LinuxQuestions.org
Old 01-20-2009, 05:42 AM   #1
dbmacartney
Member
 
Registered: Mar 2007
Location: London, UK
Distribution: Debian, Red Hat Enterprise, Fedora
Posts: 70

Rep: Reputation: 15
how to restrict a user in NIS from logging on to a particular server


Morning everyone

I was wondering if someone has set something similar up in the past.

In my environment we have about 30 RHEL 4 servers. There are about 60 staff who SSH into each server depending on their role.

Each staff member would need to log onto roughly 20 servers to do their job.

I have just started here, and currently user management is set up as local users on each box.

I am going to pull my hair out if I get asked to manually create 30 accounts each time one new staff member starts work.

My knowledge of LDAP is sketchy to say the least but I do know how to use NIS and I have implemented it in the past and it solved the problems of wasting sys admin's time for account creation.

Here is the scenario. We have 30 servers. I have a new starter and this new starter, based on their role only needs access to 15 of the 30 servers.

I want to create his user account once. Is there a way to set up NIS for central authentication across the 30 servers, but then add additional parameters somewhere to specify a denied list of hosts?

e.g.:

Step 1. Create account on NIS server
Step 2. If the user shouldn't be logging into a certain server or list of servers, specify the list of hostnames on the NIS server of the boxes which should be blocked.


I was thinking perhaps disabling the user account in /etc/passwd would do this, but I don't want to do this on half of the servers for each person I set up. My understanding of NIS is that even if I made a change like this on a server, the next time NIS updates the server, it would undo the change I just made.


Would anyone be able to assist?

Alternatively, if LDAP has this capability and you know of a decent article I would love to read up on it.

Many thanks
 
Old 01-20-2009, 05:50 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
Well, this issue isn't anything to do with NIS or LDAP really. Just configure an access.conf file to require, for example, each non-root user logging in to be a member of a certain group. That group could be per server, per group / function or for the entire implementation. If the boxes are set up to authenticate generally via LDAP / NIS whatever then you can also use access.conf to pull groups as well. So this logic doesn't live within the server side ever, but implicit rights to a given resource are still centrally controlled once the base configuration is in place. Personally I would recommend LDAP for this backend, especially if they already have one as you seem to suggest.

Last edited by acid_kewpie; 01-20-2009 at 05:51 AM.
 
Old 01-21-2009, 07:14 AM   #3
dbmacartney
Member
 
Registered: Mar 2007
Location: London, UK
Distribution: Debian, Red Hat Enterprise, Fedora
Posts: 70

Original Poster
Rep: Reputation: 15
Thanks Chris that is exactly what I am after.

Is there a way to set up restrictions from a central point? Or would this be best kept locally and perhaps updated by an rsync cron job to copy a master file to the necessary servers?

Cheers

Dale
 
Old 01-21-2009, 07:29 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
No crons needed. On the client you say "group XYZ can log into this box" in /etc/security/access.conf, and that group exists within LDAP / NIS, whatever central system you use. So by adding and removing users on the central server, you'll define automatically who can log into the connected clients. As long as you have confidence in however you set up the groups you need never change anything on the clients again.
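
The approach from post #4 as an added example (not code from any poster in this thread): a simplified Python model of how pam_access evaluates /etc/security/access.conf, using a constructed rule file and the hypothetical group `dbadmins` and users `alice`, `bob` and `carol`. It shows that changing the central group changes who can log in without touching the client file, and that a file lacking the final deny-all rule admits everyone.

```python
# Simplified model of pam_access first-match evaluation (added example).
# Supported subset: user names, (group) tokens and ALL; origins are ignored.

# Constructed sample of one client's /etc/security/access.conf.
ACCESS_CONF = """\
# permission : users/groups : origins
+ : root : ALL
+ : (dbadmins) : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permission, [user tokens])], skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, _origins = [f.strip() for f in line.split(":", 2)]
        rules.append((perm, users.split()))
    return rules

def token_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in groups.get(token[1:-1], set())
    return token == user

def may_login(user, rules, groups):
    """First matching rule decides; no match at all means access is granted."""
    for perm, tokens in rules:
        if any(token_matches(t, user, groups) for t in tokens):
            return perm == "+"
    return True

rules = parse_rules(ACCESS_CONF)

def demo():
    # Constructed stand-in for the central NIS/LDAP group map.
    central = {"dbadmins": {"alice"}}
    before = may_login("bob", rules, central)
    central["dbadmins"].add("bob")  # change made only on the central server
    after = may_login("bob", rules, central)
    # Same file without the final deny line: unmatched users fall through.
    open_rules = parse_rules(ACCESS_CONF.replace("- : ALL : ALL\n", ""))
    leak = may_login("carol", open_rules, central)
    return before, after, leak
```

On a real client the rules only apply when the service's PAM stack loads the module, for example `account required pam_access.so`. `(group)` is the group notation in current access.conf(5), so check the man page on older releases.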
 
Old 01-21-2009, 10:34 AM   #5
dbmacartney
Member
 
Registered: Mar 2007
Location: London, UK
Distribution: Debian, Red Hat Enterprise, Fedora
Posts: 70

Original Poster
Rep: Reputation: 15
That's perfect. Thanks for your assistance.
 
Old 07-28-2010, 05:49 AM   #6
Jalindar
LQ Newbie
 
Registered: Feb 2010
Posts: 14

Rep: Reputation: 0
To restrict NIS user

Hi.
How to restrict the NIS user to login to Server?
E.g. suppose I have 24 users and I want to deny access to 4 users. How do I do it?
 
Old 07-28-2010, 08:31 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962
Erm, did you bother reading a single word in this thread before posting in it?
 
  


All times are GMT -5.