From: "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Organization: Freie Universität Berlin
To: freebsd-questions@freebsd.org
Date: Fri, 14 Nov 2008 12:32:57 +0000
Message-ID: <491D6FF9.20208@zedat.fu-berlin.de>
Subject: host based authentication with OpenLDAP and FreeBSD

Hello,

I have an OT question and maybe some of the FreeBSD server admins here can help me out. Our setup has several Linux and FreeBSD boxes; users are kept in OpenLDAP without any further service like Kerberos V etc.
The situation(s): We have locally and personally administered workstations where the local admin should decide whether a specific user can log in or not while these machines are still bound to LDAP. Also the centralized LDAP admin should be able to decide which users or groups of users can log in to which group of hosts; this is the case with our students' workstations, which should be accessible by every user belonging to the scientific staff and by students, too, but students must not log in to workstations of the science staff.

Having nss_ldap and pam_ldap installed on every single FreeBSD server/box which is capable of being accessed, I found in etc/ldap.conf the tags 'pam_filter' and 'pam_check_host_attr'. Setting the latter to 'yes' implies having the 'host' attribute in each user's object located in OpenLDAP's DIT for the specific domain. But objectClass=account seems to conflict with objectClass=organizationalPeople, which is a must in our configuration, so the host attribute is not of any further investigation.

I tried to put users like 'students' in a special object of objectClass=groupOfNames, put that object along with the ordinary users in the ou=users object, and tried to use pam_filter (&(objecClass=posixAccount)(objectClass=groupOfNames) ...) to find ANDed matches of a user existing in the DIT AND existing in a special groupOfNames object for a special set of hosts, and name this object like this:

    dn: cn=logonGrpCASSINI,ou=users,dc=foo
    cn: logonGrpCASSINI
    objectClass: groupOfNames
    objectClass: top
    member: uid=...
    member: uid=...

Well, I never had success with pam_filter due to my lack of knowledge of how to filter and how LDAP looks up attributes, but far more important is: does this work in principle? The big question at this moment is whether it is possible to 'group' login authentications/permissions via LDAP without the host attribute and simply perform a separation via the standard tools nss_ldap/pam_ldap/OpenLDAP as given.
Are there other techniques usable with FreeBSD and OpenLDAP? Well, I'm a little bit desperate at the moment; if someone has hints of further readings on that subject, any hint or tip is welcome.

Regards,
Oliver
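An added illustration of the decision points the post is asking about; it is not part of Oliver's message and not code from pam_ldap or OpenLDAP. The in-memory directory, the user names, the hostnames and the group are constructed sample data. The lookup order and the host and group checks are simplified emulations of what pam_ldap's pam_filter, pam_check_host_attr and pam_groupdn/pam_member_attribute settings do, and the filter evaluator covers only the subset of search-filter syntax needed here; both are assumptions of this example, not a description of the real module's code.

```python
"""Simulation of pam_ldap-style login decisions against a tiny in-memory DIT.

Constructed stand-in for OpenLDAP: no schema checking, no network.
Attribute names are stored lower-case; values are lists, as in LDAP.
"""

# Constructed sample directory. The 'host' values are plain data here; the
# schema conflict with objectClass=account mentioned in the post is not modelled.
DIRECTORY = [
    {"dn": "uid=alice,ou=users,dc=foo",
     "objectclass": ["top", "posixAccount", "organizationalPerson"],
     "uid": ["alice"], "host": ["cassini", "telesto"]},        # staff
    {"dn": "uid=bob,ou=users,dc=foo",
     "objectclass": ["top", "posixAccount", "organizationalPerson"],
     "uid": ["bob"], "host": ["cassini"]},                     # student
    {"dn": "uid=carol,ou=users,dc=foo",
     "objectclass": ["top", "posixAccount", "organizationalPerson"],
     "uid": ["carol"], "host": ["*"]},                         # may log in anywhere
    {"dn": "cn=logonGrpCASSINI,ou=users,dc=foo",
     "objectclass": ["top", "groupOfNames"], "cn": ["logonGrpCASSINI"],
     "member": ["uid=alice,ou=users,dc=foo", "uid=bob,ou=users,dc=foo"]},
]


def parse_filter(s, i=0):
    """Parse the subset of RFC 4515 filters used here: (&..), (|..), (!..), (attr=value)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1            # skip the closing ')'
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        return ("!", [child]), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", (attr.strip().lower(), value.strip())), j + 1


def matches(entry, node):
    """Evaluate a parsed filter against ONE entry; filters never join two entries."""
    kind, payload = node
    if kind == "&":
        return all(matches(entry, c) for c in payload)
    if kind == "|":
        return any(matches(entry, c) for c in payload)
    if kind == "!":
        return not matches(entry, payload[0])
    attr, value = payload
    values = entry.get(attr, [])
    if value == "*":                            # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_str, base="ou=users,dc=foo"):
    """Return the entries under base that satisfy the filter."""
    node, _ = parse_filter(filter_str)
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base.lower()) and matches(e, node)]


def pam_ldap_user_lookup(uid, pam_filter=None):
    """Emulated account lookup: (uid=<login>) with pam_filter ANDed onto it, so
    pam_filter can only test attributes of the user's own entry."""
    f = "(uid=%s)" % uid
    if pam_filter:
        f = "(&%s%s)" % (f, pam_filter)
    return search(f)


def host_attr_allows(entry, hostname):
    """Emulated pam_check_host_attr: permit when the user's host attribute holds
    the local hostname or the literal '*' (assumed matching rule)."""
    return any(h == "*" or h.lower() == hostname.lower() for h in entry.get("host", []))


def group_allows(user_dn, group_dn, member_attr="member"):
    """Emulated pam_groupdn/pam_member_attribute check: the user's DN must be
    listed in the group entry, which is a second lookup, not a filter on the user."""
    for e in DIRECTORY:
        if e["dn"].lower() == group_dn.lower():
            return any(m.lower() == user_dn.lower() for m in e.get(member_attr, []))
    return False


def login_allowed(uid, hostname, pam_filter=None, check_host_attr=False, group_dn=None):
    """Assumed order of checks: account lookup, then host attribute, then group."""
    users = pam_ldap_user_lookup(uid, pam_filter)
    if len(users) != 1:
        return False                            # unknown, or excluded by pam_filter
    user = users[0]
    if check_host_attr and not host_attr_allows(user, hostname):
        return False
    if group_dn and not group_allows(user["dn"], group_dn):
        return False
    return True


if __name__ == "__main__":
    grp = "cn=logonGrpCASSINI,ou=users,dc=foo"
    anded = "(&(objectClass=posixAccount)(objectClass=groupOfNames))"
    print("entries matching the ANDed objectClass filter:", [e["dn"] for e in search(anded)])
    for who in ("alice", "bob", "carol"):
        print(who, "on cassini via group:", login_allowed(who, "cassini", group_dn=grp),
              "| on telesto via host attr:", login_allowed(who, "telesto", check_host_attr=True))
```

What the simulation makes visible is why the pam_filter attempt in the post cannot succeed as written: a search filter is evaluated against one entry at a time, so ANDing objectClass=posixAccount with objectClass=groupOfNames matches nothing unless a single entry carries both classes, and the user lookup then fails for everyone. Restricting logins per host therefore needs either a value on the user entry itself (the host attribute route) or a separate membership lookup against a per-host group entry, which is what the group_allows step stands in for; in either design the authoritative data lives in the directory, and a host that is not listed denies by default.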