Re: Fine grained access control
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Fine grained access control
- Date: Sat, 01 Sep 2012 17:23:24 +0200
On Sat, 2012-09-01 at 15:02 +0200, Richard Pijnenburg wrote:
> Would this case be useful?
>
> 1. If you are in the allow group you can access the system.
> 2. If you are not in the allow group you must have the host entry to
> access it.
The above should be possible but I think you would have to have an
nslcd.conf file per group of machines. The nslcd.conf manual page has a
nice example of how to do the second thing.
> My goal is to do as much as possible in LDAP itself.
You will have to do some configuring on the machines themselves because you
need to specify which group a machine belongs to.
All the rest you should be able to configure in LDAP. One way of doing
it would be to have a hostGroup attribute per user that specifies the
groups of hosts that a user has access to. You would then need something
like:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(hostGroup=MYHOSTGROUP)(hostGroup=\\*)(host=$hostname)(host=$fqdn)(host=\\*)))
That would allow any user that has either the "MYHOSTGROUP" or "*" value,
or has the current hostname as host value (or host value "*"), access to
the machine.
If you had a hostgroup object with userMember attributes pointing to
users and hostMember attributes pointing to hostnames it would be
something like the following. It would be tricky to combine this with a
host attribute though.
pam_authz_search (&(objectClass=groupOfHosts)(userMember=$dn)(|(hostMember=$hostname)(hostMember=$fqdn)))
Hope this helps,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
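The following is an added example, not code from nslcd or from the mail above. It models the pam_authz_search semantics described in the thread (login is allowed only if the filter, with $username, $hostname, $fqdn and $dn substituted, matches at least one entry) with a small evaluator for the (&...), (|...) and (attr=value) filter subset the two filters use, and runs both filters against a constructed directory. The DNs, hostnames and group names are hypothetical; MYHOSTGROUP is substituted per machine group, as the mail says it would be with one nslcd.conf per group. The escaped asterisk `\\*` is treated as a literal "*" value following the quoting used in the mail (RFC 4515 would spell that `\2a`), and substituted values are RFC 4515-escaped so that a crafted username cannot change the filter's structure.

```python
import re

# Constructed sample directory (hypothetical DNs and values, not from any
# real LDAP server) modelling both schemes from the mail: a per-user
# hostGroup/host attribute, and a groupOfHosts object with userMember and
# hostMember attributes.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "hostGroup": ["webservers"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": ["posixAccount"], "uid": ["bob"],
        "host": ["db01.example.org"]},
    "uid=carol,ou=people,dc=example,dc=org": {
        "objectClass": ["posixAccount"], "uid": ["carol"],
        "hostGroup": ["*"]},
    "cn=webservers,ou=hostgroups,dc=example,dc=org": {
        "objectClass": ["groupOfHosts"],
        "userMember": ["uid=alice,ou=people,dc=example,dc=org"],
        "hostMember": ["web01", "web01.example.org"]},
}

# The two filters from the mail. MYHOSTGROUP is a literal that differs per
# nslcd.conf (one file per group of machines); $username, $hostname, $fqdn
# and $dn are the variables nslcd substitutes at login time.
PER_USER_FILTER = (r"(&(objectClass=posixAccount)(uid=$username)"
                   r"(|(hostGroup=MYHOSTGROUP)(hostGroup=\\*)"
                   r"(host=$hostname)(host=$fqdn)(host=\\*)))")
HOSTGROUP_FILTER = (r"(&(objectClass=groupOfHosts)(userMember=$dn)"
                    r"(|(hostMember=$hostname)(hostMember=$fqdn)))")


def escape(value):
    """RFC 4515 escaping of a substituted value, so that a username such as
    'x)(uid=*' stays plain data instead of becoming extra filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template, **subst):
    """Replace $name variables in the template with escaped values."""
    return re.sub(r"\$(\w+)", lambda m: escape(subst[m.group(1)]), template)


def parse(text, i=0):
    """Recursive-descent parser for the (&...), (|...), (attr=value) subset."""
    if text[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    if text[i + 1] in "&|":
        op, i, subs = text[i + 1], i + 2, []
        while text[i] == "(":
            node, i = parse(text, i)
            subs.append(node)
        if text[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = text.index(")", i)          # safe: values were escaped by expand()
    attr, pattern = text[i + 1:j].split("=", 1)
    return ("=", attr, pattern), j + 1


def match_value(pattern, values):
    """Compare one assertion value against an attribute's values."""
    if pattern == "*":                    # presence test: any value at all
        return bool(values)
    if pattern in ("\\*", "\\\\*"):       # escaped asterisk: a literal "*" value
        literal = "*"
    else:                                 # undo the \xx escapes from escape()
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), pattern)
    return any(v.lower() == literal.lower() for v in values)


def evaluate(node, entry):
    """Evaluate a parsed filter node against one entry (dict of attr -> values)."""
    if node[0] == "&":
        return all(evaluate(n, entry) for n in node[1])
    if node[0] == "|":
        return any(evaluate(n, entry) for n in node[1])
    _, attr, pattern = node
    return match_value(pattern, entry.get(attr, []))


def authorized(template, **subst):
    """pam_authz_search semantics: the login is allowed iff the expanded
    filter matches at least one entry in the directory."""
    text = expand(template, **subst)
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return any(evaluate(node, e) for e in DIRECTORY.values())


def webservers_filter():
    """The per-user filter as it would appear in the web servers' nslcd.conf."""
    return PER_USER_FILTER.replace("MYHOSTGROUP", "webservers")


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"
    print(authorized(webservers_filter(), username="alice",
                     hostname="web01", fqdn="web01.example.org"))   # True
    print(authorized(HOSTGROUP_FILTER, dn=alice,
                     hostname="db01", fqdn="db01.example.org"))     # False
```

Running it shows the behaviour the mail describes: alice gets in on the web servers through her hostGroup value (or, with the second scheme, through the groupOfHosts entry that lists both her DN and the host), bob gets in only on the host named in his host attribute, and carol's "*" value admits her everywhere. The escaping step is the part worth keeping in mind when writing such filters: whatever substitutes the variables must escape them, otherwise the user-controlled $username could rewrite the authorization filter.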