OT: libnss-ldap && nss_base_passwd option
- To: openldap-software@OpenLDAP.org
- Subject: OT: libnss-ldap && nss_base_passwd option
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 31 May 2001 12:21:57 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0807 (Gnus v5.8.7) Emacs/20.7
[I know, I was one of those that talked about moving all nss/pam
questions off list, but the (nss|pam)-ldap@padl.com lists just don't
want to subscribe me! I've tried a number of times now!]
I want to restrict access to my server(s) so that I can say 'this
user has access to this machine, but not this one'.
Using PAM, it's "simple" (?), it's just a matter of entering the
line:
----- s n i p -----
pam_filter objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)
----- s n i p -----
While trying to add the same stuff to the libnss-ldap.conf file, I
discovered that it's theoretically possible to use:
----- s n i p -----
nss_base_passwd dc=com?sub?objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)
----- s n i p -----
But it doesn't seem to work! Sudo/SSH won't let me in; 'id' works fine...
----- s n i p -----
[papadoc.pts/2]$ sudo ls
sudo: uid 1000 does not exist in the passwd file!
----- s n i p -----
Compiling libnss-ldap with debugging on, I get this:
----- s n i p -----
[papadoc.pts/2]$ sudo ls 2>&1 | grep do_filter:
nss_ldap: :== do_filter: (&(objectclass=posixAccount)(uidNumber=1000)(objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)))
----- s n i p -----
Using this search string with 'ldapsearch' (with the base/scope values
from the config file) will return my object...
The reason I must have libnss-ldap do this search is that I'm
no longer using pam-ldap (my passwords have been moved to a Kerberos
KDC) but pam-krb5 instead...
--
Turbo Fredriksson <turbo@tripnet.se>, Stockholm/Sweden
Debian Certified Linux Developer
Debian GNU Unix _IS_ user friendly - it's just selective about who its friends are
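The following is an added example, not code from the post above and not code from nss_ldap or pam_ldap. It reproduces the filter composition visible in the do_filter debug line (the text after the last '?' of nss_base_passwd is wrapped in one pair of parentheses and ANDed onto the getpwuid lookup filter), checks that the resulting filter is well formed, and evaluates it against three constructed sample entries so the per-host effect of the trustmodel/accessto filter can be seen without a directory server. The sample entries, the host names, the getpwuid base filter, and the replacement of the SERVER_FQDN placeholder by hand are all assumptions made for illustration.

```python
"""Added example: compose and evaluate an nss_base_passwd filter offline.

Not code from the original post or from nss_ldap.  The composition rule is
modelled on the do_filter debug line in the post, the sample entries and
host names are constructed, and SERVER_FQDN is substituted here by hand.
"""

# The nss_base_passwd value from the post (base?scope?filter).
NSS_BASE_PASSWD = ("dc=com?sub?"
                   "objectclass=posixAccount)(|(trustmodel=fullaccess)(accessto=SERVER_FQDN)")

# Constructed sample entries (assumption): attribute names lower-cased,
# every value stored as a list, as LDAP attributes are multi-valued.
ENTRIES = [
    {"uid": ["turbo"], "uidnumber": ["1000"],
     "objectclass": ["top", "posixAccount"], "trustmodel": ["fullaccess"]},
    {"uid": ["alice"], "uidnumber": ["1001"],
     "objectclass": ["posixAccount"], "accessto": ["papadoc.example.org"]},
    {"uid": ["bob"], "uidnumber": ["1002"],
     "objectclass": ["posixAccount"], "accessto": ["other.example.org"]},
]


def parse_nss_base(value):
    """Split a base?scope?filter value; an empty scope defaults to 'sub'."""
    parts = value.split("?", 2)
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    extra = parts[2] if len(parts) > 2 else ""
    return base, scope, extra


def compose_filter(lookup_filter, extra):
    """Append the configured filter to an AND lookup filter the way the
    post's debug line shows: '(' + extra + ')' becomes one more AND term.
    Modelled on that output, not on nss_ldap source."""
    if not extra:
        return lookup_filter
    if not (lookup_filter.startswith("(&") and lookup_filter.endswith(")")):
        raise ValueError("expected an AND filter, got %r" % lookup_filter)
    return lookup_filter[:-1] + "(" + extra + "))"


def _parse(s, i):
    """Recursive-descent parser for &, |, ! and attr=value items only."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if i >= len(s):
        raise ValueError("unbalanced filter: %r" % s)
    op = s[i]
    if op in "&|!":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter: %r" % s)
        return (op, children), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unbalanced filter: %r" % s)
    attr, sep, value = s[i:j].partition("=")
    if not sep:
        raise ValueError("bad filter item %r" % s[i:j])
    return ("=", attr.lower(), value), j + 1


def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing text %r after filter" % s[i:])
    return node


def filter_is_wellformed(s):
    """True when every '(' the config contributes has its matching ')'."""
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values,
    a simplification of the real LDAP matching rules)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not any(matches(c, entry) for c in node[1])
    _, attr, value = node
    present = entry.get(attr, [])
    if value == "*":
        return bool(present)
    return value.lower() in (v.lower() for v in present)


def getpwuid_filter(uid_number, host):
    """The filter issued for getpwuid(), with SERVER_FQDN replaced by this
    host's name (done here by hand; an assumption)."""
    _base, _scope, extra = parse_nss_base(NSS_BASE_PASSWD)
    lookup = "(&(objectclass=posixAccount)(uidNumber=%d))" % uid_number
    return compose_filter(lookup, extra.replace("SERVER_FQDN", host))


def lookup_uid(uid_number, host):
    """Return the user name the lookup would hand back, or None (what sudo
    reports as 'uid N does not exist in the passwd file')."""
    node = parse_filter(getpwuid_filter(uid_number, host))
    for entry in ENTRIES:
        if matches(node, entry):
            return entry["uid"][0]
    return None


def users_allowed_on(host):
    """Sorted names of sample users whose uid resolves on the given host."""
    return sorted(e["uid"][0] for e in ENTRIES
                  if lookup_uid(int(e["uidnumber"][0]), host) is not None)


if __name__ == "__main__":
    print(getpwuid_filter(1000, "papadoc.example.org"))
    for host in ("papadoc.example.org", "other.example.org"):
        print(host, users_allowed_on(host))
```

With the sample entries, turbo (trustmodel=fullaccess) resolves on every host, alice only on papadoc.example.org and bob only on other.example.org; a filter that loses a closing parenthesis in the config is reported by filter_is_wellformed before it reaches a server.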