On Wed, 29 Oct 2008, Tobias Bartel wrote:
> We intended to set up user groups for all our needs and to define the
> access of a group via the host and service attributes. Changing a user's
> access privileges should then only be a question of adding/removing him
> to/from a group.
>
> Now we are facing two problems
> A) Adding the host attribute to a user group and adding a user to that
> group does not seem to have any influence on the user's ability to
> access the server. Could it be that "pam_check_host_attr yes" works only
> in combination with a user account and not with a group?
Correct. pam_ldap looks at the "host" attribute on the user entry in
LDAP. The "authorizedService" attribute is probably a cleaner way to do
this in a large environment with many hosts.
> B) The only solution to problem A) seems to be to modify the
> configuration on the server and to define the user groups that are
> allowed to access that server. One of our goals was not having to
> modify any files on any of our servers (>100 machines) every time we add
> a new group.
Obviously you can use the pam_groupdn setting in the pam_ldap config file,
but that would require maintaining it on each server.
Perhaps your LDAP server can do this work for you... I use the Sun
Directory Server, which has the concept of "roles" and "class of service".
You can place a user in a role or multiple roles (the role is an attribute
you set on the user entry). The role can be linked to a "class of
service" setting, which will compute an attribute on the user entry as
well. For example, adding the user to the "development" role could cause
the attribute "authorizedService: development" to be computed on the fly.
> What we would like to achieve is ...
>
> - to do all the "configuration" in the LDAP database
>
> - to have one set of configuration files that has to be pushed to all
> servers only once.
>
> - to be able to control access per machine and per service and any
> combination thereof
>
> - to simplify administration by controlling access via group membership
> instead of modifying individual user accounts.
>
> Can this be done?
It sounds like you need to be able to pull a part of the pam_ldap
configuration from LDAP itself, in order to avoid modifying the pam_ldap
config file when changes are made. I'm not aware of any way to have
pam_ldap do that. It seems like the closest you can get is using the host
attribute, which obviously won't change on that host. If you want to add
additional authorizedService values over the lifetime of the host, you would
need to modify the pam_ldap config file.
Andy
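To make the behaviour discussed above concrete, here is an added example (not pam_ldap's code and not from either poster) that models the three pam_ldap.conf checks in question, pam_check_host_attr, pam_check_service_attr and pam_groupdn, against a constructed LDIF snippet. All DNs, hostnames and service names are made up. It also emulates the Sun Directory Server role + class-of-service idea with a small role-to-service table (an assumption standing in for a real cosClassicDefinition), so you can see why a "host" attribute on a group entry does nothing while a computed "authorizedService" on the user entry does.

```python
"""Model of the pam_ldap authorization checks discussed in the thread.

Added example, not pam_ldap's own source.  Emulates:
  pam_check_host_attr yes    -> user's "host" attribute must list the local
                                hostname ("*" is a wildcard, as in pam_ldap)
  pam_check_service_attr yes -> user's "authorizedService" must list the
                                PAM service name (e.g. "sshd")
  pam_groupdn <dn>           -> user DN must appear in the group's
                                pam_member_attribute (here uniqueMember)
"""
from typing import Dict, List

# Constructed LDIF for this example. Note that cn=builders carries a "host"
# attribute: pam_ldap never reads it, so it grants nothing (the thread's point A).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
host: build01.example.com
host: build02.example.com
nsRoleDN: cn=development,ou=Roles,dc=example,dc=com

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
host: *
authorizedService: sshd

dn: cn=PAM,ou=Groups,dc=example,dc=com
cn: PAM
uniqueMember: uid=alice,ou=People,dc=example,dc=com

dn: cn=builders,ou=Groups,dc=example,dc=com
cn: builders
host: build03.example.com
uniqueMember: uid=alice,ou=People,dc=example,dc=com
"""

Entry = Dict[str, List[str]]

def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse simple unfolded, non-base64 'attr: value' LDIF into {dn: entry}.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries[current["dn"][0]] = current
    return entries

# Stand-in for a role-based class of service: role DN -> computed
# authorizedService value. (Assumption; a real directory would use a CoS
# definition, not a Python table.)
ROLE_SERVICES = {"cn=development,ou=roles,dc=example,dc=com": "development"}

def apply_role_cos(entry: Entry) -> Entry:
    """Return a copy of entry with authorizedService values derived from nsRoleDN."""
    out = {k: list(v) for k, v in entry.items()}
    for role in entry.get("nsroledn", []):
        svc = ROLE_SERVICES.get(role.lower())
        if svc and svc not in out.setdefault("authorizedservice", []):
            out["authorizedservice"].append(svc)
    return out

def host_allowed(entry: Entry, hostname: str) -> bool:
    hosts = [h.lower() for h in entry.get("host", [])]
    return "*" in hosts or hostname.lower() in hosts

def service_allowed(entry: Entry, service: str) -> bool:
    return service in entry.get("authorizedservice", [])

def group_allowed(entries: Dict[str, Entry], group_dn: str,
                  member_attr: str, user_dn: str) -> bool:
    group = entries.get(group_dn)
    if group is None:
        return False  # a missing pam_groupdn target denies everyone
    return user_dn.lower() in (m.lower() for m in group.get(member_attr.lower(), []))

def authorize(entries: Dict[str, Entry], user_dn: str, hostname: str,
              service: str, *, check_host: bool = True,
              check_service: bool = False, groupdn: str = None,
              member_attr: str = "uniqueMember") -> bool:
    """Combine the checks the way pam_ldap's account management does:
    every enabled check must pass; only the *user* entry is consulted for
    host/authorizedService."""
    entry = entries.get(user_dn)
    if entry is None:
        return False
    entry = apply_role_cos(entry)
    if check_host and not host_allowed(entry, hostname):
        return False
    if check_service and not service_allowed(entry, service):
        return False
    if groupdn and not group_allowed(entries, groupdn, member_attr, user_dn):
        return False
    return True

ENTRIES = parse_ldif(SAMPLE_LDIF)
ALICE = "uid=alice,ou=People,dc=example,dc=com"
BOB = "uid=bob,ou=People,dc=example,dc=com"
```

Run it with `authorize(ENTRIES, ALICE, "build03.example.com", "sshd")`: it returns False even though alice is a uniqueMember of cn=builders, whose "host" lists build03, because the host check only ever looks at the user entry. Enabling `check_service=True` with service "development" succeeds for alice only through the role-derived value, which is the part that can be changed centrally in the directory without touching pam_ldap.conf on each server.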