Hi Dan,
That trick would work in particular cases, but I'm not sure it would scale in an environment with a large number of live machines: suppose you want to change the ACL for a particular server without changing its name?
Intuitively, I would rather opt for host group management (posix or group of) within LDAP?
Still, the issue of which container remains.
--- Olivier
2012/10/29 Dan White dwhite@olp.net:
On 10/29/12 09:38 -0500, Dan White wrote:
On 10/29/12 13:23 +0100, Simone Scremin wrote:
Hi all,
I'm in the process of learning the OpenLDAP authentication mechanics.
I'd need to know what is the best way to configure a host-based authentication system that allows configuring a per-user rule to include a group of hosts to which the user is allowed to log in.
In example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enables these hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasible?
Assuming that you will be using a PAM module on each host, the answer to that question will depend on which PAM module you choose, and what configuration it supports.
If that module supports placing a filter within the PAM configuration, then 'host=sys0*pr*' should work.
Or, if you wish to literally store 'sys0*pr*' within your host entry in ldap, your filter could be:
host=sys0*pr*
-- Dan White
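A worked check of the two filter options in Dan's reply, added here and not code from the thread or from any PAM module: it implements the RFC 4515 rule that '*' in the filter's assertion value is a wildcard while '*' in a stored attribute value is a literal character, using the case-insensitive matching the `host` attribute has in the standard schema. The user entries are constructed for the example; the functions `hosts_allowed` and `entry_matches` are this example's own names, not anything pam_ldap or nslcd exposes.

```python
"""Evaluate a single 'attr=value' LDAP filter assertion against user entries.

Added example for the thread above; not pam_ldap/nslcd code. It shows which
hostnames a PAM filter such as 'host=sys0*pr*' would admit, and what happens
when the wildcard string is stored literally in the entry instead.
"""
import re

# Constructed sample entries (attribute name -> list of values), not real data.
USERS = {
    # Option 1 from the thread: real hostnames stored, wildcard lives in the PAM filter.
    "bob": {"uid": ["bob"], "host": ["sys01pra", "sys02pre", "sys03pra", "sys03pre"]},
    # Option 2 from the thread: the wildcard string itself stored as the host value.
    "alice": {"uid": ["alice"], "host": ["sys0*pr*"]},
    # A user whose hosts should not be admitted by 'host=sys0*pr*'.
    "carol": {"uid": ["carol"], "host": ["db01prd", "sys10pra"]},
}


def parse_assertion(filter_str):
    """Split 'host=sys0*pr*' or '(host=sys0*pr*)' into (attribute, assertion value)."""
    f = filter_str.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, sep, value = f.partition("=")
    if not sep or not attr or not value:
        raise ValueError(f"not a simple attribute=value assertion: {filter_str!r}")
    return attr.strip().lower(), value


def assertion_matches(assertion_value, stored_value):
    """RFC 4515 semantics for one value: '*' in the assertion matches any run of
    characters (including none); a '*' in the stored value is just a character.
    'host' uses caseIgnore matching rules, so compare case-insensitively."""
    pieces = assertion_value.split("*")
    pattern = ".*".join(re.escape(p) for p in pieces)
    return re.fullmatch(pattern, stored_value, re.IGNORECASE) is not None


def entry_matches(filter_str, entry):
    """True if any value of the filter's attribute in `entry` satisfies it."""
    attr, value = parse_assertion(filter_str)
    return any(assertion_matches(value, v) for v in entry.get(attr, []))


def hosts_allowed(filter_str, hostnames):
    """Which of `hostnames`, if stored in the filter's attribute, would pass it.
    Useful for previewing a wildcard before putting it into a PAM filter."""
    _, value = parse_assertion(filter_str)
    return [h for h in hostnames if assertion_matches(value, h)]


if __name__ == "__main__":
    candidates = ["sys01pra", "sys02pre", "sys03pra", "sys03pre",
                  "sys10pra", "sys0xprod", "db01prd"]
    # Substring semantics: 'sys0xprod' also passes, 'sys10pra' does not.
    print("admitted by host=sys0*pr*:", hosts_allowed("host=sys0*pr*", candidates))
    for uid, entry in USERS.items():
        print(uid, "with host=sys0*pr*:", entry_matches("host=sys0*pr*", entry))
    # A filter naming the real host does not match a stored wildcard string.
    print("alice with host=sys01pra:", entry_matches("host=sys01pra", USERS["alice"]))
```

The last line is the caveat that goes with Dan's second option: a stored value of `sys0*pr*` is only ever matched by a filter that itself carries a wildcard, so a host that asks about its own name with `host=<that host>` will not find it. Also note that `sys0*pr*` is a substring pattern, not a regular expression: it admits `sys0xprod` as well as the four hosts Simone listed.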