
Re: Fine grained access control

On 2012-08-30 23:25, Arthur de Jong wrote:
> On Thu, 2012-08-30 at 21:51 +0200, Richard Pijnenburg wrote:
>> I'm looking for a way to have fine grained access control for user to
>> servers.
>
> With nss-pam-ldapd you can use the pam_authz_search option to specify a
> filter for the PAM module. With nss-pam-ldapd 0.8.9 the pam_authz_search
> option can be specified multiple times.
>
> You could do something like:
>
> pam_authz_search (&(objectClass=posixGroup)(cn=allowgroup)(memberUid=$uid))
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$hostname))
>
> to require that the user that is logging in is a member of allowgroup
> and the user has a host attribute with the value of the current
> hostname. See the nslcd.conf manual page for more details.

Hi Arthur,

Thank you for the quick reply.
I am wondering about the scalability in this case.
We have 2500 servers and it's going to be difficult to have, for example, 1000 host entries for a user (some users even need to access all servers).
These 2500 servers are split up into 10 different platforms.
Users of these platforms need to access all (or most) servers of their own platform. Sometimes user X needs to access certain machines from platform Y while he belongs to platform Z.

Would this case be useful?

1. If you are in the allow group you can access the system.
2. If you are not in the allow group you must have the host entry to access it.

What I would like to avoid is having enormous lists of host entries in users (because that makes it harder to manage when servers are added / removed),
and to avoid modifying the configurations on servers all the time.
My goal is to do as much as possible in LDAP itself.

Thanks.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
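The following is an added illustration, not code from the thread or from the nss-pam-ldapd project. It models the authorisation check described in Arthur's reply with a small in-memory LDAP filter evaluator: the two pam_authz_search lines from the reply, which nslcd evaluates so that every line must match (AND), are compared with a single filter that joins the same two searches under an LDAP `|` (OR), which is one way to express the "allow group OR host entry" rule Richard asks about without per-host configuration. The directory entries, hostnames and user names are constructed; `$uid` and `$username` are both bound to the login name here, and the escaping of substituted values is part of this example rather than a description of nslcd internals. Real directory servers apply per-attribute matching rules; this evaluator compares values exactly.

```python
import re
from typing import Dict, List, Tuple, Union

# Added example, not nss-pam-ldapd code. An entry maps a lower-cased
# attribute name to its list of values.
Entry = Dict[str, List[str]]
Node = Union[Tuple[str, list], Tuple[str, str, str]]

# Constructed sample directory: three accounts and one allow group.
DIRECTORY: List[Entry] = [
    {"objectclass": ["posixAccount", "account"], "uid": ["alice"],
     "host": ["web01", "web02"]},
    {"objectclass": ["posixAccount", "account"], "uid": ["bob"]},
    {"objectclass": ["posixAccount", "account"], "uid": ["carol"],
     "host": ["web01"]},
    {"objectclass": ["posixGroup"], "cn": ["allowgroup"],
     "memberuid": ["bob", "carol"]},
]

# The two lines from the reply: nslcd requires each pam_authz_search line
# to match, so both conditions must hold (AND).
AND_FILTERS = [
    "(&(objectClass=posixGroup)(cn=allowgroup)(memberUid=$uid))",
    "(&(objectClass=posixAccount)(uid=$username)(host=$hostname))",
]

# One filter (assumed alternative, not from the thread) joining the same two
# searches with "|": allow-group member OR host attribute for this machine.
OR_FILTERS = [
    "(|(&(objectClass=posixGroup)(cn=allowgroup)(memberUid=$uid))"
    "(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))",
]


def _escape(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def expand(template: str, **variables: str) -> str:
    """Substitute $name placeholders ($uid, $username, $hostname) with
    escaped values, as a pam_authz_search template is filled per login."""
    return re.sub(r"\$(\w+)",
                  lambda m: _escape(variables[m.group(1)]), template)


class _Parser:
    """Recursive-descent parser for the filter subset used here:
    (&...), (|...), (!...), (attr=value) and presence (attr=*)."""

    def __init__(self, text: str) -> None:
        self.s, self.i = text, 0

    def parse(self) -> Node:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing data after filter")
        return node

    def _filter(self) -> Node:
        if self.s[self.i] != "(":
            raise ValueError("expected '(' at %d" % self.i)
        self.i += 1
        op = self.s[self.i]
        if op in "&|":
            self.i += 1
            kids = []
            while self.s[self.i] == "(":
                kids.append(self._filter())
            node: Node = (op, kids)
        elif op == "!":
            self.i += 1
            node = ("!", [self._filter()])
        else:
            eq = self.s.index("=", self.i)
            close = self.s.index(")", eq)
            node = ("=", self.s[self.i:eq].lower(), self.s[eq + 1:close])
            self.i = close
        if self.s[self.i] != ")":
            raise ValueError("expected ')' at %d" % self.i)
        self.i += 1
        return node


def matches(node: Node, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return _unescape(value) in values  # exact match; servers use schema rules


def search(directory: List[Entry], filt: str) -> List[Entry]:
    node = _Parser(filt).parse()
    return [e for e in directory if matches(node, e)]


def authorize(directory: List[Entry], filters: List[str],
              user: str, hostname: str) -> bool:
    """True only if every expanded filter matches at least one entry, i.e.
    all pam_authz_search lines succeed, as the reply describes."""
    return all(
        search(directory, expand(f, uid=user, username=user, hostname=hostname))
        for f in filters)


if __name__ == "__main__":
    for filters, label in ((AND_FILTERS, "two lines (AND)"),
                           (OR_FILTERS, "one OR filter")):
        for user, host in (("alice", "web01"), ("alice", "db01"),
                           ("bob", "db01"), ("carol", "web01")):
            verdict = "allow" if authorize(DIRECTORY, filters, user, host) else "deny"
            print("%-16s %s@%s -> %s" % (label, user, host, verdict))
```

With the two-line configuration only carol, who is both in allowgroup and has host=web01, is allowed on web01; alice (host only) and bob (group only) are denied everywhere. With the single OR filter bob is allowed on any host through the group, alice only on the hosts listed in her host attribute, and the server-side configuration is the same on every machine since only `$hostname` changes.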