On Mon, May 11, 2009 at 11:35:14PM +0100, Michael Marti wrote:
> Dear list members
>
> I am not sure if this is a Debian or ldap / pam issue. Please forgive
> me if this is not the appropriate list to post.
>
> I am trying to restrict access to our hosts by setting pam_groupdn and
> pam_member_attribute in /etc/pam_ldap.conf.

I do mine in the filter command:

    filter passwd (&(objectClass=posixAccount)(|(host=max.lan1.hme1.samad.com.au)(|(host=hme1.samad.com.au)(host=samad.com.au))))

and I set the host attribute as needed. This is my common-auth:

    auth [success=1 default=ignore] pam_unix2.so
    auth required pam_ldap.so use_first_pass
    auth required pam_permit.so

One thing to check is

    getent passwd | sort

Look for the userid and see if it pops up twice.

> [snip]
> I am quite convinced that I am just missing something:
> - Is there a way to restrict access for a certain group for ldap users
> while /etc/passwd users have unrestricted access?
> - In case pam_groupdn is not the way to go, can you recommend an
> alternative?
> - Right now I am using a custom ldap attribute called authorization and a
> pam ldap search filter of "pam_filter authorization=host.golpweb". This
> works, but is this a good approach?

Each to their own, I guess. I can't remember why I did it this way; I have it set up on multiple machines this way for some reason that I can remember - it works.

> Your comments are appreciated!
>
> Best regards,
> Michael Marti.

--
Mustrum Ridcully did a lot for rare species. For one thing, he kept them rare. (Lords and Ladies)
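The "getent passwd | sort" check above can be scripted so that it flags both a user name that NSS resolves twice (once from /etc/passwd, once from LDAP) and a UID shared by two different names, which is the case that lets one account impersonate another. This is an added example written for this thread, not code from either poster; the sample passwd lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): detect accounts that NSS
# returns more than once, e.g. the same name from /etc/passwd and from LDAP.
# Input is passwd(5)-format lines such as `getent passwd` prints.

# Print user names that occur more than once in passwd-format input.
dup_names() {
    cut -d: -f1 | sort | uniq -d
}

# Print UIDs that are shared by more than one distinct user name.
dup_uids() {
    cut -d: -f1,3 | sort -u | cut -d: -f2 | sort | uniq -d
}

# Constructed sample: "alice" exists locally (uid 1000) and again in LDAP
# (uid 10001); "bob" and "bsmith" share uid 10002.
SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
alice:x:10001:10001:Alice LDAP:/home/alice:/bin/bash
bob:x:10002:10002:Bob:/home/bob:/bin/bash
bsmith:x:10002:10002:Bob Smith:/home/bsmith:/bin/bash'

# Wrappers that run the checks over the constructed sample.
report_dup_names() { printf '%s\n' "$SAMPLE" | dup_names; }
report_dup_uids()  { printf '%s\n' "$SAMPLE" | dup_uids; }

# On a real host, feed the live NSS view instead of the sample:
#   getent passwd | dup_names
#   getent passwd | dup_uids
```

An empty result from both checks on a real host means no name or UID is answered by more than one NSS source.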