On Thu, 10 Jul 2014, Stephen Gallagher wrote:
> John, this would actually be a rather interesting idea, but I agree
> with Dmitri: if this is the level of control that you need, you would
> be in a far better position with FreeIPA/Red Hat Identity Management.
> It has this concept baked into its Host-Based Access Control mechanism
> (which SSSD fully supports). The problem with trying to do this in
> plain LDAP is that there exists no standard mechanism for maintaining
> this sort of information on the LDAP server (FreeIPA's HBAC rules are
> kind of a de-facto standard).
By adding a group to AD per machine with suitable members, and using simple to
restrict access to that group, are you not in the same place, albeit with an
extra object in LDAP?
jh
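For readers following the thread, this is what the "one AD group per machine, restricted with the simple access provider" arrangement looks like in sssd.conf. It is an added example, not configuration posted by anyone in the thread; the domain example.com, the host name ws01 and the group name host-ws01-login are assumptions, and the group is assumed to already exist in AD with the permitted users as members.

```ini
# Added example (not from this thread). Per-host login restriction using
# SSSD's "simple" access provider against an AD domain.
# Assumed: AD domain example.com, this host is ws01, and an AD security
# group "host-ws01-login" holds the users (or user groups) allowed here.
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad

# The same provider is configured on every host; each host simply names
# its own group. The "rule" therefore lives in the membership of that AD
# group, one group per machine, rather than in a central HBAC object.
access_provider = simple
simple_allow_groups = host-ws01-login
```

Before switching access_provider on a host, confirm the group resolves through SSSD (for example with `getent group host-ws01-login`) and lists the expected members: with the simple provider, as soon as an allow list is configured every user not matched by it is denied, so a misspelled or unresolvable group name denies logins to everyone on that host. The trade-off against FreeIPA HBAC is that there is no single place that records which users may log in where; that information is spread across the host-* groups and enforced only on hosts whose sssd.conf names the matching group.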