Re: Newbie question about host base authentication
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Re: Newbie question about host base authentication
- From: Simone Scremin <simone.scremin@gmail.com>
- Date: Mon, 29 Oct 2012 17:53:05 +0100
- In-reply-to: <508EAE46.1000706@ayni.com>
- References: <FE365979-0431-4FDE-AAFF-51E11618B197@gmail.com> <508EAE46.1000706@ayni.com>
And this is clear.
This is the basic host-based authentication using pam-ldap.
From what I know, however, it's not possible to set a regex as the value of the host attribute, which is my requirement.
See the previous mail with the relevant example about the regex for the hostnames.
Am I wrong?
Thank you
Simone
On Oct 29, 2012, at 5:26 PM, anax <anax@ayni.com> wrote:
> if you are using pam-ldap, then it's even easier than you think, i.e. it's included in pam-ldap:
>
> in the ldap directory create entries like or similar:
>
> uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
> cn: ldap-host
> gidNumber: 102
> homeDirectory: /home/ldap-host
> host: vidigal.mydomain.com
> loginShell: /bin/bash
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 11146
> shadowMax: 99999
> shadowWarning: 7
> uid: ldap-host
> uidNumber: 1038
> userPassword: youonlyknowit
>
> where the important attribute is host.
>
> Then, in the ldap.conf file, where you tell pam-ldap, which ldap parameters to use, add the following line:
>
> pam_check_host_attr yes
>
> Then, in the corresponding pam-ldap file, add the following two entries:
>
> account required pam_ldap.so debug
> account required pam_unix_acct.so
>
> (check to see if you have the respective module installed in your pam-ldap module directory).
>
> And then, by magic, users will be allowed only on the specified host, in this case on vidigal.mydomain.com
>
> suomi
>
> On 2012-10-29 13:23, Simone Scremin wrote:
>> Hi all,
>> I'm in the process of learning the OpenLDAP authentication mechanics.
>> I'd need to know the best way to configure a host-based authentication system that allows a per-user rule listing the group of hosts to which the user is allowed to log in.
>>
>> For example:
>>
>> user Bob needs to authenticate on systems:
>>
>> sys01pra
>> sys02pre
>> sys03pra
>> sys03pre
>>
>> some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
>>
>> sys0*pr*
>>
>> Is it feasible?
>>
>> Thanks
>>
>> Simone
>>
>
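Added example, not from any of the posters above: the `host` attribute that pam-ldap's `pam_check_host_attr` evaluates holds literal host names (or `*`), so the pattern `sys0*pr*` from the original question cannot be stored as such. A practical way to get the same effect is to expand the pattern against a known host inventory and store the explicit names in the user's entry. The script below does that expansion, renders the resulting LDIF modify, and contains a simplified model of the host-attribute decision so an administrator can check which hosts an entry would admit before pushing the change. The inventory, the user DN and the `host_allowed` model are constructed assumptions; the model is a simplification of pam_ldap's check (case-insensitive match of a `host` value against the machine's own names, or the wildcard `*`), not the module's code.

```python
"""Expand a host pattern into explicit pam-ldap `host` values and model the check.

pam_ldap with `pam_check_host_attr yes` admits a user only when one of the
entry's `host` values is `*` or names the local machine. Globs and regexes are
not interpreted, so a site that wants "sys0*pr*" must list every matching
host. This helper computes that list from an inventory and emits the LDIF.
"""
import fnmatch

# Constructed sample inventory; a real one would come from DNS, a CMDB,
# or the ou=Hosts subtree of the directory itself.
HOST_INVENTORY = [
    "sys01pra", "sys02pre", "sys03pra", "sys03pre",
    "sys04dev", "db01pra", "vidigal.mydomain.com",
]


def expand_host_pattern(pattern, inventory):
    """Return the inventory hosts matched by a shell-style glob, sorted.

    fnmatchcase gives glob semantics ('*' matches any run of characters), which
    is what the "sys0*pr*" example in the thread expresses.
    """
    return sorted(h for h in inventory if fnmatch.fnmatchcase(h, pattern))


def host_modify_ldif(user_dn, hosts):
    """Render an LDIF changetype:modify that replaces the entry's host values.

    An empty host list yields a bare 'replace: host', which removes all values;
    with pam_check_host_attr enabled that denies the user everywhere.
    """
    lines = [f"dn: {user_dn}", "changetype: modify", "replace: host"]
    lines += [f"host: {h}" for h in hosts]
    lines.append("-")
    return "\n".join(lines) + "\n"


def host_allowed(host_values, local_names):
    """Simplified model (assumption) of the pam_check_host_attr decision.

    local_names: the names this machine answers to (short hostname, FQDN,
    aliases). Access is granted if any host value is '*' or equals one of
    them case-insensitively; an entry with no host values is denied.
    """
    local = {n.lower() for n in local_names}
    return any(v == "*" or v.lower() in local for v in host_values)


def hosts_admitting(hosts, inventory):
    """For a proposed host list, report which inventory machines would admit
    the user, so the change can be reviewed before it is applied."""
    return [h for h in inventory if host_allowed(hosts, [h])]


if __name__ == "__main__":
    bob_dn = "uid=bob,ou=People,dc=mydomain,dc=com"  # constructed DN
    bob_hosts = expand_host_pattern("sys0*pr*", HOST_INVENTORY)
    print(host_modify_ldif(bob_dn, bob_hosts))
    print("would admit bob on:", hosts_admitting(bob_hosts, HOST_INVENTORY))
```

Two caveats the model makes visible: the `host` value must equal a name the machine actually reports for itself (short name versus FQDN mismatches silently deny), and the expansion is a snapshot, so a new `sys05pra` built after the LDIF was applied is not covered until the list is regenerated.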