Matt Juszczak <[email protected]> writes:

>> In OpenLDAP's nssov you use access controls on the ipHost entries
>> instead, and just by assigning users to groups and granting groups
>> access to the ipHost / authorizedService attribute you can control
>> authorization in a centralized location. It's far more scalable,
>> auditable, and thus more secure.
>>
>>> If it's a matter of controlling host access, NIS-like netgroups
>>> (along with pam_access to allow or deny access) could probably
>>> also be tried.
>
>
> As an aside, I'm not talking about authentication and authorization
> for resources. I'm talking about authentication and authorization TO
> ldap. Right now, it seems the only way I can manage permissions in
> LDAP is via the slapd.conf file, creating groups and rules. Is there
> an easier way, or do I need to auto-generate my slapd.conf? The way
> we're setting up our directory access, we need a lot of users (which
> can be in ldap of course, so I'm not worried there) and a lot of
> groups.

You may create and modify ACLs via the cn=config backend, or if you prefer
access rules per entry, see:
http://www.openldap.org/faq/data/cache/1284.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N 10°08'02,42"E
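
The cn=config route mentioned in the reply above, sketched as an added example that is not part of the original thread: a small generator that turns a list of (subtree, group, access level) entries into an LDIF `olcAccess` replacement, so a large set of group rules can be kept as data instead of hand-edited slapd.conf. The DNs, the policy list and the database entry `olcDatabase={1}mdb,cn=config` are assumptions made for illustration.

```python
"""Added example: generate group-based olcAccess rules for cn=config."""

# Constructed sample policy: (subtree DN, group DN, access level).
# Every DN here is an assumption for illustration, not taken from the thread.
POLICY = [
    ("ou=people,dc=example,dc=com", "cn=hr-admins,ou=groups,dc=example,dc=com", "write"),
    ("ou=hosts,dc=example,dc=com", "cn=ops,ou=groups,dc=example,dc=com", "read"),
]
LEVELS = {"none", "auth", "compare", "search", "read", "write", "manage"}


def rule(subtree, group, level):
    """Return one access rule granting `level` on `subtree` to members of `group`."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    for dn in (subtree, group):
        # A quote or line break in a DN would escape the quoted ACL clause
        # or the LDIF line, so reject it instead of emitting it.
        if any(c in dn for c in '"\r\n'):
            raise ValueError(f"unsafe character in DN: {dn!r}")
    return f'to dn.subtree="{subtree}" by group.exact="{group}" {level} by * none'


def build_ldif(database_dn, policy):
    """Return an ldapmodify LDIF that replaces all olcAccess values on database_dn."""
    # Simple binds need anonymous 'auth' on userPassword; keep this rule first.
    rules = ["to attrs=userPassword by self write by anonymous auth by * none"]
    rules += [rule(subtree, group, level) for subtree, group, level in policy]
    # slapd stops at the first matching rule, so finish with an explicit deny.
    rules.append("to * by * none")
    lines = [f"dn: {database_dn}", "changetype: modify", "replace: olcAccess"]
    # The {n} prefix fixes the evaluation order of the stored values.
    lines += [f"olcAccess: {{{i}}}{r}" for i, r in enumerate(rules)]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed database entry; look up the real DN under cn=config first.
    print(build_ldif("olcDatabase={1}mdb,cn=config", POLICY), end="")
```

The output can be reviewed and then applied with `ldapmodify`, for instance over `ldapi:///` with SASL EXTERNAL where the config database allows it (an assumption about the local setup). Changes made through cn=config take effect without restarting slapd.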
