
Re: Adapt memberof overlay for host attribute



Vince Rafale wrote:
> Howard Chu wrote:
>> Buchan Milne wrote:
>>> On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
>>>> Hi list,
>>>>
>>>> I would like to know whether anybody has succeeded in using the
>>>> memberof overlay for other attributes.
>>>> I would like a user entry (specifically the host attribute) to be
>>>> populated when a user is added to a posixGroup. Let's say this
>>>> posixGroup contains a "hostOfGroup" attribute.
>>>>
>>>> Is it feasible? Or do I need to code my own overlay for that purpose?
>>>> If writing an overlay is not needed, is there an easier way to do that?
>>>
>>> Sounds like there may be other solutions to your real problem ... e.g.
>>> pam_listfile with item=group sense=allow
>>
>> Or use the PAM support in the nssov overlay. Setting a user's host
>> attribute to control logins is ridiculous...
>
> Ok for that overlay. Have you got any tutorial on the use of that overlay?
> If not, could you please provide some more details on the configuration
> for that overlay that could suit my need?

http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/slapo-nssov.5

The relevant point is to create ipHost entries for each host that you want to control logins on, and set the authorizedService attribute to the set of PAM services you want to allow (e.g., login, sshd, gdm, whatever). Then set ACLs on the authorizedService attribute - this will then control what users the nssov overlay allows to log in to the given service on a given host. This gives you the full power of the slapd ACL engine, instead of just the 2-3 limited options that the old pam_ldap module provides.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
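
The setup described in the reply above, written out as LDIF. This is an added example, not part of the original message or of the nssov documentation. All DNs, host names, group names and the address are constructed placeholders; the authorizedServiceObject class, the hostservice option and the compare privilege level are assumptions to check against slapo-nssov(5).

```ldif
# Constructed example: every DN, host, group and address is a placeholder.
# Assumes the nssov overlay is loaded with its host-entry service check
# enabled (the hostservice option of nssov-pam in slapo-nssov(5)).

# One ipHost entry per machine whose logins are controlled.
# authorizedServiceObject is assumed to come from the ldapns schema; it
# permits authorizedService, whose values are PAM service names.
dn: cn=web01.example.com,ou=hosts,dc=example,dc=com
objectClass: device
objectClass: ipHost
objectClass: authorizedServiceObject
cn: web01.example.com
ipHostNumber: 192.0.2.10
authorizedService: sshd
authorizedService: login

# ACLs on the database holding ou=hosts. slapd stops at the first rule whose
# "to" clause matches, so these must sit before any broader rule.
# The "compare" level is an assumption about what the overlay checks.
# group.exact needs DN-valued membership (groupOfNames/member by default);
# a posixGroup's memberUid values will not match.
#   {0} sshd on web01: members of cn=web-admins only
#   {1} console login on web01: members of cn=operators only
#   {2} any other authorizedService value: directory admins only
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="cn=web01.example.com,ou=hosts,dc=example,dc=com"
  attrs=authorizedService val.exact="sshd"
  by group.exact="cn=web-admins,ou=groups,dc=example,dc=com" compare
  by * none
olcAccess: {1}to dn.base="cn=web01.example.com,ou=hosts,dc=example,dc=com"
  attrs=authorizedService val.exact="login"
  by group.exact="cn=operators,ou=groups,dc=example,dc=com" compare
  by * none
olcAccess: {2}to attrs=authorizedService
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
  by * none
```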