[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authentication/groups/permissions

To: Terry Davis <tdavis@birddog.com>, OpenLDAP-software@OpenLDAP.org
Subject: Re: authentication/groups/permissions
From: Jacek Bochenek <jacek@coig.katowice.pl>
Date: Fri, 24 Aug 2001 12:20:56 +0200
In-reply-to: <3B7D3191.C71AB486@birddog.com>
References: <3B7D3191.C71AB486@birddog.com>

Hello,

> Hello, I have authentication working great with ldap/nsswitch/pam.
> I was wondering how to handle group permissions, or basically how to
> emulate /etc/group.

I'm not sure if this is what you're looking for, but you can use for example 

# Group to enforce membership of
#pam_groupdn cn=bundy,ou=Groups,o=test,c=PL

in the ldap.conf of the nss_ldap package. It will only allow people in this 
group. Another solution is to use filters. For example:

# Filter to AND with uid=%s
pam_filter &(testServices=Shell)(testStatus=Active)

Where the testServices and testStatus are attributes in a new defined schema. 
When you use filters though, make sure that nss_ldap can't read the 
userPassword attributes or they won't work. To solve the problem use correct 
access lists, for example:

access to attrs=userPassword
       by self write
       by dn=uid=root,c=PL write
       by * compare

This gave me a lot of headache. This has something to do with pam_unix.o & 
company. Hope this helps.

Jacek Bochenek
-- 
"Smile, tomorrow will be worse!"

References:
- authentication/groups/permissions
  - From: Terry Davis <tdavis@birddog.com>

Prev by Date: Re: SSL/TLS
Next by Date: Re: killall slapd and ldap stop - slapd and ldap start | what is wrong ?
Index(es):
- Chronological
- Thread