Re: Limiting finger lookup access on Linux

[Jonathan Clarke <jonathan@phillipoux.net>]

On 15/09/2009 14:31, Roof,Rex wrote:
> On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
>
> > On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
> > > I have some linux machines that I have configured for student access.
> > > We are authenticating against our OpenLDAP tree and limiting which
> > > users have access via an LDAP groupOfNames.
> >
> > At the PAM level.
> >
> > > This is all working
> > > perfectly.
> > >
> > > This is the problem I am having.   Any user with access to the system
> > > can run the /usr/bin/finger command and do a name search against our
> > > entire LDAP tree.   I would like to limit the info available via
> > > finger to just the users that have access to any particular machine.
> >
> > What about the standard user information available via 'getent
> > passwd' ?
> >
> > > How can this be controlled?
> >
> > If you are referring to the same information as in 'getent passwd',
> > your first
> > problem is whether you need the OS to be able to resolve UIDs to
> > usernames for
> > the users who should not have access. After that, worry about (the
> > same
> > information via) finger ...
>
> Yes!   'getent passwd'  returns all of the 100,000 entries in my LDAP
> tree, I'd rather it returned the 30 or so users that have access to
> the particular machine plus whatever is in /etc/passwd.
>
> Is it possible to do this?  Perhaps via a PAM configuration?

If I understand correctly, you're enforcing access to this machine by 
telling PAM to allow only a given group, presumably via an option in 
pam_ldap.conf like "pam_groupdn cn=yourgroupe,dc=etc".

But, NSS (and therefore finger), is still seeing all users in the 
directory, and not only the ones from that group?

One solution would be to configure your libnss-ldap to use a binddn to 
connect to the LDAP server, and set up ACLs so that that binddn only has 
access to users from that group.

Jonathan