Re: Fine grained access control
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Fine grained access control
- Date: Wed, 05 Sep 2012 23:23:52 +0200
On Tue, 2012-09-04 at 00:40 +0200, Richard Pijnenburg wrote:
> The cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com is the group then
> i want to use. with ldapsearch -x -b
> "cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com" i get the list like
> this:
>
> dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
> objectClass: groupOfURLs
> cn: prod
[...]
> member: uid=testuser1,ou=people,dc=ispavailability,dc=com
> member: uid=testuser2,ou=people,dc=ispavailability,dc=com
> member: uid=extuser1,ou=people,dc=ispavailability,dc=com
> member: uid=extuser2,ou=people,dc=ispavailability,dc=com
I guess this should be something like:
pam_authz_search (&(objectClass=groupOfURLs)(cn=prod)(member=$dn))
With pam_authz_search you can't currently specify the search base and
the default search base is used. So you have to make your filter
specific enough to only match the object you want.
The member=$dn part ensures that only groups which have the logged-in user
as a member are matched.
You could combine this to allow users that have a host attribute access
regardless of the group they are in:
pam_authz_search (|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))
It's a bit long and I hope I got the parentheses right.
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
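The two filters above are easy to get wrong, and since pam_authz_search grants access when the search returns at least one entry, a mis-parenthesised or over-broad filter fails open. The following is an added example, not nslcd's code and not something the list post contains: it substitutes $dn, $username and $hostname the way the post describes, escapes each value per RFC 4515 (whether nslcd itself escapes them is not stated in this thread, so the example does it unconditionally), checks the parentheses balance, and evaluates the resulting filter against a constructed in-memory directory built from the entries quoted above plus two hypothetical accounts (admin1 with a host attribute, nobody1 without). The directory entries, the hostnames and the helper names are assumptions made for the example.

```python
"""Added example: expand and evaluate an nslcd-style pam_authz_search filter
offline against a constructed directory.  Not nslcd's own code."""
import re

# Filter templates from the post (the group-only one and the combined one).
GROUP_FILTER = '(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))'
COMBINED_FILTER = ('(|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))'
                   '(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))')

# Constructed sample directory: the group quoted in the thread plus assumed
# account entries.  Attribute names are stored lower-case; values are lists.
BASE = 'dc=ispavailability,dc=com'
DIRECTORY = [
    {'dn': [f'cn=prod,ou=isp,ou=acl,{BASE}'], 'objectclass': ['groupOfURLs'],
     'cn': ['prod'],
     'member': [f'uid=testuser1,ou=people,{BASE}', f'uid=testuser2,ou=people,{BASE}',
                f'uid=extuser1,ou=people,{BASE}', f'uid=extuser2,ou=people,{BASE}']},
    {'dn': [f'uid=testuser1,ou=people,{BASE}'], 'objectclass': ['posixAccount'],
     'uid': ['testuser1']},
    {'dn': [f'uid=admin1,ou=people,{BASE}'], 'objectclass': ['posixAccount'],
     'uid': ['admin1'], 'host': ['web01']},          # assumed: allowed via host attribute
    {'dn': [f'uid=nobody1,ou=people,{BASE}'], 'objectclass': ['posixAccount'],
     'uid': ['nobody1']},                             # assumed: in no group, no host
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value must not be able to inject filter syntax."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def expand_filter(template: str, variables: dict) -> str:
    """Replace $name placeholders with escaped values; unknown names are an error."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f'unknown placeholder ${name}')
        return escape_filter_value(variables[name])
    return re.sub(r'\$([a-z]+)', repl, template)

def parens_balanced(filt: str) -> bool:
    depth = 0
    for ch in filt:
        depth += (ch == '(') - (ch == ')')
        if depth < 0:
            return False
    return depth == 0

def value_matcher(pattern: str):
    """Turn an (escaped) assertion value with '*' wildcards into a predicate.
    Matching is case-insensitive, as for cn/uid/DN syntaxes in LDAP."""
    regex, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\':                      # \xx hex escape -> literal char
            regex.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
            continue
        regex.append('.*' if pattern[i] == '*' else re.escape(pattern[i]))
        i += 1
    compiled = re.compile(''.join(regex), re.IGNORECASE | re.DOTALL)
    return lambda v: compiled.fullmatch(v) is not None

def parse_filter(s: str):
    """Parse the and/or/not/equality subset of RFC 4515 into a predicate over entries."""
    pos = 0
    def parse():
        nonlocal pos
        if s[pos] != '(':
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = s[pos]
        if op in '&|!':
            pos += 1
            subs = []
            while s[pos] == '(':
                subs.append(parse())
            if s[pos] != ')':
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == '&':
                return lambda e: all(f(e) for f in subs)
            if op == '|':
                return lambda e: any(f(e) for f in subs)
            if len(subs) != 1:
                raise ValueError("'!' takes exactly one filter")
            return lambda e: not subs[0](e)
        end = s.index(')', pos)                     # escaped values contain no raw ')'
        attr, _, val = s[pos:end].partition('=')
        pos = end + 1
        match = value_matcher(val)
        return lambda e: any(match(v) for v in e.get(attr.lower(), []))
    pred = parse()
    if pos != len(s):
        raise ValueError('trailing data after filter')
    return pred

def authorized(template: str, username: str, hostname: str, directory=DIRECTORY) -> bool:
    """Access is granted when the expanded filter matches at least one entry."""
    user = next((e for e in directory if username in e.get('uid', [])), None)
    if user is None:
        return False                                # account lookup would already have failed
    filt = expand_filter(template, {'username': username, 'hostname': hostname,
                                    'dn': user['dn'][0]})
    if not parens_balanced(filt):
        raise ValueError('unbalanced parentheses in filter: ' + filt)
    pred = parse_filter(filt)
    return any(pred(e) for e in directory)

if __name__ == '__main__':
    for user, host in [('testuser1', 'web01'), ('admin1', 'web01'),
                       ('admin1', 'db01'), ('nobody1', 'web01')]:
        print(f'{user}@{host}: {"allow" if authorized(COMBINED_FILTER, user, host) else "deny"}')
```

Running it shows testuser1 allowed through the group branch, admin1 allowed on web01 only through the host branch, and nobody1 denied; the escaping step is what keeps a login name such as `a*)` from turning into filter syntax.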