LinuxQuestions.org > Forums > Linux Forums > Linux - General
Old 04-26-2010, 06:47 AM   #1
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Rep: Reputation: 36
Question OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts


Hi,

I wanted to restrict users to logging onto specific hosts, i.e. to keep developers away from Production hosts etc. I managed to do this on thread http://www.linuxquestions.org/questi...-users-789466/ using Sun's SDSCC.

We're now migrating to OpenLDAP and I need the same functionality. I found the 'ismemberof' attribute does not appear to be part of the default schemas that come with the Red Hat 5.3 RPMs; OpenLDAP is v2.3.43.

I found an interesting article at http://forums.devshed.com/ldap-progr...te-191444.html on how to create your own schemas. So I created a file called /etc/openldap/schema/memberof.schema and put in the following text:

# The isMemberOf attribute associated with an entity is a
# collection of values each of which identifies a group to
# which that entity belongs.
attributetype ( 1.3.6.1.4.1.5923.1.5.1.1
NAME 'isMemberOf'
DESC 'identifiers for groups to which containing entity belongs'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )

Then I added this schema to the slapd.conf and restarted ldap.

In the client, I've used the same 'ismemberof' line from my previous thread, so it says:

nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com

Having tried MANY combinations of ?, ( and ) it won't work.

So, can anyone comment on my schema: is it right? Is it complete sh!te?
Does the nss_base_passwd line need changing now I've moved to OpenLDAP?

Comments on a postcard please.

BTW - I've been looking at LDAP books to cure my insomnia, and found http://www.amazon.co.uk/LDAP-Directo...2282151&sr=1-1. The books.google.com site had some useful pages from this book but the review on amazon is not great.

TIA

Stuart.
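To see what the nss_base_passwd line above actually asks the directory for, here is an added example (not code from this thread, nor from OpenLDAP or nss_ldap) that splits the map into its base?scope?filter parts and evaluates the filter against a few constructed user entries using a small RFC 4515 subset. The point it makes: adding isMemberOf to the schema only gives the attribute a name and a syntax; the filter still matches only entries that carry that value, and in OpenLDAP 2.3 nothing populates it for you (the memberof overlay only arrived in 2.4). The entries and DNs are constructed, and the matching is a simplified model of what slapd does.

```python
"""Model how an nss_ldap 'nss_base_passwd' map selects LDAP user entries.

Added example, not code from the thread or from OpenLDAP/nss_ldap. Evaluates a
'base?scope?filter' map against constructed entries with a small RFC 4515
filter subset; slapd's real matching rules are richer than this.
"""
import re

# Constructed sample entries. Only bob carries the isMemberOf value the filter
# asks for: a schema definition names the attribute, it puts no values on entries.
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=ldn,dc=sw,dc=com",
     "objectClass": ["posixAccount"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=ldn,dc=sw,dc=com",
     "objectClass": ["posixAccount"], "uid": ["bob"],
     "isMemberOf": ["cn=access,ou=auth,dc=ldn,dc=sw,dc=com"]},
    {"dn": "uid=carol,ou=people,dc=ldn,dc=sw,dc=com",
     "objectClass": ["posixAccount"], "uid": ["carol"],
     "isMemberOf": ["cn=developers,ou=auth,dc=ldn,dc=sw,dc=com"]},
]


def parse_nss_base(value):
    """Split an nss_ldap 'base?scope?filter' map; scope defaults to sub, filter to none."""
    parts = value.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    flt = parts[2] if len(parts) > 2 else ""
    return base, scope, flt


def parse_filter(text):
    """Parse (&...), (|...), (!...) and attr=value items into a tuple tree."""
    text = text.strip()
    if not text.startswith("("):          # nss_ldap accepts a bare item filter
        text = "(%s)" % text
    node, rest = _parse(text)
    if rest:
        raise ValueError("trailing data in filter: %r" % rest)
    return node


def _parse(text):
    if not text.startswith("("):
        raise ValueError("expected '(' at %r" % text[:20])
    body = text[1:]
    if body[:1] in ("&", "|"):
        op, body, children = body[0], body[1:], []
        while body.startswith("("):
            child, body = _parse(body)
            children.append(child)
        if not body.startswith(")"):
            raise ValueError("unterminated %s filter" % op)
        return (op, children), body[1:]
    if body[:1] == "!":
        child, body = _parse(body[1:])
        if not body.startswith(")"):
            raise ValueError("unterminated ! filter")
        return ("!", [child]), body[1:]
    m = re.match(r"([A-Za-z][\w;-]*)=([^)]*)\)", body)
    if not m:
        raise ValueError("unsupported filter item at %r" % body[:20])
    return ("=", m.group(1), m.group(2)), body[m.end():]


def _values(entry, attr):
    """Attribute lookup, case-insensitive on the attribute name as in LDAP."""
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # caseIgnoreMatch, the EQUALITY rule the posted schema declares
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def _in_scope(dn, base, scope):
    """Simplified scope test (does not handle escaped commas in DNs)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)


def passwd_uids(nss_base_passwd, entries=ENTRIES):
    """Return, sorted, the uids the passwd map would expose to the host."""
    base, scope, flt = parse_nss_base(nss_base_passwd)
    # nss_ldap ANDs the map filter with its own objectClass filter for the map.
    terms = [("=", "objectClass", "posixAccount")]
    if flt:
        terms.append(parse_filter(flt))
    root = ("&", terms)
    return sorted(e["uid"][0] for e in entries
                  if _in_scope(e["dn"], base, scope) and matches(root, e))


if __name__ == "__main__":
    line = ("ou=people,dc=ldn,dc=sw,dc=com?sub?"
            "isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com")
    print(passwd_uids(line))                              # ['bob']
    print(passwd_uids("ou=people,dc=ldn,dc=sw,dc=com"))   # no filter: everyone
```

With the map from the question, only the entry that really has isMemberOf=cn=access,... set is exposed; dropping the filter exposes every posixAccount under the base. On the real server, the same check is `ldapsearch -x -b 'ou=people,dc=ldn,dc=sw,dc=com' '(isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)'`: if that returns nothing, the problem is missing attribute values on the user entries, not the nss_base_passwd syntax.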
 
Old 04-27-2010, 03:00 AM   #2
rizhun
Member
 
Registered: Jun 2005
Location: England
Distribution: Ubuntu, SLES, AIX
Posts: 268

Rep: Reputation: 47
Hi Stuart,

I couldn't comment on your schema; I've never set this up. I can offer you an alternative way of achieving the same goal though; I've set something up on our servers to restrict access using OpenLDAP.

I created several NIS groups inside our OpenLDAP directory and assigned users to them.
You can then specify, in /etc/passwd, the NIS groups that are allowed to log in by adding something like the following to the end of the file:

Code:
+@nisgroupname::::::
+@anothernisgroup::::::
Once this is configured, you have 2 ways to modify access:
  • Create a new NIS group and add it to /etc/passwd.
  • Modify the members of an existing NIS group.

You can also grant access in the sudoers file based on NIS groups, so this is a very configurable way to restrict access to certain groups of people.

In my environment, I have created a 'dayaccess' NIS group. I can add LDAP users to the group using a script, and a cron job runs another script that empties the NIS group at midnight. This enables me to quickly grant temporary, limited access to users, without having to remember to remove them later.

This obviously isn't the way you were intending to do this, but it's another way of doing the same thing and therefore worth bringing to your attention.

Good luck.
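The compat-mode approach above has two parts worth scripting from the defender's side: checking that the `+@group` lines in /etc/passwd really restrict logins to the intended groups, and the midnight job that empties the temporary group. The following is an added example, not rizhun's scripts. It assumes the "NIS groups" are LDAP netgroups (objectClass nisNetgroup, members as nisNetgroupTriple values), which is what glibc's nss_compat consults for `+@name` lines when nsswitch.conf has `passwd: compat` and `passwd_compat: ldap`; the group DN and the sample passwd text are constructed placeholders.

```python
"""Audit '+@group' compat lines in /etc/passwd and build the LDIF for a job
that empties a temporary-access netgroup.

Added example, not rizhun's scripts. Assumes netgroups stored as nisNetgroup
entries with nisNetgroupTriple members; DN and passwd sample are constructed.
"""
import re

# Constructed passwd tail: two group grants, a bare '+' that admits everyone
# from the compat source, and a malformed entry with only six fields.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+@sysadmins::::::
+@dayaccess::::::
+::::::
+@broken:::::
"""

# Hypothetical netgroup DN; substitute the real one.
DAYACCESS_DN = "cn=dayaccess,ou=netgroup,dc=example,dc=com"


def audit_compat_lines(passwd_text):
    """Summarise the nss_compat entries ('+'/'-' lines) in a passwd file.

    '+@name' admits the members of netgroup 'name', '-@name' excludes them,
    '+user' admits a single user, and a bare '+' admits every user in the
    compat source, which silently undoes a per-group restriction, so it is
    reported as a finding along with malformed entries.
    """
    result = {"granted": [], "denied": [], "users": [], "findings": []}
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if line[:1] not in ("+", "-"):
            continue                       # ordinary local account
        fields = line.split(":")
        if len(fields) != 7:
            result["findings"].append("line %d: %d fields, expected 7: %r"
                                      % (lineno, len(fields), line))
            continue
        key = fields[0]
        if key == "+":
            result["findings"].append(
                "line %d: bare '+' admits every user from the compat source"
                % lineno)
        elif key.startswith("+@"):
            result["granted"].append(key[2:])
        elif key.startswith("-@"):
            result["denied"].append(key[2:])
        elif key.startswith("+"):
            result["users"].append(key[1:])
    return result


# Plausible login names only; anything else could break LDIF framing.
_UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def _check_uid(uid):
    if not _UID_RE.fullmatch(uid):
        raise ValueError("refusing to put %r into LDIF" % uid)


def ldif_add_member(group_dn, uid):
    """LDIF that adds a (,user,) triple to the netgroup (the grant script)."""
    _check_uid(uid)
    return ("dn: %s\nchangetype: modify\nadd: nisNetgroupTriple\n"
            "nisNetgroupTriple: (,%s,)\n-\n" % (group_dn, uid))


def ldif_clear_group(group_dn):
    """LDIF that removes every triple: what the midnight cron job applies.

    'delete' with no values drops the whole attribute. If the group is already
    empty slapd answers noSuchAttribute, so run ldapmodify with -c (continue)
    or check for members first; nisNetgroup only requires cn, so an empty
    group is still a valid entry.
    """
    return ("dn: %s\nchangetype: modify\ndelete: nisNetgroupTriple\n-\n"
            % group_dn)


if __name__ == "__main__":
    report = audit_compat_lines(SAMPLE_PASSWD)
    print("granted:", report["granted"])
    for finding in report["findings"]:
        print("FINDING:", finding)
    print(ldif_clear_group(DAYACCESS_DN))
```

The cron job would write `ldif_clear_group(...)` to a file and feed it to `ldapmodify -x -D <admin DN> -W -c -f clear.ldif` (or an equivalent with a credentials file). The audit function is the piece to run on each restricted host: the `+@dayaccess` line does nothing harmful, but a bare `+` anywhere in the file hands the host to every LDAP user regardless of group.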
 
Old 04-27-2010, 04:12 AM   #3
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
Riz,

Thanks for the input; this was to be my second option if I couldn't get the OpenLDAP profiling to work correctly. Hopefully someone will be able to point out where I've gone wrong.

Thanks,

Stuart.
 
Old 05-04-2010, 02:42 AM   #4
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
Don't suppose anyone else has any ideas? Dave/ilikejam was able to help me last time.
 
All times are GMT -5.