[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Attributes for filtering OS logins

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Attributes for filtering OS logins
From: Prentice Bisbal <prentice@ias.edu>
Date: Thu, 11 Nov 2010 09:04:18 -0500
In-reply-to: <4CDBEFF4.2000906@ias.edu>
References: <AANLkTi=B1BHkAKNLdeMiD8U_S0wOfFS0GO7-TK_u02+3@mail.gmail.com> <4CDBEFF4.2000906@ias.edu>
User-agent: Thunderbird 2.0.0.24 (X11/20101029)

Disregard my response below. I misread the problem statement. I thought
the you were trying to filter logins based on an attribute, which is
what the subject line said.

Prentice Bisbal wrote:
> Anton Chu wrote:
>> I have a scenario where I want to setup two LDAP groups where one group
>> can access a file on the server while the other one cannot after they
>> login.  Can some PAM tweaks make this happen if not on the ldap side?
> 
> Yes. See the man page for pam_ldap:
> 
> pam_groupdn <groupdn>
>               Specifies the distinguished name of a group to which a
> user must belong for logon authorization to succeed.
> pam_member_attribute <attribute> Specifies the attribute to use when
> testing a user’s membership of a group specified in the pam_groupdn option.
> 
> 

-- 
Prentice

References:
- Attributes for filtering OS logins
  - From: Anton Chu <anton.chu@telecommand.com>
- Re: Attributes for filtering OS logins
  - From: Prentice Bisbal <prentice@ias.edu>

Prev by Date: Re: Attributes for filtering OS logins
Next by Date: Re: number of contextcsn entries per database
Index(es):
- Chronological
- Thread