Re: schema for NSS LDAP with not all accounts active

To: debian-isp@lists.debian.org
Subject: Re: schema for NSS LDAP with not all accounts active
From: Alexander Reelsen <ar@rhwd.net>
Date: Thu, 29 Mar 2001 14:33:23 +0200
Message-id: <[🔎] 20010329143323.A5609@joker.rhwd.owl.de>
Mail-followup-to: debian-isp@lists.debian.org
In-reply-to: <[🔎] 01032922194401.00685@lyta>; from russell@coker.com.au on Thu, Mar 29, 2001 at 10:19:44PM +1000
References: <[🔎] 01032910033900.00685@lyta> <20010329100830.A2549@joker.rhwd.owl.de> <[🔎] 01032922194401.00685@lyta>

Hi

On Thu, Mar 29, 2001 at 10:19:44PM +1000, Russell Coker wrote:
> On Thursday 29 March 2001 18:08, Alexander Reelsen wrote:
> > On Thu, Mar 29, 2001 at 10:03:39AM +1000, Russell Coker wrote:
> > > So the question is, what attribute should I use?
> > This is the minor question IMHO.
> Not so minor if you want to avoid having your schema break other software you 
> may want to run in future...
Yeah, of course. Having a clean LDAP tree and schema is mandatory.

> > > Another question is, does anyone have any other suggestions for doing
> > > such things?
> > I would like to do this as well. If you authenticate using PAM and wnat to
> > exclude users from using ftpd and ssh, but still give them pop3/imap
> > accounts it would be nice to have such a thing without using pam_listfile.
> > I think the easiest way would be to patch pam_ldap to support some sort of
> > query arg in the /etc/pam.d/service file. Like 'query="popd=allowed"' or
> > similar.
> Why not just make the shell /bin/false for when you want to stop ftp and ssh, 
> and make the shell /bin/true (and put /bin/true in /etc/shells) to allow ftp 
> but not ssh?  This is the traditional method of doing such things and it 
> still works...
That's not clean. And what you do with FTP and IMAP/POP? You don't need to
have a shell for both, but you want to allow only one of those. Of course,
yeah, I could have access lists for each of that service not stored in the
LDAP tree, but looking up always elsewhere is quite a hassle.
Or am I the only one who wants such a feature? That would amaze me...

If there is the possibility to store and lookup some sort of "per-service"
accesslist in the LDAP tree I would prefer that solution compared to the
"hey, let's check what shell the user has" one.


> I've replied to the list because I don't believe you wanted this discussion 
> to be private and I think others on the list will benefit.
No problem. Accidentally hit r instead of "l".


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://joker.rhwd.de
ref@linux.com       GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
ar@rhwd.net         7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
Securing Debian:    http://joker.rhwd.de/doc/Securing-Debian-HOWTO

Reply to:

Follow-Ups:
- Re: schema for NSS LDAP with not all accounts active
  - From: Russell Coker <russell@coker.com.au>

References:
- schema for NSS LDAP with not all accounts active
  - From: Russell Coker <russell@coker.com.au>
- Re: schema for NSS LDAP with not all accounts active
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: schema for NSS LDAP with not all accounts active
Next by Date: Debian 2.2r2
Previous by thread: Re: schema for NSS LDAP with not all accounts active
Next by thread: Re: schema for NSS LDAP with not all accounts active
Index(es):
- Date
- Thread