Hi All,
I have installed OpenLDAP to authenticate users on Unix systems. So, I use the module pam_ldap / nss_ldap with the primitive pam_check_host_attr yes, and I have the attribute host for each person in my LDAP. I want to have 3 levels of authentication:
- First level: a person has numerous « host » attributes, so he is able to authenticate on these hosts
- Second level: a person could be able to authenticate on a group of hosts
- Third level: a person is able to authenticate on all hosts
For the first level, for each host I declare one « host » primitive for my user in OpenLDAP:
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/sh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: hostObject
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
host: labobe1
host: labobe2
For the third level, I just put the primitive « host: * »
But I don't know how I could do the second level. I would like something like groupRadiusName: I want to define numerous groups with the host primitive, and each user can be in one group or more. The goal is that my user has his host primitive plus the host primitive of his group. Is it possible?
Thanks for your help,
Regards,
François
openldap-technical@openldap.org
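As an added illustration (not part of the original post and not pam_ldap's own code), the following Python models the pam_check_host_attr decision on an LDIF record like the one above, and separately models the "level 2" policy the poster asks for. The group entry, its memberUid link, and the merging of group host values into the user's list are assumptions that describe the wanted policy, not a feature the post says pam_ldap provides; the user password is omitted from the sample.

```python
import base64

# Constructed sample entries, modelled on the post's record (password omitted).
USER_LDIF = """dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
uid: fmehault
objectClass: hostObject
host: labobe1
host: labobe2
"""

# Hypothetical group entry carrying host values (assumption: memberUid links users).
GROUP_LDIF = """dn: cn=labo,ou=Groupes,dc=netplus,dc=fr
objectClass: posixGroup
memberUid: fmehault
host: labobe3
host: labobe4
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; '::' marks base64 values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def host_allowed(hosts, hostname):
    """pam_check_host_attr rule: login is allowed only if the host list names this
    machine or contains the wildcard '*'; an empty list denies every host."""
    return "*" in hosts or hostname in hosts

def effective_hosts(user, groups):
    """The level-2 policy the post asks for: the user's own host values plus those
    of every group that lists the user in memberUid (a model, not pam_ldap behaviour)."""
    hosts = set(user.get("host", []))
    uid = user.get("uid", [None])[0]
    for group in groups:
        if uid in group.get("memberUid", []):
            hosts.update(group.get("host", []))
    return hosts
```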