RSS feed

Re: pam_authz_search, match multiple criteria, is it possible?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: pam_authz_search, match multiple criteria, is it possible?

On Tue, 2011-06-28 at 23:26 +1000, Tim wrote:
> I hoping to restrict login access to a machine based on a number of
> groups. I don't want to filter all these users out as they can still
> have accounts on the machine, they just can't login via pam.

I think it is better to look into using pam_access for something like
this. Perhaps it is possible to make something with pam_autz_search but
it seems much more suitable for something as basic as group membership.

> Is it possible to somehow modify it so it requires the shell group as
> well ether of admin and committee? My attempt is below and didn't
> work.
> pam_authz_search
> (&(&(objectClass=posixGroup)(member=$dn)(|(cn=admin)(cn=committee)))(&(cn=shell)(member=$dn)))
> My guess is that because it's a normal ldap search, that it's not
> possible and that I'm probably going about it the wrong way.

nslcd performs one search for the pam_authz_search option and if any
results are returned it grants access. Since the groups are separate
LDAP entries I think it hard to find a search that does what you want.

-- arthur - - --
To unsubscribe send an email to or see