Re: [nssldap] restricting users to certain hosts?
- From: Buchan Milne <bgmilne [at] mandriva.org>
- To: Adam Williams <awilliam [at] mdah.state.ms.us>
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] restricting users to certain hosts?
- Date: Fri, 7 Mar 2008 16:46:10 +0200
On Thursday 06 March 2008 20:15:02 Adam Williams wrote:
> pkoelle@gmail.com wrote:
> > Since you are posting to nssldap, I suppose you want to exploit LDAP
> > here. You can set:
> >
> > pam_check_host_attr yes
> >
> > in your /etc/ldap.conf file (different name on debian based
> > distros...) and add:
> >
> > host: arrowhead
> > host: someotherservername
> >
> > to the relevant user entries in your directory (it's multivalued).
> > This is checked in the account pam stack so:
> >
> > account required pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
> > account required pam_unix_acct.so
> >
> > note the second option to pam_ldap.so, if not set you will be unable
> > to login as *any* user if the LDAP server is down. My logic tells me
> > setting this makes you vulnerable to DOS attacks but for our case this
> > is the lesser of two evils and LDAP is internal (fingers crossed ;)).
> >
> > read man pam_ldap for the other options too and test that local users
> > can still login with LDAP down before you ship the server 2000 miles
> > abroad ;)
> >
> > cheers
> > Paul
>
> When I run ldapadd for a user and have host: roark in the LDIF, I get:
>
> ldapadd: Object class violation (65)
> additional info: attribute 'host' not allowed
>
> and I am loading cosine.schema. Have you seen this error before?
Add the auxiliary hostObject objectclass, from ldapns.schema, shipped with pam_ldap.
Regards,
Buchan
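The two checks discussed in the thread, as an added example that is not code from this thread or from pam_ldap itself: the schema rule behind "attribute 'host' not allowed" (the host attribute belongs to the auxiliary hostObject class in ldapns.schema, so an entry carrying host values without that class is rejected), and the account-stage check pam_check_host_attr performs (the login host must be among the entry's host values, so an entry with no host values is denied everywhere). The DN, user and host names are constructed, and exact string matching of hostnames is an assumption about the module's comparison.

```python
"""Model the two checks behind the thread's host restriction.

Added example, not code from the nssldap thread or from pam_ldap itself.
It models (1) the schema rule that produced "attribute 'host' not allowed":
'host' belongs to the auxiliary objectClass hostObject (ldapns.schema), and
(2) what pam_check_host_attr does at the account stage: the login host must
appear among the entry's host values. The DN, user and host names below are
constructed, and exact string matching of hostnames is an assumption.
"""

# Constructed sample: a posixAccount entry submitted with ldapadd, carrying
# host values but not the objectClass that permits them.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
host: roark
host: arrowhead
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into attribute (lower-cased) -> list of values.

    Folded lines (leading space) are joined; base64 values ("::") are not
    decoded, since the sample does not use them.
    """
    logical: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    entry: dict[str, list[str]] = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def schema_violations(entry: dict[str, list[str]]) -> list[str]:
    """Report the objectClass violation the server returned for 'host'."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "host" in entry and "hostobject" not in classes:
        return ["attribute 'host' not allowed: add objectClass hostObject "
                "(auxiliary class from ldapns.schema)"]
    return []


def add_host_object(ldif_text: str) -> str:
    """Return the LDIF with 'objectClass: hostObject' added after the last
    existing objectClass line (after the dn line if there is none)."""
    lines = ldif_text.splitlines()
    if any(l.lower() == "objectclass: hostobject" for l in lines):
        return ldif_text
    insert_at = 1  # directly after the dn line
    for i, line in enumerate(lines):
        if line.lower().startswith("objectclass:"):
            insert_at = i + 1
    lines.insert(insert_at, "objectClass: hostObject")
    return "\n".join(lines) + "\n"


def modify_ldif(dn: str, hosts: list[str]) -> str:
    """LDIF for ldapmodify that fixes an already-stored entry in one step:
    add the auxiliary class and the multi-valued host attribute."""
    lines = [f"dn: {dn}", "changetype: modify",
             "add: objectClass", "objectClass: hostObject", "-",
             "add: host"] + [f"host: {h}" for h in hosts]
    return "\n".join(lines) + "\n"


def host_allowed(entry: dict[str, list[str]], hostname: str) -> bool:
    """pam_check_host_attr as modelled here: the login host must be one of
    the entry's host values (exact match assumed). An entry with no host
    values is denied, which is why every permitted host must be listed."""
    return hostname in entry.get("host", [])


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for problem in schema_violations(entry):
        print("ldapadd would fail:", problem)
    fixed = parse_ldif_entry(add_host_object(SAMPLE_LDIF))
    print("after fix, violations:", schema_violations(fixed))
    for host in ("roark", "arrowhead", "someotherservername"):
        state = "allowed" if host_allowed(fixed, host) else "denied"
        print(f"login on {host}: {state}")
    print(modify_ldif("uid=jdoe,ou=People,dc=example,dc=com", ["roark"]))
```

Running the script shows the rejected entry, the same entry accepted once hostObject is present, and logins permitted only on the two listed hosts; `modify_ldif` prints the change you would feed to ldapmodify for a user that is already in the directory. The host check is deliberately strict: a user with no host values gets in nowhere, which is the safe failure mode when pam_check_host_attr is on.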