Control user access to servers using LDAP
Operating System - HP-UX
12-16-2009 07:08 AM
We have a hundred servers which are grouped by some kind of function. Some users are allowed to log onto servers in group A but not group B while other users are allowed to log onto servers in group B but not group A. (This is a simplified scenario for discussion. In reality, we have many such groups).
Currently we are using DCE for authentication and want to move to LDAP, but I can not find any documentation that explains how to set up LDAP to allow this functionality. How do other companies do this?
We are running a mix of HP-UX v1, v2 and v3 servers in our environment.
Thanks in advance,
jls
12-17-2009 05:43 AM
Solution
The "compat" mode can do what you're looking for, in conjunction with netgroups.
/etc/nsswitch.conf
---
passwd: compat
passwd_compat: ldap
---
This means that any "+" entries in the local passwd file will be referenced out to LDAP.
So here's what you do:
First, set the users who are to be restricted to have a default shell of /dev/null.
This means that they will not be able to log in to any machine in the LDAP domain, by default.
Then, set up netgroups in LDAP:
netgroups:
---
groupA (,u1,) (,u2,) (server1A,,) (server2A,,)
groupB (,u3,) (,u4,) (server1B,,) (server2B,,)
---
passwd on groupA hosts:
---
+@groupA::::::/bin/csh
---
passwd on groupB hosts:
---
+@groupB::::::/bin/csh
---
These +@ entries, coupled with the "compat" mode in nsswitch.conf, will override the default /dev/null shell for the users in the specified groups, allowing them to log into the machine in question.
If you name your netgroups so that they can be recognized by a regular expression, you can use a cron job to maintain these +@ entries in the local passwd file.
The script would compare the access-restriction netgroups with the list of +@ entries in the passwd. That is, if the host sees its own hostname as a member of an access-restriction netgroup, it would add the +@ entry if it's not already there. If it sees a +@ netgroup entry for which its hostname is not a member, it would remove it from the passwd file.
If you don't want to block access to ALL machines for the users in question, you'd need to add a shell override line for everyone except authorized users and netgroups:
/etc/passwd
---
+@groupA::::::
+@sysadmins::::::
+::::::/dev/null
---
This would mean that only members of groupA and the sysadmins netgroups would be allowed to log in to this particular machine, and everyone else would be blocked, while any machine configured normally would also be accessible to the groupA users.
I developed this technique while my prior employer was selling off business lines ahead of its impending bankruptcy (little did we know), to allow users attached to the purchaser to access only the machines they'd purchased until we could peel them off the network and hand them off to the purchaser's sysadmins.
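The cron-driven reconciliation described in the answer above, written out as an added example (this is not mvpel's script and not part of the original post). It assumes, beyond what the post states, that the access-restriction netgroups share a recognisable name prefix (`acc_`, matched by the regex `^acc_`), that the netgroup data has already been dumped from LDAP into a file in `/etc/netgroup` triple syntax, and that the `reconcile` function is handed the passwd file to edit plus the host's own name. The sample netgroup and passwd contents in `demo` are constructed for illustration. It also inserts missing `+@` lines before any `+:` catch-all line rather than appending them, because in compat mode the first matching `+` entry wins and an entry placed after `+::::::/dev/null` would never be reached.

```shell
#!/bin/sh
# Added example, not code from the forum post: keep the +@netgroup entries in a
# passwd file in step with the access-restriction netgroups this host belongs to.
# Assumptions (not in the post): access-restriction netgroups are named acc_*,
# netgroup data comes from a file in /etc/netgroup triple syntax (dump it from
# LDAP first in real use), and continuation lines ("\") are not used.
ACCESS_RE='^acc_'

# reconcile NETGROUP_FILE PASSWD_FILE HOSTNAME SHELL
# Drops +@ entries for access-restriction netgroups this host is not in, adds
# the ones it is in but are missing, and leaves other +@ entries (e.g.
# +@sysadmins) and the +::::::/dev/null catch-all untouched.
reconcile() {
    ng=$1; pw=$2; host=$3; shell=$4
    # Access-restriction netgroups that list this host in a (host,,) triple,
    # in file order so the lines we add come out in a deterministic order.
    wanted=$(awk -v h="$host" -v re="$ACCESS_RE" '
        $1 ~ re {
            member = 0
            for (i = 2; i <= NF; i++) {
                t = $i; gsub(/[()]/, "", t); split(t, f, ",")
                if (f[1] == h) member = 1
            }
            if (member) print $1
        }' "$ng" | tr '\n' ' ')
    tmp="$pw.tmp.$$"
    # The passwd file is read twice: pass 1 records which +@ entries exist,
    # pass 2 rewrites it, inserting missing entries ahead of the catch-all.
    awk -v re="$ACCESS_RE" -v shell="$shell" -v wanted="$wanted" '
        function name_of(line,  f) { split(line, f, ":"); return substr(f[1], 3) }
        function flush(  i) {
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) print "+@" w[i] "::::::" shell
        }
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        FNR == NR { if ($0 ~ /^[+]@/) seen[name_of($0)] = 1; next }
        /^[+]@/ && name_of($0) ~ re && !(name_of($0) in want) { next }
        /^[+]:/ && !done { flush(); done = 1 }
        { print }
        END { if (!done) flush() }
    ' "$pw" "$pw" > "$tmp" && mv "$tmp" "$pw"
}

# Constructed sample run for host server1A; prints the reconciled passwd file.
# Expected result: +@acc_groupB is removed, +@sysadmins is kept, and
# +@acc_groupA is inserted before the +::::::/dev/null catch-all.
demo() {
    d=${TMPDIR:-/tmp}/ngdemo.$$
    mkdir "$d"
    cat > "$d/netgroup" <<'EOF'
acc_groupA (,u1,) (,u2,) (server1A,,) (server2A,,)
acc_groupB (,u3,) (,u4,) (server1B,,) (server2B,,)
sysadmins (,root,) (,ops,)
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:3::/:/sbin/sh
+@acc_groupB::::::/bin/csh
+@sysadmins::::::/bin/csh
+::::::/dev/null
EOF
    reconcile "$d/netgroup" "$d/passwd" server1A /bin/csh
    cat "$d/passwd"
    rm -r "$d"
}

# In a cron job the call would be along the lines of:
#   reconcile /var/tmp/netgroup.dump /etc/passwd "$(hostname)" /bin/csh
# after dumping the netgroup map from LDAP into /var/tmp/netgroup.dump.
```

Run `demo` to see the before/after on the constructed data; in production, work on a copy of `/etc/passwd` and diff it against the live file before moving it into place, since a malformed rewrite locks everyone out of the host.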
12-18-2009 06:44 AM
Re: Control user access to servers using LDAP
Thank you mvpel. This looks like a way of doing what I need.
© Copyright 2024 Hewlett Packard Enterprise Development LP