Re: Linux authentication/authorization against OpenLDAP
>>instance, I'd like to assign our administrators to several groups
>>("security", "admins", "network", etc) and grant access to some machines
>>only to certain groups.
Once pam_ldap basically works this is really a PAM question more than an
LDAP one.
1. For per host access see the "host" attribute. Documented in
/etc/ldap.conf and in my LDAP presentation
ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf You can simply list what
host a user has access to, but managing such information on a per user
basis can get very unwieldy.
2. What you probably want is pam_listfile. See the PAM documentation or
ftp://kalamazoolinux.org/pub/pdf/pam_and_nss.pdf
Basically /etc/pam.d/login looks like
auth required /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
and /etc/security/login_limit_list.conf looks like
cis
root
sys
adm
and only users in those groups have login access to the machine.
But since this isn't really LDAP (and certainly not OpenLDAP) related we
shouldn't discuss this any further here.
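A small simulation of the pam_listfile decision described in the reply (item=group, sense=allow, onerr=fail against the list file shown), added here as an example; it is not part of the original post and not code from Linux-PAM. It goes slightly beyond the post by also covering sense=deny, onerr=succeed, and the module's refusal of a list file that is not a regular, non-world-writable file; user group memberships are constructed, as `id -Gn` would report them.

```python
import os
import stat
import tempfile


def list_file_mode_ok(mode):
    """pam_listfile refuses a list file that is not a regular file or is
    world-writable, so a tampered or replaced file cannot widen access."""
    return stat.S_ISREG(mode) and not (mode & stat.S_IWOTH)


def read_list_file(path):
    """Names from the list file (one per line, no comment syntax), or None
    when the file is missing, unreadable or unsafely permissioned."""
    try:
        if not list_file_mode_ok(os.stat(path).st_mode):
            return None
        with open(path) as fh:
            return [line.strip() for line in fh if line.strip()]
    except OSError:
        return None


def decide(user_groups, listed, sense="allow", onerr="fail"):
    """Result of the module for item=group: 'allow' or 'deny'.
    listed is None when the file could not be used, so onerr applies."""
    if listed is None:
        return "deny" if onerr == "fail" else "allow"
    hit = any(group in listed for group in user_groups)
    if sense == "allow":
        return "allow" if hit else "deny"
    return "deny" if hit else "allow"


def demo():
    """Constructed scenario: the post's list file plus two sample users."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login_limit_list.conf")
        with open(path, "w") as fh:
            fh.write("cis\nroot\nsys\nadm\n")
        os.chmod(path, 0o644)
        listed = read_list_file(path)
        return {
            "alice": decide(["users", "cis"], listed),      # member of a listed group
            "bob": decide(["users", "network"], listed),    # no listed group
            # onerr=fail: an absent list file denies everyone rather than opening up
            "missing": decide(["cis"], read_list_file(os.path.join(tmp, "absent"))),
        }


if __name__ == "__main__":
    print(demo())
```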