
Re: schema for NSS LDAP with not all accounts active


On Thu, Mar 29, 2001 at 10:19:44PM +1000, Russell Coker wrote:
> On Thursday 29 March 2001 18:08, Alexander Reelsen wrote:
> > On Thu, Mar 29, 2001 at 10:03:39AM +1000, Russell Coker wrote:
> > > So the question is, what attribute should I use?
> > This is the minor question IMHO.
> Not so minor if you want to avoid having your schema break other software you 
> may want to run in future...
Yeah, of course. Having a clean LDAP tree and schema is mandatory.

> > > Another question is, does anyone have any other suggestions for doing
> > > such things?
> > I would like to do this as well. If you authenticate using PAM and want to
> > exclude users from using ftpd and ssh, but still give them pop3/imap
> > accounts it would be nice to have such a thing without using pam_listfile.
> > I think the easiest way would be to patch pam_ldap to support some sort of
> > query arg in the /etc/pam.d/service file. Like 'query="popd=allowed"' or
> > similar.
> Why not just make the shell /bin/false for when you want to stop ftp and ssh, 
> and make the shell /bin/true (and put /bin/true in /etc/shells) to allow ftp 
> but not ssh?  This is the traditional method of doing such things and it 
> still works...
That's not clean. And what do you do with FTP and IMAP/POP? You don't need to
have a shell for either, but you want to allow only one of them. Of course,
yeah, I could have access lists for each of those services not stored in the
LDAP tree, but always looking elsewhere is quite a hassle.
Or am I the only one who wants such a feature? That would amaze me...

If there is the possibility to store and lookup some sort of "per-service"
accesslist in the LDAP tree I would prefer that solution compared to the
"hey, let's check what shell the user has" one.

> I've replied to the list because I don't believe you wanted this discussion 
> to be private and I think others on the list will benefit.
No problem. Accidentally hit r instead of "l".

MfG/Regards, Alexander

Alexander Reelsen   http://joker.rhwd.de
ref@linux.com       GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
ar@rhwd.net         7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
Securing Debian:    http://joker.rhwd.de/doc/Securing-Debian-HOWTO
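As an added illustration of the "per-service access list in the tree" idea (not configuration from the thread or from pam_ldap's own documentation): pam_ldap accepts a `config=` module argument and a `pam_filter` option, so a service-specific filter can be applied without patching it. The `allowedService` attribute, the `/etc/pam_ldap-*.conf` paths and the `example.org` entries are assumptions; the attribute has to be defined in a local schema extension.

```conf
# /etc/pam.d/pop3 (assumed service file): point pam_ldap at a
# service-specific configuration instead of the default /etc/pam_ldap.conf
auth    required  pam_ldap.so config=/etc/pam_ldap-pop3.conf
account required  pam_ldap.so config=/etc/pam_ldap-pop3.conf

# /etc/pam_ldap-pop3.conf: the usual settings plus a filter that only
# matches entries carrying the site-defined attribute allowedService=pop3.
# A user without that value is simply unknown to the pop3 service.
host 127.0.0.1
base dc=example,dc=org
pam_filter allowedService=pop3

# /etc/pam_ldap-ssh.conf: identical apart from the filter value
host 127.0.0.1
base dc=example,dc=org
pam_filter allowedService=ssh

# Entry shape (LDIF) the filters match against; the objectClass that
# carries allowedService is assumed to come from a local schema extension.
# loginShell stays /bin/false, so the shell check still refuses ssh/ftp.
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: alice
loginShell: /bin/false
allowedService: pop3
allowedService: imap
```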
