[389-users] Migrating to LDAP authentication
Morris, Patrick
patrick.morris at hp.com
Tue Feb 2 18:18:28 UTC 2010
Sean Carolan wrote:
>> This allows you to control who has access to the systems directly from
>> ldap. Add the entitlement and they have access. Remove the entitlement
>> and their access is revoked.
>>
>> My $0.02 CDN
>>
>
> Terry, this is perfect, just what I was looking for. I like being
> able to control access from the LDAP server itself.
>
For what it's worth, our take on that from a slightly different angle
was the group method I mentioned earlier -- since all our groups are in
LDAP, adding a user to a particular group allows them access to the
boxes associated with that group.
For example, we might have a group called "db-ssh" that defines a user
group allowed to access database servers. Then we just make sure DB
hosts get "AllowGroups db-ssh" added to their SSH configs. Plopping a
user into the db-ssh group in LDAP then gives that person access to all
the boxes that group is allowed to access with one LDAP entry.
We've found it a lot easier to manage than having to add an entry per
host to user records, but then our servers tend to fall into
easily-defined groups, which may not be the case for everyone, and the
way we do it also relies on the only remote access to the box being over
SSH.
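The group-based gating described above can be modelled offline to see how sshd combines its access lists; this is an added example, not code from the list post. The sshd_config fragment and the group memberships are constructed sample data, and pattern matching uses Python's fnmatch as a stand-in for sshd's own `*`/`?` matcher.

```python
"""Offline model of sshd's Deny/Allow user and group evaluation."""
from fnmatch import fnmatchcase

# Constructed sshd_config fragment for a database host (sample data).
SSHD_CONFIG = """
Port 22
PasswordAuthentication no
DenyUsers guest
AllowGroups db-ssh ops-*   # only these LDAP groups may log in
"""

# Constructed group membership, as LDAP-backed getent would report it: group -> members.
GROUPS = {
    "db-ssh": {"alice", "bob"},
    "ops-oncall": {"carol"},
    "web-ssh": {"dave"},
    "guest": {"guest"},
}

def parse_access_lists(config):
    """Collect DenyUsers/AllowUsers/DenyGroups/AllowGroups patterns from sshd_config text."""
    lists = {"DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": []}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *patterns = line.split()
        if key in lists:
            lists[key].extend(patterns)
    return lists

def user_groups(user, groups):
    """All groups the user belongs to; sshd checks primary and supplementary groups alike."""
    return {g for g, members in groups.items() if user in members}

def match_any(name, patterns):
    # sshd accepts only * and ? wildcards; fnmatch also accepts [...], which is fine here.
    # user@host forms of AllowUsers/DenyUsers are not modelled.
    return any(fnmatchcase(name, p) for p in patterns)

def ssh_login_allowed(user, config=SSHD_CONFIG, groups=GROUPS):
    """Apply sshd's documented order: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    lists = parse_access_lists(config)
    ugroups = user_groups(user, groups)
    if match_any(user, lists["DenyUsers"]):
        return False
    if lists["AllowUsers"] and not match_any(user, lists["AllowUsers"]):
        return False
    if any(match_any(g, lists["DenyGroups"]) for g in ugroups):
        return False
    if lists["AllowGroups"] and not any(match_any(g, lists["AllowGroups"]) for g in ugroups):
        return False
    return True
```

Removing a user from the LDAP group is enough to make `ssh_login_allowed` return False on every host that names that group, which is the revocation property the post relies on.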