Hi All,


I have installed OpenLDAP to authenticate users on Unix systems. So, I use the pam_ldap / nss_ldap modules with the primitive pam_check_host_attr yes, and I have the attribute host for each person in my LDAP. I want to have 3 levels of authentication:

- First level: a person has numerous « host » attributes, so he is able to authenticate on these hosts

- Second level: a person could be able to authenticate on a group of hosts

- Third level: a person is able to authenticate on all hosts


For the first level, for each host I declare one primitive « host » for my user in OpenLDAP:


dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/sh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: hostObject
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
host: labobe1
host: labobe2



For the third level, I just put the primitive « host: * »


But I don’t know how I could do the second level. I would like something like groupRadiusName: I want to define numerous groups with the host primitive, and each user can be in one or more groups.

The goal is that my user has his host primitive plus the host primitive of his group. Is it possible?


Thanks for your help,
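
The first- and third-level rules from the message above, as an added example that is not part of the original post: a small Python audit that parses an LDIF export and reports which hosts each account may log in to. It assumes a login is allowed when a host value equals the machine name (compared case-insensitively) or is `*`; the second entry and all function names are constructed for illustration.

```python
import base64

# Constructed sample: the entry from the post (trimmed) plus one hypothetical
# account using the "host: *" form the post describes for the third level.
SAMPLE_LDIF = """\
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
uid: fmehault
objectClass: hostObject
host: labobe1
host: labobe2

dn: cn=Example Admin,ou=Utilisateurs,dc=netplus,dc=fr
uid: exadmin
objectClass: hostObject
host: *
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded lines) into {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: value" carries base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries

def may_login(entry, hostname):
    # Assumed rule: exact host match (first level) or "*" (third level).
    wanted = hostname.lower()
    return any(h == "*" or h.lower() == wanted for h in entry.get("host", []))

def access_report(entries, hostnames):
    """Map each uid to the hosts from `hostnames` it may log in to."""
    return {e["uid"][0]: [h for h in hostnames if may_login(e, h)] for e in entries}

def wildcard_accounts(entries):
    """Accounts with access to every host; worth reviewing regularly."""
    return [e["uid"][0] for e in entries if "*" in e.get("host", [])]

if __name__ == "__main__":
    print(access_report(parse_ldif(SAMPLE_LDIF), ["labobe1", "labobe3"]))
```
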