
Re: Fine grained access control


On Thu, 2012-08-30 at 21:51 +0200, Richard Pijnenburg wrote:
> I'm looking for a way to have fine grained access control for users to
> servers.

With nss-pam-ldapd you can use the pam_authz_search option to specify a
filter for the PAM module. With nss-pam-ldapd 0.8.9 the pam_authz_search
option can be specified multiple times.

You could do something like:

pam_authz_search (&(objectClass=posixGroup)(cn=allowgroup)(memberUid=$uid))
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$hostname))

to require that the user that is logging in is a member of allowgroup
and the user has a host attribute with the value of the current
hostname. See the nslcd.conf manual page for more details.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
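The following is an added example, not code from the original message and not part of nss-pam-ldapd. It models what the two pam_authz_search lines above express: each configured search has its $-variables substituted, the resulting LDAP filter is evaluated, and access is granted only when every search returns at least one entry. The directory entries, the user names and the host names are constructed for the example; it treats $uid and $username as the same login name, as the quoted filters imply, and it escapes substituted values per RFC 4515 so that a login name containing filter metacharacters cannot change the shape of the filter (anything that substitutes user input into an LDAP filter must do this).

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def ldap_escape(value):
    """Escape a value so it is matched literally inside a filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, variables):
    """Substitute $name variables in a pam_authz_search template, escaped."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError('unknown filter variable $' + name)
        return ldap_escape(variables[name])
    return re.sub(r'\$(\w+)', repl, template)


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Recursive-descent parser for the (&(...)(...)) / (|...) / (!...) /
    (attr=value) subset of RFC 4515 used by the quoted configuration."""
    if i >= len(s) or s[i] != '(':
        raise ValueError('expected "(" at offset %d' % i)
    i += 1
    if i < len(s) and s[i] in '&|!':
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == '(':
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ')':
            raise ValueError('expected ")" at offset %d' % i)
        if op == '!' and len(children) != 1:
            raise ValueError('"!" takes exactly one operand')
        return (op, children), i + 1
    j = s.find(')', i)
    if j < 0:
        raise ValueError('unterminated filter item')
    attr, sep, value = s[i:j].partition('=')
    if not sep or not attr:
        raise ValueError('bad filter item %r' % s[i:j])
    return ('=', attr.lower(), _unescape(value)), j + 1


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError('trailing data after filter')
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values)."""
    kind = node[0]
    if kind == '&':
        return all(matches(c, entry) for c in node[1])
    if kind == '|':
        return any(matches(c, entry) for c in node[1])
    if kind == '!':
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == '*':                     # presence test, e.g. (host=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(directory, filter_text):
    node = parse_filter(filter_text)
    return [e for e in directory if matches(node, e)]


def authorize(searches, directory, **variables):
    """Grant access only if every pam_authz_search filter returns an entry."""
    return all(search(directory, expand(t, variables)) for t in searches)


# The two searches quoted in the message above, as nslcd.conf would carry them.
SEARCHES = [
    '(&(objectClass=posixGroup)(cn=allowgroup)(memberUid=$uid))',
    '(&(objectClass=posixAccount)(uid=$username)(host=$hostname))',
]

# Constructed directory content (attribute names lower-cased for lookup).
DIRECTORY = [
    {'objectclass': ['posixGroup'], 'cn': ['allowgroup'],
     'memberuid': ['alice', 'bob']},
    {'objectclass': ['posixAccount'], 'uid': ['alice'], 'host': ['web1', 'web2']},
    {'objectclass': ['posixAccount'], 'uid': ['bob'], 'host': ['db1']},
    {'objectclass': ['posixAccount'], 'uid': ['carol'], 'host': ['web1']},
]

if __name__ == '__main__':
    for user, host in [('alice', 'web1'), ('bob', 'web1'), ('carol', 'web1')]:
        ok = authorize(SEARCHES, DIRECTORY, username=user, uid=user, hostname=host)
        print('%s on %s: %s' % (user, host, 'allowed' if ok else 'denied'))
```

Running it shows alice allowed on web1 (group member and host attribute match), bob denied (group member, but his host attribute is db1) and carol denied (host matches, but she is not in allowgroup), i.e. the two searches are combined as an AND, which is what the reply above describes.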