Re: Fine grained access control

On 2012-09-01 17:23, Arthur de Jong wrote:
On Sat, 2012-09-01 at 15:02 +0200, Richard Pijnenburg wrote:
Would this case be useful?

1. If you are in the allow group you can access the system.
2. If you are not in the allow group you must have the host entry to
access it.

The above should be possible but I think you would have to have a
nslcd.conf file per group of machines. The nslcd.conf manual page has a
nice example of how to do the second thing.

My goal is to do as much as possible in LDAP itself.

You will have to do some configuring on the machines themselves because you
need to specify which group a machine belongs to.

All the rest you should be able to configure in LDAP. One way of doing
it would be to have a hostGroup attribute per user that specifies the
groups of hosts that a user has access to. You would then need something
like:

pam_authz_search

(&(objectClass=posixAccount)(uid=$username)(|(hostGroup=MYHOSTGROUP)(hostGroup=\\*)(host=$hostname)(host=$fqdn)(host=\\*)))

That would allow any user that has either the "MYHOSTGROUP" or "*" value, or
has the current hostname as host value (or host value "*"), access to
the machine.

If you had a hostgroup object with userMember attributes pointing to
users and hostMember attributes pointing to hostnames it would be
something like the following. It would be tricky to combine this with a
host attribute though.

pam_authz_search

(&(objectClass=groupOfHosts)(userMember=$dn)(|(hostMember=$hostname)(hostMember=$fqdn)))


Hope this helps,

Hi Arthur,

Sorry to bother again.
I've been trying to build up the pam_authz_search but am running into some issues.

I've worked with the pam_groupdn in pam_ldap.conf to specify the group it has to be in. I've built that group up with 'groupOfURLs' to dynamically combine other groups into one group. The result of that search returns a list of DNs of the users ( member: uid=user,ou=people,dc=..... ). I'm wondering how I can transform that functionality into the pam_authz_search way.


And yes, per server / group of servers I will need to have some differences in the nslcd.conf, but that's not a big issue (using Puppet). My main goal is to minimize the config file changes as much as possible :-)

Thank you very much for your time.

Richard.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
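Added example, not code from the thread or from nss-pam-ldapd: a small Python model of the first pam_authz_search filter above, substituting $username, $hostname and $fqdn and evaluating the result against a constructed directory, with RFC 4515 escaping of the substituted values so that a login name containing `*` cannot match another account. The filter is written as it would reach the LDAP server, with `\*` for a literal asterisk; the entries, host names and the escaping step are the example's own assumptions, not a description of what nslcd does internally.

```python
import re

def person(uid, **attrs):  # constructed posixAccount entry: attribute -> values
    return {"objectClass": ["posixAccount"], "uid": [uid], **attrs}

DIRECTORY = {  # constructed sample directory keyed by DN (not real data)
    "uid=alice,ou=people,dc=example,dc=org": person("alice", hostGroup=["MYHOSTGROUP"]),
    "uid=bob,ou=people,dc=example,dc=org": person("bob", host=["db1.example.org"]),
    "uid=carol,ou=people,dc=example,dc=org": person("carol", host=["*"]),
    "uid=dave,ou=people,dc=example,dc=org": person("dave"),
}

# The thread's filter as it reaches the server: "\*" is a literal asterisk,
# so (host=\*) only matches entries whose host value is "*".
TEMPLATE = (r"(&(objectClass=posixAccount)(uid=$username)(|(hostGroup=MYHOSTGROUP)"
            r"(hostGroup=\*)(host=$hostname)(host=$fqdn)(host=\*)))")

def escape(value):
    """RFC 4515-escape a substituted value, so 'b*' cannot become a wildcard."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def value_regex(raw):
    """Assertion value -> regex: bare '*' is a wildcard, '\\xx' and '\\c' are literal."""
    def tok(m):
        t = m.group()
        if t == "*": return ".*"
        if t[0] == "\\": return re.escape(chr(int(t[1:], 16)) if len(t) == 3 else t[1])
        return re.escape(t)
    return re.compile(re.sub(r"\\[0-9a-fA-F]{2}|\\.|.", tok, raw), re.IGNORECASE)

def parse(s, i=0):
    """Parse the '(&...)', '(|...)' and '(attr=value)' subset of RFC 4515."""
    if s[i + 1] in "&|":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # step over the closing ')'
    eq, end = s.index("=", i), s.index(")", i)
    return ("=", s[i + 1:eq], s[eq + 1:end]), end + 1
def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names compared as written)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, entry) for n in node[1])
    return any(value_regex(node[2]).fullmatch(v) for v in entry.get(node[1], []))
def allowed(username, hostname, fqdn, directory=DIRECTORY, template=TEMPLATE):
    """True when pam_authz_search would return at least one entry for this login."""
    for name, val in (("username", username), ("hostname", hostname), ("fqdn", fqdn)):
        template = template.replace("$" + name, escape(val))
    node, _ = parse(template)
    return any(matches(node, e) for e in directory.values())
```

Case-insensitive string matching and as-written attribute names are simplifications of real LDAP matching rules; the point of the model is to check which accounts a given filter admits on a given host before rolling it out.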