List: ldap
Subject: [ldap] Re: Multi Homed PosixAccounts
From: Salvador Salanova Fortmann <salvador.salanova () pas ! udg ! es>
Date: 2003-12-09 7:59:32
Hi,
We use attributes and filters instead of OUs.
Our (posix|samba|...)Accounts all live in the same OU; we give them home-made
attributes like "userOfCampus: littlecampus", and then in nss_ldap,
pam_ldap and smb.conf we use filters like
(&(uid=%u)(userofcampus=littlecampus)(category=Admin))
Moving, upgrading, or downgrading users is just a question of
adding, removing, or changing attributes.
It's just the way we do it and it works for us.
Hope this helps.
Salvador Salanova Fortmann
Peter L. Berghold wrote:
> Hi folks,
>
> I'm trying to do something really funky with OpenLDAP and I seem to be
> running into a brick wall. I'm sure that someone else has accomplished
> this already and I'm not so much looking for "HOW TO" but more pointers
> to references to "HOW TO" so I can implement this.
>
> I have a mix of Solaris, Linux, BSD and other machines that I am trying
> to set up using pam_ldap for authentication. From a political stand
> point I have two different campuses to manage as well as development and
> production machines that I want to manage. On top of all that we are an
> outsourced IT department and we have need to have "outside" folks get
> access to some of the machines (not all) for administrative purposes.
>
> My first instinct was to create four organizational units:
>
> Admins -- Unix system administrators
> OutsideAdmins -- Other outside admin folks.
> CampusA -- Folks from campus A
> CampusB -- Folks from campus B
>
> It's actually slightly more involved than that, but this is close enough
> to get my point across without getting very confusing.
>
> The access matrix looks like:
>                     |   Admins  | OutsideAdmins |  CampusA  |  CampusB
> Access Levels       |  L  |  S  |   L   |   S   |  L  |  S  |  L  |  S
> --------------------+-----+-----+-------+-------+-----+-----+-----+-----
> CampusA Prod        |  X  |  X  |   X   |       |     |  X  |     |
> CampusA Dev         |  X  |  X  |   X   |       |  X  |  X  |     |
> CampusB Prod        |  X  |  X  |   X   |       |     |     |     |  X
> CampusB Dev         |  X  |  X  |   X   |       |     |     |  X  |  X
> Infrastructure      |  X  |  X  |   X   |       |     |     |     |
> Infrastructure Test |  X  |  X  |       |       |     |     |     |
>
> Key= L: Interactive Login (ssh) S: SAMBA file system access
>
> What the above matrix is all about is depending on what OU your login is
> in controls what groups of machines you are able to log into and if you
> get interactive login rights, SAMBA rights, both or neither.
>
> What I don't want to do is put people in multiple OUs because I want to
> keep password synchronization as simple as possible.
>
> Has anybody any hints on how to do this?
>
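The attribute-and-filter approach from Salvador's reply, worked through for the "CampusA Prod" row of Peter's matrix, as an added example that is not code from either post. Only the attribute names (uid, category, userOfCampus) come from the thread; the per-host filter templates, the sample entries and the small filter evaluator are constructed here, and in practice nss_ldap/pam_ldap/Samba send the filter to the LDAP server rather than evaluating it locally.

```python
import re

def escape_value(value):
    """RFC 4515 escaping so a login name can never change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def parse_filter(text):
    """Parse the filter subset used in the thread: (&...), (|...), (attr=value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, kids, pos = text[pos], [], pos + 1
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.lower(), value)
    return node()

def matches(node, entry):
    """Evaluate a parsed filter against one entry (caseIgnoreMatch semantics)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

# Per-host-class templates derived from the quoted matrix (constructed for this example);
# nss_ldap/pam_ldap substitute the login name for %u.
FILTERS = {
    ("CampusA Prod", "login"): "(&(uid=%u)(|(category=Admin)(category=OutsideAdmin)))",
    ("CampusA Prod", "samba"): "(&(uid=%u)(|(category=Admin)(userOfCampus=CampusA)))",
}
DIRECTORY = [  # constructed sample entries; attribute names lower-cased as parse_filter() does
    {"uid": ["alice"], "category": ["Admin"]},
    {"uid": ["bob"], "category": ["OutsideAdmin"]},
    {"uid": ["carol"], "userofcampus": ["CampusA"]},
]
def allowed(host_class, service, username, directory=DIRECTORY):
    tree = parse_filter(FILTERS[(host_class, service)].replace("%u", escape_value(username)))
    return any(matches(tree, e) for e in directory)
```

Moving carol to another campus or promoting bob to an inside admin is a single attribute change on one entry, which is the password-synchronisation benefit Salvador describes.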