[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Restrict Access to Hosts

To: <thomas.emde@scaleon.de>
Subject: Re: Restrict Access to Hosts
From: Geoff Silver <geoff@uslinux.net>
Date: Mon, 22 Apr 2002 13:40:16 -0400 (EDT)
Cc: <openldap-software@OpenLDAP.org>
In-reply-to: <OF72AEAEA4.82829FAB-ONC1256BA3.00241B87@bayer-ag.com>

> auth     required       /lib/security/pam_ldap.so
> auth     required       /lib/security/pam_unix.so       # set_secrpc

For starterrs, you probably want "auth sufficient pam_ldap.so".  Required
is just that - required.  It means if pam_ldap fails, so does the login.
sufficient means if it fails, it can try another method.  But, if it
succeeds, it will stop there.

> With this configuration the access restriction to hosts listed via a "host"
> attribute in the ldap entry of the user works fine.
> But, now it is not possible for a "normal" passwd-user to log into the machine.

I'm a little confused as to what you want, but if you're also using
libnss-ldap, you may want to use netgroups (at least, that's how I've done
it).  If you're not then, well once a user "logs" in, they won't be able
to *do* anything, because they won't have a user account.


-- 
Geoff Silver					<geoff at uslinux dot net>
"If Bill Gates had a nickel for every time Windows crashed...
	Oh wait, he does"

References:
- Restrict Access to Hosts
  - From: thomas.emde@scaleon.de

Prev by Date: RE: ldapsearch TLS error
Next by Date: Re: escaping double-quotes in dn
Index(es):
- Chronological
- Thread