RSS feed

Re: Fine grained access control

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Fine grained access control

On 2012-09-01 17:23, Arthur de Jong wrote:
On Sat, 2012-09-01 at 15:02 +0200, Richard Pijnenburg wrote:
Would this case be useful?

1. If you are in the allow group you can access the system.
2. If you are not in the allow group you must have the host entry to
access it.

The above should be possible but I think you would have to have a
nslcd.conf file per group of machines. The nslcd.conf manual page has a
nice example of how to do the second thing.

My goal is to do as much as possible in ldap it self.

You will have to do some configuring on the machines itself because you
need to specify which group a machine belongs to.

All the rest you should be able to configure in LDAP. One way of doing
it would be to have a hostGroup attribute per user that specifies the
groups of hosts that a user has access to. You would then need something



That would allow any user that has either the "MYHOSTGROUP" or "*" value or have the current hostname as host value (or host value "*") access to
the machine.

If you had a hostgroup object with userMember attributes pointing to
users and hostMember attributes pointing to hostnames it would be
something like the following. It would be tricky to combine this with a
host attribute though.



Hope this helps,

Hi Arthur,

Sorry to bother again.
I've been trying to build up the pam_authz_search but running into some issues.

I've worked with the pam_groupdn in pam_ldap.conf to specify the group it has to be in. I've build that group up with 'groupOfURLs' to dynamically combine other groups into 1 group. The result of that search returns a list of dn's of the users. ( member: uid=user,ou=people,dc=..... ) Im wondering how i can transform that functionality into the pam_authz_search way.

And yes, per server / group of servers i will need to have some differences in the nslcd.conf but that's not a big issue ( using puppet ) My main goal is to minimize the config file changes as much as possible :-)

Thank you very much for your time.

To unsubscribe send an email to or see