And this is clear. This is the basic host-based authentication using pam-ldap.
From what I know however, it's not possible to set a regex as the value of the host attribute which is my requirement.
See the previous mail with the relevant example about the regex for the hostnames. Am I wrong?
Thank you
Simone
On Oct 29, 2012, at 5:26 PM, anax anax@ayni.com wrote:
if you are using pam-ldap, then it's even easier than you think, i.e. it's included in pam-ldap:
in the ldap directory create entries like or similar:
dn: uid=ldap-host,ou=People,ou=pam-ldap,dc=mydomain,dc=com
cn: ldap-host
gidNumber: 102
homeDirectory: /home/ldap-host
host: vidigal.mydomain.com
loginShell: /bin/bash
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11146
shadowMax: 99999
shadowWarning: 7
uid: ldap-host
uidNumber: 1038
userPassword: youonlyknowit
where the important attribute is host.
Then, in the ldap.conf file, where you tell pam-ldap, which ldap parameters to use, add the following line:
pam_check_host_attr yes
Then, in the corresponding pam-ldap file, add the following two entries:
account required pam_ldap.so debug
account required pam_unix_acct.so
(check to see if you have the respective module installed in your pam-ldap module directory).
And then, by magic, users will be allowed only on the specified host, in this case on vidigal.mydomain.com
suomi
On 2012-10-29 13:23, Simone Scremin wrote:
Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
For example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Thanks
Simone
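To tie the two halves of this thread together, here is an added example (it is not code from the thread, from pam_ldap or from OpenLDAP). It takes Simone's sys0*pr* pattern, treated as a shell-style glob rather than a regular expression, expands it against a constructed host inventory, emits the LDIF needed to add each match as a literal host value on the user's entry, and emulates the literal-match decision suomi describes for pam_check_host_attr. The inventory, the DN uid=bob,ou=People,dc=mydomain,dc=com and the exact comparison rule in host_allowed are assumptions made for the example; check the pam_ldap source for your version for the real rule (for instance whether the short name or the FQDN returned by gethostname is compared).

```python
"""Expand a hostname glob into literal `host` attribute values for pam_ldap.

Added example for the thread above; not part of pam_ldap or OpenLDAP.
"""
import fnmatch

# Constructed inventory for the example: the four hosts Simone named plus
# some extra machines that must NOT match the pattern.
INVENTORY = [
    "sys01pra", "sys02pre", "sys03pra", "sys03pre",   # from the thread
    "sys04dev", "db01pra", "vidigal.mydomain.com",    # constructed distractors
]

# Assumed DN for the example user; adjust to your own tree.
BOB_DN = "uid=bob,ou=People,dc=mydomain,dc=com"


def expand_host_pattern(pattern, inventory):
    """Return the hostnames in `inventory` that match `pattern`.

    `pattern` is interpreted as a shell-style glob (sys0*pr*), which is what
    Simone's example actually is; it is not a regular expression.  Matching
    is done case-insensitively because DNS names are case-insensitive.
    """
    pat = pattern.lower()
    return sorted(h for h in inventory if fnmatch.fnmatchcase(h.lower(), pat))


def ldif_add_hosts(dn, hosts):
    """Build an LDIF `changetype: modify` record adding one `host` value per name.

    pam_ldap compares literal values, so every allowed host must be stored
    explicitly; the pattern itself is never written to the directory.
    """
    if not hosts:
        raise ValueError("pattern matched no hosts; refusing to emit an empty modify")
    lines = [f"dn: {dn}", "changetype: modify", "add: host"]
    lines.extend(f"host: {h}" for h in hosts)
    lines.append("-")
    return "\n".join(lines) + "\n"


def host_allowed(entry_hosts, local_hostname):
    """Emulate the pam_check_host_attr decision as described in the thread.

    Assumed rule for this example: access is granted only if the local
    hostname appears literally (case-insensitively) among the entry's host
    values.  No glob or regex evaluation happens, so a stored pattern such
    as sys0*pr* grants nothing.
    """
    target = local_hostname.lower()
    return any(target == h.lower() for h in entry_hosts)


if __name__ == "__main__":
    hosts = expand_host_pattern("sys0*pr*", INVENTORY)
    print(ldif_add_hosts(BOB_DN, hosts))
    # Storing the pattern itself does not work with literal matching:
    print("pattern stored as host value:", host_allowed(["sys0*pr*"], "sys01pra"))
    # Storing the expanded list does:
    print("expanded list stored:", host_allowed(hosts, "sys01pra"))
```

Run the script to print the LDIF, review the matched names, then apply it with ldapmodify against your server. Re-running it whenever hosts are added or retired keeps the literal host values in step with the pattern, which is the part pam_ldap will not do for you.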