Re: authentication/groups/permissions
Hello,
> Hello, I have authentication working great with ldap/nsswitch/pam.
> I was wondering how to handle group permissions, or basically how to
> emulate /etc/group.
I'm not sure if this is what you're looking for, but you can use, for example,
# Group to enforce membership of
#pam_groupdn cn=bundy,ou=Groups,o=test,c=PL
in the ldap.conf of the nss_ldap package. It will only allow people in this
group. Another solution is to use filters. For example:
# Filter to AND with uid=%s
pam_filter &(testServices=Shell)(testStatus=Active)
where testServices and testStatus are attributes in a newly defined schema.
When you use filters though, make sure that nss_ldap can't read the
userPassword attributes or they won't work. To solve the problem use correct
access lists, for example:
access to attrs=userPassword
        by self write
        by dn=uid=root,c=PL write
        by * compare
This gave me a lot of headaches. This has something to do with pam_unix.o &
company. Hope this helps.
Jacek Bochenek
--
"Smile, tomorrow will be worse!"
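
Added example, not part of the original message: a small model of what the pam_filter setting above does to the user search, run over constructed sample entries. The composition "(&(<pam_filter>)(uid=<login>))" is an assumption based on the "Filter to AND with uid=%s" comment; the entries and all function names are hypothetical.

```python
import re

# Constructed sample entries (not from the original message).
ENTRIES = [
    {"uid": ["al"], "testServices": ["Shell", "Mail"], "testStatus": ["Active"]},
    {"uid": ["peg"], "testServices": ["Mail"], "testStatus": ["Active"]},
    {"uid": ["bud"], "testServices": ["Shell"], "testStatus": ["Disabled"]},
]
PAM_FILTER = "&(testServices=Shell)(testStatus=Active)"  # value from the message

def escape_value(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(login, pam_filter=PAM_FILTER, attr="uid"):
    """Assumed composition: the configured filter ANDed with uid=<login>."""
    return "(&(%s)(%s=%s))" % (pam_filter, attr, escape_value(login))

def parse(text, pos=0):
    """Parse '(&(..)(..))' or '(attr=value)'; return (node, next position)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    if text[pos + 1] == "&":
        pos, children = pos + 2, []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return ("and", children), pos + 1
    end = text.index(")", pos)
    attr, _, raw = text[pos + 1:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("eq", attr, value), end + 1

def matches(node, entry):
    """Exact-match evaluation; a real server applies each attribute's matching rule."""
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    return node[2] in entry.get(node[1], [])

def lookup(login):
    """Return the uids of sample entries the composed filter selects."""
    node, _ = parse(build_filter(login))
    return [e["uid"][0] for e in ENTRIES if matches(node, e)]

if __name__ == "__main__":
    for name in ("al", "peg", "bud", "al)(testStatus=*"):
        print(name, "->", build_filter(name), lookup(name))
```

Only "al" is selected: "peg" lacks testServices=Shell, "bud" is not Active, and the last login name is escaped so it cannot add its own filter clause.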