
Re: schema for NSS LDAP with not all accounts active



On Thursday 29 March 2001 22:33, Alexander Reelsen wrote:
> > > > Another question is, does anyone have any other suggestions for doing
> > > > such things?
> > >
> > > I would like to do this as well. If you authenticate using PAM and want
> > > to exclude users from using ftpd and ssh, but still give them pop3/imap
> > > accounts it would be nice to have such a thing without using
> > > pam_listfile. I think the easiest way would be to patch pam_ldap to
> > > support some sort of query arg in the /etc/pam.d/service file. Like
> > > 'query="popd=allowed"' or similar.
> >
> > Why not just make the shell /bin/false for when you want to stop ftp and
> > ssh, and make the shell /bin/true (and put /bin/true in /etc/shells) to
> > allow ftp but not ssh?  This is the traditional method of doing such
> > things and it still works...
>
> That's not clean. And what do you do with FTP and IMAP/POP? You don't need to
> have a shell for either, but you want to allow only one of those. Of course,
> yeah, I could have access lists for each of those services not stored in the
> LDAP tree, but always looking up elsewhere is quite a hassle.
> Or am I the only one who wants such a feature? That would amaze me...
>
> If there is the possibility to store and lookup some sort of "per-service"
> accesslist in the LDAP tree I would prefer that solution compared to the
> "hey, let's check what shell the user has" one.

Good point.  The problem is that the NSS interface doesn't allow for such 
things, so you would have to use pam_ldap for all authentication (no big deal, 
just a minor PITA to change all the /etc/pam.d files and keep them 
maintained).  Then what we need is an option for pam_ldap to specify which 
filter should be used.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
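Added example (not code from this thread, nor from pam_ldap or nss_ldap): a small evaluator for a subset of RFC 4515 LDAP search filters, run over a constructed sample directory, to make concrete what a per-service filter option would decide for each user and each service. The multi-valued attribute `authorizedService`, the sample users, the `/etc/shells` contents and the per-service filter strings are all assumptions made for the illustration. `allowed_by_shell` models the loginShell workaround from the quoted reply so the two approaches can be compared on the same accounts; `escape_filter_value` shows the check that any module substituting a username into a filter must perform, since an unescaped `*` turns the uid assertion into a wildcard.

```python
# Added example, not code from the thread: a small evaluator for a subset of
# RFC 4515 LDAP search filters, showing what a per-service filter such as
# "authorizedService=ftp" decides for each user, and why the username that is
# substituted into the filter must be escaped first.
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]

# Constructed sample directory. "authorizedService" is a hypothetical
# multi-valued attribute standing in for the per-service access list the
# thread asks for.
DIRECTORY: List[Entry] = [
    {"uid": ["alice"], "loginShell": ["/bin/bash"], "authorizedService": ["sshd", "ftp", "pop3"]},
    {"uid": ["bob"], "loginShell": ["/bin/true"], "authorizedService": ["ftp", "pop3"]},
    {"uid": ["carol"], "loginShell": ["/bin/false"], "authorizedService": ["pop3"]},
    {"uid": ["dave"], "loginShell": ["/bin/false"], "authorizedService": []},
]
ETC_SHELLS = {"/bin/sh", "/bin/bash", "/bin/true"}  # constructed /etc/shells
# Per-service filters, as a per-service filter setting would carry them (assumed names).
SERVICE_FILTERS = {"sshd": "authorizedService=sshd", "ftp": "authorizedService=ftp",
                   "pop3": "authorizedService=pop3"}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter. Without it a
    username of "*" turns the uid assertion into a wildcard (filter injection)."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _values(entry: Entry, attr: str) -> List[str]:
    # Attribute names are case-insensitive.
    return next((v for k, v in entry.items() if k.lower() == attr), [])

def _parse(s: str, i: int) -> Tuple[Predicate, int]:
    """Parse one parenthesised filter at s[i]; return (predicate, index after it).
    Supports &, |, ! and equality/presence assertions, enough for access filters."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i:i + 1]
    if op in ("&", "|", "!"):
        i += 1
        subs: List[Predicate] = []
        while s[i:i + 1] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if s[i:i + 1] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        i += 1
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i
        if op == "|":
            return (lambda e: any(p(e) for p in subs)), i
        if len(subs) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (lambda e: not subs[0](e)), i
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, sep, raw = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad assertion {s[i:end]!r}")
    attr, i = attr.lower(), end + 1
    if raw == "*":  # presence test: (attr=*)
        return (lambda e: bool(_values(e, attr))), i
    want = _unescape(raw).lower()  # equality, case-insensitive as for uid
    return (lambda e: want in [v.lower() for v in _values(e, attr)]), i

def compile_filter(text: str) -> Predicate:
    pred, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return pred

def search(filter_text: str) -> List[str]:
    """Return the uids of directory entries matching the filter."""
    pred = compile_filter(filter_text)
    return [e["uid"][0] for e in DIRECTORY if pred(e)]

def allowed(service: str, username: str) -> bool:
    """Decide access the way a per-service filter would: the user's own entry
    must satisfy both the uid assertion and the service's filter."""
    flt = f"(&(uid={escape_filter_value(username)})({SERVICE_FILTERS[service]}))"
    return bool(search(flt))

def allowed_by_shell(service: str, username: str) -> bool:
    """The loginShell workaround from the thread: /bin/false blocks ssh and ftp,
    /bin/true (listed in /etc/shells) allows ftp but not ssh. POP3 never
    consults the shell, so it cannot be switched off per user this way."""
    entry = next((e for e in DIRECTORY if e["uid"] == [username]), None)
    if entry is None:
        return False
    shell = entry["loginShell"][0]
    if service == "sshd":
        return shell not in ("/bin/false", "/bin/true")
    if service == "ftp":
        return shell in ETC_SHELLS
    return True  # pop3: any existing account

if __name__ == "__main__":
    for svc in SERVICE_FILTERS:
        print(svc, [u for u in ("alice", "bob", "carol", "dave") if allowed(svc, u)])
```

With the sample directory, the filter approach gives carol POP3 only and denies dave everything, while the shell workaround has no way to deny dave POP3 or to let bob use FTP without also letting every other account with a valid shell use it. Whichever module ends up building the filter, the username must go through `escape_filter_value` (or the equivalent in a real LDAP library) before substitution.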