OK. So, I don't normally make it a habit of replying to 14-month-old emails, but I just recently figured this out, so I thought I'd comment for the benefit of people searching for the solution.

On Sat, Aug 06, 2005 at 12:38:42PM +0200, Jean-Yves Migeon wrote:
> Hi all :)
>
> Currently migrating an old debian system (NIS, samba2 and a couple of
> other services), to a new machine mainly configured around LDAP, I
> needed some sort of access restriction, mainly to deny access to
> particular group of users on certain clients/servers.
>
> So, I created defined groups of users (like admins, printer-admins, and
> so on) in ldap, and decided to restrict their access using the
> pam_groupdn attribute in /etc/pam_ldap.conf file.
>
> However, it doesn't seem to work as intended.
>

I recently set up LDAP and also wanted to restrict which users could log in to certain hosts. So, what I did was use the host field in LDAP. So, my main workstation is miami, and if I want a particular user to be able to log in to miami, I add a field "host: miami" to the LDAP entry for that user. If I want a user to be able to log in to any host which authenticates against the directory, then I just put "host: *" for that user. Once that is done, placing the following line in /etc/libnss-ldap.conf and /etc/pam_ldap.conf made it work:

pam_filter |(host=miami)(host=\*)

This works if you do not have too many hosts. If you have many, say at a university with many computer labs, then this could get very annoying very quickly. In that case, you can probably add "host: lab1group" and then put something like this:

pam_filter |(host=hostname1)(host=lab1group)(host=\*)

Note, I have not tested this last setup, but it should work.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
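The host-based pam_filter restriction described in the message above, as an added example that is not part of the original post or of pam_ldap itself. It builds the pam_filter value for a host (with the host's own name, any group tags such as lab1group, and the literal "any host" value), escapes assertion values per RFC 4515 so that a literal `*` is sent as `\2a` (the hex form of the `\*` the post uses; both are literal matches, not wildcards), and evaluates the resulting filter against user entries parsed from a constructed LDIF fragment. The user names, the DN suffix dc=example,dc=org and the host names are assumptions made up for the example; the evaluation runs offline and shows the fail-closed behaviour a practitioner should check for: a user entry with no host attribute matches nothing and is denied everywhere.

```python
"""Host-based login restriction via pam_filter, evaluated offline.

Added example, not code from the original post. The filter builder escapes
values per RFC 4515, and host_allowed() reproduces the semantics of the
equality filter the directory server would evaluate, so the effect of a
given pam_filter line can be checked without a live LDAP server.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value, otherwise they change the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory content (hypothetical users and suffix).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
host: miami

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
host: *

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
host: lab1group

dn: uid=dave,ou=People,dc=example,dc=org
uid: dave
"""


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_pam_filter(hostname: str, host_groups=()) -> str:
    """Return the pam_filter value for this host.

    Mirrors the post: the host's own name, any group tags the host belongs
    to, and the literal value '*' meaning 'any host'. pam_ldap wraps the
    value in parentheses and ANDs it with the uid lookup, so the leading
    '|' carries no surrounding parentheses here, exactly as in the post.
    Escaping also means a hostname containing '*', '(' or ')' cannot
    widen the filter by accident.
    """
    values = [hostname, *host_groups, "*"]
    return "|" + "".join(f"(host={escape_filter_value(v)})" for v in values)


def parse_ldif_hosts(ldif: str) -> dict:
    """Map uid -> set of 'host' values from a minimal LDIF dump.

    Only 'uid:' and 'host:' lines matter for this check; entries are
    assumed to be separated by blank lines, as in ldapsearch output.
    """
    entries = {}
    uid, hosts = None, set()
    for line in ldif.splitlines() + [""]:
        if not line.strip():
            if uid is not None:
                entries[uid] = hosts
            uid, hosts = None, set()
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "uid":
            uid = value
        elif attr == "host":
            hosts.add(value)
    return entries


def host_allowed(entry_hosts, hostname: str, host_groups=()) -> bool:
    """Evaluate the filter from build_pam_filter() against one user's hosts.

    Equality matching is literal: a stored value '*' matches only the
    escaped '(host=\\2a)' term and is not a wildcard. A user without any
    host attribute matches no term and is denied (fail closed).
    """
    wanted = {hostname, "*", *host_groups}
    return bool(set(entry_hosts) & wanted)


def login_decisions(hostname: str, host_groups=(), ldif: str = SAMPLE_LDIF) -> dict:
    """Map uid -> allowed? for every entry in the LDIF on the given host."""
    entries = parse_ldif_hosts(ldif)
    return {uid: host_allowed(h, hostname, host_groups) for uid, h in entries.items()}


if __name__ == "__main__":
    for host, groups in (("miami", ()), ("hostname1", ("lab1group",))):
        print(f"pam_filter {build_pam_filter(host, groups)}")
        print(login_decisions(host, groups))
```

Run it to see the pam_filter line for each host next to the per-user decision; dave, who has no host attribute at all, is denied on every host, which is what you want from a restriction that is meant to be opt-in per user.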