On 10/19/07, Jason King <jason at ansipunx.net> wrote:

> For any pam request, send the info (off the top of my head, this would
> probably be a certain set of well known items -- src user, dest user,
> hostname, service name, etc) to the LDAP server in an extended
> operation -- essentially a sort of RPC over ldap, and get a
> allowed/not allowed response.

I would request one (or more?) additional argument for service-specific information. This way it could be extended to move lots of the logic in sudo[1] to the LDAP server, thus greatly reducing round trips involved in configurations used by large + diverse sites. This would also make it so that the rules can be completely opaque to the client - a step beyond the root+ro permissions of sudoers on the local file system.

1. RBAC's lack of portability to OS's other than Solaris limits its usefulness in mixed environments.

> For any lookup, any search request includes an ldap control containing
> the hostname that is sent with the ldap search operation. This would
> cause the server to filter or adjust the results (adding or removing
> attribute values).
>
> As with anything, it presents a certain set of tradeoffs -- client
> simplicity (probably 200 lines or less of code changes), but requires
> more server support (however, I think all of the commonly used LDAP
> servers support the necessary plugins), etc.

Sounds like a reasonable approach. This would also be much more friendly to servers with high network latency between the ldap client and ldap server.

-- 
Mike Gerdts
http://mgerdts.blogspot.com/
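The two mechanisms discussed in the thread, a single "allowed/not allowed" extended operation carrying the PAM identity tuple plus a service-specific argument (the sudo command), and a hostname control that makes the server trim search results per client host, are modelled below as an added, self-contained simulation. This is not code from any PAM module, LDAP server or the sudo project, and it speaks no LDAP: the "server" is an in-process rule evaluator, the rules, hostnames, the `hostScope` attribute and the OID constant are all constructed for illustration. What it shows is the property Mike is after: the client sends one round trip and never sees the rule set.

```python
"""Simulated 'RPC over LDAP' authorization decision (constructed example).

No real LDAP here. The PAM-side client builds the request tuple the thread
describes, the in-process 'server' evaluates a rule set the client never sees,
and filter_by_host() models the hostname control on ordinary searches.
"""
import fnmatch
from dataclasses import dataclass, field

# Hypothetical OID for the extended operation; any private-arc OID would do.
AUTHZ_REQUEST_OID = "1.3.6.1.4.1.99999.1.1"  # assumption, not a registered OID


@dataclass
class AuthzRequest:
    """The well-known items the PAM module would send, plus a service-specific extra."""
    src_user: str
    dest_user: str
    hostname: str
    service: str
    extra: dict = field(default_factory=dict)  # e.g. {"command": ...} for sudo


@dataclass
class Rule:
    """One server-side rule. 'ALL' or fnmatch patterns are accepted in every set."""
    users: set
    hosts: set
    services: set
    dest_users: set
    commands: set = field(default_factory=lambda: {"ALL"})  # only consulted for sudo


def _match(value, allowed):
    return "ALL" in allowed or any(fnmatch.fnmatchcase(value, pat) for pat in allowed)


class AuthzServer:
    """Stands in for the LDAP server plugin answering the extended operation."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req):
        """First matching rule wins; no match means denied (fail closed)."""
        for rule in self.rules:
            if not _match(req.src_user, rule.users):
                continue
            if not _match(req.hostname, rule.hosts):
                continue
            if not _match(req.service, rule.services):
                continue
            if not _match(req.dest_user, rule.dest_users):
                continue
            if req.service == "sudo" and not _match(req.extra.get("command", ""), rule.commands):
                continue
            return True
        return False


def pam_check(server, src_user, dest_user, hostname, service, **extra):
    """What the PAM-side client does: one request, one boolean back, no rules exposed."""
    req = AuthzRequest(src_user, dest_user, hostname, service, dict(extra))
    return server.decide(req)


def filter_by_host(entries, hostname):
    """Model of the hostname control: the server drops entries scoped to other hosts
    and strips the scoping attribute so the client only sees what applies to it."""
    out = []
    for entry in entries:
        scope = set(entry.get("hostScope", ["ALL"]))  # hostScope is a constructed attribute
        if _match(hostname, scope):
            out.append({k: v for k, v in entry.items() if k != "hostScope"})
    return out


# Constructed rule set and directory entries for the demonstration.
SAMPLE_RULES = [
    Rule(users={"alice"}, hosts={"ALL"}, services={"sshd", "login"}, dest_users={"alice"}),
    Rule(users={"alice"}, hosts={"db*.example.com"}, services={"sudo"},
         dest_users={"root"}, commands={"/usr/sbin/svcadm *"}),
    Rule(users={"bob"}, hosts={"web01.example.com"}, services={"sshd"}, dest_users={"bob"}),
]
SAMPLE_ENTRIES = [
    {"cn": "ntp-servers", "ipHostNumber": ["10.0.0.5"]},
    {"cn": "db-sudoers", "memberUid": ["alice"], "hostScope": ["db*.example.com"]},
]

if __name__ == "__main__":
    srv = AuthzServer(SAMPLE_RULES)
    print(pam_check(srv, "alice", "root", "db01.example.com", "sudo",
                    command="/usr/sbin/svcadm restart sshd"))
    print(pam_check(srv, "alice", "root", "web01.example.com", "sudo",
                    command="/usr/sbin/svcadm restart sshd"))
    print(filter_by_host(SAMPLE_ENTRIES, "web01.example.com"))
```

The point of the shape is that the sudo command travels as the extra argument and is matched server-side, so the client holds no sudoers equivalent at all; the default when nothing matches is a denial, which is the behaviour a practitioner would insist on before moving policy off the host.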