RSS feed

Re: Fine grained access control

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Fine grained access control

On Thu, 2012-08-30 at 21:51 +0200, Richard Pijnenburg wrote:
> I'm looking for a way to have fine grained access control for user to
> servers.

With nss-pam-ldapd you can use the pam_authz_search option to specify a
filter for the PAM module. With nss-pam-ldapd 0.8.9 the pam_authz_search
option can be specified multiple times.

You could do something like:

pam_authz_search (&(objectClass=posixGroup)(cn=allowgroup)(memberUid=$uid))
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$hostname))

to require that the user that is logging in is a member of allowgroup
and the user has a host attribute with the value of the current
hostname. See the nslcd.conf manual page for more details.

-- arthur - - --
To unsubscribe send an email to or see