Re: Fine grained access control
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
Re: Fine grained access control
- From: Richard Pijnenburg <richard [at] softwaredev.nl>
- To: <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: Fine grained access control
- Date: Tue, 18 Sep 2012 11:58:04 +0200
On 2012-09-06 00:04, Richard Pijnenburg wrote:
On 2012-09-05 23:23, Arthur de Jong wrote:
On Tue, 2012-09-04 at 00:40 +0200, Richard Pijnenburg wrote:
The cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com is the group
then
i want to use. with ldapsearch -x -b
"cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com" i get the list
like
this:
dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod
[...]
member: uid=testuser1,ou=people,dc=ispavailability,dc=com
member: uid=testuser2,ou=people,dc=ispavailability,dc=com
member: uid=extuser1,ou=people,dc=ispavailability,dc=com
member: uid=extuser2,ou=people,dc=ispavailability,dc=com
I guess this should be something like:
pam_authz_search (&(objectClass=groupOfURLs)(cn=prod)(member=$dn))
With pam_authz_search you can't currently specify the search base
and
the default search base is used. So you have to make your filter
specific enough to only match the object you want.
The member=$dn would ensure that only members for the logged-in user
should be matched.
You could combine this to allow users that have a host attribute
access
regardless of the group they are in:
pam_authz_search
(|(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))(&(objectClass=posixAccount)(uid=$username)(host=$hostname)))
It's a bit long and I hope I got the parenthesis right.
Hi Arthur,
I'll give it a try and let you know.
Thank you very much for your time :-)
Cheers.
Hi Arthur,
Finally had time to test it out.
First did a ldapsearch based on a part of the search string:
ldapsearch -x
'(&(objectClass=groupOfURLs)(cn=prod)(member=uid=richard,ou=people,dc=ispavailability,dc=com))'
And i get nothing back.
If i take out the member part i get this:
ldapsearch -x '(&(objectClass=groupOfURLs)(cn=prod))'
# extended LDIF
#
# LDAPv3
# base <dc=ispavailability,dc=com> (default) with scope subtree
# filter: (&(objectClass=groupOfURLs)(cn=prod))
# requesting: ALL
#
# prod, isp, acl, ispavailability.com
dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod acl
cn: prod
memberURL:
ldap:///cn=sysadmin,ou=isp,ou=groups,dc=ispavailability,dc=com?memb
er?sub?
member: uid=richard,ou=people,dc=ispavailability,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Any idea what im doing wrong?
Cheers.
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
- Re: Fine grained access control, (continued)