lists.arthurdejong.org

Re: [nssldap] restricting users to certain hosts?

pkoelle@gmail.com wrote:
Since you are posting to nssldap, I suppose you want to exploit LDAP here. You can set:

pam_check_host_attr yes

in your /etc/ldap.conf file (different name on Debian-based distros...) and add:

host: arrowhead
host: someotherservername

to the relevant user entries in your directory (it's multivalued). This is checked in the account PAM stack, so:

account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
account required pam_unix_acct.so

Note the second option to pam_ldap.so; if it is not set you will be unable to log in as *any* user if the LDAP server is down. My logic tells me setting this makes you vulnerable to DoS attacks, but for our case this is the lesser of two evils and LDAP is internal (fingers crossed ;)).

Read man pam_ldap for the other options too, and test that local users can still log in with LDAP down before you ship the server 2000 miles abroad ;)

cheers
 Paul

When I run ldapadd for a user and have host: roark in the LDIF, I get:

ldapadd: Object class violation (65)
       additional info: attribute 'host' not allowed

and I am loading cosine.schema. Have you seen this error before?
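As an added illustration of the account stack Paul describes (this is not code from the list, from pam_ldap or from Linux-PAM, only a small constructed model of the decisions they make), the following Python shows what pam_check_host_attr does with the multivalued host attribute and why the two ignore_* options decide whether anyone can log in while the LDAP server is unreachable. The directory contents, the local passwd users and the hostnames are constructed for the example; the treatment of a literal "*" host value as "any host" is an assumption about pam_ldap that you should verify against your version.

```python
"""Model of the account stack from the message above:

    account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
    account required pam_unix_acct.so

Constructed example: NOT pam_ldap or Linux-PAM source, just a simplified
model of the return codes they produce and how two 'required' modules
combine, so the effect of each option can be checked offline.
"""

# PAM return codes, by name (the numeric values do not matter here).
SUCCESS = "PAM_SUCCESS"
IGNORE = "PAM_IGNORE"               # module abstains; does not affect the stack
PERM_DENIED = "PAM_PERM_DENIED"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Constructed directory contents: uid -> values of the multivalued 'host' attribute.
DIRECTORY = {
    "alice": ["arrowhead", "someotherservername"],
    "bob": [],          # LDAP account with no host attribute at all
    "carol": ["*"],     # wildcard; see the assumption in host_allowed()
}

# Constructed /etc/passwd users, resolvable without LDAP.
LOCAL_PASSWD = {"root", "backup"}


def host_allowed(hosts, hostname):
    """pam_check_host_attr decision for one entry.

    Case-insensitive match of the local hostname against each 'host'
    value. A bare '*' is treated as 'any host' (assumption: pam_ldap
    honours this wildcard; check your version). The value has to match
    what gethostname() returns, so 'arrowhead' does not match a machine
    that reports 'arrowhead.example.com'. No host values -> denied.
    """
    hostname = hostname.lower()
    return any(h == "*" or h.lower() == hostname for h in hosts)


def pam_ldap_acct(user, hostname, *, ldap_up, check_host_attr=True,
                  ignore_unknown_user=False, ignore_authinfo_unavail=False):
    """Return code of pam_ldap.so in the account phase (modelled)."""
    if not ldap_up:
        # Server unreachable: fail hard, or abstain if told to ignore it.
        return IGNORE if ignore_authinfo_unavail else AUTHINFO_UNAVAIL
    if user not in DIRECTORY:
        # Not an LDAP user (e.g. root): fail hard, or abstain.
        return IGNORE if ignore_unknown_user else USER_UNKNOWN
    if check_host_attr and not host_allowed(DIRECTORY[user], hostname):
        return PERM_DENIED
    return SUCCESS


def pam_unix_acct(user, *, ldap_up):
    """Return code of pam_unix_acct.so (modelled): it needs getpwnam() to
    succeed, and with nss_ldap in nsswitch.conf that means a local passwd
    entry or a reachable LDAP server."""
    if user in LOCAL_PASSWD or (ldap_up and user in DIRECTORY):
        return SUCCESS
    return USER_UNKNOWN


def account_stack(user, hostname, *, ldap_up,
                  ignore_unknown_user=True, ignore_authinfo_unavail=True):
    """Two 'required' modules, simplified Linux-PAM semantics: IGNORE has
    no effect, the first non-success result wins, and if every module
    abstained there is no decision and the stack fails."""
    results = [
        pam_ldap_acct(user, hostname, ldap_up=ldap_up,
                      ignore_unknown_user=ignore_unknown_user,
                      ignore_authinfo_unavail=ignore_authinfo_unavail),
        pam_unix_acct(user, ldap_up=ldap_up),
    ]
    decisive = [r for r in results if r != IGNORE]
    if not decisive:
        return PERM_DENIED
    for r in decisive:
        if r != SUCCESS:
            return r
    return SUCCESS


if __name__ == "__main__":
    # Constructed scenarios: LDAP user on an allowed/denied host, user with no
    # host attribute, and root with the LDAP server down, with and without
    # ignore_authinfo_unavail.
    cases = [
        ("alice", "arrowhead", True, {}),
        ("alice", "roark", True, {}),
        ("bob", "arrowhead", True, {}),
        ("root", "arrowhead", False, {}),
        ("root", "arrowhead", False, {"ignore_authinfo_unavail": False}),
        ("alice", "arrowhead", False, {}),
    ]
    for user, host, up, opts in cases:
        print(f"{user:6} on {host:10} ldap_up={up!s:5} {opts or ''} -> "
              f"{account_stack(user, host, ldap_up=up, **opts)}")
```

The case to look at before shipping the box is root with ldap_up=False: with ignore_authinfo_unavail set, pam_ldap abstains and pam_unix alone decides, so the local account still gets in; without it, pam_ldap's PAM_AUTHINFO_UNAVAIL is the first failure in a required stack and nobody logs in. The flip side is that an LDAP-only user is unknown to pam_unix while the server is down and is correctly refused.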