Re: [nssldap] Using nss_base filters
- From: Prentice Bisbal <prentice [at] ias.edu>
- To: nssldap [at] padl.com
- Subject: Re: [nssldap] Using nss_base filters
- Date: Fri, 16 Apr 2010 17:01:25 -0400
This raises the question I was thinking all along:
What are you trying to accomplish? Are you trying to prevent people
doing searches from seeing those other entries, or are you trying to
restrict access to a system?
Those other entries can still be visible while still restricting access
to a system to only certain groups.
If you're using PAM with pam_ldap, you can add the host attribute to a
user account to restrict access to only certain systems. From
/etc/ldap.conf on a RHEL 5.5 system:
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
--
Prentice
Douglas E. Engert wrote:
>
>
> Ken Kleiner wrote:
>> Hi, I have set up an LDAP posix group and have put members into it by
>> including their username in memberuid fields. This works fine from a
>> group perspective.
>>
>> What I'm trying to do is to configure one of our systems using
>> nss_ldap and pam with ldap auth so that only users in that group can
>> be looked up (with id, getent passwd, etc). Then I'd like to
>> authenticate them if so, so I think I can
>> use pamgroup_dn for that.
>
> Have you looked at using netgroups with the /etc/passwd?
> You can add something like this to the end of the /etc/passwd file:
> +@group-of-users
> Which can then control access to this system based on the netgroup.
>
>
>>
>> Is that what I use nss_base_passwd for? I can't figure out the syntax.
>> Trying
>>
>> nss_base_passwd ou=People,dc=my,dc=domain?one?gidNumber=12345
>>
>> doesn't work as expected - that only lists users whose primary group
>> id is 12345, not those who are IN group 12345.
>>
>> Any help is appreciated. Thanks.
>>
>