On Dec 12, 2011, at 5:42 PM, Wolf Noble wrote:

> Hi Peter,
>
> we used a different method here for linux hosts.
> We put the groups we want to grant access to in /etc/security/access.conf ;
> ala:
>
> [root@---]# egrep -v ^# /etc/security/access.conf
>
> - : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL
>
> and then just add users to the group which permits access to the machines in
> question via ldap.
>
> [root@---]# id wnoble
> uid=9999(wnoble) gid=9999(pci_sysadmin)
> groups=77(puppet),9999(pci_sysadmin),9998(sysadmin)
>
> that was the cleanest way I found to do it, but ymmv

----

I think the cleanest way to do it is to use 'pam_check_host_attr yes' in /etc/ldap.conf and then you would have to configure each user's attributes for each host that you would allow him/her to access. That surely beats maintaining the access.conf on each machine - as in, why would you maintain users/groups in LDAP but manage access on each machine?
Craig
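An added example, not from either poster: a simplified Python model of how pam_access evaluates the access.conf rule quoted above, showing that the login decision depends entirely on the group membership resolved through LDAP. The function names and the user `jdoe` used to exercise it are constructed; netgroups, `(group)` syntax and origins other than ALL are not modelled.

```python
# Simplified model of pam_access rule evaluation:
# each rule is "permission : users : origins", the first matching rule
# decides, and a login that matches no rule is allowed.
# Not modelled: netgroups, "(group)" syntax, user@host, non-ALL origins.

RULE = "- : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL"  # from the post


def parse_rules(text):
    """Return (permission, user_tokens, origin_tokens) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # same lines the egrep -v ^# in the post filters out
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {perm!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules


def list_match(tokens, names):
    """Match a token list, with optional (nested) EXCEPT, against names."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        head, tail = tokens[:cut], tokens[cut + 1:]
    else:
        head, tail = tokens, []
    hit = any(tok == "ALL" or tok in names for tok in head)
    # A match before EXCEPT only counts if the part after it does not match.
    return hit and not list_match(tail, names)


def access_allowed(rules, user, groups, origin="tty1"):
    """First matching rule wins; the default is allow when nothing matches."""
    names = {user, *groups}  # a token may name the user or one of their groups
    for perm, users, origins in rules:
        if list_match(users, names) and list_match(origins, {origin}):
            return perm == "+"
    return True
```

Because the only rule is a deny with an EXCEPT list, removing a user from `pci_sysadmin` in LDAP revokes access on every host carrying this file, while membership in `sysadmin` alone grants nothing.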