[ldap] Re: Expanding authentication and authorization in LDAP

2009-08-17 Thread Matt Juszczak
> In OpenLDAP's nssov you use access controls on the ipHost entries instead,
> and just by assigning users to groups and granting groups access to the
> ipHost / authorizedService attribute you can control authorization in a
> centralized location. It's far more scalable, auditable, and thus more
> secure.
>
> If it's a matter of controlling host access, NIS-like netgroups
> (along with pam_access to allow or deny access) could probably
> also be tried.

As an aside, I'm not talking about authentication and authorization for 
resources. I'm talking about authentication and authorization TO ldap. 
Right now, it seems the only way I can manage permissions in LDAP is via 
the slapd.conf file, creating groups and rules.  Is there an easier way, 
or do I need to auto-generate my slapd.conf?  The way we're setting up our 
directory access, we need a lot of users (which can be in ldap of course, 
so I'm not worried there) and a lot of groups.

-M

[ldap] Re: Expanding authentication and authorization in LDAP

2009-08-15 Thread Howard Chu

From: Ivan Shmakov
Date: Sat, 15 Aug 2009 11:27:34 +0700
> Adam Williams writes:
>
>  >>  I'm familiar with ldap, but I'm not sure if this would be a question
>  >>  for this list, or for an ldap server setup specifically (such as
>  >>  openldap's list).
>
>  >>  I'm looking to use LDAP for a project, but need a bit better
>  >>  authentication than just authenticating with a DN and a password.  I
>  >>  was hoping to use some sort of access list, or something similar.
>
> [...]
>
>  >  you can use the host: field along with nss_ldap and pam to restrict
>  >  users to be only able to connect/ssh/etc to specified servers.


Controlling access based on a host attribute in each user's entry is a pretty 
clumsy method, and quickly becomes unmanageable as the number of users gets large.
In OpenLDAP's nssov you use access controls on the ipHost entries instead, and 
just by assigning users to groups and granting groups access to the ipHost / 
authorizedService attribute you can control authorization in a centralized 
location. It's far more scalable, auditable, and thus more secure.
> If it's a matter of controlling host access, NIS-like netgroups
> (along with pam_access to allow or deny access) could probably
> also be tried.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
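As an added example that is not from this thread and not from OpenLDAP's own documentation, here is a slapd.conf access-control fragment that ties together the two points raised above: Matt's question about managing a large number of users and groups without regenerating slapd.conf, and Howard's nssov model of putting the host-login policy on the ipHost entries rather than in each user's entry. Every DN, group name, hostname and the 192.0.2.10 address is constructed for the example. It assumes the nssov overlay is loaded with its default attribute names, that the schema file and module path are where shown, and that nssov's host authorization amounts to a compare on the host entry's authorizedService value (so "compare" is the privilege the user needs); check that last point against the nssov README for the version you run.

```conf
# Added example slapd.conf fragment (not from the thread).  Assumed layout:
#   ou=people,dc=example,dc=com   users, e.g. uid=alice,ou=people,...
#   ou=groups,dc=example,dc=com   groupOfNames entries listing member DNs
#   ou=hosts,dc=example,dc=com    one entry per host, for example:
#       dn: cn=web01,ou=hosts,dc=example,dc=com
#       objectClass: device
#       objectClass: ipHost
#       objectClass: authorizedServiceObject   (from nssov's ldapns.schema)
#       cn: web01
#       ipHostNumber: 192.0.2.10               (constructed address)
#       authorizedService: sshd

include         /etc/openldap/schema/ldapns.schema   # path assumed
moduleload      nssov.la                             # only if built as a module

database        hdb
suffix          "dc=example,dc=com"
overlay         nssov            # other nssov-* directives left at defaults

# ACLs are evaluated in order; the first "to" clause that matches decides,
# and privileges are cumulative (read implies compare implies auth).

# 1. Passwords: only the owner may change them; everyone else may only bind.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Directory authorization with one rule for any number of groups.
#    Entries under ou=<name>,ou=projects are writable by members of
#    cn=<name>,ou=groups; $1 is filled in from the dn.regex match, so adding
#    a group means adding a groupOfNames entry, not editing slapd.conf.
access to dn.regex="^.*,ou=([^,]+),ou=projects,dc=example,dc=com$"
        by group/groupOfNames/member.expand="cn=$1,ou=groups,dc=example,dc=com" write
        by users read
        by * none

# 3. Host login authorization in the nssov model: the policy lives on the
#    ipHost entry, not on each user.  Members of cn=login-<host>,ou=groups
#    get compare on that host's authorizedService, which is the access the
#    overlay tests; everyone else is denied, so a user outside the group
#    cannot log in there regardless of what their own entry says.
access to dn.regex="^cn=([^,]+),ou=hosts,dc=example,dc=com$" attrs=authorizedService
        by group/groupOfNames/member.expand="cn=login-$1,ou=groups,dc=example,dc=com" compare
        by * none

# 4. Everything else is readable by authenticated users only.
access to *
        by users read
        by * none
```

Two things worth checking before relying on this. First, because read implies compare, no other rule may grant read on authorizedService to a broad set of identities, or the per-host group in rule 3 becomes meaningless; that is why rule 3 ends with "by * none" rather than "by users read". Second, slapacl(8) lets you verify a rule offline before anyone logs in, for example `slapacl -f slapd.conf -b "cn=web01,ou=hosts,dc=example,dc=com" -D "uid=alice,ou=people,dc=example,dc=com" "authorizedService/compare:sshd"` should report compare granted only when alice is a member of cn=login-web01,ou=groups,dc=example,dc=com.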