Hi Olivier, thanks for the fast answer. I'm looking at pam_ldap component and I already saw the host based authentication that enables to list hostnames on the server per user. Your idea, if I'm not mistaken, would be to specify this host parameter as some kind of LDAP data structure (ie: groupOfNames) and have the authentication mechanism match on that structure. I'm looking at groupOfNames and it's not clear to me if it can really be used for that purpose but the most obscure point is where the logic for the matching should go. I'm really open to any input on this subject whether it is some example of already implemented solutions or just some direction on how to go forward with the development.
Thank you
Simone
On Oct 29, 2012, at 2:40 PM, Olivier ldap@guillard.nom.fr wrote:
---Previous mail sent accidently before ending (sorry for doublon)---
Feasable it is (there different ways to do that).
BTW, I'm also interested to gather some input on that topic.
@simone : I suggest that you look at pam mecanisms : http://www.padl.com/OSS/pam_ldap.html And more specifically at the access.conf syntax.
You may be interested in : Hosts, posix groups, group of names and netgroups
@list : I would appreciate some input from others about the best way to store hosts in ldap for this kind of usage :
Which container to use for hosts (structural class account? device ? ... ) How to deal with groups of hosts : groupOfNames ? posixGroup ? Any advice ?
Thanks,
2012/10/29 Simone Scremin simone.scremin@gmail.com:
Hi all, I'm in the process of learning the OpenLDAP authentication mechanics. I'd need to know what is the best way to configure an host based authentication system that allow to configure a per-user rule to include a group of host to which the user is allowed to login.
In example:
user Bob needs to authenticate on systems:
sys01pra sys02pre sys03pra sys03pre
some configuration on the LDAP server enable this hostnames for Bob with a regular expression like:
sys0*pr*
Is it feasable?
Thanks
Simone