
Re: Fw: restricting access to machines on network



> Dave wrote:
>     I need to know what I have to do to be able to differentiate which
> users in the ldap database (the entire university) can log onto which
> machines.  All I have read thus far regards allowing single logons [snip]

The PADL pam_ldap module will look for "host" attributes attached to a
user entry; zero or more can exist.  Each host attribute value is the
fully-qualified machine name the user can log into.  If no host
attributes exist on the user object, login is permitted to any machine
(as far as pam_ldap is concerned).  If present, the user is constrained
to logging into only those machines.  This is not well documented, I
don't think...

Netgroup support does not officially exist in pam_ldap/nss_ldap at this
time, although I've seen a couple of patches floating about in the last
week to add such support.

This is probably better taken to the pamldap mailing list... some more
info to be found at http://www.padl.com/pam_ldap.html.
-Alan

-- 
Alan Sparks, Sr. UNIX Administrator	asparks@quris.com
Quris, Inc.				(720) 836-2058
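As an added example (not part of the original thread or of the PADL code), the following script applies the rule Alan describes to an LDIF export of user entries and reports which users may log in to a given host, also listing the users that carry no "host" attribute at all, since under the rule as stated those users are unconstrained and are the ones an administrator most wants to find. The LDIF, the uid/host values and the hostnames are constructed sample data; the minimal parser assumes plain `attr: value` lines with space-folded continuations and does not handle base64 (`::`) or URL values. Note that in pam_ldap the host check is only active when `pam_check_host_attr yes` is set in its configuration file, and how a given pam_ldap version treats an entry with no host value should be confirmed against its own documentation; the code below simply follows the rule as described in the post. Case-insensitive hostname comparison is a choice made here, since DNS names are case-insensitive.

```python
"""Audit which directory users may log in to a host via pam_ldap 'host' values.

Added example, not from the original mailing-list post or from PADL.
Rule implemented, as described in the post: each 'host' value on a user
entry is a fully-qualified hostname the user may log into; an entry with
no 'host' values is treated as permitted on every machine.
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample LDIF export (e.g. from `ldapsearch -LLL`); not real data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=edu
uid: alice
host: shell1.cs.example.edu
host: shell2.cs.example.edu

dn: uid=bob,ou=People,dc=example,dc=edu
uid: bob
host: mail.example.edu

dn: uid=carol,ou=People,dc=example,dc=edu
uid: carol
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, attributes may be
    multi-valued, folded lines start with a single space.  Base64 (`::`) and
    URL (`:<`) values are not handled; this check does not need them."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw == "":
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            # Folded continuation line: append to the previous value.
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def host_permitted(entry: Dict[str, List[str]], fqdn: str) -> bool:
    """Apply the rule from the post: no 'host' values means no constraint;
    otherwise the local FQDN must match one of the listed values."""
    hosts = entry.get("host", [])
    if not hosts:
        return True
    return fqdn.lower() in (h.lower() for h in hosts)


def audit(text: str, fqdn: str) -> Tuple[List[str], List[str]]:
    """Return (uids permitted on fqdn, uids with no 'host' attribute at all)."""
    permitted: List[str] = []
    unconstrained: List[str] = []
    for entry in parse_ldif(text):
        uid = entry.get("uid", ["?"])[0]
        if not entry.get("host"):
            unconstrained.append(uid)
        if host_permitted(entry, fqdn):
            permitted.append(uid)
    return permitted, unconstrained


if __name__ == "__main__":
    # Real use: feed the output of an ldapsearch over ou=People and the
    # machine's own FQDN; the sample data is used here so it runs offline.
    local = socket.getfqdn()
    allowed, open_entries = audit(SAMPLE_LDIF, "shell1.cs.example.edu")
    print("this machine reports FQDN:", local)
    print("permitted on shell1.cs.example.edu:", allowed)
    print("entries with no host attribute (unconstrained):", open_entries)
```

Run against a real export (`ldapsearch -LLL -b ou=People,dc=... uid host`) and the machine's own FQDN; any uid in the second list is one that the host attribute mechanism does not restrict at all.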