Thanks to everyone on this list that helped with this problem. The answer (as with most answers) was in the documentation:

[from `man nss_ldap`]

    nss_base_<map> <basedn?scope?filter>
        Specify the search base, scope and filter to be used for specific maps.

I created a nss_base_passwd line looking like this:

    nss_base_passwd ou=Accounts?sub?|(uid=user1)(uid=user2)(uid=...

It's dirty, but works until I upgrade to OpenLDAP 2.4 and can use the memberOf= search filter.

This successfully limits the output of getent passwd to just the users I want. It also limits the info that finger gives to just those users.

Hope this helps someone else.

-Rex

On Sep 16, 2009, at 1:49 AM, Gavin Henry wrote:

> See the dynlist overlay: http://www.openldap.org/doc/admin24/overlays.html
>
> On 15/09/2009, Rex Roof <rex@wccnet.edu> wrote:
>
>> On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:
>>
>>> Rex Roof wrote:
>>>
>>>> Yes, or a configuration for PAM that limits which users it provides information for.
>>>
>>> PAM doesn't return user information at all. This is strictly for nss-ldap. You could also add a filter to nss-ldap's config file. Unfortunately the most straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's memberof overlay. If your group was actually a dynamic group, then you could use the same filter criteria that the dynamic group uses.
>>>
>>>> -Rex
>>
>> From what I can tell, nss_ldap and pam_ldap use the same config file in CentOS, /etc/ldap.conf. So they both use the same proxy user?
>>
>> What do you mean by dynamic group? I'm open to changing to some other setup.
>>
>> -Rex
>
> --
> Sent from my mobile device
>
> http://www.suretecsystems.com/services/openldap/
> http://www.suretectelecom.com
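As an added example (not code from the thread, and not part of nss_ldap itself), here is a small Python parser for the `nss_base_<map> basedn?scope?filter` syntax quoted from the man page above. It reads constructed /etc/ldap.conf lines shaped like the one Rex posted, splits each map into base, scope and filter, extracts the uid allow-list, reports any uid the filter admits beyond what you intended to expose through `getent passwd`, and builds the equivalent `ldapsearch` command so the filter can be checked against the directory before it goes live. The sample config, the `ldapsearch` bind DN and the assumption that nss_ldap wraps a bare per-map filter in its own parentheses (consistent with the working line in the thread) are all mine, not the thread's.

```python
"""Parse nss_ldap nss_base_<map> lines and audit the passwd allow-list.

Added example; the ldap.conf content below is constructed and only mimics
the shape of the line posted in the thread.
"""
import re
import shlex
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of /etc/ldap.conf lines (not the poster's real file).
SAMPLE_LDAP_CONF = """\
base dc=example,dc=org
uri ldap://ldap.example.org/
# restrict the passwd map to an explicit allow-list of accounts
nss_base_passwd ou=Accounts?sub?|(uid=user1)(uid=user2)(uid=user3)
nss_base_group  ou=Groups?one
"""

VALID_SCOPES = {"base", "one", "sub"}


class NssBase(NamedTuple):
    base: str
    scope: str               # 'sub' when the line omits the scope
    filter: Optional[str]    # None when the line carries no filter


def parse_nss_base(text: str) -> Dict[str, NssBase]:
    """Return {map_name: NssBase} for every nss_base_<map> line in text.

    Assumption (matches the working line in the thread): nss_ldap ANDs the
    per-map filter with its own objectClass filter, so a filter written
    without an outer '(' is treated as one complete sub-filter and wrapped.
    """
    result: Dict[str, NssBase] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0]
        if not key.startswith("nss_base_") or len(fields) < 2:
            continue
        parts = fields[1].strip().split("?", 2)
        base = parts[0]
        scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
        if scope not in VALID_SCOPES:
            raise ValueError(f"{key}: bad scope {scope!r}")
        flt = parts[2] if len(parts) > 2 and parts[2] else None
        if flt is not None:
            if not flt.startswith("("):
                flt = f"({flt})"
            if flt.count("(") != flt.count(")"):
                raise ValueError(f"{key}: unbalanced parentheses in filter")
        result[key[len("nss_base_"):]] = NssBase(base, scope, flt)
    return result


def allowed_uids(nb: NssBase) -> List[str]:
    """uid values admitted by an allow-list filter such as (|(uid=a)(uid=b))."""
    return re.findall(r"\(uid=([^)*]+)\)", nb.filter or "")


def exposed_beyond(nb: NssBase, expected: List[str]) -> List[str]:
    """uids the filter admits that are not on the intended allow-list."""
    return sorted(set(allowed_uids(nb)) - set(expected))


def ldapsearch_command(nb: NssBase, binddn: str) -> str:
    """Shell command reproducing the map's search, for checking a filter
    before editing ldap.conf.  The base is used exactly as written; complete
    a relative base such as ou=Accounts with your suffix yourself."""
    flt = nb.filter or "(objectClass=posixAccount)"
    return " ".join(["ldapsearch", "-x", "-D", shlex.quote(binddn), "-W",
                     "-b", shlex.quote(nb.base), "-s", nb.scope,
                     shlex.quote(flt), "uid"])


if __name__ == "__main__":
    maps = parse_nss_base(SAMPLE_LDAP_CONF)
    passwd = maps["passwd"]
    print("passwd map:", passwd)
    print("uids exposed by getent passwd:", allowed_uids(passwd))
    print("unexpected:", exposed_beyond(passwd, ["user1", "user2"]))
    print(ldapsearch_command(passwd, "cn=proxy,dc=example,dc=org"))
```

Run it as a script to see the parsed maps, or import it and feed `parse_nss_base` the real file; `exposed_beyond` is the check worth keeping in a cron job, since an allow-list filter silently drifts as uids are added to it by hand.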