Re: Granualar LDAP host access
- From: Keith Keller <kkeller-usenet@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 11 Jun 2007 10:42:17 -0700
On 2007-06-09, Colin Walls <colin@xxxxxxxxxxxxxxxxxxx> wrote:
> I have a number of UNIX boxes (say S1, S2 and S3) and a number of users (say
> U1, U2). I have set up an LDAP server and am in the later stages of putting
> pam_ldap on each of the boxes. What I can't work out is how to allow U1 on
> boxes S1 and S2, but not S3 while U2 can access S3 but not S1 or S2.
You can use the pam_access module to limit access to groups and/or
individual users; this can be used whether your users are local or
obtained from LDAP. For whatever reason my systems don't have the man
page for pam_access, but you should be able to find it (and man
access.conf) via Google. Your OS may also have a well-documented
skeleton access.conf file available in /etc/security/access.conf .
I have done this before, and it works fine, but it requires local
administration of /etc/security/access.conf (i.e., while the groups and
users are in LDAP, the list of authorized groups/users for a given host
is located on the host).
You can also use the pam_ldap specific authorization mechanisms. I
can't at the moment find online docs for these mechanisms; if you have
an important LDAP server, you might consider buying the ORA book _LDAP
System Administration_, which talks about these authz mechanisms and a
bunch of other stuff. We have a fairly small LDAP configuration, but
I've found the book very helpful.
--keith
--
kkeller-usenet@xxxxxxxxxxxxxxxxxxxxxxxxxx
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
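As an added example (not code from the post or from pam_access itself), a small Python model of how pam_access evaluates /etc/security/access.conf, applied to the S1/S2/S3 case above; the group names, the per-host file contents and the sample origin address are constructed, and only a subset of the access.conf syntax is modelled.

```python
# Simplified model of pam_access rule evaluation for the S1/S2/S3 scenario.
# Each host keeps its own access.conf, as the reply notes, and its PAM stack
# would carry "account required pam_access.so". Only "+|-:users:origins"
# lines with user names, (group) names and ALL are modelled; real pam_access
# also handles EXCEPT, ttys, LOCAL, domains and network masks (man access.conf).

# Constructed group membership; in the real setup these come from LDAP.
GROUPS = {"s12-users": {"U1"}, "s3-users": {"U2"}}

# Per-host access.conf contents. The origins field matches the login source
# (tty or remote host), not the local hostname, so separate per-host files
# are what select the host. The trailing "- : ALL : ALL" is essential:
# when no line matches, pam_access grants access.
HOST_CONF = {
    "S1": "+ : (s12-users) : ALL\n- : ALL : ALL\n",
    "S2": "+ : (s12-users) : ALL\n- : ALL : ALL\n",
    "S3": "+ : (s3-users) : ALL\n- : ALL : ALL\n",
}

def _user_matches(field, user):
    for item in field.split():
        if item == "ALL":
            return True
        if item.startswith("(") and item.endswith(")"):
            if user in GROUPS.get(item[1:-1], set()):
                return True
        elif item == user:
            return True
    return False

def _origin_matches(field, origin):
    return any(item in ("ALL", origin) for item in field.split())

def allowed(conf, user, origin):
    """First matching rule decides: '+' grants, '-' denies, no match grants."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _user_matches(users, user) and _origin_matches(origins, origin):
            return perm == "+"
    return True  # pam_access default when nothing matches

if __name__ == "__main__":
    for host, conf in HOST_CONF.items():
        for user in ("U1", "U2"):
            verdict = "allowed" if allowed(conf, user, "192.0.2.10") else "denied"
            print(f"{user} on {host}: {verdict}")
```

Dropping the final deny-all line from any host's file lets every LDAP user in on that host, which is the first thing to check when auditing an access.conf.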