Re: Authorization Support

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Arthur de Jong <arthur [at] arthurdejong.org>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: Authorization Support
Date: Sat, 27 Feb 2010 13:58:43 +0100

On Fri, 2010-02-26 at 19:23 -0600, Chris Breneman wrote:
> From looking at it, it doesn't seem like nss-pam-ldapd supports LDAP
> authorization via the authorizedService and host attributes, as the
> PADL PAM LDAP module does.  My organization makes extensive use of
> these attributes, and I was wondering if it might be useful for me to
> write support for these into nss-pam-ldapd.

Currently there are no authorisation checks in nss-pam-ldapd. I have
been thinking a bit about this and I want to implement something a
little more flexible than a simple attribute check.

> Also, my organization makes use of a custom attribute,
> authorizedHostService, to provide more fine-grained authorization
> control.  We have custom modifications to the PADL libpam-ldap module
> to support this.  If I were to write support for this into
> nss-pam-ldapd, could it be included in the mainstream code, or would I
> have to maintain a separate fork for my organization?

I welcome any patch that is generally usable, however I am thinking of
implementing something like the following (this is the first basic idea,
nothing final here yet):

As an authorisation check perform a custom search (after normal
authentication). If the search yields any results access is granted,
otherwise access is denied.

This search may be parametrised with attributes of the LDAP user entry
from the authentication phase (e.g. DN, uid, etc.) and session specific
values (hostname, service, ruser, rhost, tty, etc.).

With this you should be able to do something like:

authzsearch 
(&(objectClass=posixAccount)(uid=$uid)(|(authorizedService=$service)(!authorizedService=*)))

and most other feasible authorisation checks (perhaps extended with an
authzsearchbase). The idea is to re-use the variable expansion that is
available for attribute mapping.

Note that there is no code yet for the above.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users

Authorization Support, Chris Breneman
- Re: Authorization Support, Jan Schampera
- Re: Authorization Support, Arthur de Jong

Prev by Date: Re: Authorization Support
Next by Date: Re: Authorization Support
Previous by thread: Re: Authorization Support
Next by thread: Re: Authorization Support