Yes, or a configuration for PAM that limits which users it provides information for.
-Rex
On Sep 12, 2009, at 9:17 PM, Howard Chu wrote:
Brett @Google wrote:
On Sat, Sep 12, 2009 at 1:08 AM, Rex Roof <rex@wccnet.edu> wrote:
I have some linux machines that I have configured for student access. We are authenticating against our OpenLDAP tree and limiting which users have access via an LDAP groupOfNames. This is all working perfectly.
This is the problem I am having. Any user with access to the system can run the /usr/bin/finger command and do a name search against our entire LDAP tree. I would like to limit the info available via finger to just the users that have access to any particular machine. How can this be controlled?
This sounds more like a firewall / iptables issue to your finger server than anything else?
No, doesn't sound like that to me.
Essentially he wants an ACL that grants access to nss-ldap searches based on the target entries belonging to a group associated with a particular peeraddr. But at the moment, I can't think of any mechanism to do this in the current ACL engine.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
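One static way to express the per-machine restriction Howard describes, as an added example that is not part of the thread and not taken from the OpenLDAP documentation: a slapd.conf ACL that combines a peername.ip clause with a set expression, so that from a given lab machine only the entries that are members of that machine's groupOfNames are readable. The suffix dc=example,dc=com, the group DNs, the lab subnet 192.0.2.0/24 and the host addresses are assumptions chosen for the example.

```conf
# Added example, not from the original thread. Assumed layout:
#   user entries under   ou=people,dc=example,dc=com
#   one groupOfNames per lab machine under ou=groups,dc=example,dc=com
#   lab machines live in 192.0.2.0/24 (RFC 5737 documentation range)
#
# A <who> clause only matches when every condition in it holds, so a
# lab client reading an entry that is not in its group falls through
# to the later clauses.  The explicit "none" for the lab subnet keeps
# such clients from inheriting the general read grant below it.
#
# set="[<groupDN>]/member & this" is non-empty only when the target
# entry's DN ("this") appears among the group's member values.

access to dn.subtree="ou=people,dc=example,dc=com"
    by peername.ip=192.0.2.10 set="[cn=lab1-users,ou=groups,dc=example,dc=com]/member & this" read
    by peername.ip=192.0.2.11 set="[cn=lab2-users,ou=groups,dc=example,dc=com]/member & this" read
    by peername.ip=192.0.2.0%255.255.255.0 none
    by users read
    by * none
```

Because the restriction is enforced by slapd rather than by the client's NSS configuration, a user who runs ldapsearch directly from the lab machine sees the same subset that finger does; a filter applied only in the client-side nss_ldap configuration would not stop that. The mapping from machine address to group is static here and has to be kept in step with the groupOfNames entries by hand, which is the gap Howard notes in the ACL engine.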