Hello all, At my current job the time has come to unify our LDAP infrastructure into one tree (preferably). The basics are working but we are not sure how to restrict which users can log into which machines. What we would like is for everyone in the (for example) "infra" group to log into all machines while people in the "development" group can only log into development servers. From an initial Google my options seem to be: * LDAP based netgroups * OpenSSH - AllowGroups, DenyGroups * PAM - mod_access Does anyone have any real world, in the trenches experience they would be willing to share? I would like to know which is the most maintainable and easy to hand-over to more junior admins. Thanks, Fred.
Friedrich Clausen wrote:> Does anyone have any real world, in the trenches experience they would > be willing to share? I would like to know which is the most > maintainable and easy to hand-over to more junior admins. >The way we did this was, we have an access.conf file that is automatically copied to every machine via a cron job. To give a netgroup access, you just make the change to the file in subversion, and it's automatically propagated a few minutes later. It's kind of hacky, but it does work. --Russell
Seemingly Similar Threads
- [Bug 999] AllowGroups ,DenyGroups failed to report hostname
- [Bug 2292] New: sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups should actually tell how the evaluation order matters
- [Bug 1690] New: AllowUsers and DenyGroups directives are not parsed in the order specified
- AllowUsers "logic" and failure to indicate bad configuration
- [Bug 1298] Use of Allow/DenyGroups leads to slow login