If you are using pam-ldap, then it's even easier than you think, i.e. it's included in pam-ldap:
In the LDAP directory, create entries like the following (or similar):
dn: uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
gidNumber: 102
homeDirectory: /home/ldap-host
host: vidigal.mydomain.com
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11146
shadowMax: 99999
shadowWarning: 7
uid: ldap-host
uidNumber: 1038
userPassword: youonlyknowit
where the important attribute is host.
Then, in the ldap.conf file, where you tell pam-ldap which LDAP parameters to use, add the following line:
pam_check_host_attr yes
Then, in the corresponding pam-ldap file, add the following two entries:
account required pam_ldap.so debug
account required pam_unix_acct.so
(check to see if you have the respective module installed in your pam-ldap module directory).
And then, by magic, users will be allowed only on the specified host, in this case on vidigal.mydomain.com.
suomi
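As an added illustration (not code from either poster or from pam-ldap itself), the script below parses an LDIF snippet modelled on the entry above, extracts each user's host values and decides whether a login on a given hostname would pass the account check. It assumes that with pam_check_host_attr enabled the host values are compared against the local hostname as exact, case-insensitive strings, that a value of "*" means any host, and that a user without any host attribute is refused; those are assumptions about pam_ldap's behaviour made for the simulation. A second, clearly separate function shows what the glob-style rule from the original question (sys0*pr*) would look like if an application chose to evaluate host values that way; it is not pam_ldap behaviour. The LDIF entries, hostnames and uids are constructed sample data.

```python
"""Simulate the pam_ldap `host` attribute check (pam_check_host_attr yes).

Added example; assumptions (not verified against pam_ldap source):
  - each `host` value is compared to the local hostname exactly, case-insensitively
  - a `host` value of "*" grants access on any host
  - an entry with no `host` attribute is denied when the check is enabled
"""
import fnmatch

# Constructed LDIF modelled on the entry in the post (passwords omitted).
# "carol" carries a glob pattern only to demonstrate the extension below.
SAMPLE_LDIF = """\
dn: uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
host: vidigal.mydomain.com
host: backup.mydomain.com
objectClass: account
objectClass: posixAccount
uid: ldap-host
uidNumber: 1038

dn: uid=bob,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: bob
host: sys01pra
host: sys02pre
host: sys03pra
host: sys03pre
objectClass: account
objectClass: posixAccount
uid: bob
uidNumber: 1039

dn: uid=admin,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: admin
host: *
objectClass: account
objectClass: posixAccount
uid: admin
uidNumber: 1040

dn: uid=carol,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: carol
host: sys0*pr*
objectClass: account
objectClass: posixAccount
uid: carol
uidNumber: 1041
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attribute: [values]}}.

    Handles multi-valued attributes and blank-line record separators;
    base64 values and line folding are not supported."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None  # blank line ends the record
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def find_user(entries, uid):
    """Return the attribute map of the entry whose uid matches, or None."""
    for attrs in entries.values():
        if uid in attrs.get("uid", []):
            return attrs
    return None


def host_allowed(attrs, hostname):
    """Assumed pam_ldap rule: exact match (case-insensitive) or "*"."""
    hosts = attrs.get("host", [])
    if not hosts:
        return False
    return any(h == "*" or h.lower() == hostname.lower() for h in hosts)


def host_allowed_glob(attrs, hostname):
    """Extension, NOT pam_ldap behaviour: treat each host value as a shell
    glob such as sys0*pr*, as asked for in the original question."""
    return any(fnmatch.fnmatchcase(hostname.lower(), pat.lower())
               for pat in attrs.get("host", []))


def check_login(ldif_text, uid, hostname, glob=False):
    """Decide whether `uid` may log in on `hostname`. Unknown users are denied."""
    user = find_user(parse_ldif(ldif_text), uid)
    if user is None:
        return False
    rule = host_allowed_glob if glob else host_allowed
    return rule(user, hostname)


if __name__ == "__main__":
    for uid, host in [("ldap-host", "vidigal.mydomain.com"), ("bob", "sys04pra"),
                      ("admin", "anything.mydomain.com"), ("carol", "sys03pre")]:
        print(uid, host, "allowed" if check_login(SAMPLE_LDIF, uid, host) else "denied")
```

Running the script shows bob accepted only on the four hosts actually listed, the "*" entry accepted everywhere, and carol's glob value accepted nowhere under the exact-match rule; only `check_login(..., glob=True)` makes sys0*pr* match sys03pre, which is the point of keeping the two rules as separate functions.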
On 2012-10-29 13:23, Simone Scremin wrote:
Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Thanks
Simone