All, I didn't really get any answers from anyone except for some questions from people who had the same need. I did however, get it to work in the meantime and for their and other people's benefit will post this summary. I was able to restrict access to certain users on servers using LDAP authentication and netgroups. This was done by creating netgroups in the LDAP server and then modifying the /etc/nsswitch.conf file to accommidate these changes. The following LDIFs were used to create the netgroups in the LDAP server. dn: cn=sysadmins,ou=netgroup,dc=sample,dc=com changetype: add cn: sysadmins nisnetgrouptriple: (,jeremy,) nisnetgrouptriple: (,user2,) nisnetgrouptriple: (,user3,) nisnetgrouptriple: (,user4,) nisnetgrouptriple: (,user5,) objectclass: top objectclass: nisNetGroup dn: cn=sysadmin-netgroup,ou=netgroup,dc=sample,dc=com changetype: add cn: sysadmin-netgroup nisnetgrouptriple: (,sysadmins,sample.com) membernisnetgroup: sysadmins objectclass: top objectclass: nisNetGroup Once this was loaded into the LDAP server, one needs to use this sample /etc/nsswitch.conf file. # # /etc/nsswitch.ldap: # # An example file that could be copied over to /etc/nsswitch.conf; it # uses LDAP in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports. # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. passwd: compat files passwd_compat: ldap group: files ldap [TRYAGAIN=continue] # consult /etc "files" only if ldap is down. hosts: files dns ldap [TRYAGAIN=continue] ipnodes: files ldap [TRYAGAIN=continue] # Uncomment the following line and comment out the above to resolve # both IPv4 and IPv6 addresses from the ipnodes databases. Note that # IPv4 addresses are searched in all of the ipnodes databases before # searching the hosts databases. Before turning this option on, consult # the Network Administration Guide for more details on using IPv6. #ipnodes: ldap [NOTFOUND=return] files networks: ldap [TRYAGAIN=continue] files protocols: ldap [TRYAGAIN=continue] files rpc: ldap [TRYAGAIN=continue] files ethers: ldap [TRYAGAIN=continue] files netmasks: ldap [TRYAGAIN=continue] files bootparams: ldap [TRYAGAIN=continue] files publickey: ldap [TRYAGAIN=continue] files netgroup: ldap [TRYAGAIN=continue] automount: files ldap [TRYAGAIN=continue] aliases: files ldap [TRYAGAIN=continue] # for efficient getservbyname() avoid ldap services: files ldap [TRYAGAIN=continue] sendmailvars: files # role-based access control auth_attr: files ldap [TRYAGAIN=continue] exec_attr: files ldap [TRYAGAIN=continue] prof_attr: files ldap [TRYAGAIN=continue] user_attr: files ldap [TRYAGAIN=continue] # audit audit_user: files ldap [TRYAGAIN=continue] project: files ldap [TRYAGAIN=continue] END_OF_FILE_____________ Notice that the passwd entry does not have ldap in it, but compat files then passwd_compat: ldap underneath it. This causese the server to check the local files for netgroups and then check the LDAP server for info on those netgroups. Now you need to add the netgroups you want into the /etc/passwd and /etc/shadow files. Do this by editing the /etc/passwd file and add the netgroup to the end of the file. echo "+@sysadmin-netgroup" >> /etc/passwd then run pwconv to add it to /etc/shadow. That's it, now all the users defined in the sysadmin-netgroup netgroup are on the server and no other users. What's also nice is that the server is completely unaware of any other users in the ldap system. They don't exist. Hope that helps. Jeremy On Thu, 20 Dec 2001, Jeremy Przygode wrote: > All, > > I have just implemented iplanet's LDAP server to provide centralized > authentication services for a mainly Solaris only environment. It was > setup according to the Sun Blueprints "Solaris and LDAP Naming Services" book. > > I have the following question. > > How can I setup the LDAP server either through the use of netgroups or > LDAP ACIs to restrict ssh login access for some users but allow other > users. So I want to setup the following type of scenario. > > Create a webserver group and allow only web admins to log into them using > ssh. Then create a dbserver group and only allow dbas and sys admins to > login, but no normal users. This type of thing. > > I have scoured the Internet and can't find anything really relevant. I > know about netgroups, but they only seem to support rlogin etc not telnet > or ssh. Maybe I am mistaken. Any help would be greatly appreciated. > > TIA, > > Jeremy Przygode > _______________________________________________ > sunmanagers mailing list > sunmanagers@sunmanagers.org > http://www.sunmanagers.org/mailman/listinfo/sunmanagers > _______________________________________________ sunmanagers mailing list sunmanagers@sunmanagers.org http://www.sunmanagers.org/mailman/listinfo/sunmanagersReceived on Sun Dec 23 14:47:18 2001
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:42:31 EST