Re: [nssldap] Using nss_base filters

On Thu, Apr 15, 2010 at 2:01 PM, Ken Kleiner <ken@cs.uml.edu> wrote:
> Hi, I have set up an LDAP posix group and have put members into it by
> including their username in memberUid fields. This works fine from a group
> perspective.
>
> What I'm trying to do is to configure one of our systems using nss_ldap and
> pam with ldap auth so that only users in that group can be looked up (with
> id, getent passwd, etc). Then I'd like to authenticate them if so, so I
> think I can use pamgroup_dn for that.
>
> Is that what I use nss_base_passwd for? I can't figure out the syntax.
>
> Trying
>
> nss_base_passwd  ou=People,dc=my,dc=domain?one?gidNumber=12345
>
> doesn't work as expected - that only lists users whose primary group id is
> 12345, not those who are IN group 12345.
>
> Any help is appreciated. Thanks.

I don't think you can write a single LDAP filter to do what you need.
The only way I can think of doing it is ugly and a hack:

- create a dedicated user for your system(s) to bind with
- limit which users/groups that user can see using the LDAP server's
  security restrictions

The easier way to do this is put the users/groups in their own branch
in the LDAP tree and set the search base accordingly, but that assumes
your LDAP server isn't being used for other purposes.

Hopefully someone with some decent LDAP-filter-fu has a better solution.

-- 
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"
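As an added example (not from this thread or from the nss_ldap project), a small Python model of how nss_ldap applies an nss_base_passwd directive: the base and scope choose which entries are considered, and the filter is evaluated only against each user entry's own attributes, so a gidNumber filter sees the primary group and never the posixGroup entry's memberUid list. All entries and names are constructed.

```python
# Added example, not from the thread: toy evaluator for an nss_ldap
# "nss_base_passwd base?scope?filter" directive over constructed sample
# entries (hypothetical names), showing that "gidNumber=12345" matches only
# users whose primary group is 12345 and never reads the group's memberUid.
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=my,dc=domain", "objectClass": ["posixAccount"],
     "uid": ["alice"], "gidNumber": ["12345"]},
    {"dn": "uid=bob,ou=People,dc=my,dc=domain", "objectClass": ["posixAccount"],
     "uid": ["bob"], "gidNumber": ["100"]},
    {"dn": "cn=admins,ou=Group,dc=my,dc=domain", "objectClass": ["posixGroup"],
     "cn": ["admins"], "gidNumber": ["12345"], "memberUid": ["alice", "bob"]},
]

def parse_nss_base(directive):
    """Split 'base?scope?filter'; scope defaults to 'sub', filter is optional."""
    base, scope, flt = (directive.split("?") + ["", ""])[:3]
    return base, scope or "sub", flt or None

def in_scope(dn, base, scope):
    """'base' = the base entry only; 'one' = direct children; 'sub' = all below."""
    if not dn.lower().endswith(base.lower()):
        return False
    rel = dn[:len(dn) - len(base)].rstrip(",")   # RDNs between entry and base
    if scope == "base":
        return rel == ""
    if scope == "one":
        return rel != "" and "," not in rel
    return True

def matches(entry, flt):
    """Evaluate one '(attr=value)' equality filter against the entry's own attributes."""
    if flt is None:
        return True
    attr, _, value = flt.strip("()").partition("=")
    return value in entry.get(attr, [])

def passwd_lookup(directive, directory=DIRECTORY):
    """Users that 'getent passwd' via nss_ldap would return for this directive."""
    base, scope, flt = parse_nss_base(directive)
    return sorted(e["uid"][0] for e in directory if "posixAccount" in e["objectClass"]
                  and in_scope(e["dn"], base, scope) and matches(e, flt))

def group_members(gid, directory=DIRECTORY):
    """Who is actually IN the group: memberUid values plus users with that primary gid."""
    members = set()
    for e in directory:
        if "posixGroup" in e["objectClass"] and gid in e["gidNumber"]:
            members.update(e["memberUid"])
        if "posixAccount" in e["objectClass"] and gid in e["gidNumber"]:
            members.add(e["uid"][0])
    return sorted(members)
```

Running passwd_lookup with the directive from the question returns only alice, while group_members("12345") returns alice and bob, which is exactly the gap the original poster saw.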