
Re: Limiting host access

On Mon, Nov 21, 2011 at 3:39 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:

   >Mon, Nov 21, 2011 at 1:34 PM Buchan Milne <bgmilne@staff.telkomsa.net> wrote:

>One method would be to add the hostObject objectclass, from ldapns.schema
>(shipped with pam_ldap source), and add a host attribute with the 'hostname'
>of the host for each host the user should be allowed to log in to, and set
>'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').

>Of course, this depends on which pam module you are using, and there are other
>options.

    I tried installing the pam_ldap module and configuring the ldap.conf file, but it is still allowing access to the hosts not mentioned in the host attribute. All the user information is available on a client node not specified in the host attribute of that user (checked by firing $getent passwd).

    What is desired is that, on such client nodes (not specified in the host attribute of <user-name>), $su <user-name> should show 'su: <user-name> does not exist'.

    Which of the services in /etc/pam.d need to be modified for proper user authorization?



Regards,
Buchan



--

Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.


Hi,

  I got the desired solution. Thanks, Buchan!!!

  My next query is as follows:

  Suppose we have 1000 hosts and we want to give 'user1' access to 999 hosts (with 1 restricted host). Then, in such a case, we need to specify all 999 permitted host names in the .ldif file.

  There are wildcards: '*' stands for all hosts and '!' stands for excluding a host.
  e.g.

  1. host: *
    will allow access to all client nodes.

  2. host: !n1000
    will not allow access to n1000 client node.

  In the above-mentioned scenario, when I specify the following it doesn't work:

  host: *
  host: !n1000
  It will allow access to all 1000 hosts.

  When I specify the following:

  host: *,!n1000

   It is restricting access to all 1000 hosts.


Does anybody know how to use these wildcards ('*', '!') to get the desired solution?

--

Thanks & Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
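An added example, not part of this thread and not pam_ldap's own code: a small Python model of the host-attribute check as the behaviour reported above suggests it works (each `host` value compared on its own, `*` matching every host, and a value starting with `!` not treated as an exclusion; this rule is an assumption inferred from the observations in the thread, not taken from the pam_ldap source), plus the explicit per-host allow list and LDIF that give user1 999 of the 1000 hosts. The user DN is a constructed placeholder.

```python
# Added example: models the host-attribute behaviour reported in this thread and
# builds an explicit allow list as LDIF. The matching rule in host_allowed() is an
# ASSUMPTION inferred from the observed behaviour, not from the pam_ldap source.

def host_allowed(host_values, hostname):
    """Return True if any single 'host' value grants access to hostname.

    Assumed rule: values are checked independently; '*' matches all hosts;
    otherwise a value must equal the hostname (case-insensitive). A value such
    as '!n1000' or '*,!n1000' is just a literal string that matches no host,
    which is why '*' plus '!n1000' admits everyone and '*,!n1000' admits no one.
    """
    for value in host_values:
        if value == "*" or value.lower() == hostname.lower():
            return True
    return False

def allow_list(all_hosts, denied):
    """Explicit allow list: every known host except the denied ones.
    Listing hosts explicitly is the least-privilege form of the attribute."""
    denied = {h.lower() for h in denied}
    return [h for h in all_hosts if h.lower() not in denied]

def host_ldif(dn, hosts):
    """LDIF 'modify' that replaces the user's host attribute with an explicit list.
    Assumes the entry already carries the hostObject objectClass."""
    lines = [f"dn: {dn}", "changetype: modify", "replace: host"]
    lines += [f"host: {h}" for h in hosts]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    hosts = [f"n{i}" for i in range(1, 1001)]   # constructed host names n1..n1000
    for values in (["*", "!n1000"], ["*,!n1000"]):
        print(values, "-> n1000 allowed:", host_allowed(values, "n1000"),
              "| n1 allowed:", host_allowed(values, "n1"))
    allowed = allow_list(hosts, ["n1000"])
    print(len(allowed), "hosts in the explicit list")
    # constructed placeholder DN; preview only the first three host values
    print(host_ldif("uid=user1,ou=People,dc=example,dc=com", allowed[:3]))
```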