On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
I have some linux machines that I have configured for student access.
We are authenticating against our OpenLDAP tree and limiting which
users have access via an LDAP groupOfNames.
At the PAM level.
This is all working
perfectly.
This is the problem I am having. Any user with access to the system
can run the /usr/bin/finger command and do a name search against our
entire LDAP tree. I would like to limit the info available via
finger to just the users that have access to any particular machine.
What about the standard user information available via 'getent
passwd' ?
How can this be controlled?
If you are referring to the same information as in 'getent passwd',
your first
problem is whether you need the OS to be able to resolve UIDs to
usernames for
the users who should not have access. After that, worry about (the
same
information via) finger ...
Yes! 'getent passwd' returns all of the 100,000 entries in my LDAP
tree, I'd rather it returned the 30 or so users that have access to
the particular machine plus whatever is in /etc/passwd.
Is it possible to do this? Perhaps via a PAM configuration?