Hi, Thanks for the reply. I found that the pam ldap module does help, like using pam_groupdn to point to a group that contains (in memberuid) the people that I want to have access. The problem with that is that the nss library still sees the entries as valid uids, which I don't want. Is there a similar module config I could use for libnss?
What defines the entries is just a group that I put them into, i.e. I create a group called emailusers and create a memberuid entry in that group for each user that I want to be visible.
On Apr 16, 2010, at 12:49 PM, Andrew Findlay wrote:
On Fri, Apr 16, 2010 at 10:50:08AM -0400, Ken Kleiner wrote:
What I'm trying to do is set up my ldap server so that when a specific host binds using a particular DN, that host only sees specific entries in the ou=People tree, so that getent, id, nss, pam, etc. only recognize those users.
Is this possible? I'm stumped. Thanks.
It is possible, but it may not be the best thing to do... If you want to restrict who can login on each machine then it may be better to use the authorisation facilities of the PAM LDAP module.
In any case, what defines the set of entries to be seen / permitted on each host? There are several ways that you might represent the set: LDAP groups, new attributes etc, and each would result in different ACLs. I suspect that you do not want to define the set separately for each host, so some sort of group hierarchy might be appropriate.
You will find a few examples here: http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Ken Kleiner
System Manager
University of Massachusetts Lowell
Computer Science Department
978 934 3645
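As an added illustration of the group-based ACL approach discussed in the thread (this is not from either poster, nor from the linked paper), here is a slapd.conf access fragment that does on the server side what Ken asks for: a host that binds as its own DN can only see those ou=People entries whose uid appears in the memberUid list of the emailusers group, so nss_ldap on that host never learns about anyone else. The suffix dc=example,dc=com, the host DN cn=mailhost,ou=Hosts and the group DN cn=emailusers,ou=Groups are assumed placeholders. It relies on two OpenLDAP ACL features: several conditions in one `by` clause must all hold, and the `set=` who-clause can compare attribute values of the target entry (`this/uid`) with values taken from another entry (`[<dn>]/memberUid`).

```conf
# Assumed placeholder DNs: dc=example,dc=com, cn=mailhost,ou=Hosts,
# cn=emailusers,ou=Groups. Adjust to the real directory layout.
#
# Password hashes are handled first so that the broad "by users read"
# below never exposes them to ordinary clients.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# User entries. The first "access to" whose target matches is used, and
# within it the "by" clauses are tried in order, first match wins, so the
# host-specific rules must come before the general one.
access to dn.subtree="ou=People,dc=example,dc=com"
  # The mail host may read an entry only when BOTH conditions hold:
  # it is bound as its own DN, and the entry's uid is one of the
  # memberUid values of the emailusers group. A "by" clause with
  # several who-specifiers matches only if all of them match.
  by dn.exact="cn=mailhost,ou=Hosts,dc=example,dc=com"
     set="[cn=emailusers,ou=Groups,dc=example,dc=com]/memberUid & this/uid" read
  # Every other entry under ou=People is invisible to the mail host,
  # so getent/id on that host never see those users.
  by dn.exact="cn=mailhost,ou=Hosts,dc=example,dc=com" none
  # Other authenticated clients keep normal read access. Anonymous
  # falls through to the implicit "by * none", so a host whose nss_ldap
  # is misconfigured to bind anonymously gets nothing rather than
  # everything.
  by users read
```

Two practical points. This directive must precede any catch-all `access to *` rule, otherwise that rule wins for ou=People and the restriction never applies. And because `set=` ACLs are only documented in the OpenLDAP FAQ rather than in slapd.access(5), check the result before deploying with `slapacl -f slapd.conf -D "cn=mailhost,ou=Hosts,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" uid/read` for a user inside and one outside the group, and confirm on the host that nss_ldap binds with the host DN (its `binddn` setting) rather than anonymously.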