I am trying to implement host based ACI for either users or groups. Basic question: can you achieve the same results as using the host ACI as you would with host attributes per user.

I am trying to find a way not to specifically include each host in each user that needs access to every host or multiple hosts.

Is it possible to add Host based ACI to a group and have the members of that group be granted access to only those specific hosts? Say for example having a group for admins with every host and adding users to that group thus giving them access to all hosts, same with a development group with only access to development hosts.

Any direction that you can give would be much appreciated. I have attempted to set up ACIs for a particular user to a single host, but it doesn't appear that it is working, seems like I am missing either a client side LDAP setting or an Attribute on the user to handle the ACI. I was able to set up host based access using the host attribute per user, that just seems tedious.

Thanks,
Greg
Greg Hetrick wrote:
> I am trying to implement host based ACI for either users or groups.
> Basic question: can you achieve the same results as using the host ACI
> as you would with host attributes per user.
>
> I am trying to find a way not to specifically include each host in
> each user that needs access to every host or multiple hosts.
>
> Is it possible to add Host based ACI to a group and have the members
> of that group be granted access to only those specific hosts? Say for
> example having a group for admins with every host and adding users to
> that group thus giving them access to all hosts, same with a
> development group with only access to development hosts.
>
> Any direction that you can give would be much appreciated. I have
> attempted to set up ACIs for a particular user to a single host, but it
> doesn't appear that it is working, seems like I am missing either a
> client side LDAP setting or an Attribute on the user to handle the
> ACI. I was able to set up host based access using the host attribute
> per user, that just seems tedious.

I don't think you want to use ACIs for this. You need something that works on the client side - PAM/NSS/Posix - that the client side understands and enforces. ACIs are really only useful to enforce server side rules, unless the client has explicit knowledge that relationships modeled in LDAP apply to the client side as well (PAM/NSS do not).

You could implement Role Based Attributes using the "host" attribute if the following criteria are met:
1) You can define your groups using the Roles feature, not e.g. posix groups. Fedora DS Role Based Attributes must use roles to define group membership.
2) PAM/NSS do not perform searches like (host=foo.bar.com) to determine user access. Instead, PAM must perform searches like uid=loginname and retrieve the host attribute of the user, and use that to determine access.

See http://directory.fedora.redhat.com/wiki/Howto:ClassOfService for a description of how Class of Service works and how it can be used to implement Role Based Attributes.

If all else fails, you will probably have to use Netgroups - http://directory.fedora.redhat.com/wiki/Howto:Netgroups

> Thanks,
> Greg
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
I'm doing this by setting the pam_filter attribute on each server in my /etc/ldap.conf file. This means an entry like the following will only allow users which have a host attribute which contains either the server's name or a wildcard. Just don't forget that for authentication purposes, a user is invisible to a given host unless the account has both the host attribute and the proper server name.

pam_filter |(host=server1)(host=*)

Cheers,
Greg Copeland

> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson
> Sent: Tuesday, November 14, 2006 10:49 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Host based ACI
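An added example, not code from the thread or from pam_ldap: it evaluates the pam_filter from Greg Copeland's post against constructed user entries the way the directory server does when pam_ldap ANDs the filter with the uid lookup, and applies the RFC 4515 rule that (host=*) is a presence test, so a stored literal '*' (the wildcard value, whether stored per user or generated from a role via Class of Service as Richard suggests) is matched exactly only by the escaped form \2a. The server names and uids are made up.

```python
# Added example, not from the thread: evaluates the pam_filter from the post
# against constructed directory entries the way the LDAP server would when
# pam_ldap ANDs it with the uid lookup. With Class of Service the host values
# could be generated from a role instead of being stored on each user.
import re

# Constructed entries (not real accounts).
ENTRIES = [
    {"uid": ["alice"], "host": ["*"]},             # wildcard value: every host
    {"uid": ["bob"],   "host": ["server1"]},       # one explicitly named host
    {"uid": ["carol"], "host": ["dev1", "dev2"]},  # development hosts only
    {"uid": ["dave"]},                             # no host attribute at all
]

def unescape(value):
    """Decode RFC 4515 \\XX escapes in an assertion value, e.g. \\2a -> '*'."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def match_item(entry, item):
    """One (attr=value) item. A bare '*' is a presence test (any value at all);
    anything else is a case-insensitive equality test."""
    attr, _, assertion = item.partition("=")
    values = entry.get(attr, [])
    if assertion == "*":
        return bool(values)
    wanted = unescape(assertion).lower()
    return any(v.lower() == wanted for v in values)

def match_or_filter(entry, flt):
    """Evaluate a flat OR filter such as '|(host=server1)(host=*)'; nested
    filters are not needed for the post's configuration and are not handled."""
    if not flt.startswith("|"):
        raise ValueError("expected an OR filter")
    return any(match_item(entry, it) for it in re.findall(r"\(([^()]+)\)", flt))

def pam_filter(server, literal_wildcard=False):
    """The post's pam_filter for <server>. With literal_wildcard=True the '*'
    is escaped as \\2a so it matches only a stored value of '*'."""
    star = r"\2a" if literal_wildcard else "*"
    return f"|(host={server})(host={star})"

def users_allowed(server, literal_wildcard=False, entries=ENTRIES):
    """uids whose entry survives (&(uid=<login>)<pam_filter>) on <server>."""
    flt = pam_filter(server, literal_wildcard)
    return sorted(e["uid"][0] for e in entries if match_or_filter(e, flt))

if __name__ == "__main__":
    # As written, (host=*) is a presence test, so carol logs in on server1 too.
    print(users_allowed("server1"))        # ['alice', 'bob', 'carol']
    print(users_allowed("server1", True))  # ['alice', 'bob']
    print(users_allowed("dev1", True))     # ['alice', 'carol']
```

Only an entry with no host attribute at all (dave) is invisible under the filter as written; the escaped variant confines each host to users that name it or carry the literal wildcard.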