
Re: Fine grained access control

On 2012-09-05 23:23, Arthur de Jong wrote:
On Tue, 2012-09-04 at 00:40 +0200, Richard Pijnenburg wrote:
The cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com is the group I then
want to use. With ldapsearch -x -b
"cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com" I get a list like
this:

dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod
[...]
member: uid=testuser1,ou=people,dc=ispavailability,dc=com
member: uid=testuser2,ou=people,dc=ispavailability,dc=com
member: uid=extuser1,ou=people,dc=ispavailability,dc=com
member: uid=extuser2,ou=people,dc=ispavailability,dc=com

I guess this should be something like:

pam_authz_search (&(objectClass=groupOfURLs)(cn=prod)(member=$dn))

With pam_authz_search you can't currently specify the search base and
the default search base is used. So you have to make your filter
specific enough to only match the object you want.

The member=$dn would ensure that only entries that list the logged-in user
as a member are matched.

You could combine this to allow users that have a host attribute access
regardless of the group they are in:

pam_authz_search (|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))

It's a bit long and I hope I got the parentheses right.

Hi Arthur,

I'll give it a try and let you know.
Thank you very much for your time :-)

Cheers.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
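The following script is an added example, not code from this thread or from the nss-pam-ldapd project. It dry-runs the two pam_authz_search filters from Arthur's reply the way nslcd evaluates them: the user's DN is looked up first, $dn, $username and $hostname are substituted into the filter, the search runs under the configured base (there is no per-filter base), and access is granted when at least one entry comes back. The directory content is constructed for the example: besides the cn=prod group from the thread it assumes a second cn=prod group under ou=hosting, users webadmin and nobody1, a host attribute value of web01 on extuser2, and a client hostname of web01. The second group exists to show the search-base caveat, namely that any object under the base matching the filter grants access. The filter evaluator only handles the &, |, ! and attr=value constructs used here, and compares values case-insensitively.

```python
"""Dry-run of nslcd pam_authz_search filters against constructed LDAP entries.

Added example; it models nslcd's behaviour (user DN lookup, variable
substitution, search under the default base, allow if non-empty result)
but is not nslcd code. All entries below are made up for the example.
"""
import re

BASE = "dc=ispavailability,dc=com"  # the nslcd.conf 'base' option

# Constructed directory; attribute names are stored lower-case.
DIRECTORY = {
    "cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com": {
        "objectclass": ["groupOfURLs"], "cn": ["prod"],
        "member": ["uid=testuser1,ou=people,dc=ispavailability,dc=com",
                   "uid=testuser2,ou=people,dc=ispavailability,dc=com"],
    },
    # Assumed second cn=prod group in another subtree (not from the thread):
    # it shows why "cn=prod" alone is not specific enough under a shared base.
    "cn=prod,ou=hosting,ou=acl,dc=ispavailability,dc=com": {
        "objectclass": ["groupOfURLs"], "cn": ["prod"],
        "member": ["uid=webadmin,ou=people,dc=ispavailability,dc=com"],
    },
    "uid=testuser1,ou=people,dc=ispavailability,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["testuser1"]},
    "uid=webadmin,ou=people,dc=ispavailability,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["webadmin"]},
    "uid=extuser2,ou=people,dc=ispavailability,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["extuser2"], "host": ["web01"]},
    "uid=nobody1,ou=people,dc=ispavailability,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["nobody1"]},
}

# The two filters proposed in the thread.
GROUP_ONLY = "(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))"
GROUP_OR_HOST = ("(|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))"
                 "(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))")


def parse_filter(s, i=0):
    """Parse the &, |, !, attr=value subset of RFC 4515; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    end = s.index(")", i)            # values here contain no ')' so no escaping needed
    attr, _, value = s[i:end].partition("=")   # first '=' splits attr from a DN value
    return ("=", attr.strip(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def expand(template, username, dn, hostname):
    """Substitute the nslcd variables this example uses ($username, $dn, $hostname)."""
    subs = {"username": username, "dn": dn, "hostname": hostname}
    return re.sub(r"\$(\w+)", lambda m: subs[m.group(1)], template)


def find_user_dn(username):
    """nslcd resolves the user's DN from the passwd map before the authz search."""
    for dn, entry in DIRECTORY.items():
        if "posixaccount" in [c.lower() for c in entry["objectclass"]] \
                and username in entry.get("uid", []):
            return dn
    return None


def authz_search(template, username, hostname, base=BASE):
    """Return the DNs under base that the expanded filter matches."""
    dn = find_user_dn(username)
    if dn is None:
        return []
    filt, _ = parse_filter(expand(template, username, dn, hostname))
    return sorted(edn for edn, entry in DIRECTORY.items()
                  if edn.lower().endswith(base.lower()) and matches(filt, entry))


def is_authorized(template, username, hostname):
    """nslcd allows the login when the authz search returns at least one entry."""
    return bool(authz_search(template, username, hostname))


if __name__ == "__main__":
    for user in ["testuser1", "extuser2", "webadmin", "nobody1"]:
        print(user, is_authorized(GROUP_OR_HOST, user, "web01"),
              authz_search(GROUP_OR_HOST, user, "web01"))
```

Running it shows testuser1 allowed through the ou=isp group, extuser2 allowed only through its host attribute (and denied from a host other than web01), nobody1 denied, and webadmin allowed because the other cn=prod group under ou=hosting also satisfies the filter. The practical check before deploying the line in nslcd.conf is the same as the script's: substitute a real user's DN into the filter, run it with ldapsearch under the configured base, and confirm it returns exactly the intended entry for a permitted user and nothing for a denied one; if it can return more than one kind of object, give the group a cn that is unique under the base or match an additional attribute. If the group's member values are produced by the dynlist overlay rather than stored, also confirm with that ldapsearch that the server actually evaluates (member=...) filters against them, since a server that only expands dynamic attributes on return would make the group branch never match.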