Mon, Nov 21, 2011 at 1:34 PM Buchan Milne bgmilne@staff.telkomsa.net wrote:
One method would be to add the hostObject objectclass, from ldapns.schema (shipped with pam_ldap source), and add a host attribute with the 'hostname' of the host for each host the user should be allowed to log in to, and set 'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').
Of course, this depends on which pam module you are using, and there are other options.
I tried installing the pam_ldap module and configuring the ldap.conf file, but it is still allowing access to the hosts not mentioned in the host attribute. All the user information is available on the client node not specified in the host attribute of that user (checked by running $getent passwd).
What is desired is that on such client nodes (not specified in the host attribute of <user-name>), $su <user-name> should show *su: <user-name> does not exist*.
Which of the services in /etc/pam.d need to be modified for proper user authorization?
Regards, Buchan
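Added illustration, not part of the thread and not pam_ldap's or nss_ldap's own code: the script below emulates, on constructed sample data, where the host attribute is and is not consulted. pam_check_host_attr is enforced in pam_ldap's account-management stage (per the pam_ldap man page a user with no host value is refused when the option is on), so the /etc/pam.d service in question, for example /etc/pam.d/su or the common-account file it includes on Debian-style systems, needs an account line for pam_ldap.so. nss_ldap never looks at the host attribute, which is why getent passwd still lists the user on every client and su does not say "does not exist". Hiding the user from su means filtering at the NSS layer instead, for example with nss_ldap's base?scope?filter form of nss_base_passwd. The entry names, hostnames, that filter and the exact string comparison against the local hostname are assumptions of this example, not something the thread states.

```python
# Added example, not from the thread or from pam_ldap/nss_ldap themselves:
# a small emulation of how the 'host' attribute (hostObject, ldapns.schema)
# is treated on the NSS side versus the PAM account side. No LDAP server is
# contacted; the directory content below is constructed sample data.

from collections import defaultdict

# Constructed sample: two posixAccount entries as they would sit in the
# directory after hostObject + host were added to alice only (hostnames and
# DNs are invented for the example).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: hostObject
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
host: web01.example.com
host: web02.example.com

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
loginShell: /bin/bash
"""


def parse_ldif(text):
    """Parse a minimal LDIF (no continuation lines, no base64 values) into a
    list of dicts mapping attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries


def nss_getpwnam(entries, uid):
    """What nss_ldap returns for getpwnam()/getent passwd with a plain
    nss_base_passwd: the host attribute is never consulted, so the user
    resolves on every client, whatever its hostname."""
    for e in entries:
        if "posixAccount" in e.get("objectClass", []) and e.get("uid") == [uid]:
            return "%s:x:%s:%s::%s:%s" % (uid, e["uidNumber"][0], e["gidNumber"][0],
                                         e["homeDirectory"][0], e["loginShell"][0])
    return None


def nss_getpwnam_host_filtered(entries, uid, hostname):
    """Same lookup, but with the NSS search restricted to this host, which is
    what an nss_base_passwd of the form 'base?scope?host=<hostname>' would do
    (assumed filter syntax). Non-matching entries do not exist as far as NSS,
    and therefore su, are concerned."""
    for e in entries:
        if e.get("uid") == [uid] and hostname in e.get("host", []):
            return nss_getpwnam([e], uid)
    return None


def pam_ldap_acct_mgmt(entries, uid, hostname, check_host_attr=True):
    """Emulates pam_ldap's account-management stage with pam_check_host_attr.
    With the option on, the user is allowed only if the local hostname is one
    of the user's host values; a user with no host attribute is denied.
    Assumption: exact string comparison against the hostname."""
    for e in entries:
        if e.get("uid") == [uid]:
            break
    else:
        return "PAM_USER_UNKNOWN"
    if not check_host_attr:
        return "PAM_SUCCESS"
    if hostname in e.get("host", []):
        return "PAM_SUCCESS"
    return "PAM_PERM_DENIED"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for host in ("web01.example.com", "db01.example.com"):
        for user in ("alice", "bob"):
            print(host, user,
                  "nss:", nss_getpwnam(entries, user) is not None,
                  "nss(host filter):",
                  nss_getpwnam_host_filtered(entries, user, host) is not None,
                  "pam account:", pam_ldap_acct_mgmt(entries, user, host))
```

Running it shows the split the question is about: on db01 alice still resolves through plain NSS (getent passwd lists her) while the emulated PAM account stage denies her, and bob, who has no host attribute, is denied everywhere once the check is on; only the host-filtered NSS lookup makes the user genuinely absent on a host not listed in the attribute.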