
Re: pam_check_host_attr not work on centos7




I had similar issues with dynlist. If I remember well, you have to request some specific attribute type to trigger the dynlist overlay. Those host entries aren't stored directly in the database datafiles; the server returns them as a result of its own search. Try using the autogroup overlay instead. It does the same, but it stores those dynamic attributes in the datafiles.

On Tue, May 24, 2016 at 10:59 PM, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Tue, 2016-05-17 at 18:23 +0800, 灰色袜子 wrote:
> On centos6 I added "pam_check_host_attr yes" to /etc/pam_ldap.conf.
> It works well, but on centos7 it does not work.

Whether /etc/pam_ldap.conf or /etc/nslcd.conf is used depends on which
PAM module is used. The first file is for the original PADL pam_ldap
module, the second is for the PAM module that is part of nss-pam-ldapd.

> I see the nslcd.conf man page on centos7 says something about it:
> The pam_check_host_attr option can be emulated with:
>               (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(host=\\*)))
> but it still does not work for restricting some users from logging in.
>
> I used dynlist for the host attribute of a user, like this:
> $ ldapsearch -x -LLL uid=test5
> dn: uid=test5,ou=People,dc=9icaishi,dc=net
[...]
> uid: test5
> host: 10-1-1-142
> host: 10-1-1-151
>
> but when I search with a host filter added:
> $ ldapsearch -x -LLL "(&(uid=test5)(host=10-1-1-142))"
> there is nothing 

This looks like an issue in your LDAP server configuration. Perhaps
some index is messing something up (I'm not too familiar with the
dynlist overlay)? 

> How do I use pam_authz_search to restrict user login to some hosts, not all?

pam_authz_search has a lot of flexibility so perhaps you could do
something like:

(&(objectClass=hostObject)(host=$hostname)(member=$userdn))

assuming the host objects have a member attribute that points to users.

Hope this helps,

--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/ --

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/



--

Jakub Jindra
System Administrator

Socialbakers (Candytech)
Measuring and managing engagement in social media

Socialbakers.com is the largest Facebook statistics portal
a Facebook Preferred Developer Consultant 

Mobile: +420 732 114 225
jakub.jindra@socialbakers.com
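To make the two pam_authz_search filters from this thread concrete, here is a small added example (my own code, not part of nss-pam-ldapd or of anything posted above). It expands the $username, $hostname, $fqdn and $userdn variables into a filter template the way nslcd does for pam_authz_search, then evaluates the result against a few constructed in-memory entries, so the man page's emulation filter and Arthur's hostObject/member filter can be compared without a directory server. Assumptions: the DNs and hostnames are made up (dc=example,dc=org), attribute matching is case-insensitive, $fqdn is derived by appending .example.org, substituted values are RFC 4515-escaped before insertion, and a backslash-escaped asterisk (`\*` or `\2a`) in the filter is treated as a literal "*" value, which is what the emulation filter's `(host=\\*)` intends. Only the filter subset needed here (&, |, !, equality with * wildcards) is implemented.

```python
# Added example, not part of the nss-pam-ldapd project or of this thread.
# Expands pam_authz_search $variables and evaluates the filter against
# constructed in-memory entries. Supported subset: (&...), (|...), (!...),
# attr=value with "*" wildcards; "\*" or "\2a" is a literal asterisk.
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]  # lowercased attribute name -> values

# Constructed directory content (DNs and hostnames are made up).
DIRECTORY: List[Entry] = [
    {"dn": ["uid=test5,ou=People,dc=example,dc=org"],
     "objectclass": ["posixAccount"], "uid": ["test5"],
     "host": ["10-1-1-142", "10-1-1-151"]},
    {"dn": ["uid=admin,ou=People,dc=example,dc=org"],
     "objectclass": ["posixAccount"], "uid": ["admin"],
     "host": ["*"]},  # a literal "*" value: allowed on every host
    {"dn": ["cn=10-1-1-142,ou=Hosts,dc=example,dc=org"],
     "objectclass": ["hostObject"], "host": ["10-1-1-142"],
     "member": ["uid=test5,ou=People,dc=example,dc=org"]},
    {"dn": ["cn=10-1-1-200,ou=Hosts,dc=example,dc=org"],
     "objectclass": ["hostObject"], "host": ["10-1-1-200"]},
]

# The two filters from the thread. In Python source "\\*" is the single
# backslash form "\*" that the man page's emulation filter is meant to send.
EMULATION = ("(&(objectClass=posixAccount)(uid=$username)"
             "(|(host=$hostname)(host=$fqdn)(host=\\*)))")
HOSTOBJECT = "(&(objectClass=hostObject)(host=$hostname)(member=$userdn))"


def escape_value(value: str) -> str:
    """RFC 4515 escaping, so a substituted value cannot change the filter shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand(template: str, variables: Dict[str, str]) -> str:
    """Replace $name tokens with escaped values; an unknown name raises KeyError."""
    return re.sub(r"\$(\w+)", lambda m: escape_value(variables[m.group(1)]), template)


def parse(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Recursive-descent parser; returns (node, index just past the closing paren)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    op = text[pos + 1]
    if op in "&|!":
        kids, pos = [], pos + 2
        while pos < len(text) and text[pos] == "(":
            kid, pos = parse(text, pos)
            kids.append(kid)
        if pos >= len(text) or text[pos] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %s filter at %d" % (op, pos))
        return (op, kids), pos + 1
    end = text.index(")", pos)  # escaped parens arrive as \28 / \29, so this is safe
    attr, _, value = text[pos + 1:end].partition("=")
    return ("=", attr.strip().lower(), value), end + 1


def value_regex(value: str):
    """Assertion value -> regex: unescaped * is a wildcard, escapes are literal."""
    out, i = ["^"], 0
    while i < len(value):
        if value[i] == "\\":
            hexpair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
                out.append(re.escape(chr(int(hexpair, 16)))); i += 3
            else:  # lenient "\*" spelling as shown in nslcd.conf(5)
                out.append(re.escape(value[i + 1])); i += 2
        elif value[i] == "*":
            out.append(".*"); i += 1
        else:
            out.append(re.escape(value[i])); i += 1
    out.append("$")
    return re.compile("".join(out), re.IGNORECASE)  # case-insensitive: an assumption


def matches(node: tuple, entry: Entry) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    rx = value_regex(node[2])
    return any(rx.match(v) for v in entry.get(node[1], []))


def search(filter_text: str, directory: List[Entry] = DIRECTORY) -> List[str]:
    """Return the DNs matching the filter (nslcd only cares whether any match)."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["dn"][0] for e in directory if matches(node, e)]


def authorized(template: str, username: str, hostname: str, userdn: str) -> bool:
    """pam_authz_search semantics: access is granted iff the search finds an entry."""
    variables = {"username": username, "hostname": hostname,
                 "fqdn": hostname + ".example.org", "userdn": userdn}
    return bool(search(expand(template, variables)))


if __name__ == "__main__":
    dn = "uid=test5,ou=People,dc=example,dc=org"
    for host in ("10-1-1-142", "10-1-1-200"):
        print(host, authorized(EMULATION, "test5", host, dn), authorized(HOSTOBJECT, "test5", host, dn))
```

With these entries, test5 is granted on 10-1-1-142 and refused on 10-1-1-200 under both filters, admin is granted everywhere under the emulation filter because of the literal "*" host value, and a username of "*" is refused because escaping turns it into a literal rather than a wildcard. The same evaluator also shows that `(&(uid=test5)(host=10-1-1-142))` finds the entry when host is a stored attribute, which is the behaviour the original poster expected from ldapsearch.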
