Host Checking

I am trying to limit where users can and cannot login. I would like to avoid configuring individual hosts as much as possible since I'm talking about close to 200 machines with over 300 users. The more I can do in LDAP, the better.
Currently, I have been working with the following setup.

On the clients, I have:

    pam_check_host_attr yes
    nss_base_netgroup ou=netgroup,dc=example,dc=com?one

On the server:

    dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
    objectClass: nisNetgroup
    objectClass: top
    cn: staffhosts
    nisNetgroupTriple: (compute1.cluster.net,-,)
    nisNetgroupTriple: (compute2.cluster.net,-,)

    dn: uid=user1,ou=people,dc=example,dc=com
    cn: User1 Name
    gidNumber: 10000
    givenName: User1
    homeDirectory: /home/uid1
    loginShell: /bin/bash
    sn: Name
    uid: user1
    uidNumber: ##########
    userPassword: {SSHA}
    objectClass: top
    objectClass: posixAccount
    objectClass: inetOrgPerson
    objectClass: extensibleObject
    host: @staffhosts

This doesn't seem to work. Is there another way to refer to this host group in user1's host entry? Will the host entry accept wildcards or regular expressions? Ideally, I would like to create groups of hosts and allow users access to these groups. I know I can set up TCP wrappers to do this, but the goal here is to have as much configuration as possible on the LDAP server and as little as possible on the client machine - these are dumb compute nodes that are regularly reinstalled and repurposed, so the fewer places I have to change a configuration, the better.

Thanks
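An added example (mine, not code from the thread) that audits the poster's setup offline: it parses LDIF modelled on the entries above (constructed sample), applies the literal host-attribute match that pam_check_host_attr performs (modelled here as plain string equality, an assumption), and shows that `host: @staffhosts` only admits a login if something expands the netgroup, which pam_ldap does not do on its own.

```python
from collections import defaultdict
# Constructed sample, modelled on the poster's LDIF (not real directory data).
SAMPLE_LDIF = """\
dn: cn=staffhosts,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: staffhosts
nisNetgroupTriple: (compute1.cluster.net,-,)
nisNetgroupTriple: (compute2.cluster.net,-,)

dn: uid=user1,ou=people,dc=example,dc=com
uid: user1
host: @staffhosts

dn: uid=user2,ou=people,dc=example,dc=com
uid: user2
host: compute1.cluster.net
"""
def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry[attr.strip()].append(val.strip())
        entries.append(dict(entry))
    return entries

def netgroup_hosts(entries):
    """cn -> set of hostnames, from the host field of each nisNetgroupTriple."""
    groups = {}
    for e in entries:
        if "nisNetgroup" in e.get("objectClass", []):
            triples = e.get("nisNetgroupTriple", [])
            groups[e["cn"][0]] = {t.strip("()").split(",")[0] for t in triples}
    return groups

def allowed(entries, uid, hostname, expand_netgroups=False):
    """pam_check_host_attr modelled as literal equality of a 'host' value with the
    login host's name (assumption); expand_netgroups=True also expands '@cn' via
    the netgroup triples, which pam_ldap does not do (included to expose the gap)."""
    groups = netgroup_hosts(entries) if expand_netgroups else {}
    for e in entries:
        if e.get("uid", [None])[0] != uid:
            continue
        for h in e.get("host", []):
            if h == hostname or (expand_netgroups and h.startswith("@")
                                 and hostname in groups.get(h[1:], set())):
                return True
    return False
```

Running `allowed(parse_ldif(SAMPLE_LDIF), "user1", "compute1.cluster.net")` returns False, while the same call with `expand_netgroups=True` returns True; the difference is exactly what the poster's entry relied on.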
Re: Host Checking

Note: I understand that pam_check_host and NIS netgroups are different mechanisms, and you are trying to mix them together. In order to use the pam_check_host mechanism, your Linux system of course must be using PAM. First you need to configure the whole PAM/LDAP setup on the relevant login hosts. Then, to permit users to login to particular systems, you specify the relevant hostname (experiment with just host or fqdn) in the "host" attribute of the user's LDAP entry. Note: you need to set appropriate permissions on this attribute so the user cannot modify it to login to any host they like.

In order to set up NIS netgroups in LDAP, here are a couple of links to assist:

http://www.softpanorama.org/Net/Application_layer/NIS/nis_netgroups.shtml
http://www.redhat.com/magazine/017mar06/departments/tips_tricks/

In short, you need to configure /etc/nsswitch.conf and add an entry like this to /etc/password:

    +@groupname

Hope this helps,
Leigh.