--On Monday, November 21, 2011 12:05:18 PM +0530 Jayavant Patil jayavant.patil82@gmail.com wrote:
Hi,
I want to restrict login access to some selected client nodes (by default, openldap allows user access to all client nodes).
OpenLDAP alone does not restrict login access to nodes. It can be configured to hold information used by other software to restrict access to nodes. Generally pam_ldap or pam-ldapd is used to control access to individual nodes. Both packages have documentation and well commented configuration files. You should look there first.
I have googled for this, tried many different configurations like host attribute, hostObject class etc. but failed to get the required result.
Okay, it is still unclear what you have tried. You mean you populated your directory with some data. That is fine, but it is not the OpenLDAP LDAP server that will restrict access. Rather, if you configure your PAM stack correctly it will read the information that you have stored in the directory and use that to control access to your systems.
Note, there are many controls that you can use to get to where you want. For example, you can configure the ACLs on your LDAP server to not release information to some hosts using IP based access control entries. Or you can put your users in a group in the directory and configure pam_ldap to only allow members of the group to login. There are lots of other possible configurations depending on what works best for you.
Bill
P.S. Top posting makes message streams like this a lot harder to read.
On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister whm@stanford.edu wrote:
--On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil <jayavant.patil82@gmail.com> wrote:
Hi,
I am using openldap-2.4.19-4 on a Fedora 12 machine. My question is as follows:
How to restrict a user's access to some client nodes?
Please, explain in detail.
It is not clear what you want to do. You need to provide more details before you will get the answer that you want.
For example, if you just want to restrict access to the directory from some nodes, why not use iptables?
If you are talking about restricting login access to some Linux nodes using PAM, this is probably a better question for a PAM list. Of course, there will be folks on this list that can answer that question as well, but not without knowing what you are storing in your directory.
Bill
--
Bill MacAllister Infrastructure Delivery Group, Stanford University
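The two mechanisms Bill points to (an IP-based ACL on the server so that only chosen nodes can read login data, and a PAM-side check of group membership or of the user's host attribute) look like this in configuration. This is an added example written for this thread, not configuration from either poster or from the OpenLDAP project. It assumes OpenLDAP 2.4 with a static slapd.conf, the PADL pam_ldap package (nss-pam-ldapd/nslcd uses different keywords in nslcd.conf), the suffix dc=example,dc=com, the subnet 192.0.2.0/24 and the hostnames lab01/lab02, all of which are made up for the example.

```conf
########## slapd.conf (OpenLDAP 2.4, static config): IP-based ACL ##########
# Bill's first option: slapd itself only hands out the attributes that
# pam_ldap/nss_ldap need to clients connecting from the lab subnet.
# ACLs are evaluated in order and the first matching "access to" clause
# wins, so this rule must come before any broader "access to *" rule.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell,host
        by peername.ip=192.0.2.0%255.255.255.0 read
        by self read
        by * none

########## LDIF: a user entry carrying the host attribute ##########
# Constructed sample entry. The host attribute is allowed by the
# hostObject auxiliary class mentioned in the thread (or by the cosine
# "account" class); list every node this user may log in to.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
host: lab01
host: lab02

########## /etc/pam_ldap.conf (PADL pam_ldap) on each client node ##########
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls

# Bill's second option: only members of this group may log in on this node.
# Use a different group DN per node (or per class of nodes) to get
# per-node access control.
pam_groupdn cn=lab-login,ou=Groups,dc=example,dc=com
pam_member_attribute uniqueMember

# The host-attribute approach the asker tried: pam_ldap compares the
# node's hostname against the values of the user's "host" attribute.
# Caveat: with this enabled, a user whose entry has no host attribute
# is denied, so populate the attribute before turning it on.
pam_check_host_attr yes
```

Either PAM-side check only takes effect if pam_ldap.so is listed in the account section of the PAM stack (for example in /etc/pam.d/system-auth on Fedora); authentication alone does not apply pam_groupdn or pam_check_host_attr. The server-side ACL is a defence in depth measure: a node outside the listed subnet cannot even resolve the account, but a node inside it still needs the PAM check to enforce per-user policy.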