[389-users] Migrating to LDAP authentication

Morris, Patrick patrick.morris at hp.com
Tue Feb 2 18:18:28 UTC 2010


Sean Carolan wrote:
>> This allows you to control who has access to the systems directly from
>> ldap.  Add the entitlement and they have access.  Remove the entitlement
>> and their access is revoked.
>>
>> My $0.02 CDN
>>     
>
> Terry, this is perfect, just what I was looking for.  I like being
> able to control access from the LDAP server itself.
>   

For what it's worth, our take on that from a slightly different angle 
was the group method I mentioned earlier -- since all our groups are in 
LDAP, adding a user to a particular group allows them access to the 
boxes associated with that group.

For example, we might have a group called "db-ssh" that defines a user 
group allowed to access database servers.  Then we just make sure DB 
hosts get "AllowGroups db-ssh" added to their SSH configs.  Plopping a 
user into the db-ssh group in LDAP then gives that person access to all 
the boxes that group is allowed to access with one LDAP entry.

We've found it a lot easier to manage than having to add an entry per 
host to user records, but then our servers tend to fall into 
easily-defined groups, which may not be the case for everyone, and the 
way we do it also relies on the only remote access to the box being over 
SSH.
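The following script is an added example and is not part of the original post or of 389 DS: it emulates sshd's AllowGroups decision so you can check who would be let in (or locked out) before pushing the directive to a fleet of hosts. The group names "db-ssh" and "sysadmin" and the user names are assumptions used only for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): emulate how sshd evaluates
# "AllowGroups" for a user, so the effect of an LDAP group change can be
# checked before it goes live. The group names below are hypothetical.

# The sshd_config fragment the post describes, kept as text here so the
# script can parse it. Note that AllowGroups is a whitelist: every user
# who is in none of the listed groups is refused, so the administrators
# own group must be listed too or the admins lock themselves out.
SSHD_FRAGMENT="
# Only members of these groups may log in over SSH.
AllowGroups db-ssh sysadmin
"

# allowgroups_from_config CONFIG_TEXT
#   Print the patterns of the first AllowGroups directive (sshd uses the
#   first occurrence of a directive, so later copies are ignored here too).
allowgroups_from_config() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# allowed_by_groups GROUP_LIST PATTERN_LIST
#   GROUP_LIST   : space-separated groups of the user (what "id -Gn user"
#                  prints: primary group plus supplementary groups)
#   PATTERN_LIST : space-separated AllowGroups patterns; as in sshd, each
#                  pattern may use the wildcards '*' and '?', and only group
#                  names match, never numeric GIDs
#   Returns 0 when any group matches any pattern (login allowed), else 1.
allowed_by_groups() {
    groups=$1
    patterns=$2
    for g in $groups; do
        for p in $patterns; do
            # $p is intentionally unquoted: the shell's case matching then
            # treats * and ? as wildcards, the same way sshd matches patterns.
            case $g in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# user_allowed USER PATTERN_LIST
#   Same check against the live NSS view of the user's groups. This only
#   reflects LDAP membership if nsswitch.conf routes "group:" through the
#   LDAP client (sssd or nslcd); sshd resolves membership the same way.
user_allowed() {
    user=$1
    patterns=$2
    groups=$(id -Gn "$user" 2>/dev/null) || return 1
    allowed_by_groups "$groups" "$patterns"
}

# Example run (values are constructed, not real accounts):
#   allowgroups_from_config "$SSHD_FRAGMENT"   -> db-ssh sysadmin
#   allowed_by_groups "alice users db-ssh" "db-ssh sysadmin"   -> allowed
#   allowed_by_groups "bob users"          "db-ssh sysadmin"   -> refused
#   user_allowed "$USER" "$(allowgroups_from_config "$SSHD_FRAGMENT")"
```

Two checks worth doing on a real host before relying on this: `getent group db-ssh` must list the LDAP members (otherwise NSS does not see the group and sshd will refuse everyone in it), and `sshd -t` validates the edited config. Keep in mind that sshd evaluates group membership only at login, so removing a user from the group does not terminate sessions that are already open.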