ldap by hosts

These are some things I recently ran into when trying to restrict a certain ldap user to a certain number of hosts.

For example, at the school we have a cluster where we may only want the parallel processing students to have access, cadence where we may only want vlsi students to have access, and our main server where we want everyone to have access.

Here’s the preliminary way that seems to work. I assume most of your LDAP is already set up.

First, add the account objectclass to your user.  You may need to do some mangling here (for example if you use the inetorgperson objectclass).  You can create your own joined schema for this.  The reason you want the account objectclass is so you have access to the host attribute.

Next, for every user, add the restricted hosts you want that user to have access to.  For example, for the cluster I add a host=skynet.coe.isu.edu attribute.

Finally, on skynet.coe.isu.edu, in ldap.conf, add

pam_check_host_attr yes
pam_filter |(host=skynet.coe.isu.edu)

Then, on our main server, do not add these lines, as they only restrict access to users with the applicable host attributes.
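
An added example (not from the original post): a small Python audit of an LDIF export that lists which users a restricted machine would admit and which still need the account objectclass. It assumes the login check is a case-insensitive exact match of the machine's full name against the user's host values; the users and the dc=example,dc=org base are constructed.

```python
"""Added example: audit which users a host-restricted machine would admit."""
from collections import defaultdict

# Constructed export in "ldapsearch -LLL" form, trimmed to the attributes read
# here. The users and the dc=example,dc=org base are hypothetical.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: alice
host: skynet.coe.isu.edu

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: account
uid: bob
host: skynet.coe

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold wrapped lines
        entry = defaultdict(list)
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)  # base64 "attr:: v" is not decoded
                entry[attr.lower()].append(value.strip())
        if entry.get("uid"):
            entries.append(entry)
    return entries

def audit(entries, fqdn):
    """Assumed check: case-insensitive exact match of fqdn against host values."""
    report = defaultdict(list)
    for e in entries:
        uid = e["uid"][0]
        hosts = [h.lower() for h in e.get("host", [])]
        if "account" not in [c.lower() for c in e.get("objectclass", [])]:
            report["needs_account_class"].append(uid)  # cannot hold a host value yet
        report["allowed" if fqdn.lower() in hosts else "denied"].append(uid)
    return dict(report)

if __name__ == "__main__":
    for group, users in audit(parse_ldif(SAMPLE_LDIF), "skynet.coe.isu.edu").items():
        print(f"{group}: {', '.join(users)}")
```

In the sample, bob is denied because his host value is not the machine's full name, and carol is flagged because she has no account objectclass to carry a host attribute.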
