Re: host based authentication with OpenLDAP and FreeBSD

2008-11-17 Thread Jonathan McKeown
On Friday 14 November 2008 14:32, O. Hartmann wrote:
 Hello,
 I have an OT question and maybe some of the FreeBSD server admins here
 can help me out.
[snip]
 Having nss_ldap and pam_ldap installed on every single FreeBSD
 server/box which is capable of being accessed I found in etc/ldap.conf
 the tags 'pam_filter' and 'pam_check_host_attr'. Setting the latter to
 'yes' implies having the 'host' attribute in each user's object located
 in OpenLDAP's DIT for the specific domain. But objectClass=account seems
 to conflict with objectClass=organizationalPeople which is a must in our
 configuration, so the host attribute is not of any further investigation.

Did you not like the answer I gave you in April when you asked essentially the 
same question?

http://lists.freebsd.org/pipermail/freebsd-questions/2008-April/174152.html

For posterity (again) the extensibleObject auxiliary objectClass was 
introduced for precisely this reason - so that you could add any attribute 
the server knows about to an existing object which otherwise couldn't hold 
it.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
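As an added example (not code from either poster), the modify operation the reply describes, adding extensibleObject and then 'host' values to an existing user entry, followed by a pam_check_host_attr-style check; the DN, hostnames and the matching rule (case-insensitive hostname or the wildcard '*', no 'host' value means deny) are assumptions.

```python
"""Added example: give a user entry the 'host' attribute via extensibleObject
and apply a pam_check_host_attr-style check. Constructed data; the match rule
(case-insensitive hostname or '*', no 'host' value = deny) is an assumption."""
MODIFY_LDIF = """\
dn: uid=ohartmann,ou=users,dc=foo
changetype: modify
add: objectClass
objectClass: extensibleObject
-
add: host
host: cassini
host: titan.example.org
-
"""  # constructed LDIF: DN and hostnames are made-up sample values

def parse_ldif_modify(text):
    """Return (dn, [(attr, [values]), ...]) for the 'add:' mods of one record."""
    dn, mods, cur = None, [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("add: "):
            cur = (line[5:], [])
            mods.append(cur)
        elif line in ("", "-") or line.startswith("changetype:"):
            continue
        else:
            attr, value = line.split(": ", 1)
            if cur is not None and attr == cur[0]:
                cur[1].append(value)
    return dn, mods

def apply_mods(entry, mods):
    """Append the added values to a dict-of-lists entry (no schema check here)."""
    for attr, values in mods:
        entry.setdefault(attr, []).extend(values)
    return entry

def host_allowed(entry, hostname):
    """Allow if any 'host' value is '*' or equals the local hostname."""
    return any(h == "*" or h.lower() == hostname.lower()
               for h in entry.get("host", []))

def user_after_modify():
    """Sample posixAccount user entry with the modify above applied."""
    entry = {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["ohartmann"]}
    dn, mods = parse_ldif_modify(MODIFY_LDIF)
    return dn, apply_mods(entry, mods)
```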


host based authentication with OpenLDAP and FreeBSD

2008-11-14 Thread O. Hartmann

Hello,
I have an OT question and maybe some of the FreeBSD server admins here 
can help me out.


Our setup has several Linux and FreeBSD boxes, users are kept in 
OpenLDAP without any further service like Kerberos V etc.


The situation(s):

We have locally and personally administered workstations where the local 
admin should decide whether a specific user can log in or not while 
these machines are still bound to LDAP.


Also the centralized LDAP admin should be able to decide which users or 
group of users can login to which group of hosts, this is the case with 
our student's workstations which should be accessible from every user 
belonging to the scientific staff and students, too, but students must 
not login to workstations of the science staff.


Having nss_ldap and pam_ldap installed on every single FreeBSD 
server/box which is capable of being accessed I found in etc/ldap.conf 
the tags 'pam_filter' and 'pam_check_host_attr'. Setting the latter to 
'yes' implies having the 'host' attribute in each user's object located 
in OpenLDAP's DIT for the specific domain. But objectClass=account seems 
to conflict with objectClass=organizationalPeople which is a must in our 
configuration, so the host attribute is not of any further investigation.


I tried to put users like 'students' in a special object of 
objectClass=groupOfNames and put that object along with the ordinary 
users in ou=users object and tried to use pam_filter 
((objectClass=posixAccount)(objectClass=groupOfNames) ...) to find ANDed 
matches of a user existing in the DIT AND exist in a special 
groupOfNames-Object for a special set of hosts and name this object like 
this


dn: cn=logonGrpCASSINI,ou=users,dc=foo
cn: logonGrpCASSINI
objectClass: groupOfNames
objectClass: top
member: uid=...
member: uid=...


Well, I never had success with pam_filter due to the lack of knowledge 
how to filter and how ldap is looking up attributes, but far more 
important is: does this work in principle?


The big question at this moment is, whether it is possible to 'group' 
login authentications/permissions via LDAP without the host attribute 
and simply perform a separation via the standard tools 
nss_ldap/pam_ldap/OpenLDAP as given.


Are there other techniques usable with FreeBSD and OpenLDAP?

Well, I'm a little bit desperate at the moment, if someone has hints of 
further readings in that subject, any hint or tip is welcome.


Regards,
Oliver