
Re: Linux authentication/authorization against OpenLDAP



>>instance, I'd like to assign our administrators to several groups
>>("security", "admins", "network", etc) and grant access to some machines
>>only to certain groups.

Once pam_ldap basically works this is really a PAM question more than an
LDAP one.

1. For per-host access see the "host" attribute.  Documented in
/etc/ldap.conf and in my LDAP presentation
ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf.  You can simply list what
hosts a user has access to, but managing such information on a per-user
basis can get very unwieldy.

2. What you probably want is pam_listfile.  See the PAM documentation or
ftp://kalamazoolinux.org/pub/pdf/pam_and_nss.pdf

Basically /etc/pam.d/login looks like

# onerr=fail: deny the login if the list file cannot be read;
# item=group sense=allow: only members of a listed group may log in
auth       required     /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

and /etc/security/login_limit_list.conf looks like

cis
root
sys
adm

and only users in those groups have login access to the machine.

But since this isn't really LDAP (and certainly not OpenLDAP) related we
shouldn't discuss this any further here.
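The fail-closed reading of that pam_listfile line, as an added audit script that is not part of the original mail: it parses a PAM service file, flags the argument values that would turn the group allowlist into a fail-open or denylist configuration, and cross-checks the listed group names against group data. All sample inputs (the pam.d text, the allowlist and the /etc/group lines) are constructed for the example; a live check would read the real files and resolve names with grp.getgrnam so that groups served from LDAP via NSS are consulted too.

```python
import shlex

# Constructed sample mirroring the /etc/pam.d/login from the mail (wrapped line joined).
SAMPLE_PAM_LOGIN = """\
auth     required  /lib/security/pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/login_limit_list.conf
auth     required  /lib/security/pam_securetty.so
account  required  /lib/security/pam_stack.so service=system-auth
"""
# Constructed allowlist and /etc/group; "netwrk" is a deliberate typo of the intended group.
SAMPLE_LIST = "cis\nroot\nsys\nadm\nnetwrk\n"
SAMPLE_ETC_GROUP = "root:x:0:\nsys:x:3:\nadm:x:4:\ncis:x:1001:alice,bob\nnetwork:x:1002:carol\n"


def parse_pam(text):
    """Return (type, control, module basename, {arg: value}) per non-comment PAM line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = shlex.split(line) if line else []
        if len(parts) < 3:
            continue  # blank, comment, or truncated line
        args = dict(a.partition("=")[::2] for a in parts[3:])  # "k=v" -> (k, v); bare flag -> (flag, "")
        entries.append((parts[0], parts[1], parts[2].rsplit("/", 1)[-1], args))
    return entries


def audit_listfile(entries):
    """Findings for the auth-stack pam_listfile rule; empty means it is the allowlist the mail describes."""
    rules = [e for e in entries if e[0] == "auth" and e[2] == "pam_listfile.so"]
    if not rules:
        return ["no pam_listfile.so in the auth stack: no group restriction is applied"]
    findings = []
    for _, control, _, args in rules:
        if control not in ("required", "requisite"):
            findings.append(f"control={control}: a failed group check would not deny the login")
        if args.get("onerr") != "fail":
            findings.append("onerr != fail: an unreadable list file would let everyone in (fail-open)")
        if args.get("item") != "group":
            findings.append(f"item={args.get('item')}: the list is not matched against the user's groups")
        if args.get("sense") != "allow":
            findings.append(f"sense={args.get('sense')}: the file is treated as a denylist, not an allowlist")
        if not args.get("file"):
            findings.append("missing file=: pam_listfile has no list to consult")
    return findings


def unknown_groups(list_text, etc_group_text):
    """Allowlisted names with no matching group: a typo here silently locks that team out."""
    known = {l.split(":", 1)[0] for l in etc_group_text.splitlines() if l.strip()}
    return [g for g in map(str.strip, list_text.splitlines()) if g and g not in known]
```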