Solaris LDAP Client: How to restrict login to certain hosts?


Hello.

Now that I finally have the LDAP client on my S10 machine, I'd like to
tune it. One thing I'd like to be able to do is to restrict which
machines a user can log in to. With the PADL.com LDAP software, that's
pretty easy. All that needs to be done is to add a "host" attribute to
an object in the LDAP and set a configuration variable in its
/etc/ldap.conf (pam_check_host_attr yes). What'll happen is that the
pam_ldap client of PADL will then also check the "host" attribute and
return failure if the machine being logged in to isn't listed in this
multi-valued attribute.

What I'd like to achieve is that I'd have ALL my users in the LDAP.
But I would like user "joe" to be able to log on to machines "winds06"
and "winds05". Example user "brian" should only be allowed to log in
to "winds05". I'd like to be able to tune this at the LDAP side,
so that it's easy to allow "brian" later on to log in to "winds05"
as well, or to revoke the login right to "winds05" from "joe".

How would I get a behaviour sort of like this with the LDAP client
from Sun?

Thanks,
Alexander Skwar
0
Reply alexander930 (342) 4/11/2007 10:35:45 AM
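The pam_check_host_attr behaviour described in the question, modelled in Python as an added example (this is not code from the original post or from PADL's pam_ldap): the LDIF records, the hostnames, and the rule that a missing "host" attribute denies and "*" allows any host are constructed assumptions, chosen to mirror how the question says the PADL client behaves.

```python
"""Model of the pam_ldap 'host' attribute check (pam_check_host_attr yes)."""

# Constructed LDIF for the users in the question, plus one user without a
# host attribute. The 'account' object class (RFC 2307) allows 'host'.
SAMPLE_LDIF = """\
dn: uid=joe,ou=People,dc=example,dc=com
uid: joe
objectClass: account
host: winds06
host: winds05

dn: uid=brian,ou=People,dc=example,dc=com
uid: brian
objectClass: account
host: winds05

dn: uid=nohost,ou=People,dc=example,dc=com
uid: nohost
objectClass: account
"""


def parse_ldif(text):
    """Return {uid: [host, ...]} from a minimal LDIF dump (no line folding or base64)."""
    users, uid, hosts = {}, None, []
    for line in text.splitlines() + [""]:      # sentinel flushes the last record
        if not line.strip():                    # blank line ends a record
            if uid is not None:
                users[uid] = hosts
            uid, hosts = None, []
            continue
        attr, _, value = line.partition(":")
        if attr == "uid":
            uid = value.strip()
        elif attr == "host":
            hosts.append(value.strip())
    return users


def host_allowed(hosts, hostname):
    """Assumed semantics: no host attribute denies; '*' matches any host;
    otherwise the login host must appear (case-insensitively) in the values."""
    if not hosts:
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)


def login_permitted(ldif, uid, hostname):
    """Decide, from the directory dump alone, whether uid may log in on hostname."""
    return host_allowed(parse_ldif(ldif).get(uid), hostname)
```

Revoking or granting access is then a matter of deleting or adding one "host" value on the user's entry, which is the LDAP-side tuning the question asks for.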

Alexander Skwar <alexander@skwar.name> writes:

> How would I get a behaviour sort of like this with the LDAP client
> from Sun?

I don't know whether this is applicable to your case at all, but
just a data point.

We are doing this with aliases.  Our LDAP server is eDirectory.
All accounts are in one DC, and there are some shared-use machines
that everybody should be able to log on to.  In addition, there are
machines owned by groups that the groups want to restrict access to
their own members, of course.  So there's a sub-DC of the main
DC that contains aliases of the desired accounts only.  The machines
are instructed to look up accounts in that sub-DC only, and alias
dereferencing is used to get from the alias to the actual info.

The obvious shortcomings are that nscd doesn't seem to be able to
cache alias lookups, which causes a noticeable performance degradation,
and that the other accounts aren't visible at all, so doing an ls -l
in a directory where files are owned by other accounts looks strange.

-- 
Atro Tossavainen (Mr.)               / The Institute of Biotechnology at
Systems Analyst, Techno-Amish &     / the University of Helsinki, Finland,
+358-9-19158939  UNIX Dinosaur     / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS
0
Reply Atro 4/20/2007 10:04:08 PM

