Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides information for.
PAM doesn't return user information at all. This is strictly for nss-ldap. You could also add a filter to nss-ldap's config file. Unfortunately the most straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's memberof overlay. If your group was actually a dynamic group, then you could use the same filter criteria that the dynamic group uses.
-Rex
On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:
Brett @Google wrote:
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex@wccnet.edu> wrote:
I have some linux machines that I have configured for student access. We are authenticating against our OpenLDAP tree and limiting which users have access via an LDAP groupOfNames. This is all working perfectly.
This is the problem I am having. Any user with access to the system can run the /usr/bin/finger command and do a name search against our entire LDAP tree. I would like to limit the info available via finger to just the users that have access to any particular machine. How can this be controlled?
This sounds more like a firewall / iptables issue to your finger server than anything else?
No, doesn't sound like that to me.
Essentially he wants an ACL that grants access to nss-ldap searches based on the target entries belonging to a group associated with a particular peeraddr. But at the moment, I can't think of any mechanism to do this in the current ACL engine.
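To make the nss-ldap filter suggestion concrete, here is an added example (not from anyone in the thread) of the client-side approach Howard describes for the dynamic-group case. It assumes a made-up tree under dc=example,dc=com, a machine lab01.example.com whose dynamic access group selects people by a `host` attribute, and the classic nss_ldap /etc/ldap.conf syntax of `nss_base_passwd base?scope?filter`; all of those names and the choice of `host` as the selection attribute are assumptions for illustration.

```conf
# Added example, not part of the original thread. Assumed names throughout:
# the dynamic group for this machine would look like (LDIF, for reference):
#   dn: cn=lab01-users,ou=Groups,dc=example,dc=com
#   objectClass: groupOfURLs
#   memberURL: ldap:///ou=People,dc=example,dc=com??one?(host=lab01.example.com)
#
# /etc/ldap.conf for nss_ldap on lab01.example.com. The passwd and shadow maps
# reuse the same filter the dynamic group uses, so getent/finger on this host
# only resolve users who are allowed to log in here. A plain static group
# cannot be mirrored this way because (memberOf=...) is not usable as an
# nss filter with OpenLDAP's memberof overlay, as noted in the thread.
uri ldap://ldap.example.com/
base dc=example,dc=com
ldap_version 3

nss_base_passwd ou=People,dc=example,dc=com?one?(host=lab01.example.com)
nss_base_shadow ou=People,dc=example,dc=com?one?(host=lab01.example.com)
nss_base_group  ou=Groups,dc=example,dc=com?one?
```

This only narrows what the NSS client returns, so finger stops enumerating the whole tree on that host; it is not a server-side control, and a user with an LDAP client can still search the directory subject to the server's own ACLs, which is exactly the gap Howard points to above.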