Re: Revisiting Map limit to map base option
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: Revisiting Map limit to map base option
- Date: Sat, 12 Oct 2013 15:45:35 +0200
On Tue, 2013-10-08 at 18:34 +0530, Ashutosh Mahajan wrote:
> All users in the IEOR group should be allowed. 9 users from ME group
> also should be allowed, but no one else from ME should be allowed. So
> we had
>
> base ou=IEOR,ou=People,dc=iitb,dc=ac,dc=in
> base uid=user1,ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
> base uid=user2,ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
> base uid=user3,ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
> ...
> base uid=user10,ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
>
> But the limit of 7 got exceeded. Can we get around this situation
> using some trick? involving pam_authz_search for instance?

You could give users an extra attribute in the directory and use that to
determine access. The pam_authz_search option in the manual page has
some examples of this (host or authorizedService attribute).

The difference between using base and using pam_authz_search is that all
users would exist on the system but only users matching pam_authz_search
can log in.

Kind regards,
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
--
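
The approach described in the reply, written out as an nslcd.conf fragment (an added example, not part of the original message). It assumes the permitted entries (all IEOR users and the chosen ME users) carry a host attribute naming this machine, and that the directory schema allows that attribute on those entries.

```conf
# nslcd.conf fragment (added example; DNs are the ones from the quoted message)

# Before: one base line per permitted entry, which hits the limit on base options.
#base ou=IEOR,ou=People,dc=iitb,dc=ac,dc=in
#base uid=user1,ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
#base uid=user2,ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in
#...

# After: two subtree bases instead of one base per user.
# Every account below them now exists on the system.
base ou=IEOR,ou=People,dc=iitb,dc=ac,dc=in
base ou=fac,ou=ME,ou=People,dc=iitb,dc=ac,dc=in

# Access is granted only when this search returns an entry.
# $username, $hostname and $fqdn are expanded by nslcd at login time.
# Assumption: permitted users have host=<this machine's name> set on their entry;
# ME users without the attribute resolve as accounts but are denied login.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))
```

Accounts under both bases still resolve through NSS (for example with getent passwd); the filter only decides whether the PAM authorisation check succeeds.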