[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Kerberos+LDAP and pam_filter

On Sun, Oct 07, 2007 at 02:26:50AM +0200, Maximilian Wilhelm wrote:
> Am Saturday, den  6 October hub Roberto C. Sánchez folgendes in die Tasten:
> Hi!
> > Today I just finished switching one of my sites from LDAP-only to
> > Kerberos+LDAP.
> > One thing that I liked about LDAP and pam_ldap was that I could use
> > something like "pam_filter |(host=somehost)(host=\*)" on each host,
> > along with "host=somehost" or "host=*" in each user's LDAP entry.  This
> > allowed me to restrict who could log in to each host.
> > Now that I have switched to using pam_krb53 and am only using LDAP for
> > the location of the home directories and the uid/gid, it doesn't appear
> > that the pam_filter line in libnss-ldap.conf is working.  I also had the
> What exactly have you put into /etc/libnss-ldap.conf?
> I'm using some filters at work which work as expected.
miami:~# grep -v '^#\|^ \|^$' /etc/libnss-ldap.conf
base dc=connexer,dc=com
uri ldaps://santiago.connexer.com/
ldap_version 3
pam_filter |(host=miami)(host=\*)
pam_password exop

> > same line in /etc/pam_ldap.conf, but I have removed all the pam_ldap
> > entries from /etc/pam.d/*.
> > Does anyone know how I might be able to restore that behavior?
> Try something like this:
> nss_base_passwd ou=People,<My BASEE DN>?one?domain=foo
Does that also go in libnss-ldap.conf?  I ask, because in other HOWTSO I
have read, I have seen those lines listed in ldap.conf.  Which, I admit,
is one of the things that confused me.



Roberto C. Sánchez

Attachment: signature.asc
Description: Digital signature

Reply to: