lists.arthurdejong.org

Re: [nssldap] Using nss_base filters


This raises the question I was thinking all along:

What are you trying to accomplish? Are you trying to prevent people
doing searches from seeing those other entries, are you trying to
restrict access to a system?

Those other entries can still be visible while still restricting access
to a system to only certain groups.

If you're using PAM with pam_ldap, you can add the host attribute to a
user account to restrict access to only certain systems. From
/etc/ldap.conf on a RHEL 5.5 system:

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

--
Prentice


Douglas E. Engert wrote:
> 
> 
> Ken Kleiner wrote:
>> Hi,  I have set up an LDAP posix group and have put members into it by
>> including their username in memberuid fields.  This works fine from a
>> group perspective.
>>
>> What I'm trying to do is to configure one of our systems using
>> nss_ldap and pam with ldap auth so that only users in that group can
>> be looked up (with id, getent passwd, etc).  Then I'd like to
>> authenticate them if so, so I think I can
>> use pamgroup_dn for that.  
> 
> Have you looked at using netgroups with the /etc/passwd?
> You can add something like this to the end of the /etc/passwd file:
> +@group-of-users
> Which can then control access to this system based on the netgroup.
> 
> 
>>
>> Is that what I use nss_base_passwd for?  I can't figure out the syntax. 
>> Trying
>>
>> nss_base_passwd  ou=People,dc=my,dc=domain?one?gidNumber=12345
>>
>> doesn't work as expected  - that only lists users whose primary group
>> id is 12345, not those who are IN group 12345.
>>
>> Any help is appreciated.  Thanks.
>>


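The three mechanisms discussed in this thread work on different entries, which is why Ken's nss_base_passwd filter behaves as it does: the `base?scope?filter` part of nss_base_passwd is evaluated against each user's own posixAccount entry (ANDed with the objectClass filter nss_ldap adds), so `gidNumber=12345` can only see a user's primary group; membership through memberUid lives in the posixGroup entry, which is what a pam_groupdn check consults; and the host attribute check from Prentice's ldap.conf comment is again a test on the user entry. The script below is an added example, not code from the nss_ldap project or from any of the posters. It models a small constructed directory (three accounts, one group), a minimal evaluator for the `base?scope?filter` syntax, and the two PAM-style checks, so the difference can be observed without a directory server. The filter matcher handles only equality filters with `&`/`|` conjunctions, enough for this illustration; `DIRECTORY`, `nss_passwd_lookup`, `groupdn_allows` and `host_attr_allows` are names chosen here and do not exist in nss_ldap or pam_ldap.

```python
"""Added example: why an nss_base_passwd filter on gidNumber selects only
primary-group members, compared with a memberUid (pam_groupdn-style) check
and a host-attribute (pam_check_host_attr-style) check.

Not nss_ldap/pam_ldap code; the directory below is constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: three posixAccount entries under ou=People
# and one posixGroup under ou=Group listing two of them in memberUid.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=People,dc=my,dc=domain": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "gidNumber": ["12345"], "host": ["web1"],
    },
    "uid=bob,ou=People,dc=my,dc=domain": {
        "objectClass": ["posixAccount"], "uid": ["bob"],
        "gidNumber": ["100"], "host": ["web1", "db1"],
    },
    "uid=carol,ou=People,dc=my,dc=domain": {
        "objectClass": ["posixAccount"], "uid": ["carol"],
        "gidNumber": ["100"],  # no host attribute at all
    },
    "cn=admins,ou=Group,dc=my,dc=domain": {
        "objectClass": ["posixGroup"], "cn": ["admins"],
        "gidNumber": ["12345"], "memberUid": ["alice", "bob"],
    },
}


def parse_nss_base(value: str) -> Tuple[str, str, Optional[str]]:
    """Split an nss_base_* value written as base?scope?filter.
    Missing scope defaults to 'sub'; missing filter means no extra filter."""
    parts = value.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    flt = parts[2] if len(parts) > 2 and parts[2] else None
    return base, scope, flt


def _split_filters(s: str) -> List[str]:
    """Split '(a=b)(c=d)' into ['(a=b)', '(c=d)'] by paren depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry: Entry, flt: str) -> bool:
    """Tiny subset of RFC 4515: (attr=value), (&(..)(..)), (|(..)(..))."""
    flt = flt.strip()
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    inner = flt[1:-1]
    if inner and inner[0] in "&|":
        results = [matches(entry, sub) for sub in _split_filters(inner[1:])]
        return all(results) if inner[0] == "&" else any(results)
    attr, _, val = inner.partition("=")
    return val in entry.get(attr, [])


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Scope test; 'one' is approximated by counting commas in the RDN part
    (escaped commas are not handled in this illustration)."""
    if scope == "base":
        return dn == base
    if dn != base and not dn.endswith("," + base):
        return False
    if scope == "one":
        return dn != base and dn[:-(len(base) + 1)].count(",") == 0
    return True


def nss_passwd_lookup(directory: Dict[str, Entry], nss_base_passwd: str,
                      objectclass: str = "posixAccount") -> List[str]:
    """Emulate what 'getent passwd' would enumerate for a given
    nss_base_passwd line: the user filter is ANDed with the objectClass
    filter and evaluated against each user's own entry."""
    base, scope, flt = parse_nss_base(nss_base_passwd)
    oc = f"(objectClass={objectclass})"
    if flt:
        extra = flt if flt.startswith("(") else f"({flt})"
        full = f"(&{oc}{extra})"
    else:
        full = oc
    return sorted(e["uid"][0] for dn, e in directory.items()
                  if in_scope(dn, base, scope) and matches(e, full))


def groupdn_allows(directory: Dict[str, Entry], groupdn: str, uid: str) -> bool:
    """pam_groupdn-style check: the group entry must list uid in memberUid.
    This looks at the group entry, which nss_base_passwd never filters on."""
    group = directory.get(groupdn)
    return group is not None and uid in group.get("memberUid", [])


def host_attr_allows(entry: Entry, hostname: str) -> bool:
    """pam_check_host_attr-style check: with the option set to yes, a user
    whose entry has no host attribute (carol) is refused."""
    return hostname in entry.get("host", [])


if __name__ == "__main__":
    line = "ou=People,dc=my,dc=domain?one?gidNumber=12345"
    print("nss_base_passwd filter sees:", nss_passwd_lookup(DIRECTORY, line))
    grp = "cn=admins,ou=Group,dc=my,dc=domain"
    print("memberUid of", grp, "allows:",
          [u for u in ("alice", "bob", "carol") if groupdn_allows(DIRECTORY, grp, u)])
    for dn, e in DIRECTORY.items():
        if "posixAccount" in e["objectClass"]:
            print(e["uid"][0], "on web1:", host_attr_allows(e, "web1"))
```

Running it shows the gidNumber filter returning only alice (primary gid 12345), while the memberUid check admits alice and bob, which is the set Ken wanted; and the host check refuses carol because her entry carries no host attribute, the case the RHEL ldap.conf comment describes. Since the passwd filter can only see attributes on the user entry, restricting who may log in is done with pam_groupdn, the host attribute, or a netgroup line in /etc/passwd, not with nss_base_passwd.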