Re: nslcd feature request (combined pam_authz_search)
[Date Prev][Date Next] [Thread Prev][Thread Next]Re: nslcd feature request (combined pam_authz_search)
- From: Lior Goikhburg <l.goikhburg [at] bonsport.ru>
- To: Arthur de Jong <arthur [at] arthurdejong.org>
- Cc: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: nslcd feature request (combined pam_authz_search)
- Date: Tue, 24 Apr 2012 00:11:25 +0400
Well, I though the ldap search can be specified for a single object (I first search the posixAccount objects and then server object).
I've also made a mistake in the description of the situation:
The idea is that all of the conditions need to return true so the user can be granted access.
The user has to be having the host attribute with the right hostname AND that very host has to be enabled.
So the example config should read:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
pam_authz_search (&(objectClass=server)(mode=active)(&(hostname=$host)(hostname=$fqdn))
satisfy all
Regards,
I've also made a mistake in the description of the situation:
The idea is that all of the conditions need to return true so the user can be granted access.
The user has to be having the host attribute with the right hostname AND that very host has to be enabled.
So the example config should read:
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
pam_authz_search (&(objectClass=server)(mode=active)(&(hostname=$host)(hostname=$fqdn))
satisfy all
Regards,
On Mon, Apr 23, 2012 at 10:44 PM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
It sounds interesting but I personally don't like the satisfy any syntaxOn Mon, 2012-04-23 at 21:53 +0400, Lior Goikhburg wrote:
> Here is a situation: I need to perform two different searches before
> authenticating a user:
> * a user object should have a attribute "host" set to the $hostname of
> the machine
> * a host object of $hostname shoud have an attribute "mode" set to
> "active"
>
> It would be possible if I could specify more than one pam_authz_search
> parameter in nslcd.conf file.
>
> A possible config block could look like this:
>
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
> pam_authz_search (&(objectClass=server)(mode=active))
> satisfy any
>
> Any thoughts ?
much (Apache ACL's are a bit too complex for my taste).
Anyway, you can already accomplish the above, if it is OK if either of
the searches return any results, with the following:
pam_authz_search (|(&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))(&(objectClass=server)(mode=active)))
Also note that you can use objectClass=$hostname instead of
objectClass=server.
--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org --
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
-- To unsubscribe send an email to nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see http://lists.arthurdejong.org/nss-pam-ldapd-users/
- nslcd feature request (combined pam_authz_search),
Lior Goikhburg
- Re: nslcd feature request (combined pam_authz_search),
Arthur de Jong
- Re: nslcd feature request (combined pam_authz_search), Lior Goikhburg
- Re: nslcd feature request (combined pam_authz_search), Arthur de Jong
- Re: nslcd feature request (combined pam_authz_search),
Arthur de Jong
- Prev by Date: Re: nslcd feature request (combined pam_authz_search)
- Next by Date: nss-ldapd-0.6.11 on RedHat
- Previous by thread: Re: nslcd feature request (combined pam_authz_search)
- Next by thread: Re: nslcd feature request (combined pam_authz_search)