
Re: Fine grained access control



On Sat, 2012-09-01 at 15:02 +0200, Richard Pijnenburg wrote:
> Would this case be useful?
> 1. If you are in the allow group you can access the system.
> 2. If you are not in the allow group you must have the host entry to 
> access it.

The above should be possible but I think you would have to have a
nslcd.conf file per group of machines. The nslcd.conf manual page has a
nice example of how to do the second thing.

> My goal is to do as much as possible in ldap itself.

You will have to do some configuring on the machines themselves because you
need to specify which group a machine belongs to.

All the rest you should be able to configure in LDAP. One way of doing
it would be to have a hostGroup attribute per user that specifies the
groups of hosts that a user has access to. You would then need something


That would allow any user that has either the "MYHOSTGROUP" or "*" value
or have the current hostname as host value (or host value "*") access to
the machine.

If you had a hostgroup object with userMember attributes pointing to
users and hostMember attributes pointing to hostnames it would be
something like the following. It would be tricky to combine this with a
host attribute though.


Hope this helps,

-- arthur
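An nslcd.conf authorization filter expressing the two schemes sketched in the reply above, as an added example (not from the original message or the nss-pam-ldapd project). It assumes the custom `hostGroup`, `host`, `userMember` and `hostMember` attributes the reply describes exist in your schema, that this particular machine has been assigned to the group MYHOSTGROUP, and uses the `pam_authz_search` option with its `$username`, `$hostname` and `$dn` expansions; the server URI and base DN are placeholders.

```conf
# Added example: per-machine nslcd.conf fragment. MYHOSTGROUP is the group
# this host belongs to, so this value differs per group of machines (which
# is the per-machine configuration the reply says cannot live in LDAP).
uri ldap://ldap.example.com/
base dc=example,dc=com

# Scheme 1: attributes on the user entry (assumed custom schema).
# Login is allowed when the user lists this host's group (or "*"), or this
# hostname (or "*"), in their own entry. A literal asterisk is escaped as
# \2a (RFC 4515); a bare * would match any entry that merely has the attribute.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(hostGroup=MYHOSTGROUP)(hostGroup=\2a)(host=$hostname)(host=\2a)))

# Scheme 2 (alternative; use one or the other): a separate hostGroup object
# whose userMember values are user DNs and whose hostMember values are
# hostnames. Only users named in a group object that also names this host
# are allowed in; uncomment to use instead of the filter above.
#pam_authz_search (&(objectClass=hostGroup)(userMember=$dn)(hostMember=$hostname))
```

nslcd denies the login at the PAM account stage when the search returns no entry, so a user matched by neither clause is refused even with a correct password.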