I'm setting up a couple of Linux servers (with ssh, apache, gitolite), but I want centralized user management. So far I've set up LDAP directory support, which works great. But here's the catch: I want a certain user U to have different access to server A than to server B. Let's say I want user U to have access specifications like this:
– server A: access to home folder only
– server B: access to home folder and /mnt/ folder
– server C: on this server the user U is root user
I also want to be able to quickly change the permissions: revert/grant user permissions, like granting user U to change everything in /mnt.
So the main question is: what should I look into (Kerberos, RADIUS, …?) that supports different access regulations (permissions) on different servers?
Thanks
Best Answer
A simple but useful login restriction mechanism is available in most distros under /etc/security/access.conf to define access rules for 'user A is allowed to log in to hosts A, B and C but not D' type configurations. You can specify by group, by user, from hosts, from subnet, etc.
As others have mentioned, you can control the deployment of such changes with a tool like cfengine or puppet.
And also as others have mentioned, you can use 'sudo' (configured via /etc/sudoers) to control root-like access to specific binaries from accounts or groups in LDAP. It's quite flexible. man sudo / man sudoers
And one more time as others have mentioned, you can use POSIX ACLs if classic user/group/other rwx permissions are insufficient to control access to filesystem objects by group or by user.
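As an added example (not code from the answer above or from any of the tools it names), the script below renders the per-server policy from the question into the three mechanisms the answer lists: a pam_access rule for /etc/security/access.conf, a sudoers line, and setfacl commands for a POSIX ACL. The user name "uexample", the hosts serverA/serverB/serverC and the policy table are all hypothetical; the functions only print the fragments, so you can review them before a tool like puppet or cfengine pushes them out.

```shell
#!/bin/sh
# Added example, not code from the original answer: renders one per-server
# policy table into the three mechanisms the answer names (pam_access rules,
# a sudoers line, setfacl commands). User "uexample" and hosts serverA/B/C
# are hypothetical; the table below is constructed sample data.

USER_NAME=uexample

# Columns: host  login-allowed  directory-granted-rwx  root-via-sudo
POLICY='
serverA yes -    no
serverB yes /mnt no
serverC yes -    yes
'

# Return column $2 of the policy row for host $1 (empty if the host is unknown)
policy_field() {
  echo "$POLICY" | awk -v h="$1" -v c="$2" '$1 == h { print $c }'
}

# /etc/security/access.conf line: permission:users:origins. Unknown hosts fall
# through to an explicit deny, so a typo in the table never grants access.
access_conf_for() {
  if [ "$(policy_field "$1" 2)" = yes ]; then
    printf '%s:%s:ALL\n' + "$USER_NAME"
  else
    printf '%s:%s:ALL\n' - "$USER_NAME"
  fi
}

# sudoers line (for /etc/sudoers.d/ or visudo) giving full root only where
# the table says so; prints nothing otherwise
sudoers_for() {
  if [ "$(policy_field "$1" 4)" = yes ]; then
    printf '%s ALL=(ALL) ALL\n' "$USER_NAME"
  fi
}

# setfacl commands granting rwx on the listed directory plus a default ACL so
# files created there inherit it; prints nothing when the column is "-"
acl_cmds_for() {
  dir=$(policy_field "$1" 3)
  if [ -n "$dir" ] && [ "$dir" != - ]; then
    printf 'setfacl -m u:%s:rwx %s\n' "$USER_NAME" "$dir"
    printf 'setfacl -d -m u:%s:rwx %s\n' "$USER_NAME" "$dir"
  fi
}

# Everything one host needs, ready to be pushed by a config-management tool
render_host() {
  echo "# ---- $1 ----"
  echo "# access.conf:"; access_conf_for "$1"
  echo "# sudoers:";     sudoers_for "$1"
  echo "# acl:";         acl_cmds_for "$1"
}

for h in serverA serverB serverC; do
  render_host "$h"
done
```

Revoking a grant is then a one-column edit in the table followed by a re-render: the access.conf line flips from "+" to "-", the sudoers line disappears, and the ACL commands stop being emitted (pair them with `setfacl -x u:uexample DIR` in your deployment step if you want the old ACL entry removed as well). Keep pam_access enabled in the relevant PAM stack (usually via `pam_access.so` in the sshd or system-auth configuration) for the access.conf rules to take effect.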