RSS feed

Re: Filtering with pam_authz_search

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Filtering with pam_authz_search

On Wed, 2014-06-04 at 16:33 +0000, Valiere Jean-Christophe wrote:
> I'm trying to filter users with pam_authz_search.
> I've some servers on which some customers have to login and some
> others on which they don't.
> But when I lookup for users I still see members of group Consulting:
> getent passwd
> cp.yyy:*:10002:10000:cp.yyy:/home/cp.yyy:/bin/bash
> consulting1:*:10007:10002:Consultant1:/home/consulting1:/bin/bash

The pam_authz_search option is only used for extra authorisation checks,
not for account presence and is only applied after authentication.

If you want to restrict which users are known you are limited to the
base and filter options.

If your LDAP server supports searching on the memberOf attribute of
users, this may be an option, otherwise it will be very difficult.

If the pam_authz_search option does not prevent users from logging in
when it should, you may have an issue in your PAM configuration.

Hope this clarifies things,

-- arthur - - --
To unsubscribe send an email to or see