Jason King wrote:
> Probably not quite the best description, but since I opened my big
> mouth last weekend, thought I should probably go ahead and propose
> this as a formal project.
>
> Currently, all of the supported methods of specifying server access
> control with LDAP (netgroups, or pam_list) involve storing some aspect
> of the policy on the managed systems themselves. As a result, changes
> in policy require touching all impacted servers. I think it would be
> very useful if this could be centralized in LDAP.

pam_list was purposely per system rather than held in LDAP. Since you can use netgroups in pam_list's files, that allows you to put the "real" policy in the LDAP database. It could be extended to look in LDAP as well, but that probably requires defining and deploying a new schema. As a historical note, pam_list actually existed long before we adopted LDAP as a nameservice, even though it was only recently integrated (my oldest SCCS version for it is 99/10/12).

> Also, there is no easy way to do fine-grained control of group and
> role membership for LDAP managed systems and still maintain
> centralized management within LDAP. For example, I might want 'jason'
> to have access to the 'root' role on systemA, but not systemB. Or, on
> systemC, 'bob' should have access to different groups than systemD.
> Any of the ways I can imagine doing this w/ LDAP are not particularly
> pretty (and have problems).

It shouldn't be limited to LDAP but to any supported nameservice. I've implemented the enforcement part of this before, and a possible implementation is in 4986798; have a look at that CR and see if the proposed solution meets your needs.

It is great you want to help implement a project; however, to do this the hard part (and the reason this hasn't been done already) is extending smc. Unfortunately smc is also closed source. There may be light at the end of the tunnel though if Visual Panels[1] gets traction.

Finally, I assume since you are proposing a project you actually want to write code for this rather than asking someone else to do so?

-- 
Darren J Moffat
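The mechanism Darren describes, a per-system allow/deny file whose entries refer to netgroups so that the membership lives in the directory, can be modelled in a few lines. The following is an added example, not pam_list's code or anything from the thread: it assumes standard NIS-style netgroup triples (host, user, domain) with a wildcard for an omitted field and nested netgroups, an `@name` entry syntax for referencing a netgroup from the host file, and deny-before-allow precedence. All of those choices and the netgroup data are constructed for illustration. The host field of the triple is what gives the per-host granularity Jason asked about (the same allow file admits `carol` on systemA but not on systemB), and adding a user to a netgroup changes access without touching the host file.

```python
"""Model of a netgroup-backed per-host allow/deny check (constructed example)."""
from typing import Dict, List, Optional, Set, Tuple, Union

# A netgroup triple: (host, user, domain); None means "any" for that field.
Triple = Tuple[Optional[str], Optional[str], Optional[str]]
# A netgroup's members are triples or the names of other (nested) netgroups.
NetgroupMap = Dict[str, List[Union[str, Triple]]]


def netgroup_contains(netgroups: NetgroupMap, name: str, host: str, user: str,
                      domain: str, seen: Optional[Set[str]] = None) -> bool:
    """True if (host, user, domain) is a member of netgroup `name`.

    Nested netgroups are followed; `seen` guards against reference cycles,
    which a hand-edited directory can easily contain.
    """
    if seen is None:
        seen = set()
    if name in seen or name not in netgroups:
        return False
    seen.add(name)
    for member in netgroups[name]:
        if isinstance(member, str):
            if netgroup_contains(netgroups, member, host, user, domain, seen):
                return True
        else:
            h, u, d = member
            if (h is None or h == host) and (u is None or u == user) \
                    and (d is None or d == domain):
                return True
    return False


def entry_matches(netgroups: NetgroupMap, entry: str, host: str, user: str,
                  domain: str) -> bool:
    """An allow/deny entry is a bare username or '@netgroup' (assumed syntax)."""
    if entry.startswith("@"):
        return netgroup_contains(netgroups, entry[1:], host, user, domain)
    return entry == user


def access_allowed(netgroups: NetgroupMap, allow: List[str], deny: List[str],
                   host: str, user: str, domain: str) -> bool:
    """Deny entries win over allow entries; anyone not listed is denied."""
    if any(entry_matches(netgroups, e, host, user, domain) for e in deny):
        return False
    return any(entry_matches(netgroups, e, host, user, domain) for e in allow)


# Constructed netgroup data, standing in for what the directory would serve.
NETGROUPS: NetgroupMap = {
    "admins": [(None, "jason", "example.com"), (None, "bob", "example.com")],
    "ops": ["admins", (None, "alice", "example.com")],          # nests "admins"
    "systema-only": [("systemA", "carol", None)],               # host-scoped entry
}
# Constructed contents of one host's allow and deny files.
ALLOW_FILE = ["@ops", "@systema-only"]
DENY_FILE = ["bob"]


def evaluate(netgroups: NetgroupMap = NETGROUPS) -> Dict[str, bool]:
    """Run the check for several (user, host) pairs against the same files."""
    cases = [("jason", "systemA"), ("bob", "systemA"), ("alice", "systemA"),
             ("carol", "systemA"), ("carol", "systemB"), ("dave", "systemA")]
    return {f"{u}@{h}": access_allowed(netgroups, ALLOW_FILE, DENY_FILE,
                                       h, u, "example.com") for u, h in cases}


def with_dave_added() -> Dict[str, bool]:
    """Policy change made only in the directory: 'dave' joins 'ops'."""
    updated = {k: list(v) for k, v in NETGROUPS.items()}
    updated["ops"].append((None, "dave", "example.com"))
    return evaluate(updated)


if __name__ == "__main__":
    for who, ok in evaluate().items():
        print(f"{who}: {'allowed' if ok else 'denied'}")
    print("after adding dave to ops:", with_dave_added()["dave@systemA"])
```

`bob` is in `admins` (and so in `ops`) but is denied by the host's deny file, which is the per-system override Darren says pam_list was built for; `carol` is admitted on systemA only because her triple names that host; `dave` gains access purely through the directory change in `with_dave_added`, with `ALLOW_FILE` untouched.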