Re: pam_authz_search, match multiple criteria, is it possible?

On Tue, 2011-06-28 at 23:26 +1000, Tim wrote:
> I'm hoping to restrict login access to a machine based on a number of
> groups. I don't want to filter all these users out as they can still
> have accounts on the machine, they just can't login via pam.

I think it is better to look into using pam_access for something like
this. Perhaps it is possible to make something with pam_authz_search but
it seems much more suitable for something as basic as group membership.

> Is it possible to somehow modify it so it requires the shell group as
> well as either of admin and committee? My attempt is below and didn't
> work.
> pam_authz_search
> (&(&(objectClass=posixGroup)(member=$dn)(|(cn=admin)(cn=committee)))(&(cn=shell)(member=$dn)))
> 
> My guess is that because it's a normal ldap search, that it's not
> possible and that I'm probably going about it the wrong way.

nslcd performs one search for the pam_authz_search option and if any
results are returned it grants access. Since the groups are separate
LDAP entries I think it is hard to find a search that does what you want.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
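The policy Tim asks for (member of shell AND member of admin or committee) cannot be expressed as one LDAP search because each group is its own entry, but it maps directly onto pam_access, which Arthur suggests above. The following /etc/security/access.conf fragment is an added example, not from the thread or the nss-pam-ldapd project; the group names are Tim's, the root exception and the console-only origin are assumptions.

```conf
# /etc/security/access.conf (added example)
# pam_access evaluates rules top to bottom and the first match wins.
# Format: permission : users/groups : origins   (group names in parentheses)

# Assumption: keep root usable from the local console so a bad rule
# below cannot lock administrators out.
+ : root : LOCAL

# Step 1: anyone who is NOT in the "shell" group is denied outright.
# Members of "shell" do not match this rule and fall through.
- : ALL EXCEPT (shell) : ALL

# Step 2: of the remaining (shell) users, allow members of admin or
# committee. This is the AND: they passed step 1 and match here.
+ : (admin) (committee) : ALL

# Step 3: everyone else (in shell but in neither admin nor committee)
# is denied. Accounts still exist via NSS; only PAM login is refused.
- : ALL : ALL
```

The rules only take effect once pam_access is in the account stack, e.g. `account required pam_access.so` in the relevant /etc/pam.d service file; because nslcd resolves the groups, group membership here is whatever `getent group shell` reports.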