[389-users] Do we have any suggestions for host level access controls?

Edward Capriolo edlinuxguru at gmail.com
Tue May 11 18:16:17 UTC 2010


There are other options...

3)
SSH login group. Create supplementary POSIX groups, assign users to those
groups, and tell the SSH server to allow only those groups.

       pam_filter <filter>
              Specifies a filter to use when retrieving user information. The
              user entry must match the attribute value assertion of
              (pam_login_attribute=login_name) as well as any filter specified
              here. There is no default for this option.

       pam_groupdn <groupdn>
              Specifies the distinguished name of a group to which a user must
              belong for logon authorization to succeed.

       pam_member_attribute <attribute>
              Specifies the attribute to use when testing a user's membership
              of a group specified in the pam_groupdn option.

I used pam_groupdn. Very effective. I had a default login group that my
kickstart creates. Then, cluster by cluster, I could create other objects for
specific login groups.



2010/5/11 Brandon Price <bprice at wimba.com>

> I have found 2 methods for allowing individual users, or groups access to
> certain hosts via the directory server. (document link<http://docs.google.com/viewer?a=v&q=cache:RzrjRqKNyacJ:www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf+host+groups+redhat+directory+server&hl=en&gl=us&pid=bl&srcid=ADGEESjBSnH6fzg3FnIKNBbXOK0OsnzZf1T7N0vfyeeQcI9iwbhmV8tt1nzPUqrn_Bhm86XUuz_Z6jH3b-GkDKGxbi_VBpfSV6TR_5sCxpTLu9rlptyUH9bwCt7FSUnpm93rtHRXiKAy&sig=AHIEtbTVbKKeylWYyLqgjDG83y1_V2r60g>
> )
>
> *1. the host attribute *
> setup:
> on server: the host attribute can be defined after adding a user; it must
> list, by FQDN, each host that the user has access to
> on client: configure to check for the host attribute in the ldap.conf
>
> pros:
> +simple
> cons:
> -does not scale: if we add a host we then have to go and add that host to
> each allowed user; management would be time-consuming as users or hosts
> grow
>
>
> *2. define groups of users, and systems in directory server by
> using nisNetgroupTriple attribute *
> setup:
> on server: definition of the host, and user groups in the ldap server
> via nisNetgroupTriple
> on client: configure pam in /etc/pam/system-auth to check if user belongs
> to approved user group & system belongs to approved system group
> on client: configure pam_group module in /etc/security/group.conf
>
> pros:
> +scales
> cons:
> -not as simple, uses an old beast (NIS)
> -NIS adds an additional layer of complexity and points of failure
> -doesn't allow me to grant a single user auth on a single system (if even
> temporarily)
>
>
> Is there a third better option? Any suggestions or links to documentation
> would be highly appreciated. Thank you for your time.
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
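The thread compares four ways of deciding, from the directory, whether a user may log in to a host: the per-user host attribute, netgroup triples, pam_groupdn membership, and SSH AllowGroups over LDAP-served POSIX groups. The block below is an added example, not code from the thread, from 389 Directory Server or from pam_ldap: it models the decision logic of each scheme against a small constructed LDIF snapshot so the matching rules can be compared offline. The DNs, ou names, users, hostnames and group names are all invented for illustration; the real checks are performed by pam_ldap (host attribute, pam_groupdn), glibc's netgroup lookup and sshd respectively, and this only reproduces what they decide, not how they talk to the server.

```python
# Added example, not from the thread or from 389/pam_ldap: decision logic of
# the four directory-backed host access checks discussed above, run against a
# constructed directory. All DNs, users, hosts and group names are invented.
from collections import defaultdict

# Constructed sample directory (LDIF); the ou layout and DNs are assumptions.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
host: web1.example.com
host: web2.example.com

dn: cn=clusterA-login,ou=Groups,dc=example,dc=com
cn: clusterA-login
member: uid=alice,ou=People,dc=example,dc=com

dn: cn=sshusers,ou=Groups,dc=example,dc=com
cn: sshusers
memberUid: alice
memberUid: bob

dn: cn=clusterA-hosts,ou=Netgroup,dc=example,dc=com
cn: clusterA-hosts
nisNetgroupTriple: (web1.example.com,,)
nisNetgroupTriple: (web2.example.com,,)

dn: cn=clusterA-users,ou=Netgroup,dc=example,dc=com
cn: clusterA-users
nisNetgroupTriple: (,alice,)
memberNisNetgroup: clusterA-admins

dn: cn=clusterA-admins,ou=Netgroup,dc=example,dc=com
cn: clusterA-admins
nisNetgroupTriple: (,carol,)
"""

def parse_ldif(text):
    """Minimal LDIF reader: dn -> {attribute: [values]} (no base64, no folding)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            cur = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, defaultdict(list))
        elif cur is not None:
            cur[attr].append(value)
    return entries

def find(entries, attr, value):
    """DNs of entries carrying attr=value (a crude equality search)."""
    return [dn for dn, e in entries.items() if value in e.get(attr, [])]

def host_attr_allows(entries, user, host):
    """Scheme 1 (pam_check_host_attr): the user's entry must list this host
    by FQDN; a user with no host values, or no entry, is refused."""
    dns = find(entries, "uid", user)
    return bool(dns) and host in entries[dns[0]].get("host", [])

def sshd_allowgroups_allows(entries, user, allow_groups):
    """Scheme 3 (the reply above): POSIX groups served by LDAP through NSS,
    with sshd_config 'AllowGroups' naming the groups permitted to log in."""
    return any(user in entries[dn].get("memberUid", [])
               for g in allow_groups for dn in find(entries, "cn", g))

def netgroup_triples(entries, name, seen=None):
    """Expand a netgroup into (host,user,domain) triples, following
    memberNisNetgroup nesting and guarding against cycles."""
    seen = set() if seen is None else seen
    seen.add(name)
    triples = []
    for dn in find(entries, "cn", name):
        for t in entries[dn].get("nisNetgroupTriple", []):
            triples.append(tuple(t.strip("()").split(",")))
        for sub in entries[dn].get("memberNisNetgroup", []):
            if sub not in seen:
                triples += netgroup_triples(entries, sub, seen)
    return triples

def in_netgroup(entries, name, host=None, user=None):
    """Scheme 2 membership test: some triple matches. An empty field in a
    triple is a wildcard; passing None means that field is not checked."""
    def ok(field, want):
        return want is None or field in ("", want)
    return any(ok(h, host) and ok(u, user)
               for h, u, _ in netgroup_triples(entries, name))

def netgroup_scheme_allows(entries, user, host, user_ng, host_ng):
    """Scheme 2 as described: user in the approved user netgroup AND host
    in the approved host netgroup."""
    return (in_netgroup(entries, host_ng, host=host)
            and in_netgroup(entries, user_ng, user=user))

def groupdn_allows(entries, user, groupdn, member_attr="member"):
    """pam_groupdn / pam_member_attribute: the user's DN must be a value of
    member_attr on the group DN configured in this host's ldap.conf."""
    dns = find(entries, "uid", user)
    return bool(dns) and dns[0] in entries.get(groupdn, {}).get(member_attr, [])
```

The per-cluster variant from the reply falls out of groupdn_allows: each cluster's kickstart writes a different pam_groupdn into ldap.conf, so the same user entry is checked against a different group DN on each cluster, and the user entry itself never has to change when hosts are added.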