Re: Starting out with NSS overlay - Guidance required
ptw wrote:
> Hi gang!
> I'm looking for some guidance in what is most probably a very common
> objective, which is to manage all authentication to network hosts
> from slapd. To begin, my goal is to have:
> 1. one machine (generically-configured LDAP client) running sshd
> (10.153.107.100)
> 2. multiple LDAP users
> 3. specify, from slapd, that only one user (tony) can log in over ssh
> to the machine
> Surprisingly, I have not found much documentation on this stuff beyond
> the slapo-nssov man page.

The man page contains everything you need to know. You just need to pay
attention to the details.

> These are the entries I have so far:
> for slapd-config:
> # NSSOV
> dn: olcOverlay=nssov,olcDatabase={1}hdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcNssOvConfig
> olcOverlay: nssov
> olcNssSsd: passwd ldap:///ou=People,dc=example,dc=com??one
> olcNssSsd: group ldap:///ou=People,dc=example,dc=com??one

ou=People is obviously wrong there.

> olcNssSsd: hosts ldap:///ou=People,dc=example,dc=com??one

ou=People is obviously wrong there too.

> olcNssPam: hostservice uid2dn
> olcNssPamSession: sshd
>
> # ACL
> dn: olcDatabase={1}hdb,cn=config
> olcAccess: to attrs=userPassword by anonymous auth by self write by * none
> olcAccess: to attrs=shadowLastChange by self write by * none
> olcAccess: to * by self write by * read
> olcAccess: to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com
>  attrs=authorizedservice
>  by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare
>  by * read

This ACL will never be seen/used since it comes after access "to *".

> ==================
> The sshd host, user & group entries from my regular hdb-based DIT:
> # NSSOV HOST and USER
> dn: cn=host1.example.com,ou=Hosts,dc=example,dc=com
> objectClass: device
> objectClass: top
> objectClass: ipHost
> objectClass: authorizedServiceObject
> cn: host1.example.com
> ipHostNumber: 10.153.107.100
> authorizedService: sshd
>
> dn: cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com
> objectClass: posixGroup
> cn: ssh-host1-server_access
> gidNumber: 6000
>
> dn: uid=tony,ou=People,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: tony
> cn: Tony Doe
> uidNumber: 11000
> gidNumber: 6000
> userPassword: tonyldap
> loginShell: /bin/bash
> homeDirectory: /home/tony
> ===================
> Anyone?
> Thanks in advance,
> Peter
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
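The ordering problem Howard points out (a directive placed after an unconditional "to *" is never evaluated, because slapd stops at the first olcAccess whose <what> clause matches) is easy to check mechanically before the ACL is loaded. The script below is an added example written for this page, not code from the thread or from OpenLDAP: it parses the four olcAccess values quoted above (embedded here as a constructed sample, with the continuation lines joined as ldapsearch would return them), reports every directive shadowed by a catch-all, and proposes an order with the catch-all last. It assumes that only the literal "to *" form is treated as a catch-all and that no <what> clause itself contains the word "by".

```python
# Added example (not part of the original thread): detect olcAccess directives
# that can never match because an earlier "to *" swallows every request.
import re
from dataclasses import dataclass


@dataclass
class AclRule:
    index: int
    what: str           # the <what> clause, e.g. 'attrs=userPassword' or '*'
    by: list[str]       # the <by> clauses, e.g. 'self write'


# Constructed sample: the olcAccess values from the quoted post, continuation
# lines joined. Index 3 is the one Howard says will never be seen.
SAMPLE_ACL = [
    "to attrs=userPassword by anonymous auth by self write by * none",
    "to attrs=shadowLastChange by self write by * none",
    "to * by self write by * read",
    "to dn.exact=cn=host1.example.com,ou=Hosts,dc=example,dc=com "
    "attrs=authorizedservice "
    "by dn.exact=cn=ssh,ou=host1,ou=server_access,ou=Groups,dc=example,dc=com compare "
    "by * read",
]


def parse_rule(index: int, text: str) -> AclRule:
    """Split one olcAccess value into its <what> clause and its <by> clauses."""
    # cn=config returns values with a "{n}" ordering prefix; drop it if present.
    text = re.sub(r"^\{\d+\}", "", text.strip())
    if not text.startswith("to "):
        raise ValueError(f"olcAccess {index}: expected 'to <what> by ...': {text!r}")
    # Assumption: the <what> clause never contains the bare word "by".
    parts = re.split(r"\s+by\s+", text[3:])
    what, by = parts[0].strip(), [p.strip() for p in parts[1:]]
    if not by:
        raise ValueError(f"olcAccess {index}: no 'by' clause")
    return AclRule(index, what, by)


def is_catch_all(rule: AclRule) -> bool:
    """True for the literal 'to *', which matches every entry and attribute.
    (Assumption: other spellings of a catch-all are not recognised here.)"""
    return rule.what == "*"


def unreachable_rules(rules: list[AclRule]) -> list[AclRule]:
    """Directives that follow the first catch-all are never evaluated."""
    for pos, rule in enumerate(rules):
        if is_catch_all(rule):
            return rules[pos + 1:]
    return []


def check_acl(values: list[str]) -> list[str]:
    """One finding per shadowed directive; an empty list means the order is sound."""
    rules = [parse_rule(i, v) for i, v in enumerate(values)]
    return [
        f"olcAccess {{{r.index}}} ('to {r.what}') comes after 'to *' "
        f"and will never be evaluated; move it above the catch-all"
        for r in unreachable_rules(rules)
    ]


def reorder_with_catch_all_last(values: list[str]) -> list[str]:
    """Keep the specific directives in their relative order, catch-alls at the end."""
    rules = [parse_rule(i, v) for i, v in enumerate(values)]
    specific = [values[r.index] for r in rules if not is_catch_all(r)]
    general = [values[r.index] for r in rules if is_catch_all(r)]
    return specific + general


if __name__ == "__main__":
    for finding in check_acl(SAMPLE_ACL):
        print(finding)
    print("\nSuggested order:")
    for i, v in enumerate(reorder_with_catch_all_last(SAMPLE_ACL)):
        print(f"olcAccess: {{{i}}}{v}")
```

Running the script on the sample prints one finding for the authorizedservice rule and a reordered list in which "to *" is last; run the same check over `ldapsearch -b olcDatabase={1}hdb,cn=config olcAccess` output before applying a modify, since slapd will accept the shadowed order silently.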