Re: Users from /etc/passwd, passwords from LDAP?
Would be nice to use pam_filter, but a `grep -i pam_filter *' in the
latest nss_ldap_140 does not reveal that it is used.
Using pam_filter would ensure that a user cannot log on to the machine,
but nss_ldap would still consider the user to be local if a getpwent()
is made. That means, that for example, sendmail would consider the user
to be local. I'd prefer if the user doesn't show up at all, if she isn't
destined for this machine...
-JP
On 30 Jan 2001, Turbo Fredriksson wrote:
> Quoting "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>:
>
> > This is likely a FAQ on the nss_ldap@padl.com mailing list.
> > (likely nss_ldap takes as a parameter a search filter).
>
> The theory (I haven't bothered to try yet) is to utilise the 'pam_filter'
> in '/etc/pam_ldap.conf'...
>
> In theory you can have an object 'loginhost' or the like. That is, you want
> user 'xyz' to be able to login to host 'athena' and 'barrabas':
>
> dn: uid=xyz,...
> loginHost: athena
> loginHost: barrabas
>
> And on host 'athena' you would enter in /etc/pam_ldap.conf:
>
> pam_filter loginHost=athena
>
> And on 'barrabas':
>
> pam_filter loginHost=barrabas
>
>
> As said, this is theory (which I picked up here a couple of months ago). You
> will have to make your own objectClass to use this 'loginhost' though...
>
> > At 03:40 PM 1/29/01 -0800, Jeffrey W. Baker wrote:
> > >I wonder if it is possible to have the setup that I desire. I have some
> > >Linux and Solaris machines, nss_ldap from padl.com, and OpenLDAP 2.0. I
> > >wish to have all of my user information in the LDAP directory, which I
> > >have already done. I also want my users to be authenticated against the
> > >userPassword in LDAP, which I have also already done.
> > >
> > >The part that I find tricky is that I don't want every user in LDAP to be
> > >able to login to every machine. Let's say I have 500 users, and only 10
> > >of them should be logging in to a particular box. But I still want the
> > >usernames, passwords, and groups coming from LDAP.
> > >
> > >I would love to hear about an example of someone having already done this.
> > >
> > >Regards,
> > >Jeffrey Baker
>
> --
> Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
> ^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
> / / | | '_ \| | | \ \/ / Debian Certified Linux Developer
> _ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
> \\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
>
>
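As an added example that is not part of this thread (and not pam_ldap or nss_ldap code): the per-host filter idea above, modelled in memory so the selection logic can be checked. pam_ldap ANDs pam_filter with the uid lookup, so the effective authorization search is `(&(uid=<user>)(<pam_filter>))`; a plain NSS enumeration (getpwent) has no such filter and returns every posixAccount, which is the gap JP points out. The `loginHost` attribute and the `loginHostUser` objectClass are the thread's hypothetical schema, the three entries are constructed, and the filter parser covers only the subset of RFC 4515 syntax used here (equality, presence, AND/OR/NOT, no escapes or substrings).

```python
"""Model of pam_filter / NSS enumeration against constructed LDAP entries.

Added example for the loginHost discussion; not code from pam_ldap, nss_ldap
or any poster.  Attribute names are stored lowercased, as LDAP attribute
names are case-insensitive; values are compared case-insensitively too,
which is what a caseIgnoreMatch attribute such as a hypothetical loginHost
would do.
"""

# Constructed directory, shaped like the LDIF in the thread.  The
# loginHost attribute and loginHostUser objectClass are assumptions.
ENTRIES = [
    {"dn": "uid=xyz,ou=People,dc=example,dc=com",
     "objectclass": ["posixAccount", "loginHostUser"],
     "uid": ["xyz"], "loginhost": ["athena", "barrabas"]},
    {"dn": "uid=abc,ou=People,dc=example,dc=com",
     "objectclass": ["posixAccount", "loginHostUser"],
     "uid": ["abc"], "loginhost": ["barrabas"]},
    {"dn": "uid=nohost,ou=People,dc=example,dc=com",
     "objectclass": ["posixAccount"],
     "uid": ["nohost"]},          # no loginHost at all: should log in nowhere
]


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % s[i:j])
    return ("=", attr.strip().lower(), value.strip()), j + 1


def parse_filter(text):
    """Accept both '(loginHost=athena)' and the bare 'loginHost=athena'
    form that pam_filter is written in."""
    text = text.strip()
    if not text.startswith("("):
        text = "(" + text + ")"
    node, i = _parse(text, 0)
    if i != len(text):
        raise ValueError("trailing data in filter %r" % text)
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lowercased attrs)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = entry.get(attr, [])
        if value == "*":                      # presence filter
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    raise ValueError("bad node %r" % (node,))


def pam_authorizes(user, host, entries=ENTRIES, pam_filter="loginHost={host}"):
    """pam_ldap semantics: search (&(uid=user)(pam_filter)); a hit means the
    user may log in on this host.  Returns the matching DNs."""
    flt = parse_filter("(&(uid=%s)(%s))" % (user, pam_filter.format(host=host)))
    return [e["dn"] for e in entries if matches(flt, e)]


def nss_visible(entries=ENTRIES, nss_filter="(objectClass=posixAccount)"):
    """What getpwent() would enumerate: every entry matching the NSS filter,
    regardless of pam_filter.  Pass a host-specific filter to see the
    effect of restricting the NSS search itself."""
    flt = parse_filter(nss_filter)
    return sorted(e["uid"][0] for e in entries if matches(flt, e))


if __name__ == "__main__":
    for host in ("athena", "barrabas"):
        print(host, "login allowed for:",
              [u for u in ("xyz", "abc", "nohost") if pam_authorizes(u, host)])
    print("getpwent on any host sees:", nss_visible())
    print("getpwent with host filter sees:",
          nss_visible(nss_filter="(&(objectClass=posixAccount)(loginHost=athena))"))
```

With the default NSS filter every user is enumerable on every host even though pam_filter refuses the login, which is exactly why sendmail and similar tools would still treat a refused user as local. Closing that gap needs the host condition in the NSS search itself, not only in pam_ldap; later nss_ldap releases accept a filter in `nss_base_passwd` (the `base?scope?filter` form), so check whether the version you run supports it before relying on pam_filter alone.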