUser: @u_sysadmin_netgroup
>     sudoHost: @some_host_netgroup
>     sudoCommand: ALL
>
> or, more specifically, to allow "john" to execute /bin/su on the machine named hostname.example.com:
>
>     sudoUser: john
>     sudoHost: hostname.example.com
>     sudoCommand: /bin/su
>
>> Point C can be addressed with a local group specification, with the group's membership defined group wide in LDAP.
>
> I don't see why you would want both a local group specification, and
> then membership defined group wide in LDAP. And wouldn't those cancel each other out?

If the network (or LDAP server) is down?

>> A golden local configuration that's deployed on the box, and then customised to cover point D seems close to what's wanted.
>
> I would suggest to distribute your /etc/security/access.conf globally.
> No local per host configurations. You would of course sometimes have

That might be appropriate in your environment, but I would not assume that's universally so. Imagine I'm BigCorp Global Servers, deploying virtual servers for Dept of Spying, Dept of Having a good time. Likely there will be common features, some unique to each.

This might be extreme, but that's so as to illustrate the point that different organisations and different users supported by those organisations may be very different.

> to update it (globally), but quite seldom.
>
>     http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
>> This doesn't address deploying changed rules for groups, and in particular a new group with new rules, but that's not necessarily a problem for everyone.
>
> If you keep your sudo rules in ldap, there's no need to "deploy"
> changed rules. They're effective immediately once implemented in the
> ldap directory.

I won't assume that's feasible for everyone. On Windows (AD), I do sometimes need to use the local administrator account.

--

Cheers
John

-- spambait
1aaaaaaa coco merseine nu  Z1aaaaaaa coco merseine nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
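Added illustration, not part of the thread: a small Python model of how sudo-ldap resolves sudoRole entries, useful for auditing what a directory-held sudoers set grants before relying on it. It parses an LDIF carrying the two rules quoted above and answers which commands a user may run on a host, including the @netgroup form; the LDIF, the DNs and the netgroup membership are constructed, and sudoOption, sudoRunAs and negated specs are deliberately left out.

```python
import re

# Constructed LDIF carrying the two sudoRole entries quoted in the thread.
SUDOERS_LDIF = """\
dn: cn=sysadmins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoUser: @u_sysadmin_netgroup
sudoHost: @some_host_netgroup
sudoCommand: ALL

dn: cn=john_su,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
sudoUser: john
sudoHost: hostname.example.com
sudoCommand: /bin/su
"""

# Constructed netgroup membership (what the nisNetgroupTriple values resolve to).
NETGROUPS = {
    "u_sysadmin_netgroup": {"users": {"alice", "bob"}, "hosts": set()},
    "some_host_netgroup": {"users": set(), "hosts": {"db1.example.com"}},
}


def parse_ldif(text):
    """Split LDIF into entries, each a dict of attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def spec_matches(spec, value, kind):
    """Match one sudoUser/sudoHost value: ALL, @netgroup, or a literal name."""
    if spec == "ALL":
        return True
    if spec.startswith("@"):
        return value in NETGROUPS.get(spec[1:], {}).get(kind, set())
    return spec == value


def allowed_commands(user, host, ldif=SUDOERS_LDIF):
    """Commands `user` may run through sudo on `host` under these sudoRoles."""
    cmds = []
    for role in parse_ldif(ldif):
        if any(spec_matches(s, user, "users") for s in role["sudoUser"]) and \
           any(spec_matches(s, host, "hosts") for s in role["sudoHost"]):
            cmds.extend(role["sudoCommand"])
    return cmds
```

Running `allowed_commands("john", "hostname.example.com")` yields `["/bin/su"]`, while the same user on a host outside both rules gets nothing, which is the per-host control discussed above without any file on the host itself.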
