On Tue, Dec 13, 2011 at 09:58:06AM -0700, Craig White wrote:
>
> On Dec 12, 2011, at 5:42 PM, Wolf Noble wrote:
>
> > Hi Peter,
> >
> > we used a different method here for linux hosts.
> > We put the groups we want to grant access to in /etc/security/access.conf ;
> > ala:

We use puppet to template /etc/nslcd.conf (from nss-pam-ldapd) with the ldap filter which describes the groups associated with the machine.

> > [root@---]# egrep -v ^# /etc/security/access.conf
> >
> > - : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL
> >
> > and then just add users to the group which permits access to the machines
> > in question via ldap.
> >
> > [root@---]# id wnoble
> > uid=9999(wnoble) gid=9999(pci_sysadmin)
> > groups=77(puppet),9999(pci_sysadmin),9998(sysadmin)
> >
> > that was the cleanest way I found to do it, but ymmv
> ----
> I think the cleanest way to do it is to use 'pam_check_host_attr yes' in
> /etc/ldap.conf and then you would have to configure each user's attributes
> for each host that you would allow him/her to access. That surely beats
> maintaining the access.conf on each machine - as in, why would you maintain
> users/groups in LDAP but manage access on each machine?
>
> Craig
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
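
The access.conf rule quoted in the thread, worked through as an added example that is not part of any of the posts: a simplified Python model of how pam_access evaluates it. It assumes bare tokens in the users field match a user name or a group name and that origins are compared literally; the user jdoe and the origin address are constructed.

```python
# Simplified model of pam_access rule evaluation (added example, not pam_access itself).
# Assumptions: bare tokens in the users field match a user name or a group name,
# the first matching rule decides, and no matching rule means the login is allowed.

def _list_match(tokens, candidates):
    """Match candidates against a token list, honouring 'ALL' and 'EXCEPT'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, None
    hit = any(t == "ALL" or t in candidates for t in head)
    if hit and tail is not None:
        # A match before EXCEPT only counts if the exception list does not match.
        return not _list_match(tail, candidates)
    return hit


def parse_access_conf(text):
    """Return (permission, user_tokens, origin_tokens) for each rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def login_allowed(rules, user, groups, origin):
    """First rule whose users and origins fields both match decides."""
    identities = {user, *groups}
    for perm, users, origins in rules:
        if _list_match(users, identities) and _list_match(origins, {origin}):
            return perm == "+"
    return True  # pam_access grants access when no rule matches


# The rule quoted in the thread; accounts and origin below are constructed.
ACCESS_CONF = "- : ALL EXCEPT root admin pci_sysadmin pci_devadmin : ALL\n"
RULES = parse_access_conf(ACCESS_CONF)

if __name__ == "__main__":
    print(login_allowed(RULES, "wnoble", ["puppet", "pci_sysadmin", "sysadmin"], "10.0.0.5"))
    print(login_allowed(RULES, "jdoe", ["sysadmin"], "10.0.0.5"))
```

Because an unmatched login falls through to "allowed", a file that is empty or fails to deploy permits everyone, which is worth checking for when the file is managed per machine.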