I'm wondering - can I use something like netgroups in the LDAP
host-based ("host" attribute) for access restriction? I have over 1000
servers and there is no way I can list every combination of user/host
explicitly.
I have looked at pam_access with LDAP netgroups, which is great but
there is one crucial problem - if a user needs temporary access for
example to a certain machine and this falls outside of my netgroup
definitions then there seems to be no way to allow specific access using
pam_access and /etc/security/access.conf, without having to push out
over 1000 new copies of this file. I need to be able to grant special
access like this on the LDAP server. The only thing I can think of is
this in access.conf:
+ @special@@special : ALL
where the "special" netgroup contains nisnetgroup triples like
(user,machine,)
Normally, you don''t use both fields in a netgroup triple but this works
fine in access.conf because PAM uses the user part when the netgroup is
used in the user position of the user@host <mailto:user@host> field and
uses the machine part when the netgroup is in the "host" position. I
thought this was really nice until I realised that this means that if
the "special" netgroup contains several entries like:
(user1,machine1)
(user2,machine2)
Then user2 also gets access to machine1 and user1 gets access to machine
2 because PAM doesn't understand that these netgroup entries are
supposed to be kept together - it just parses the user and machine parts
completely separately.
I just need to have one entry in access.conf that will cover
special-case creation on the LDAP server but it doesn't seem to be
possible, hence I am now looking at the LDAP-based host access thing.
--
Philip Kime
NOPS Systems Architect
310 401 0407
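An added example, not part of the thread: a small audit script that evaluates the access.conf rule `+ @special@@special : ALL` the way the post describes pam_access doing it (user field and host field looked up in the netgroup independently), compares that with the intended "keep the triple together" reading, and lists the extra (user, host) pairs the rule grants. The netgroup contents are constructed inline and the NIS domain part of each triple is ignored.

```python
# Constructed "special" netgroup: (user, host, domain) triples as they would
# be stored in nisNetgroupTriple on the LDAP server. Sample data, not real.
SPECIAL = [
    ("user1", "machine1", ""),
    ("user2", "machine2", ""),
]

def innetgr_user(triples, user):
    """innetgr() with only the user set: does any triple carry this user?"""
    return any(u == user for u, _h, _d in triples)

def innetgr_host(triples, host):
    """innetgr() with only the host set: does any triple carry this host?"""
    return any(h == host for _u, h, _d in triples)

def pam_access_allows(triples, user, host):
    """'+ @special@@special : ALL' as pam_access evaluates it: the user part
    and the host part are matched separately, so the triples decouple."""
    return innetgr_user(triples, user) and innetgr_host(triples, host)

def bound_triple_allows(triples, user, host):
    """The semantics the poster wanted: user and host must come from the
    same triple."""
    return any(u == user and h == host for u, h, _d in triples)

def unintended_grants(triples):
    """Every (user, host) pair the pam_access rule grants that no single
    triple authorises. An empty list means the netgroup is safe to use
    this way; anything else is an over-broad grant to review."""
    users = {u for u, _h, _d in triples}
    hosts = {h for _u, h, _d in triples}
    return sorted(
        (u, h)
        for u in users
        for h in hosts
        if pam_access_allows(triples, u, h)
        and not bound_triple_allows(triples, u, h)
    )

if __name__ == "__main__":
    # Expected: user1@machine2 and user2@machine1 are granted unintentionally.
    for user, host in unintended_grants(SPECIAL):
        print(f"unintended: {user}@{host}")
```

Run against a dump of the real netgroup triples to see exactly which cross-product pairs a single `@special@@special` line would open up.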
Mike Jackson
2006-Jul-13 20:35 UTC
Re: [Fedora-directory-users] Host-based access restrictions
Philip Kime wrote:
> I'm wondering - can I use something like netgroups in the LDAP
> host-based ("host" attribute) for access restriction? I have over 1000
> servers and there is no way I can list every combination of user/host
> explicitly.
>
Hi Phil,

You could easily accomplish what you are after by designing and writing a pre-authentication plugin for FDS, which parses the data structure you define in the "host" or other attribute of your choice.

BR,
Mike

--
http://www.netauth.com - LDAP Directory Consulting