LinuxQuestions.org
Old 02-16-2010, 07:02 AM   #1
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Rep: Reputation: 36
LDAP Access control for users


Hi,

I'm using Sun One LDAP server, (Soon to be moving to openldap). I have one Master server, no slaves, about 60 user accounts.

I'd like to add an attribute to each of the users' DNs to restrict their ability to login to specific hostnames. I.e. I have hosts A, B and C. Dev staff can access A and B, but not C, and support staff need to access all of them.

I found a link at http://publib.boulder.ibm.com/infoce...ccess_ctrl.htm which talked about using 'hostsallowedlogin' and 'hostsdeniedlogin' attributes but I'm presuming these are bespoke. If they are, how do you configure the ldap.conf to take note of these attributes when authorizing access?

Any help would be appreciated.

Thanks,

Stuart.
 
Old 02-16-2010, 07:19 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
I'd suggest against schema modifications for something like this. LDAP is just a data store, not a security device etc, and whilst it is obviously its main use, it's really not all too healthy to try to push the applied uses of the data back into the data store. Instead, why not just use group memberships? On each relevant server, just require that in order to log in, the user should be in a certain group. That group *could* be host specific, but you might actually have a nicer higher level way to aggregate groups of machines and / or users - dev and support in your example. Requirements to be in these groups can be broadly implemented in /etc/security/access.conf on a rhel-u-like box for example, or directly in config files like sshd_config.
 
Old 02-16-2010, 08:27 AM   #3
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

We use the 'ismemberof' virtual attribute in OpenDS (I think Sun One is the same code base). A groupOfNames is created for each type of machine (or each role), and users are added to these groupOfNames depending on where they need access to.

On the clients, the grouping is enforced by using a filter on the nss_base_passwd entry in ldap.conf like:
Code:
nss_base_passwd ou=People,dc=ilikejam,dc=org?sub?(|(ismemberof=cn=Admin,ou=auth,dc=ilikejam,dc=org)(ismemberof=cn=Backups,ou=auth,dc=ilikejam,dc=org))
The above only lets people who are members of the groups Backups and Admin into the machine.

Dave

Last edited by ilikejam; 02-16-2010 at 08:32 AM.
 
Old 02-16-2010, 10:38 AM   #4
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
Dave,

'Cause I'm feeling pretty lazy, don't suppose you could show me some output from what your 'Admin' or 'Backup' auth groups look like?

BTW - read your blog, have been there with Emulex cards, QLogic is pretty much the only thing I let them buy now.

Stu.
 
Old 02-16-2010, 11:01 AM   #5
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Sure.
Code:
$ ldapsearch -b 'cn=Admin,ou=auth,dc=ilikejam,dc=org' -h ldap.ilikejam.org -p 636 -D 'cn=Directory Manager' -w p4ssw0rd1 -Z  'objectclass=*'
version: 1
dn: cn=Admin,ou=auth,dc=ilikejam,dc=org
member: cn=andy,ou=dba,ou=People,dc=ilikejam,dc=org
member: cn=brian,ou=dba,ou=People,dc=ilikejam,dc=org
member: cn=chris,ou=admins,ou=People,dc=ilikejam,dc=org
member: cn=dave,ou=admins,ou=People,dc=ilikejam,dc=org
objectClass: groupOfNames
objectClass: top
cn: Admin
$
The members are just the cn's of the LDAP user entries of each person you want in the group.

Dave

Last edited by ilikejam; 02-16-2010 at 11:07 AM.
 
Old 02-16-2010, 04:56 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
It's doing the application the data in the right place, but something about that doesn't really sit comfortably with me. Mixing user information and authorization... I'd expect you've more experience in this area than me, and clearly it works just fine, but still feels like the wrong place to filter the data.
 
Old 02-16-2010, 05:55 PM   #7
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Yeah, I know what you mean. It's got the same level of wrongness that I still feel setting up SSH keys for password-less access between hosts. It doesn't quite sit right that the presence of a file, or filter in this case, on the client grants access to the machine. Same principle, though - if you've got the rights to edit the file (~/.ssh/* or ldap.conf), then you've already got enough rights to do whatever you want anyway.

This /could/ be done with a load of ACIs on the LDAP servers - it's possible to grant/block access based on client IP address / SSL/plain binding level / user etc, but maintaining tens to hundreds of ACIs on an LDAP system (especially if LDAP's distributed across a couple of data centres) is a nightmare I'm really not willing to deal with on a day to day basis. You could 'physically' group the users in the hierarchy with sub groups inside the 'People' tree (or even use separate LDAP trees for different groups of hosts if you were feeling sadistic), but a lot of users where I work have accounts on various sub-sets of the Unix hosts, so there's no sensible way to group them without duplicating some of their LDAP entries in some of the groups, giving them access to machines they shouldn't have access to, or creating loads of very specific trees of users.

groupOfNames/isMemberOf seems to fit the bill perfectly, to be honest. We use a single ACI with a groupOfNames to let our service desk users reset passwords and change user details for non-priv users as well, so it works out quite nicely.

Dave

Last edited by ilikejam; 02-16-2010 at 05:57 PM.
 
Old 02-17-2010, 03:59 AM   #8
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
Dave,

Thanks for the help, not sure what I'm doing wrong here:

(root@swwiki10 in /): ldaplist -l ou=auth
dn: cn=infra,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: infra
member: cn=stuart,ou=people,dc=ldn,dc=sw,dc=com

In the ldap.conf
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?(ismemberof=cn=infra,ou=auth,dc=ldn,dc=sw,dc=com)

If I now su - stuart it says 'user stuart does not exist'.
 
Old 02-17-2010, 04:23 AM   #9
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hmmm. Could be an ACI problem - OpenDS at least needs to be configured to allow isMemberOf searches. Not sure if it's the same for Sun One, but the ACI is:
Code:
(targetattr="isMemberOf")(version 3.0; acl "Allow isMemberOf";allow(read,search,compare) \
userdn="ldap:///anyone";)
Dave
 
Old 02-17-2010, 10:00 AM   #10
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
Dave,

After much messing about, I came to the conclusion that ldap.conf was set wrong.

Finally tried:
nss_base_passwd isMemberof=cn=infra,ou=auth,dc=ldn,dc=sw,dc=com

And all working now.

Thanks for all your help Dave/Chris.

Stuart.
 
Old 02-17-2010, 10:22 AM   #11
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Huh. To be honest, I wouldn't have expected that to work.

Ah well. Happy days.

Dave
 
Old 02-17-2010, 11:35 AM   #12
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
You're right - doesn't work - will try harder!
 
Old 02-19-2010, 11:15 AM   #13
stuart_cherrington
Member
 
Registered: Aug 2008
Location: Get back in your Cube Unix Boy!
Distribution: rh5, oel5, debian etch, solaris
Posts: 228

Original Poster
Rep: Reputation: 36
Dave,

Was wondering if you could shed any more light on this:

I've tried multiple combinations of the line:

nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com(&(ismemberof=cn=access,ou=auth,dc=ldn,dc=sw,dc=com) (objectclass=groupofnames))
or
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com(&(ismemberof=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)

I've tried this with the dn 'cn=access,ou=auth,dc=ldn,dc=sw,dc=com' containing either 'cn=stuart,ou=people,dc=ldn,dc=sw,dc=com' or 'stuart' or both.

Maybe it's my search strings but Google doesn't seem to have much help on LDAP setup for this kind of scenario.

I'll keep scratching at it, but anything you can help with would be great.

Thanks,

Stuart.
 
Old 02-19-2010, 11:23 AM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1981
Well, your format doesn't match the given example at all. Your one is one single ldap string, which is not valid, whereas the example is broken with ?'s
 
Old 02-19-2010, 12:11 PM   #15
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Oops, hold on. I'd copied the nss_base_passwd from a solaris host - the syntax is very slightly different on Linux (Linux doesn't like the leading '(' in the filter for some reason). Apologies.

That should be:
Code:
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?ismemberof=cn=access,ou=auth,dc=ldn,dc=sw,dc=com
or if there's more than one group to search
Code:
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?|(ismemberof=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)(ismemberof=cn=access2,ou=auth,dc=ldn,dc=sw,dc=com)
Dave
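As an added example (not code from the thread or from any of the posters), here is a small Python model of the groupOfNames/isMemberOf scheme described in #3 and of the base?scope?filter form of nss_base_passwd corrected in #15. The dc=example,dc=org suffix, the directory contents, the defaults used for a missing scope or filter, and the "person" objectClass are constructed for illustration, and the filter evaluator only covers equality, presence, &, | and !; it also shows why a bare name in a member attribute (rather than the user's full DN, as in #13) produces no isMemberOf value.

```python
# Added example, not from the thread: how a host's nss_base_passwd line admits users via isMemberOf.
PEOPLE = "ou=People,dc=example,dc=org"  # constructed suffix
USER_DNS = ["cn=%s,%s" % (n, PEOPLE) for n in ("andy", "brian", "dave", "stuart", "guest")]
GROUPS = {  # constructed groupOfNames entries; "stuart" is a bare name, not a DN
    "cn=Admin,ou=auth,dc=example,dc=org": [USER_DNS[0], USER_DNS[2]],
    "cn=Backups,ou=auth,dc=example,dc=org": [USER_DNS[1]],
    "cn=infra,ou=auth,dc=example,dc=org": ["stuart"],
}

def is_member_of(user_dn, groups):
    """isMemberOf as the server derives it: every group whose member values equal this DN."""
    return [g for g, ms in groups.items() if user_dn.lower() in [m.lower() for m in ms]]

def parse_nss_base(line):
    """Split 'base?scope?filter'; a filter without outer parens (Linux form) is wrapped. Assumed defaults: scope sub, filter objectclass=*."""
    base, _, rest = line.partition("?")
    scope, _, flt = rest.partition("?")
    flt = flt or "objectclass=*"
    return base, scope or "sub", flt if flt.startswith("(") else "(" + flt + ")"

def _split(s):
    """'(a)(b)' -> ['(a)', '(b)'] at the top nesting level."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            out.append(s[start:i + 1])
    return out

def matches(flt, entry):
    """Evaluate the filter subset needed here: equality, presence (attr=*), &, |, !."""
    body = flt[1:-1]
    if body[0] in "&|!":
        res = [matches(s, entry) for s in _split(body[1:])]
        return all(res) if body[0] == "&" else any(res) if body[0] == "|" else not res[0]
    attr, _, val = body.partition("=")  # split at the first '=' so DN values keep theirs
    vals = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(vals) if val == "*" else val.lower() in vals

def allowed_logins(nss_base_passwd, groups=GROUPS):
    """Usernames the host would resolve through NSS for this line (scope is treated as sub)."""
    base, _scope, flt = parse_nss_base(nss_base_passwd)
    names = []
    for dn in [d for d in USER_DNS if d.lower().endswith("," + base.lower())]:
        entry = {"cn": [dn[3:dn.index(",")]], "objectclass": ["person"],
                 "ismemberof": is_member_of(dn, groups)}  # virtual attribute, computed per entry
        if matches(flt, entry):
            names.append(entry["cn"][0])
    return sorted(names)
```

With the constructed data, the two-group line from #15 admits andy, brian and dave, while the cn=infra line admits nobody until the member value is changed to stuart's full DN.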