Re: Schema to add hostname property to accounts for pam_authz_search?
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Schema to add hostname property to accounts for pam_authz_search?
- Date: Wed, 13 Apr 2011 22:51:28 +0200

On Tue, 2011-04-12 at 15:04 -0700, J. L. Brewer wrote:
> The PADL nss-ldap libpam-ldap package offers ldapns.schema for this
> purpose (http://old.nabble.com/Re:-Howto-get-the-%22host%22-attribute-for-pam_check_host_attr-of-pam_ldap--p9844227.html)
> (though exclude it from releases). Is this a sufficient solution or
> is there a more official, preferred solution for nss-pam-ldapd?

nss-pam-ldapd is a little more flexible. You can use the
pam_authz_search option to use any kind of attribute you like. The
replacement for PADL's pam_check_host_attr option is described in the
manual page.

Neither RFC 2307 [0] nor draft-howard-rfc2307bis [1] specifies or mentions
the host attribute though. There also seems to be a combination of the
trustModel and accessTo attributes in use but it's a little more
complicated.

In any case, I don't think there's a widely standardised way of doing
host-based access controls.

[0] http://www.ietf.org/rfc/rfc2307.txt
[1] http://tools.ietf.org/html/draft-howard-rfc2307bis-02
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
--
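
Added example, not part of the original message and not nss-pam-ldapd code: a small Python model of a host-based pam_authz_search check, in which variables are escaped and substituted into the filter and access is granted only if some entry matches. The "host" attribute, the exact filter, the sample entries and the in-memory evaluator (equality and presence tests only, compared case-insensitively) are assumptions made for the illustration.

```python
import re

# Filter in the style of nslcd.conf's pam_authz_search. The "host" attribute and
# this exact filter are assumptions for the example, not a standard schema.
AUTHZ_FILTER = "(&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))"

# Constructed directory entries (attribute names lower-cased, values as lists).
ENTRIES = [
    {"objectclass": ["posixAccount"], "uid": ["alice"], "host": ["web01", "db01.example.com"]},
    {"objectclass": ["posixAccount"], "uid": ["bob"]},  # no host values at all
]

def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) so a value cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, variables):
    """Replace each $name in the template with its escaped value."""
    return re.sub(r"\$(\w+)", lambda m: ldap_escape(variables[m.group(1)]), template)

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (predicate, index after it)."""
    op = f[i + 1]
    if op in "&|!":
        subs, i = [], i + 2
        while f[i] == "(":
            pred, i = parse(f, i)
            subs.append(pred)
        combine = {"&": all, "|": any, "!": lambda r: not any(r)}[op]
        return (lambda e: combine(p(e) for p in subs)), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    values = lambda e: [v.lower() for v in e.get(attr.lower(), [])]
    if value == "*":  # presence test
        return (lambda e: bool(values(e))), end + 1
    want = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value).lower()
    return (lambda e: want in values(e)), end + 1

def authorized(entries, **variables):
    """Grant access only if at least one entry matches the expanded filter."""
    pred, _ = parse(expand(AUTHZ_FILTER, variables))
    return any(pred(e) for e in entries)
```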