Re: Filtering with pam_authz_search

On Wed, 2014-06-04 at 16:33 +0000, Valiere Jean-Christophe wrote:
> I'm trying to filter users with pam_authz_search.
> I've some servers on which some customers have to login and some
> others on which they don't.
[...]
> But when I lookup for users I still see members of group Consulting:
> getent passwd
> cp.xxx:*:10000:10000:cp.xxx:/home/cp.xxx:/bin/bash
> cp.yyy:*:10002:10000:cp.yyy:/home/cp.yyy:/bin/bash
> consulting1:*:10007:10002:Consultant1:/home/consulting1:/bin/bash

The pam_authz_search option is only used for extra authorisation checks,
not for account presence and is only applied after authentication.

If you want to restrict which users are known, you are limited to the
base and filter options.

If your LDAP server supports searching on the memberOf attribute of
users, this may be an option; otherwise it will be very difficult.

If the pam_authz_search option does not prevent users from logging in
when it should, you may have an issue in your PAM configuration.

Hope this clarifies things,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
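The distinction Arthur draws above (pam_authz_search gates the PAM account check after authentication; only base/filter shape what NSS returns) is easiest to see in nslcd.conf itself. The fragment below is an added example, not configuration from the original thread or from the nss-pam-ldapd project; the server name, base DN and group DN are hypothetical. It shows the setting the original poster relied on, which leaves every account visible to `getent passwd`, next to the `filter passwd` restriction that actually hides the accounts on this host.

```conf
# /etc/nslcd.conf  (hypothetical host, base and group DNs)
uri  ldap://ldap.example.com/
base dc=example,dc=com

# Weak: pam_authz_search on its own. It is only consulted by pam_ldap
# during the PAM account phase, after a successful authentication. NSS
# never looks at it, so `getent passwd` still lists every posixAccount,
# including the Consulting members this host should not know about.
#pam_authz_search (&(objectClass=posixAccount)(uid=$username)(!(memberOf=cn=Consulting,ou=groups,dc=example,dc=com)))

# Corrected: restrict the passwd map itself. This filter is ANDed into
# every NSS lookup (getent, getpwnam, id), so accounts that do not match
# are simply unknown on this host. Requires a server that can search on
# memberOf (Active Directory natively, OpenLDAP with the memberof overlay).
# Allow-list form: only members of this host's access group are visible.
filter passwd (&(objectClass=posixAccount)(memberOf=cn=host-alpha-users,ou=groups,dc=example,dc=com))
# Deny-list form for the case in the thread (hide one group everywhere else):
#filter passwd (&(objectClass=posixAccount)(!(memberOf=cn=Consulting,ou=groups,dc=example,dc=com)))

# Keep the shadow map consistent with passwd, so a hidden account cannot
# still be reached through getspnam()/getent shadow.
filter shadow (&(objectClass=shadowAccount)(memberOf=cn=host-alpha-users,ou=groups,dc=example,dc=com))

# Keep pam_authz_search as a second, independent layer. It is evaluated
# in the PAM account phase, so pam_ldap.so must be listed in the account
# stack (e.g. `account required pam_ldap.so`) or it has no effect at all,
# which is the "issue in your PAM configuration" case above.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(memberOf=cn=host-alpha-users,ou=groups,dc=example,dc=com))
```

After reloading nslcd, `getent passwd consulting1` should return nothing on a host using the allow-list filter, and `id consulting1` should report an unknown user. Two caveats: a plain memberOf comparison does not expand nested groups, so a user reachable only through a group-in-group membership will not match; and if the directory does not maintain memberOf at all, there is no single filter on the user entry that expresses group membership, which is the "very difficult" case in the reply.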