
Re: Users from /etc/passwd, passwords from LDAP?



It would be nice to use pam_filter, but a 'grep -i pam_filter *' in the
latest nss_ldap_140 does not reveal that it is used.

Using pam_filter would ensure that a user cannot log on to the machine,
but nss_ldap would still consider the user to be local if a getpwent()
is made. That means that, for example, sendmail would consider the user
to be local. I'd prefer it if the user didn't show up at all if she isn't
destined for this machine...

	-JP


On 30 Jan 2001, Turbo Fredriksson wrote:

> Quoting "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>:
>
> > This is likely a FAQ on the nss_ldap@padl.com mailing list.
> > (likely nss_ldap takes as a parameter a search filter).
>
> The theory (I haven't bothered to try yet) is to utilise the 'pam_filter'
> in '/etc/pam_ldap.conf'...
>
> In theory you can have an object 'loginhost' or the like. That is, you want
> user 'xyz' to be able to log in to host 'athena' and 'barrabas':
>
>         dn: uid=xyz,...
>         loginHost: athena
>         loginHost: barrabas
>
> And on host 'athena' you would enter in /etc/pam_ldap.conf:
>
>         pam_filter      loginHost=athena
>
> And on 'barrabas':
>
>         pam_filter      loginHost=barrabas
>
>
> As said, this is theory (which I picked up here a couple of months ago). You
> will have to make your own objectClass to use this 'loginhost' though...
>
> > At 03:40 PM 1/29/01 -0800, Jeffrey W. Baker wrote:
> > >I wonder if it is possible to have the setup that I desire.  I have some
> > >Linux and Solaris machines, nss_ldap from padl.com, and OpenLDAP 2.0.  I
> > >wish to have all of my user information in the LDAP directory, which I
> > >have already done.  I also want my users to be authenticated against the
> > >userPassword in LDAP, which I have also already done.
> > >
> > >The part that I find tricky is that I don't want every user in LDAP to be
> > >able to login to every machine.  Let's say I have 500 users, and only 10
> > >of them should be logging in to a particular box.  But I still want the
> > >usernames, passwords, and groups coming from LDAP.
> > >
> > >I would love to hear about an example of someone having already done this.
> > >
> > >Regards,
> > >Jeffrey Baker
>
> --
>  Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just
>  ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are
>          / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer
>   _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
>   \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
>
>
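The two lookups the thread is contrasting, as an added example that is not
part of the original messages and not pam_ldap or nss_ldap code: pam_ldap
ANDs pam_filter into its uid lookup, so a user with no matching loginHost
never reaches the password check, while nss_ldap's getpwent() enumerates
every posixAccount unless the NSS side is given a filter of its own. The
script below parses a constructed LDIF (three users, dc=example,dc=com, and
an assumed auxiliary objectClass 'hostRestrictedAccount' carrying
loginHost; uid xyz and the hosts athena and barrabas are from the thread),
evaluates RFC 4515-style filters against it, and shows what each host would
see under the two lookups. The nss_base_passwd
'base?scope?filter' form it models is the one documented in later nss_ldap
ldap.conf files; check the ldap.conf shipped with your release before
relying on it.

```python
"""Added example: pam_filter gating vs. nss_ldap enumeration, evaluated
against constructed LDAP entries. The LDIF, the dc=example,dc=com suffix and
the objectClass 'hostRestrictedAccount' are assumptions for illustration."""
import re

# Constructed sample directory content (not from the thread).
SAMPLE_LDIF = """\
dn: uid=xyz,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostRestrictedAccount
uid: xyz
uidNumber: 1001
loginHost: athena
loginHost: barrabas

dn: uid=abc,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostRestrictedAccount
uid: abc
uidNumber: 1002
loginHost: barrabas

dn: uid=nohost,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: nohost
uidNumber: 1003
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no continuation lines):
    returns one dict per entry, attribute names lower-cased, values as lists."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def _parse_filter(s, i):
    """Recursive descent over an RFC 4515 filter starting at s[i] == '('.
    Supports &, |, !, equality and presence (attr=*); no escapes or substrings."""
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == "!":
        node, i = _parse_filter(s, i + 1)
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def parse_filter(s):
    s = s.strip()
    if not s.startswith("("):             # pam_filter is written bare: loginHost=athena
        s = "(" + s + ")"
    node, i = _parse_filter(s, 0)
    if i != len(s):
        raise ValueError("trailing text in filter: %r" % s[i:])
    return node


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnore match


def pam_authenticates(entries, uid, host, pam_filter="loginHost=%s"):
    """pam_ldap's lookup: (&(uid=<uid>)(<pam_filter>)). No entry means the
    login is refused before the password is ever checked."""
    flt = parse_filter("(&(uid=%s)(%s))" % (uid, pam_filter % host))
    return any(matches(flt, e) for e in entries)


def nss_enumerates(entries, extra_filter=None):
    """nss_ldap's getpwent(): every posixAccount, optionally ANDed with the
    '?filter' component of nss_base_passwd. pam_filter plays no part here."""
    flt = "(objectClass=posixAccount)"
    if extra_filter:
        flt = "(&%s(%s))" % (flt, extra_filter)
    node = parse_filter(flt)
    return sorted(e["uid"][0] for e in entries if matches(node, e))


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for host in ("athena", "barrabas"):
        print(host, "pam_filter loginHost=%s:" % host,
              {u: pam_authenticates(entries, u, host) for u in ("xyz", "abc", "nohost")})
        print(host, "getpwent() without NSS filter:", nss_enumerates(entries))
        print(host, "getpwent() with nss_base_passwd ...?one?loginHost=%s:" % host,
              nss_enumerates(entries, "loginHost=%s" % host))
```

With only 'pam_filter loginHost=athena' in pam_ldap.conf, athena refuses
abc and nohost at login but still enumerates all three users, which is
exactly the sendmail problem raised above; adding the same filter on the
NSS side (on releases that accept 'nss_base_passwd base?one?loginHost=athena')
makes the other two invisible to getpwent() as well. Note that an entry
with no loginHost at all fails both lookups on every host, so the attribute
must be populated before the filter is switched on, or nobody logs in.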