Thanks to everyone on this list that helped with this problem. The answer (as with most answers) was in the documentation:
[from `man nss_ldap`]
nss_base_<map> <basedn?scope?filter> Specify the search base, scope and filter to be used for specific maps.
I created a nss_base_passwd line looking like this:
nss_base_passwd ou=Accounts?sub?|(uid=user1)(uid=user2)(uid=...
It's dirty, but works until I upgrade to OpenLDAP 2.4 and can use the memberOf= search filter.
This successfully limits the output of getent passwd to just the users I want. It also limits the info that finger gives to just those users.
Hope this helps someone else. -Rex
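Added example (not from this thread or from nss_ldap itself): a small builder and parser for the `basedn?scope?filter` value that `nss_base_<map>` takes, as quoted from the man page above. The base DN `ou=Accounts,dc=example,dc=com` and the user names are constructed; the fallback to scope `sub` when the scope field is empty is an assumption about the global `scope` default.

```python
# Build and validate an nss_ldap nss_base_<map> value: basedn?scope?filter.
# Added example; base DN, uids and the "sub" default are assumptions.
from typing import List, Optional, Tuple

VALID_SCOPES = {"base", "one", "sub"}


def build_uid_filter(uids: List[str]) -> str:
    """Return an LDAP filter matching exactly the given uids (OR'd together)."""
    if not uids:
        raise ValueError("need at least one uid")
    for uid in uids:
        # RFC 4515 metacharacters would need escaping; refuse them outright so a
        # stray '*' or ')' cannot widen the match or break the filter.
        if any(ch in uid for ch in "()*\\\0"):
            raise ValueError(f"unsafe characters in uid {uid!r}")
    if len(uids) == 1:
        return f"(uid={uids[0]})"
    return "(|" + "".join(f"(uid={u})" for u in uids) + ")"


def balanced(filt: str) -> bool:
    """True if the filter is enclosed in parentheses and they balance."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filt.startswith("(") and filt.endswith(")")


def build_nss_base(basedn: str, scope: str, filt: Optional[str]) -> str:
    """Assemble the value for an nss_base_passwd (or any nss_base_<map>) line."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {sorted(VALID_SCOPES)}")
    if filt is not None and not balanced(filt):
        raise ValueError("filter must be a complete, parenthesised LDAP filter")
    return f"{basedn}?{scope}?{filt}" if filt else f"{basedn}?{scope}"


def parse_nss_base(value: str) -> Tuple[str, str, Optional[str]]:
    """Split basedn?scope?filter; empty scope falls back to 'sub' (assumed)."""
    parts = value.split("?", 2)  # maxsplit=2 keeps any '?' inside the filter
    basedn = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    filt = parts[2] if len(parts) > 2 and parts[2] else None
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    if filt is not None and not balanced(filt):
        raise ValueError("unbalanced or unparenthesised filter")
    return basedn, scope, filt
```

The resulting `/etc/ldap.conf` line is `nss_base_passwd ` followed by the value returned by `build_nss_base`; `getent passwd` should then list only the named uids.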
On Sep 16, 2009, at 1:49 AM, Gavin Henry wrote:
See the dynlist overlay: http://www.openldap.org/doc/admin24/overlays.html
On 15/09/2009, Rex Roof rex@wccnet.edu wrote:
On Sep 15, 2009, at 10:41 AM, Howard Chu wrote:
Rex Roof wrote:
Yes, or a configuration for PAM that limits which users it provides information for.
PAM doesn't return user information at all. This is strictly for nss-ldap. You could also add a filter to nss-ldap's config file. Unfortunately the most straightforward filter (memberOf=<the group DN>) won't work with OpenLDAP's memberof overlay. If your group was actually a dynamic group, then you could use the same filter criteria that the dynamic group uses.
-Rex
From what I can tell, nss_ldap and pam_ldap use the same config file in CentOS, /etc/ldap.conf. So they both use the same proxy user?
What do you mean by dynamic group? I'm open to changing to some other setup.
-Rex
http://www.suretecsystems.com/services/openldap/ http://www.suretectelecom.com