Re: Fine grained access control
- From: Richard Pijnenburg <richard [at] softwaredev.nl>
- To: <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Fine grained access control
- Date: Tue, 04 Sep 2012 00:40:30 +0200
On 2012-09-03 21:58, Arthur de Jong wrote:
> On Sun, 2012-09-02 at 03:45 +0200, Richard Pijnenburg wrote:
> > I've worked with the pam_groupdn in pam_ldap.conf to specify the group
> > it has to be in. I've built that group up with 'groupOfURLs' to
> > dynamically combine other groups into 1 group.
> > The result of that search returns a list of DNs of the users. (
> > member: uid=user,ou=people,dc=..... )
> > I'm wondering how I can transform that functionality into the
> > pam_authz_search way.
> Can you give an example of a group as LDIF snippet?
> I don't think nested groups can be easily done with pam_authz_search but
> anything that ldapsearch can do pam_authz_search also probably does.
Hi Arthur,
Here is the LDIF part.
-----
dn: cn=siteops,ou=isp,ou=groups,dc=ispavailability,dc=com
objectClass: top
objectClass: groupOfNames
cn: siteops
description: SiteOps
member: uid=testuser1,ou=people,dc=ispavailability,dc=com

dn: cn=pd,ou=isp,ou=groups,dc=ispavailability,dc=com
objectClass: top
objectClass: groupOfNames
cn: pd
description: Product Development
member: uid=testuser2,ou=people,dc=ispavailability,dc=com

dn: cn=extcompany,ou=isp,ou=groups,dc=ispavailability,dc=com
objectClass: top
objectClass: groupOfNames
cn: extcompany
description: External company name
member: uid=extuser1,ou=people,dc=ispavailability,dc=com
member: uid=extuser2,ou=people,dc=ispavailability,dc=com

dn: ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: organizationalUnit
ou: isp

dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod
memberURL: ldap:///cn=siteops,ou=isp,ou=groups,dc=ispavailability,dc=com?member?sub?
memberURL: ldap:///cn=pd,ou=isp,ou=groups,dc=ispavailability,dc=com?member?sub?
memberURL: ldap:///cn=extcompany,ou=isp,ou=groups,dc=ispavailability,dc=com?member?sub?
-----
The cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com entry is then the group I
want to use.
With ldapsearch -x -b "cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com"
I get the list like this:
-----
# prod, isp, acl, ispavailability.com
dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod
memberURL: ldap:///cn=siteops,ou=isp,ou=groups,dc=ispavailability,dc=com?member?sub?
memberURL: ldap:///cn=pd,ou=isp,ou=groups,dc=ispavailability,dc=com?member?sub?
memberURL: ldap:///cn=extcompany,ou=isp,ou=groups,dc=ispavailability,dc=com?member?sub?
member: uid=testuser1,ou=people,dc=ispavailability,dc=com
member: uid=testuser2,ou=people,dc=ispavailability,dc=com
member: uid=extuser1,ou=people,dc=ispavailability,dc=com
member: uid=extuser2,ou=people,dc=ispavailability,dc=com
-----
In pam_ldap.conf I use the following two config statements to limit
access based on the group:
-----
pam_groupdn cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
pam_member_attribute member
-----
Hope it all makes sense :-)
Thanks
Richard
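As an added example, not taken from this thread or from the nss-pam-ldapd documentation, here is how the pam_ldap pair quoted above could be written as a single nslcd.conf pam_authz_search filter. It assumes the DNs from the LDIF above, that nslcd's configured base covers ou=acl and ou=groups, and, most importantly, that the directory server applies search filters to the dynlist-expanded member attribute of the groupOfURLs entry; that last point is an assumption that has to be verified against the server in use, not a guarantee.

```conf
# pam_ldap.conf (pam_ldap): the two statements from the post above.
pam_groupdn cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
pam_member_attribute member

# nslcd.conf (nss-pam-ldapd): the same check as one authorisation search.
# nslcd grants access only if this search returns at least one entry.
# $username is substituted by nslcd; the rest of the DN follows the
# ou=people layout in the LDIF above (assumption).
# Only works if the server matches filters against the member values that
# dynlist generates from memberURL; verify with ldapsearch first.
pam_authz_search (&(objectClass=groupOfURLs)(cn=prod)(member=uid=$username,ou=people,dc=ispavailability,dc=com))

# Fallback that does not depend on dynlist filter matching at all: query the
# three static groupOfNames entries directly (flattens cn=prod by hand, so
# it must be kept in sync with the memberURL list).
#pam_authz_search (&(objectClass=groupOfNames)(|(cn=siteops)(cn=pd)(cn=extcompany))(member=uid=$username,ou=people,dc=ispavailability,dc=com))
```

Before relying on the first filter, run it by hand for a member and for a non-member, for example with `ldapsearch -x -b ou=acl,dc=ispavailability,dc=com '(&(objectClass=groupOfURLs)(cn=prod)(member=uid=testuser1,ou=people,dc=ispavailability,dc=com))' dn`, and confirm the cn=prod entry is returned only for the member. If the server expands memberURL only when returning attributes and not when evaluating the filter, that search returns nothing and nslcd would deny everyone, which is the case the commented-out fallback is for. Note also that pam_ldap reads the member list off a single known DN, whereas pam_authz_search runs a search under nslcd's base, so the filter should pin down the group entry (here by objectClass and cn) rather than rely on the member clause alone.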