RSS feed

Re: nslcd feature request (combined pam_authz_search)

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: nslcd feature request (combined pam_authz_search)

Well, I though the ldap search can be specified for a single object (I first search the posixAccount objects and then server object).
I've also made a mistake in the description of the situation:
The idea is that all of the conditions need to return true so the user can be granted access.

The user has to be having the host attribute with the right hostname AND that very host has to be enabled.
So the example config should read:

pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
pam_authz_search (&(objectClass=server)(mode=active)(&(hostname=$host)(hostname=$fqdn))
satisfy all


On Mon, Apr 23, 2012 at 10:44 PM, Arthur de Jong <arthur [at]> wrote:
On Mon, 2012-04-23 at 21:53 +0400, Lior Goikhburg wrote:
> Here is a situation: I need to perform two different searches before
> authenticating a user:
> * a user object should have a attribute "host" set to the $hostname of
> the machine
> * a host object of $hostname shoud have an attribute "mode" set to
> "active"
> It would be possible if I could specify more than one pam_authz_search
> parameter in nslcd.conf file.
> A possible config block could look like this:
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
> pam_authz_search (&(objectClass=server)(mode=active))
> satisfy any
> Any thoughts ?

It sounds interesting but I personally don't like the satisfy any syntax
much (Apache ACL's are a bit too complex for my taste).

Anyway, you can already accomplish the above, if it is OK if either of
the searches return any results, with the following:

pam_authz_search (|(&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))(&(objectClass=server)(mode=active)))

Also note that you can use objectClass=$hostname instead of

-- arthur - arthur [at] - --

To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] or see

To unsubscribe send an email to or see