per-PAM profile basedn

I have a kiosk farm.  A handful of kiosks run a staff SOE, and the
rest run an inmate SOE.

In nslcd.conf I set basedn to ou=staff,... on the former, and
ou=inmates,... on the latter -- so there's *no way* for the wrong kind
of user to authenticate at all, because PAM and NSS can't even see
their user object.

And that has been working so well, I got rid of the old way -- putting
all the inmates in an "inmates" group and requiring users be in it:

    auth required pam_listfile.so item=group sense=allow file=/etc/inmate-groups onerr=fail

The problem I just ran into is, on the *server*, some processes need
to be limited to inmates, some to staff, and some need to allow

Is there a pam module that can say something like "require the
authenticating user's dn be within this basedn?"

Is there some other clever approach?

The server is still running Ubuntu 10.04 and PADL pam/nss-ldap for
now, and I *think* I only really need to work around bugs in dovecot1 --
which goes away when I upgrade to Debian stable.  So this problem
*might* go away by the time I can actually use nss-pam-ldapd. I'm
still interested in feedback, though.

Plan A is to have dovecot1 talk to LDAP directly (not via NSS/PAM),
which is working apart from

Plan B is to try PADL's config=<path> option to have
different ldap.conf's with different basedn's, but the manpage
explicitly warns against using multiple ldap.conf's.
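As an added example that is not part of the original message: one way to get the "require the authenticating user's DN be within this base DN" check asked for above is pam_exec.so (part of Linux-PAM) running a small POSIX shell script. The ldapsearch lookup, the ldap://localhost URI, the uid attribute and the dc=example,dc=org defaults are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: a pam_exec.so helper that
# enforces "the authenticating user's DN must lie under this base DN".
# Assumptions: ldapsearch (ldap-utils) is installed, anonymous search is
# allowed, users are found by uid, and the LDAP_URI/SEARCH_BASE defaults
# below are placeholders to adjust.
set -eu

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# PAM_USER such as 'bob)(uid=*' cannot rewrite the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Normalize a DN for comparison: lower-case it and drop spaces after commas.
# This covers the usual layout differences only, not full RFC 4514 matching
# (escaped commas and multi-valued RDNs are not handled).
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Succeed (exit 0) only if DN $1 lies strictly below base DN $2.
dn_under_base() {
    dn=$(norm_dn "$1")
    base=$(norm_dn "$2")
    case "$dn" in
        *",$base") return 0 ;;
        *)         return 1 ;;
    esac
}

# Resolve a login name to its DN; prints nothing if there is no match.
# Assumed details: the URI, the search base and the uid attribute.
lookup_dn() {
    ldapsearch -LLL -x -H "${LDAP_URI:-ldap://localhost}" \
        -b "${SEARCH_BASE:-dc=example,dc=org}" \
        "(uid=$(ldap_filter_escape "$1"))" dn 2>/dev/null \
        | sed -n 's/^dn: //p' | head -n 1
}

# Entry point when run by PAM, e.g. in /etc/pam.d/dovecot-inmates:
#   auth required pam_exec.so /usr/local/sbin/pam-dn-in-base.sh ou=inmates,dc=example,dc=org
# pam_exec exports PAM_USER; a non-zero exit fails the module, so any lookup
# problem denies access instead of letting it through (like onerr=fail).
if [ -n "${PAM_USER:-}" ] && [ $# -eq 1 ]; then
    user_dn=$(lookup_dn "$PAM_USER")
    [ -n "$user_dn" ] || exit 1
    dn_under_base "$user_dn" "$1" || exit 1
    exit 0
fi
```

A second service file with a different base DN argument gives the staff-only variant; the same script serves both.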
