[Infrastructures] authentication of groups of users

Joel Huddleston joelh@cyberzod.com
Mon, 2 May 2005 10:11:17 -0600 (MDT)


> Hello,
>
> How does one easily setup systems that allow only some people to
> login?
>
> E.g. on the main servers only a couple of people are allowed to
> login.
>
> When using NIS (as a directory server and authentication server) this
> can be accomplished by adding the relevant + and - entries in the passwd
> file and using NIS domains (however keeping all in one NIS domain is
> preferable).
>
> But what with using LDAP as directory server and authentication
> server? What can you do to accomplish the same effect?

LDAP (and even Hesiod and NIS+) is a hierarchical system, that is, tree
structured. It is possible to store your users into structural groups and
select which hosts use which groups in order to limit access. It is my
experience that the vast majority of organizations don't do this. The way
you select in LDAP is to put the "most privileged" users out towards the
leaves of your structure. LDAP automatically searches out the tree when
finding account information. You restrict access by use of the search base
mechanism. OReilly sells an OpenLDAP book. You should read that before
trying to set this up. The magic is to create Organizational Units
(OU=...) and contain your user accounts in them. The DNs would look
something like:

cn=engradmin,ou=Engr Admins,ou=Engineering,ou=People,dc=example,dc=com

cn=engruser,ou=Engineering,ou=People,dc=example,dc=com

cn=joeuser,ou=People,dc=example,dc=com

Systems that belong to Engineering would have a BASE of:
    ou=Engineering,ou=People,dc=example,dc=com
while engineering systems with special restrictions would have a BASE:
    ou=Engr Admins,ou=Engineering,ou=People,dc=example,dc=com
General purpose systems would have a BASE:
    ou=People,dc=example,dc=com

joeuser can only log in to the last of these, while engruser can use any
general purpose system, and any engineering system except the "special
restrictions" systems that use the longer BASE.

I may have this slightly off, but I am pretty sure this is how it works.
Get the book and learn the full truth.

I think that Hesiod uses a different approach to organization, more
privileged users go towards the trunk of the tree. It has been more than a
decade since I set that up, so I may be misremembering.


> And what with Kerberos (and a directory server of your choice)?
>
> What are some ways to do this?

Since Kerberos is just an authentication system, you can copy the user
account information into local /etc/passwd files for highly restricted
systems. Just use Kerberos to identify them at login. /etc/passwd and
/etc/shadow would NOT contain password hashes in this case.

-- 
Joel Huddleston
OK, Joke's over. Bring back the constitution.
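The search-base scheme in the reply above, worked through as an added example (not code from the original message or from any OpenLDAP documentation): a small Python model of which directory entries an LDAP client can resolve when its BASE is set per host class. The DNs are the ones from the message; the host-class names, the `scope` handling and the `login_matrix` helper are assumptions of this example. It also covers a point the message does not spell out: with the usual subtree scope, a BASE of ou=Engineering also matches entries further down the tree, so engradmin can log in on ordinary engineering systems as well as on the restricted ones; only a narrower BASE (or one-level scope) excludes entries from deeper OUs.

```python
"""Model of per-host LDAP search-base restriction (constructed example).

A host's LDAP client only ever finds accounts below the BASE it is
configured with, so the BASE acts as the login filter for that host.
"""

# Constructed directory: the three user DNs from the mailing-list reply.
DIRECTORY = [
    "cn=engradmin,ou=Engr Admins,ou=Engineering,ou=People,dc=example,dc=com",
    "cn=engruser,ou=Engineering,ou=People,dc=example,dc=com",
    "cn=joeuser,ou=People,dc=example,dc=com",
]

# Constructed host classes -> the BASE each class's LDAP client uses.
HOST_BASES = {
    "general": "ou=People,dc=example,dc=com",
    "engineering": "ou=Engineering,ou=People,dc=example,dc=com",
    "engr-restricted": "ou=Engr Admins,ou=Engineering,ou=People,dc=example,dc=com",
}


def normalize_rdn(rdn):
    """Lower-case attribute type and value: cn/ou match case-insensitively in LDAP."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())


def split_dn(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns]


def in_scope(dn, base, scope="sub"):
    """True if a search rooted at `base` with the given scope would return `dn`.

    scope: "base" (the base entry only), "one" (direct children only),
           "sub" (the base and everything beneath it; the common default).
    """
    d, b = split_dn(dn), split_dn(base)
    # The base must be a suffix of the DN, compared RDN by RDN.
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


def who_can_login(host_class, scope="sub"):
    """Sorted list of account names a host of this class can resolve, hence admit."""
    base = HOST_BASES[host_class]
    return sorted(split_dn(dn)[0][1] for dn in DIRECTORY if in_scope(dn, base, scope))


def login_matrix(scope="sub"):
    """Host class -> admitted accounts, for every configured host class."""
    return {host: who_can_login(host, scope) for host in HOST_BASES}


if __name__ == "__main__":
    for scope in ("sub", "one"):
        print("scope=%s" % scope)
        for host, users in login_matrix(scope).items():
            print("  %-16s %s" % (host, ", ".join(users)))
```

Run as a script it prints the login matrix for both scopes: with subtree scope the restricted BASE admits only engradmin, the engineering BASE admits engradmin and engruser, and the general BASE admits all three. Note that this restricts which entries a host can look up, not what the server will hand out; server-side access controls on the directory remain the place to enforce who may read which subtree.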