per-PAM profile basedn

I have a kiosk farm.  A handful of kiosks run a staff SOE, and the
rest run an inmate SOE.

In nslcd.conf I set basedn to ou=staff,... on the former, and
ou=inmates,... on the latter -- so there's *no way* for the wrong kind
of user to authenticate at all, because PAM and NSS can't even see
their user object.

And that has been working so well, I got rid of the old way -- putting
all the inmates in an "inmates" group and requiring users be in it:

    auth required pam_listfile.so item=group sense=allow file=/etc/inmate-groups onerr=fail

The problem I just ran into is, on the *server*, some processes need
to be limited to inmates, some to staff, and some need to allow
everybody.

Is there a pam module that can say something like "require the
authenticating user's dn be within this basedn?"

Is there some other clever approach?

The server is still running Ubuntu 10.04 and PADL pam/nss-ldap for
now, and I *think* I only really need to work around bugs in dovecot1 --
which goes away when I upgrade to Debian stable.  So this problem
*might* go away by the time I can actually use nss-pam-ldapd. I'm
still interested in feedback, tho.

Plan A is to have dovecot1 talk to LDAP directly (not via NSS/PAM),
which is working apart from
http://wiki1.dovecot.org/Authentication/MasterUsers

Plan B is to try PADL pam_ldap.so's config=<path> option to have
different ldap.conf's with different basedn's, but the manpage
explicitly warns against using multiple ldap.conf's.

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
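The check the post asks for ("require the authenticating user's dn be within this basedn"), as an added example that is not from the original post and not part of nss-pam-ldapd or PADL pam_ldap. It compares DNs RDN by RDN rather than as a string suffix, because a plain suffix match would treat `uid=x,ou=notstaff,...` as lying under `ou=staff,...`, and it fails closed for unknown services the way `pam_listfile ... onerr=fail` does. The directory layout (`dc=example,dc=org`), the service names and the policy table are constructed for illustration:

```python
# Added example (not code from the original post or from nss-pam-ldapd):
# decide whether an authenticated user's DN lies under a given base DN,
# and gate per-service access on that. Sample DNs and service names below
# are constructed for illustration.

HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split an RFC 4514 DN string into its RDN strings, honouring
    backslash escapes so an escaped comma inside a value is not a separator.
    Multi-valued RDNs (joined with '+') are not handled here."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact for unescape()
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def unescape(value):
    """Resolve '\\X' and '\\HH' escapes in an RDN value in a single pass."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(ch in HEX for ch in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def dn_components(dn):
    """Normalise a DN to a list of (attribute, value) tuples, lowercased."""
    comps = []
    for rdn in split_dn(dn):
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        comps.append((attr.strip().lower(), unescape(value.strip()).lower()))
    return comps


def dn_within(user_dn, base_dn):
    """True if user_dn equals base_dn or is a descendant of it.

    Compared RDN by RDN from the right, not as a string suffix: a naive
    suffix test would accept uid=x,ou=notstaff,... as lying under ou=staff,...
    """
    user = dn_components(user_dn)
    base = dn_components(base_dn)
    if not base or len(user) < len(base):
        return False
    return user[len(user) - len(base):] == base


# Constructed sample directory layout (assumption, not from the post).
STAFF_BASE = "ou=staff,dc=example,dc=org"
INMATE_BASE = "ou=inmates,dc=example,dc=org"

# Which base(s) each server-side service accepts (constructed names).
SERVICE_POLICY = {
    "staff-admin": [STAFF_BASE],
    "inmate-mail": [INMATE_BASE],
    "shared-kiosk": [STAFF_BASE, INMATE_BASE],
}


def authorize(service, user_dn):
    """Allow only if the user's DN sits under a base permitted for the
    service. Unknown services fail closed, like pam_listfile onerr=fail."""
    bases = SERVICE_POLICY.get(service)
    if not bases:
        return False
    return any(dn_within(user_dn, base) for base in bases)


if __name__ == "__main__":
    for svc, dn in [("staff-admin", "uid=alice,ou=staff,dc=example,dc=org"),
                    ("staff-admin", "uid=mallory,ou=notstaff,dc=example,dc=org"),
                    ("inmate-mail", "cn=Smith\\, John,ou=inmates,dc=example,dc=org")]:
        print(svc, dn, "->", "allow" if authorize(svc, dn) else "deny")
```

The same containment logic is what a PAM-side or directory-side restriction has to get right: the DN that comes back from the bind is the thing to compare, and the comparison has to respect RDN boundaries, escaping and case, otherwise a user whose OU merely ends in the same characters slips through.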