2010/11/19 Phuong Marie VUONG <mangocphung(a)gmail.com>:
First, im sorry about my English. I share here my experience which worked
for limit acces host/group of host for user...
In the configuration of ldap client /etc/ldap.conf , i have activate the
host attribute and a filter in nss_base_passwd
In the user entry, add the host attribute
And in the host set, you can put the pattern value correpond of the level
that you want to authorize to connect , for exe :
Hope that can help
2010/11/19 c0re <nr1c0re(a)gmail.com>
> can you give an example of usage pam_check_host_attr?
> And how can I use group of hosts and assign user to this group to
> permit access user to this group avoiding enumerating hosts in users
> dn each time I add new user?
> What should I set in "host:"? Hostname of server? How host attr are
> sent to pam_ldap?
> 2010/11/18 Aaron Richton <richton(a)nbcs.rutgers.edu>:
> > On Thu, 18 Nov 2010, c0re wrote:
> >> I mean user user1 can must login only on server1,server2 and server3.
> >> And user2 can login only on server5 and server2.
> > You could probably overload almost anything (dyngroups, OpenLDAP ACLs,
> > search filters, who knows) to accomplish this, but the cleanest way to
> > do
> > this in pam_ldap would utilize pam_check_host_attr. I assume pam_ldap
> > because you mentioned "pam_groupdn" which is not an OpenLDAP
> > configuration
> > directive.
I moved a bit different way.
I used pam_groupdn in ldap.conf and created a group for each server.
Now if I add user to ldap, I need to add to groups "memberUid:
`userdn`". And user will be able to login to those servers in which
groups is user as a member.
But if I got 100-200 servers and want to give access to new user to
all this servers, I should add user to all groups. Of course it's a
waste of time and it's possible to be done via some external
shell/perl script, but may be there another way in openldap?
pam_check_host_attr do almost same. If I add user - I need to add all
hosts to user attr "host:". So it's same work I think.