
PAM LDAP Best practices

by Tobias Bartel

Hello List,

we have a working Samba/LDAP configuration and are trying to take the
next step and control access to all our servers and services via
the existing LDAP setup. But now we have hit a wall and are questioning
whether what we want can be achieved with LDAP & PAM and, if so, whether
we are using the best approach.

We intended to setup user groups for all our needs and to define the
access of a group via the host and service attributes. Changing a user's
access privileges should then only be a question of adding/removing him
to/from a group.

Now we are facing two problems:
A) Adding the host attribute to a user group and adding a user to that
group does not seem to have any influence on the user's ability to
access the server. Could it be that "pam_check_host_attr yes" works only
in combination with a user account and not with a group?

B) The only solution to problem A) seems to be to modify the
configuration on the server and to define the user groups that are
allowed to access that server. One of our goals was not having to
modify any files on any of our servers (>100 machines) every time we add
a new group.

What we would like to achieve is ...

 - to do all the "configuration" in the LDAP database

 - to have one set of configuration files that has to be pushed to all
servers only once.

 - to be able to control access per machine and per service and any
combination thereof

 - to simplify administration by controlling access via group membership
instead of modifying individual user accounts.

Can this be done?

We did our research, but we cannot find a solution to our problem; if we
have overlooked something, we would be thankful for any link you can
provide.

Thanks in advance,

tobi
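Added example (not part of the original post, and not pam_ldap's own code): a small Python model of the decision behind problem A). `pam_check_host_attr yes` in pam_ldap looks at the `host` attribute of the authenticating user's own entry only (a value equal to the local hostname, or `*`, grants; no `host` attribute at all denies), so a `host` value on a group entry is never consulted. The directory below is constructed for illustration; the DNs, the users `alice` and `bob`, the group `webadmins`, and the hostnames are assumptions, and `group_host_check` is a hypothetical group-aware rule written here to contrast with the real behaviour, not a pam_ldap feature.

```python
"""Model pam_ldap's host-attribute check against a constructed directory.

pam_ldap_host_check() mirrors what `pam_check_host_attr yes` does: only the
user's own entry is consulted. group_host_check() is a hypothetical rule
that also honours `host` values on groups the user belongs to, to show
what the poster expected to happen.
"""

# Constructed sample directory (assumption, not real data). Each entry is a
# dict of attribute -> list of values, as LDAP returns them.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount", "account"],
        "uid": ["alice"],
        "host": ["web01"],          # host attribute on the user itself
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount", "account"],
        "uid": ["bob"],             # no host attribute at all
    },
    "cn=webadmins,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "account"],
        "cn": ["webadmins"],
        "host": ["web01", "web02"],  # host attribute on the *group* entry
        "memberUid": ["bob"],
    },
}


def find_user(uid):
    """Return the posixAccount entry whose uid matches, or None."""
    for entry in DIRECTORY.values():
        if "posixAccount" in entry.get("objectClass", []) and uid in entry.get("uid", []):
            return entry
    return None


def host_matches(values, hostname):
    """A host value grants if it is '*' or equals the local hostname.

    Simplified model of pam_ldap's comparison (case-insensitive name match,
    plus the '*' wildcard); host aliases are not modelled here.
    """
    return any(v == "*" or v.lower() == hostname.lower() for v in values)


def pam_ldap_host_check(uid, hostname):
    """What `pam_check_host_attr yes` decides for a login of `uid` on `hostname`.

    Only the user's own entry is consulted; a user with no host attribute
    is denied outright, and group entries never enter the decision.
    """
    user = find_user(uid)
    if user is None:
        return False
    return host_matches(user.get("host", []), hostname)


def groups_of(uid):
    """posixGroup entries listing `uid` in memberUid."""
    return [
        entry for entry in DIRECTORY.values()
        if "posixGroup" in entry.get("objectClass", [])
        and uid in entry.get("memberUid", [])
    ]


def group_host_check(uid, hostname):
    """Hypothetical group-aware rule (NOT pam_ldap behaviour): grant if the
    user's own entry, or any group the user is a member of, carries a
    matching host value."""
    if pam_ldap_host_check(uid, hostname):
        return True
    return any(host_matches(g.get("host", []), hostname) for g in groups_of(uid))


if __name__ == "__main__":
    for uid in ("alice", "bob"):
        for host in ("web01", "web02", "db01"):
            print(f"{uid:6} on {host}: pam_ldap={pam_ldap_host_check(uid, host)!s:5} "
                  f"group-aware={group_host_check(uid, host)}")
```

Running it shows `bob`, who is only reachable through the group's `host` attribute, being denied everywhere by the pam_ldap-style check while the group-aware rule would admit him on `web01` and `web02`; that gap is exactly problem A) above.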