LDAP: How to restrict login to certain hosts?

Hello.

I've got the LDAP client from Sun installed and running on a Solaris 10 machine. Now I'd like to "tune" it a bit... The server is an OpenLDAP server.

One thing I'd like to be able to do is to restrict which machines a user can log in to. With the PADL.com LDAP software, that's pretty easy to achieve. All that needs to be done is to add a "host" attribute to an object in the LDAP and set a configuration variable in its /etc/ldap.conf (pam_check_host_attr yes). What'll happen is that PADL's pam_ldap client will then also check the "host" attribute and return failure if the machine being logged in to isn't listed in this multi-valued attribute.

What I'd like to achieve is to have ALL my users in the LDAP. But I would like user "joe" to be able to log on to machines "winds06" and "winds05". Example user "brian" should only be allowed to log in to "winds05". I'd like to be able to tune this on the LDAP side, so that it's easy to allow "brian" later on to log in to "winds05" as well, or to revoke the login right to "winds05" from "joe".

How would I get a behaviour sort of like this with the LDAP client from Sun?

So, what I'd like to get is to be able to modify/influence the filter that's generated by the Sun LDAP client when a user entry object is searched for. I tried to modify the "serviceSearchDescriptor" by running:

ldapclient manual [...]

-a "serviceSearchDescriptor=passwd:ou=People,ou=Prj,o=Cmp?one&(!(hosts=winds06))"

[...]

I hoped that this would allow me to configure the system so that only those people could log in who have "winds06" as one of the values of the "host" attribute. But this did not work. First off, people who don't have winds06 as a host value could still log in, and further, I get an error message in the syslog:

==> ./remote/winds06/user/err <==

Apr 12 11:14:57 winds06 nscd[11943]: [ID 293258 user.error] libsldap: Status: 0 Mesg: Invalid serviceSearchDescriptor (passwd:ou=People,ou=Prj,o=Cmp?one&(!(hosts=winds06))). Illegal configuration

So, that's not how to do it.

What do you have to do ON THE CLIENT SIDE to restrict the people who are able to log in on that machine?

Thanks,

Alexander Skwar

By A.Skwara at 2007-11-27 0:56:54
# 1

I'm not sure what other methods are available, but the traditional way is to use netgroups (which can be populated on the LDAP side).

In nsswitch.conf, set passwd to compat and passwd_compat to ldap.

Then you can use the old +/- syntax in the /etc/passwd file to authorize or deauthorize members of the netgroups (mentioned in nsswitch.conf man page).

--

Darren

Darren_Dunhama at 2007-7-11 23:30:11
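To make the netgroup approach concrete, here is an added example (not code from the thread or from Sun/PADL) that models how compat-mode /etc/passwd lines combined with netgroups decide who is admitted on a given host. The netgroup map, the per-host passwd fragments and the user names are constructed for the example; the triple format "(host,user,domain)" and the use of a bare name for a nested netgroup follow the standard netgroup/nisNetgroupTriple layout. The evaluation order (walk the compat lines top to bottom, first matching + or - entry decides) is an assumption about the compat semantics, stated in the code.

```python
"""Model of Solaris-style 'compat' passwd processing with netgroups.

With "passwd: compat" and "passwd_compat: ldap" in nsswitch.conf, the
+@netgroup / -@netgroup lines in /etc/passwd select which LDAP users are
visible (and can therefore log in) on this host. Everything below is
constructed example data, not taken from the thread.
"""

# Constructed netgroup map, as it might be published from LDAP nisNetgroup
# entries. Each nisNetgroupTriple is "(host,user,domain)"; a bare name is a
# nested netgroup.
NETGROUPS = {
    "winds05-users": ["(,joe,)", "(,brian,)"],
    "winds06-users": ["(,joe,)"],
    "all-winds-users": ["winds05-users", "winds06-users"],  # nested groups
    "contractors": ["(,brian,)"],
}

# Constructed compat sections of /etc/passwd on two hosts. On winds06 the
# exclusion line is placed before the inclusion line on purpose.
PASSWD_WINDS05 = """\
root:x:0:0:Super-User:/:/sbin/sh
+@winds05-users:::::::
"""

PASSWD_WINDS06 = """\
root:x:0:0:Super-User:/:/sbin/sh
-@contractors:::::::
+@all-winds-users:::::::
"""


def netgroup_users(name, netgroups, _seen=None):
    """Return the set of user names in a netgroup, following nested groups."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in netgroups:   # unknown or cyclic reference
        return set()
    _seen.add(name)
    users = set()
    for member in netgroups[name]:
        if member.startswith("("):
            _host, user, _domain = member.strip("()").split(",")
            if user:  # "(host,,)" is a host-only triple; irrelevant for passwd
                users.add(user)
        else:
            users |= netgroup_users(member, netgroups, _seen)
    return users


def passwd_admits(username, passwd_text, netgroups):
    """Walk compat passwd lines in order; the first matching entry decides.

    Assumption: an explicit '-' exclusion that matches first is final, so a
    later '+' line does not re-admit the user.
    """
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if name == "+":                         # admit everyone from ldap
            return True
        if name.startswith("+@"):
            if username in netgroup_users(name[2:], netgroups):
                return True
        elif name.startswith("-@"):
            if username in netgroup_users(name[2:], netgroups):
                return False
        elif name.startswith("+"):              # single user admitted
            if name[1:] == username:
                return True
        elif name.startswith("-"):              # single user excluded
            if name[1:] == username:
                return False
        elif name == username:                  # ordinary local entry
            return True
    return False                                # not admitted on this host


def hosts_for_user(username, passwd_by_host, netgroups):
    """List the hosts whose compat passwd admits the user, sorted by name."""
    return sorted(host for host, text in passwd_by_host.items()
                  if passwd_admits(username, text, netgroups))


if __name__ == "__main__":
    hosts = {"winds05": PASSWD_WINDS05, "winds06": PASSWD_WINDS06}
    for user in ("joe", "brian", "mallory"):
        print(user, hosts_for_user(user, hosts, NETGROUPS))
```

Because the decision is made per host from the order of the compat lines, a user can be removed from a machine by editing one netgroup in LDAP without touching the user's own entry, which is the "tune it on the LDAP side" property the question asks for.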
# 2

Is there a way to automatically populate a netgroup, so that I don't have to add a user to a netgroup? What I'd like to get: the "host" attribute of a user is filled, and the netgroup is created or updated.

Basically, I'm looking for a way that's about as easy to use as the "host checking feature" of PADL.

How to do that?

A.Skwara at 2007-7-11 23:30:11