lists.arthurdejong.org

Re: filter passwd for users based on group membership




On Fri, 2017-03-03 at 13:28 -0500, Lucas Holt wrote:
> We have a situation where we want to filter users based on group
> membership but the memberOf feature is not turned on for user records
> in the LDAP server.  We don't control the LDAP server and can't get
> this feature turned on.  Is there any way to write a filter for the
> nslcd.conf file that can successfully do this?

The pam_authz_search option can be used to search for groups the user
is a member of to achieve this. The most common use case is probably to
search for the user and check for attributes but you could also do
something like

pam_authz_search (&(objectClass=posixGroup)(cn=somegroupname)(memberUid=$uid))

or

pam_authz_search (&(objectClass=posixGroup)(cn=somegroupname)(member=$dn))

to see if a user is in a specific group.

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
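Added example, not part of the original message and not nss-pam-ldapd code: a small Python model of how a pam_authz_search template like the two above decides access, expanding $uid or $dn with RFC 4515 escaping and granting access when at least one entry matches. The directory entries, the group name othergroup, the helper names and the exact-match comparison are assumptions made for illustration.

```python
import re

# Constructed sample directory (not from the original post): one group that
# lists members by uid (memberUid) and one that lists them by DN (member).
GROUPS = [
    {"objectClass": ["posixGroup"], "cn": ["somegroupname"],
     "memberUid": ["alice"]},
    {"objectClass": ["posixGroup"], "cn": ["othergroup"],
     "member": ["uid=bob,ou=people,dc=example,dc=com"]},
]

def escape(value):
    """Escape the RFC 4515 special characters in a substituted value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, variables):
    """Replace each $name in the template with its escaped value."""
    return re.sub(r"\$(\w+)", lambda m: escape(variables[m.group(1)]), template)

def unescape(value):
    """Turn \\XX escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def parse_and_filter(ldap_filter):
    """Parse only the (&(attr=value)...) form used in the message above."""
    term = r"\(([^()=]+)=([^()*]*)\)"
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()*]*\))+)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    return [(a, unescape(v)) for a, v in re.findall(term, m.group(1))]

def authorized(template, variables, entries=GROUPS):
    """Grant access when at least one entry matches the expanded filter.

    Simplification (assumption): values are compared exactly, without the
    per-attribute matching rules a real LDAP server applies.
    """
    terms = parse_and_filter(expand(template, variables))
    return any(all(v in e.get(a, []) for a, v in terms) for e in entries)

BY_UID = "(&(objectClass=posixGroup)(cn=somegroupname)(memberUid=$uid))"
BY_DN = "(&(objectClass=posixGroup)(cn=othergroup)(member=$dn))"

if __name__ == "__main__":
    print(authorized(BY_UID, {"uid": "alice"}))   # member of somegroupname
    print(authorized(BY_UID, {"uid": "bob"}))     # not listed in memberUid
    print(authorized(BY_DN, {"dn": "uid=bob,ou=people,dc=example,dc=com"}))
```
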