RSS feed

Re: pam_check_host_attr not work on centos7

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: pam_check_host_attr not work on centos7

On Tue, 2016-05-17 at 18:23 +0800, 灰色袜子 wrote:
> on centos6 I add "pam_check_host_attr yes" at /etc/pam_ldap.conf.
> It work well but on centos7 it's not work well.

Whether /etc/pam_ldap.conf or /etc/nslcd.conf is used depends on which
PAM module is used. The first file is for the original PADL pam_ldap
module, the second is for the PAM module that is part of nss-pam-ldapd.

> I see the man nslcd.conf on centos7 get something about it
> The pam_check_host_attr option can be emulated with:
> (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
> but still not work for restrict some use to login
> I used dynlist to the host attribute of a user like this:
> $ ldapsearch -x -LLL uid=test5
> dn: uid=test5,ou=People,dc=9icaishi,dc=net
> uid: test5
> host: 10-1-1-142
> host: 10-1-1-151
> but when I seach add host filter
> $ ldapsearch -x -LLL "(&(uid=test5)(host=10-1-1-142))"
> there is nothing 

This looks like an issue in your LDAP server configuration. Perhaps
some index is messing something up (I'm not too familiar with the
dynlist overlay)? 

> how to use pam_authz_search to restrict user login some host not all?

pam_authz_search has a lot of flexibility so perhaps you could do
something like:


assuming the host objects have a member attribute that points to users.

Hope this helps,

-- arthur - - --
To unsubscribe send an email to or see