
Re: Fine grained access control



On Tue, 2012-09-04 at 00:40 +0200, Richard Pijnenburg wrote:
> The cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com is the group then
> I want to use. With ldapsearch -x -b
> "cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com" I get the list like
> this:
> 
> dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
> objectClass: groupOfURLs
> cn: prod
[...]
> member: uid=testuser1,ou=people,dc=ispavailability,dc=com
> member: uid=testuser2,ou=people,dc=ispavailability,dc=com
> member: uid=extuser1,ou=people,dc=ispavailability,dc=com
> member: uid=extuser2,ou=people,dc=ispavailability,dc=com

I guess this should be something like:

pam_authz_search (&(objectClass=groupOfURLs)(cn=prod)(member=$dn))

With pam_authz_search you can't currently specify the search base and
the default search base is used. So you have to make your filter
specific enough to only match the object you want.

The member=$dn would ensure that only members for the logged-in user
should be matched.

You could combine this to allow users that have a host attribute access
regardless of the group they are in:

pam_authz_search (|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))

It's a bit long and I hope I got the parentheses right.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
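A small checker for filters like the two above, added here as an example and not code from nss-pam-ldapd itself: it verifies that the parentheses balance and expands the $dn, $username and $hostname placeholders with RFC 4515 escaping so that a value containing filter metacharacters cannot change the filter's structure. The escaping and the placeholder syntax are my assumptions for the sake of the demo; the sample filters and DN are constructed from the message.

```python
import re

# Constructed samples: the two filters suggested in the message above.
GROUP_FILTER = "(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))"
COMBINED_FILTER = ("(|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))"
                   "(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes, so the value
    is matched literally instead of being parsed as filter syntax.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template, variables):
    """Replace $name placeholders in a pam_authz_search-style template.

    Assumption: placeholders are $dn, $username, $hostname (letters and
    underscores); each is replaced with its escaped value.
    """
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("unknown placeholder $%s" % name)
        return escape_filter_value(variables[name])
    return re.sub(r"\$([A-Za-z_]+)", substitute, template)


def check_parentheses(filter_str):
    """Return True if every '(' has a matching ')' and nesting never goes negative."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    user = {"dn": "uid=testuser1,ou=people,dc=ispavailability,dc=com",
            "username": "testuser1", "hostname": "web1"}
    print(check_parentheses(COMBINED_FILTER), expand_filter(COMBINED_FILTER, user))
```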