On Mon, Nov 21, 2011 at 3:39 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
On Mon, Nov 21, 2011 at 1:34 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
One method would be to add the hostObject objectclass, from ldapns.schema (shipped with pam_ldap source), and add a host attribute with the 'hostname' of the host for each host the user should be allowed to log in to, and set 'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').
Of course, this depends on which pam module you are using, and there are other options.
I tried installing the pam_ldap module and configuring the ldap.conf file, but access is still allowed to the hosts not mentioned in the host attribute. All the user information is available on a client node not specified in the host attribute of that user (checked by running $ getent passwd).
What is desired is that on such client nodes (not specified in the host attribute of <user-name>), $ su <user-name> should show *su: <user-name> does not exist*.
Which of the services in /etc/pam.d need to be modified for proper user authorization?
Regards, Buchan
--
Thanks & Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.
Hi,
I got the desired solution. Thanks, Buchan!!!
My next query is as follows:
Suppose we have 1000 hosts and we want to give 'user1' access to 999 hosts (with 1 restricted host). In such a case, we need to specify all 999 permitted host names in the .ldif file.
There are wildcards: '*' stands for all hosts and '!' stands for excluding a host, e.g.
1. host: * will allow access to all client nodes.
2. host: !n1000 will not allow access to n1000 client node.
In the above-mentioned scenario, when I specify the following, it doesn't work:
host: *
host: !n1000
It allows access to all 1000 hosts.
When I specify the following:
host: *,!n1000
It restricts access to all 1000 hosts.
Does anybody know how to use these wildcards (*, !) to get the desired solution?
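As an added illustration (not code from the thread or from pam_ldap), the following Python script audits an LDIF export against the pam_check_host_attr rule the thread confirms works: a user is allowed on a host only when a host value is '*' or matches the hostname. It treats a missing host attribute as denied (an assumption) and flags values containing ',' or '!' for manual review, since the thread reports those forms do not restrict access as intended. The LDIF sample, user names and host names are constructed.

```python
import re
# Constructed LDIF sample (hypothetical users and hosts, not from the thread).
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: hostObject
uid: user1
host: n1
host: N2

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: hostObject
uid: user2
host: *

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: hostObject
uid: user3
host: *,!n1000
"""

def parse_ldif(text):
    """Return {uid: [host values]} from a minimal LDIF export (no base64 values)."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        uid, hosts = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "uid":
                uid = value
            elif key == "host":
                hosts.append(value)
        if uid:
            users[uid] = hosts
    return users

def host_allowed(hosts, hostname):
    """'*' or exact hostname match (case-insensitive); empty list => denied (assumption)."""
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)

def audit(ldif_text, hostname):
    """Classify each user for hostname; flag ',' or '!' values, which the thread
    reports do not restrict access the way the author expected."""
    report = {}
    for uid, hosts in parse_ldif(ldif_text).items():
        status = "allowed" if host_allowed(hosts, hostname) else "denied"
        if any("!" in h or "," in h for h in hosts):
            status += " (review: ',' or '!' in host attribute)"
        report[uid] = status
    return report
```

Run audit() with the output of an ldapsearch export and the local hostname to see which users the host check would admit on that node.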