
List:       ldap
Subject:    [ldap] Re: Multi Homed PosixAccounts
From:       Salvador Salanova Fortmann <salvador.salanova () pas ! udg ! es>
Date:       2003-12-09 7:59:32


Hi,

We use attributes and filters instead of OUs.

Our (posix|samba|...)Accounts all live in the same OU; we give them home-made 
attributes like "userOfCampus: littlecampus", and then in nss_ldap, 
pam_ldap and smb.conf we use filters like 
(&(uid=%u)(userofcampus=littlecampus)(category=Admin))

Moving, upgrading, or downgrading users is just a question of 
adding, removing, or changing attributes.

It's just the way we do it, and it works for us.

Hope this helps.


Salvador Salanova Fortmann




Peter L. Berghold wrote:
> Hi folks,
> 
> I'm trying to do something really funky with OpenLDAP and I seem to be
> running into a brick wall.  I'm sure that someone else has accomplished
> this already and I'm not so much looking for "HOW TO" but more pointers
> to references to "HOW TO" so I can implement this.
> 
> I have a mix of Solaris, Linux, BSD and other machines that I am trying
> to set up using pam_ldap for authentication. From a political stand
> point I have two different campuses to manage as well as development and
> production machines that I want to manage. On top of all that we are an
> outsourced IT department and we have need to have "outside" folks get
> access to some of the machines (not all) for administrative purposes. 
> 
> My first instinct was to create four organizational units:
> 
> Admins -- Unix system administrators
> OutsideAdmins -- Other outside admin folks.
> CampusA  -- Folks from campus A
> CampusB  -- Folks from campus B
> 
> It's actually slightly more involved than that, but this is close enough
> to get my point across without getting very confusing.
> 
> The access matrix looks like:
>                     | Admins  | OutsideAdmins | CampusA | CampusB
> Access Levels       | L  | S  | L  | S       | L  | S  | L  | S
> --------------------+----+----+----+---------+----+----+----+----
> CampusA Prod        | X  | X  | X  |         |    | X  |    |
> CampusA Dev         | X  | X  | X  |         | X  | X  |    |
> CampusB Prod        | X  | X  | X  |         |    |    |    | X
> CampusB Dev         | X  | X  | X  |         |    |    | X  | X
> Infrastructure      | X  | X  | X  |         |    |    |    |
> Infrastructure Test | X  | X  |    |         |    |    |    |
> 
> Key=  L: Interactive Login (ssh)   S: SAMBA file system access
> 
> What the above matrix is all about is depending on what OU your login is
> in controls what groups of machines you are able to log into and if you
> get interactive login rights, SAMBA rights, both or neither. 
> 
> What I don't want to do is put people in multiple OUs because I want to
> keep password synchronization as simple as possible.
> 
> Has anybody any hints on how to do this?
> 



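A worked version of the attribute-and-filter approach described in the reply above, filled in for one row of the quoted matrix (the "CampusA Prod" hosts: Admins get login and Samba, OutsideAdmins login only, CampusA users Samba only, CampusB users nothing). This is an added example, not Salvador's or Peter's configuration. The attribute names follow the filter in the reply; the values `campusA` and `OutsideAdmin`, the suffix `dc=example,dc=com`, the `cn=ldapadmins` group, the placeholder OID arc `1.3.6.1.4.1.99999`, and the PADL nss_ldap/pam_ldap and Samba 3 ldapsam directive syntax are assumptions. Each section is labelled with the file it belongs in; the pieces are shown together only so the mapping from the matrix row to the three filters is visible in one place.

```conf
# --- slapd.conf: schema for the site-local attributes ---
# OID arc 1.3.6.1.4.1.99999 is a placeholder; use an enterprise arc you own.
# The attribute names must not clash with schema already loaded on the server.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'userOfCampus'
    DESC 'Campus whose machines this account may use'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'category'
    DESC 'Role of this account: Admin, OutsideAdmin, ...  (multi-valued)'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'siteAccount'
    DESC 'Auxiliary class carrying the access-control attributes'
    SUP top AUXILIARY MAY ( userOfCampus $ category ) )

# --- slapd.conf: who may write the attributes the host filters trust ---
# Every host's nss/pam/smb filter is only as trustworthy as the write ACL on
# these two attributes.  This rule must come before any general
# "access to * by self write ..." rule; otherwise a user could add
# category=Admin to their own entry and log in everywhere.
access to attrs=userOfCampus,category
    by group="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
    by * read

# --- LDIF: one account, in the same OU as every other account ---
# (assumed entry; an outside administrator attached to campus A)
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: siteAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/sh
userOfCampus: campusA
category: OutsideAdmin

# --- /etc/ldap.conf on a "CampusA Prod" host (PADL nss_ldap + pam_ldap) ---
base dc=example,dc=com
uri ldap://ldap.example.com/
# nss_ldap: resolve everyone who may either log in OR use Samba here.
# Samba still needs getpwnam() for the Samba-only users, so this filter is
# the union of the L and S columns for this row of the matrix.
nss_base_passwd ou=People,dc=example,dc=com?one?(|(category=Admin)(category=OutsideAdmin)(userOfCampus=campusA))
nss_base_shadow ou=People,dc=example,dc=com?one?(|(category=Admin)(category=OutsideAdmin)(userOfCampus=campusA))
# pam_ldap: interactive login, the L column only.  pam_ldap ANDs pam_filter
# with uid=<user> itself, so no uid term is written here.
pam_filter (|(category=Admin)(category=OutsideAdmin))

# --- smb.conf on the same host (Samba 3 ldapsam) ---
# The S column: Admins and campus A users, but not OutsideAdmins.
[global]
    passdb backend = ldapsam:ldap://ldap.example.com/
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap filter = (&(uid=%u)(|(category=Admin)(userOfCampus=campusA)))
```

Before rolling a filter out to a host class, check it against the directory with plain `ldapsearch -x -H ldap://ldap.example.com/ -b ou=People,dc=example,dc=com '<filter>' uid`, substituting a real uid for `%u`: with the entry above, the pam_filter (ANDed with `uid=jdoe`) returns jdoe, and the smb.conf filter returns nothing, which is exactly the OutsideAdmins cell of the "CampusA Prod" row. Two caveats: pam_filter only gates accounts that authenticate through pam_ldap, so local accounts and any other PAM modules in the stack are unaffected by it, and the `ldap filter` parameter is a Samba 2.2/early 3.0 ldapsam directive that later Samba releases dropped, so confirm it in your smb.conf(5) before depending on it.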


