Vince Rafale wrote:
Howard Chu wrote:
> Buchan Milne wrote:
>> On Sunday 26 April 2009 14:34:00 Vince Rafale wrote:
>>> Hi list,
>>>
>>> I would like to know whether anybody has succeeded in using the
>>> memberof overlay for other attributes.
>>> I would like a user entry (specifically the host attribute) to be
>>> populated when a user is added to a posixGroup. Let's say this
>>> posixGroup contains a "hostOfGroup" attribute.
>>>
>>> Is it feasible? Or do I need to code my own overlay for that purpose?
>>> If writing an overlay is not needed, is there an easier way to do that?
>>
>> Sounds like there may be other solutions to your real problem ... e.g.
>> pam_listfile with item=group sense=allow
>
> Or use the PAM support in the nssov overlay. Setting a user's host
> attribute to control logins is ridiculous...
>
Ok for that overlay. Have you got any tutorial on the use of that overlay?
If not, could you please provide some more details on the configuration
for that overlay that could suit my need?
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/nssov/slap...
The relevant point is to create ipHost entries for each host that you want to
control logins on, and set the authorizedService attribute to the set of PAM
services you want to allow (e.g., login, sshd, gdm, whatever). Then set ACLs
on the authorizedService attribute - this will then control what users the
nssov overlay allows to log in to the given service on a given host. This gives
you the full power of the slapd ACL engine, instead of just the 2-3 limited
options that the old pam_ldap module provides.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
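
The setup described in the last reply, as an added illustration that is not part of the original message or of the nssov distribution: one ipHost entry carrying authorizedService values, and per-service ACLs on that attribute. Assumptions: the suffix dc=example,dc=com, the host and group names, the database DN olcDatabase={1}mdb,cn=config, groupOfNames-style groups, the authorizedServiceObject class from ldapns.schema, and that the overlay's check needs compare access for the user; verify these against slapo-nssov(5) and slapd.access(5).

```ldif
# Constructed example: every DN, name and address below is a placeholder.

# Host entry, one per machine whose logins are to be controlled.
# authorizedService lists the PAM services allowed on this host.
# Assumes ldapns.schema is loaded (provides authorizedServiceObject).
dn: cn=web01,ou=hosts,dc=example,dc=com
changetype: add
objectClass: device
objectClass: ipHost
objectClass: authorizedServiceObject
cn: web01
ipHostNumber: 192.0.2.10
authorizedService: sshd
authorizedService: login

# ACLs on the authorizedService values of that host (assumed database DN).
# Each rule names one service value and the group allowed to match it;
# everyone else gets no access to that value, so the check fails for them.
# "compare" is the assumed privilege level the overlay's check requires.
# Other rules must still let these users reach the host entry itself.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="cn=web01,ou=hosts,dc=example,dc=com"
  attrs=authorizedService val.exact="sshd"
  by group.exact="cn=web-admins,ou=groups,dc=example,dc=com" compare
  by * none
olcAccess: {1}to dn.exact="cn=web01,ou=hosts,dc=example,dc=com"
  attrs=authorizedService val.exact="login"
  by group.exact="cn=console-ops,ou=groups,dc=example,dc=com" compare
  by * none
```

The two records target different databases (the data suffix and cn=config), so each is applied with an identity that can write there.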