[CentOS] CentOS and Redhat Directory Server

Thu Jul 2 12:44:11 UTC 2009
Kwan Lowe <kwan.lowe at gmail.com>

On Mon, Jun 29, 2009 at 11:29 AM, Giovanni Torres <torresgi at ninds.nih.gov> wrote:

> I have implemented LDAP on CentOS successfully using Redhat's Directory
> Server and the great how-to on the CentOS wiki.
>
> Being new to LDAP, I have a question and maybe one of you guys can point
> me in the right direction:  I have LDAP implemented on the network for
> logins to the workstation pcs.  I also have an apache website that I now
> use LDAP for authentication.  What I want, however, is to be able to
> allow a group of users to authenticate to the apache website, but not be
> able to login to any of the systems directly nor via ssh.
>
> Any suggestions or pointers in the right direction on where to read up
> on how to accomplish this specific task would be much appreciated.
>

I made some notes here:
https://sites.google.com/site/disciplinux/linux/centralized-authentication

In short, you add a couple entries to the schema that give host-based
access control.

Create Host Based access
    Add the 61ldapns.ldif file to /etc/dirsrv/instancename/schema

Grab the above ldif from the link.  Then, on the apache servers:

    edit /etc/ldap.conf and enable pam_check_host_attr

Then in the dirsrv manager:
    From the Account Listing
    Select Field in ObjectClass
    Add Value
    Select HostObject
    Select Add Attribute
    Select Host
    Enter first host
    Select Host
    Enter Add Value
    Enter second host
    Continue for all hosts

I haven't had a chance to detail the notes, but those two entries for hosts
and service control allow me to specify what services a user can use and on
which servers. So I could, for example, allow a user to use only ssh or only
ftp on a particular host.
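
Added example, not part of the original message: the dirsrv console steps above (add HostObject, then one Host value per machine) written as an LDIF change record that a script can generate. The function name host_acl_ldif, the sample DN and the host names are constructed for illustration.

```shell
#!/bin/sh
# Emit an LDIF change record that adds the hostObject class and one "host"
# value per machine to a single account, for use with pam_check_host_attr.
# Usage: host_acl_ldif USER_DN HOST [HOST...]
host_acl_ldif() {
    if [ "$#" -lt 2 ]; then
        echo "usage: host_acl_ldif USER_DN HOST [HOST...]" >&2
        return 2
    fi
    dn=$1; shift
    nl='
'
    # An empty DN or one containing a newline would corrupt the record.
    case $dn in
        ''|*"$nl"*) echo "invalid DN" >&2; return 1 ;;
    esac
    # Accept only plain host names so no value can inject extra LDIF lines.
    for h in "$@"; do
        case $h in
            ''|*[!A-Za-z0-9.-]*) echo "invalid host name: $h" >&2; return 1 ;;
        esac
    done
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'add: objectClass\n'
    printf 'objectClass: hostObject\n'
    printf '%s\n' '-'
    printf 'add: host\n'
    for h in "$@"; do
        printf 'host: %s\n' "$h"
    done
}

# Constructed usage (DN, host names and server URL are placeholders):
#   host_acl_ldif 'uid=jdoe,ou=People,dc=example,dc=com' \
#       www1.example.com www2.example.com |
#       ldapmodify -x -H ldap://ldap.example.com -D 'cn=Directory Manager' -W
#
# On each machine that should enforce the check, /etc/ldap.conf carries:
#   pam_check_host_attr yes
```

If the account already has the hostObject class, the "add: objectClass" part fails with "Type or value exists"; in that case send only the "add: host" part.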