[389-users] Do we have any suggestions for host level access controls?
Brandon Price
bprice at wimba.com
Tue May 11 15:07:05 UTC 2010
I have found 2 methods for allowing individual users, or groups access
to certain hosts via the directory server. (document link)
1. the host attribute
setup:
on server: the host attribute can be defined after adding a user, it
must list each host by fqdn that the user has access to
on client: configure to check for the host attribute in the ldap.conf
pros:
+simple
cons:
-does not scale, if we add a host we then have to go and add that
host to each allowed user, management would be time consuming as
users, or hosts grow
2. define groups of users, and systems in directory server by using
nisNetgroupTriple attribute
setup:
on server: definition of the host, and user groups in the ldap server
via nisNetgroupTriple
on client: configure pam in /etc/pam/system-auth to check if user
belongs to approved user group & system belongs to approved system group
on client: configure pam_group module in /etc/security/group.conf
pros:
+scales
cons:
-not as simple, uses an old beast (NIS)
-NIS adds an additional layer of complexity and points of failure
-doesn't allow me to grant a single user auth on a single system (if
even temporarily)
Is there a third better option? Any suggestions or links to
documentation would be highly appreciated. Thank you for your time.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20100511/7b0efd43/attachment.html>
More information about the 389-users
mailing list