I suppose I could put something together... are you talking about
something from the ground up like setting up nss_ldap, adding entries
into LDAP, etc. or assume some of the prerequisites are in place?
If there is already sufficient documentation on setting up nss_ldap or
other prerequisites, then just a pointer to that will be fine.
Sure. At least on group based host access restriction, which seems to
be the most asked for info.
Dan-
Jason Hane wrote:
> I second that. Dan if you can provide any resources you used to set up
> your netgroups I would hail at your feet. I've been playing with
> netgroups unsuccessfully for the past month and a half and haven't been
> able to get it to work. All my clients are RedHat ES 3&4.
>
> -----Original Message-----
> From: fedora-directory-users-bounces(a)redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
> Megginson
> Sent: Tuesday, January 03, 2006 4:06 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap
> logins.
>
> This looks very interesting and useful. Would you mind writing up
> something I can post on the Fedora DS wiki? Don't worry about
> formatting, spelling, etc. I can fix that up.
>
> Dan Cox wrote:
>
>> As an alternative, I've used the ldap/netgroup integration for many
>> years and it seems the cleanest way of doing it when used in
>> conjunction with pam's access.conf. It allows me to push the same
>> /etc/passwd and /etc/security/access.conf to all machines on the
>> network via something like CFEngine.
>>
>> The access.conf consists of something like (allow all QA users
>> access to QA systems):
>> + : @QA@@QAServers : ALL
>>
>> Then I just add or remove the user or machine in the ldap netgroup
>> entry. The real power with using ldap based netgroups is when you
>> realize all of the services that can consume netgroup information,
>> unlike the simple user based host attribute. For example, you can push
>> a global /etc/sudoers and specify certain groups of users can run
>> certain commands on particular groups of machines all on one line.
>> CFEngine itself can query netgroups to know what config files to push,
>> tools like dsh (distributed ssh) can use netgroups as machine
>> targets for commands, etc. I've administered some very large
>> networks of machines with these tools and it makes it very easy to
>> control.
>>
>> Dan-
>>
>> Jason Hane wrote:
>>
>>> I had a similar question a few weeks ago. I wanted to be able to
>>> assign a list of users access to only a specific number of computers.
>>>
>>> This is the response I got from Gary Tay:
>>>
>>> FDS is very similar to SUN ONE DS5.2, I think netgroup (+@netgroupXXX
>>> in /etc/passwd and /etc/shadow and "compat" keyword in
>>> /etc/nsswitch.conf) LDAP maps could be setup to achieve what you
>>> want, it has been used by many DS5.2 administrators
>>>
>>> See:
>>>
>>> http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20Open LDAP%20for%20RedHat%20Enterprise%20Linux3.htm
>>> Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native
>>> LDAP Clients (i.e. controlling user access to host using netgroup
>>> LDAP maps)
>>>
>>> Also see:
>>>
>>> http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
>>> Configuring LDAP netgroups
>>> Gary
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces(a)redhat.com
>>> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>> Michael Montgomery
>>> Sent: Tuesday, January 03, 2006 1:35 PM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: [Fedora-directory-users] Server-Side ACLs for pam_ldap
>>> logins.
>>>
>>> Thanks for the response. I'll read up on this, and see if I can
>>> get this working.
>>>
>>> On Tue, 2006-01-03 at 11:29 -0700, Richard Megginson wrote:
>>>
>>>> Michael Montgomery wrote:
>>>>
>>>>> I do agree that this is closer to what I'm looking for, but the
>>>>> first
>>>>> problem I see is that I wanted to allow Groups of people to login
>>>>> to Groups of servers like:
>>>>>
>>>>> cn=www,ou=Group,dc=example,dc=com is a group of www servers.
>>>>> cn=Unix,ou=Group,dc=example,dc=com is a group of Unix users.
>>>>>
>>>>> So basically, on the people in the Unix group, can login to the www
>>>>> servers, and so forth.
>>>>>
>>>> Right. The host attribute is per user. You could set up a Roles
>>>> for your users, and use Class of Service to automatically add the
>>>> host attribute to the role members.
>>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users(a)redhat.com
>>>
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>
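The thread describes the access.conf rule `+ : @QA@@QAServers : ALL` backed by LDAP netgroups but does not show the netgroup entries themselves or how the rule is evaluated. The script below is an added example (not code from the list posters or from Fedora Directory Server) that audits such a setup offline: it parses constructed nisNetgroup LDIF, follows nested `memberNisNetgroup` references, and computes which user may log in on which host under a small access.conf. The netgroup names QA and QAServers come from Dan's post and Unix and www from Michael's; the users alice/bob/carol, the hostnames under example.com and the nested AllServers group are constructed. The `@users@@hosts` form is modelled as the post describes its intent (user in the first netgroup and the local host in the second); pam_access resolves it through innetgr(3), so confirm the exact lookup against pam_access(8) before relying on the model.

```python
"""Offline audit of access.conf rules backed by LDAP netgroups (added example).

Netgroup data is embedded as constructed LDIF instead of being fetched with
ldapsearch; '@users@@hosts' is modelled as: user in netgroup 'users' AND the
local host in netgroup 'hosts' (assumption, see pam_access(8))."""

# Constructed sample data: two user netgroups, two host netgroups and a
# nested netgroup that groups both host netgroups together.
NETGROUP_LDIF = """\
dn: cn=QA,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: QA
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,)

dn: cn=Unix,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: Unix
nisNetgroupTriple: (,carol,)

dn: cn=QAServers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: QAServers
nisNetgroupTriple: (qa1.example.com,,)
nisNetgroupTriple: (qa2.example.com,,)

dn: cn=www,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: www
nisNetgroupTriple: (www1.example.com,,)

dn: cn=AllServers,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: AllServers
memberNisNetgroup: QAServers
memberNisNetgroup: www
"""

# Constructed access.conf in the style of the post: QA users on QA hosts,
# Unix admins everywhere, and an explicit catch-all deny at the end.
ACCESS_CONF = """\
# pam_access rules: evaluated top to bottom, first match wins
+ : @QA@@QAServers : ALL
+ : @Unix@@AllServers : ALL
- : ALL : ALL
"""


def parse_netgroups(ldif):
    """Return {netgroup: {"users": set, "hosts": set, "members": set}}."""
    groups, cur = {}, None
    for line in ldif.splitlines():
        if not line.strip():
            cur = None                      # blank line ends an LDIF entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "cn":
            cur = groups.setdefault(value, {"users": set(), "hosts": set(), "members": set()})
        elif attr == "nisNetgroupTriple" and cur is not None:
            host, user, _domain = value.strip("()").split(",")   # (host,user,domain)
            if host:
                cur["hosts"].add(host)
            if user:
                cur["users"].add(user)
        elif attr == "memberNisNetgroup" and cur is not None:
            cur["members"].add(value)
    return groups


def expand(groups, name, key, seen=None):
    """All 'users' or 'hosts' of a netgroup, following nesting; cycles and
    unknown names contribute nothing instead of looping or raising."""
    seen = set() if seen is None else seen
    if name not in groups or name in seen:
        return set()
    seen.add(name)
    result = set(groups[name][key])
    for member in groups[name]["members"]:
        result |= expand(groups, member, key, seen)
    return result


def parse_rules(conf):
    """Parse '+|- : users : origins' lines, skipping comments and blanks."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users, origins))
    return rules


def user_field_matches(groups, field, user, host):
    """Match the users column: ALL, a login name, @netgroup or @netgroup@@hostgroup."""
    if field == "ALL":
        return True
    if not field.startswith("@"):
        return field == user
    usergroup, _, hostgroup = field[1:].partition("@@")
    if user not in expand(groups, usergroup, "users"):
        return False
    # Modelled semantics (assumption): '@@hosts' limits the rule to hosts in that netgroup.
    return not hostgroup or host in expand(groups, hostgroup, "hosts")


def is_allowed(groups, rules, user, host):
    """First matching rule decides; with no match the model allows, which is
    why ACCESS_CONF ends in '- : ALL : ALL'. Only origin 'ALL' is modelled."""
    for allow, users, origins in rules:
        if origins == "ALL" and user_field_matches(groups, users, user, host):
            return allow
    return True


def login_matrix(ldif=NETGROUP_LDIF, conf=ACCESS_CONF):
    """{(user, host): allowed} for every user and host known to the netgroups."""
    groups, rules = parse_netgroups(ldif), parse_rules(conf)
    users = sorted(set().union(*(expand(groups, g, "users") for g in groups)))
    hosts = sorted(set().union(*(expand(groups, g, "hosts") for g in groups)))
    return {(u, h): is_allowed(groups, rules, u, h) for u in users for h in hosts}


if __name__ == "__main__":
    for (user, host), ok in sorted(login_matrix().items()):
        print(f"{'ALLOW' if ok else 'DENY':5} {user:6} on {host}")
```

Running it prints the full user-by-host matrix, which is the review a defender wants before pushing a shared access.conf to every machine: a single mis-nested `memberNisNetgroup` (AllServers pulling in a host group it should not) shows up as an unexpected ALLOW row rather than as a surprise login later. Feeding real data only requires replacing NETGROUP_LDIF with the output of an ldapsearch over the netgroup subtree.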