On Sep 15, 2009, at 9:15 AM, Jonathan Clarke wrote:
On 15/09/2009 14:31, Roof,Rex wrote:
> On Sep 14, 2009, at 5:21 PM, Buchan Milne wrote:
>> On Friday, 11 September 2009 16:08:17 Rex Roof wrote:
>>> I have some Linux machines that I have configured for student
>>> We are authenticating against our OpenLDAP tree and limiting which
>>> users have access via an LDAP groupOfNames.
>> At the PAM level.
>>> This is all working
>>> This is the problem I am having. Any user with access to the
>>> can run the /usr/bin/finger command and do a name search against
>>> entire LDAP tree. I would like to limit the info available via
>>> finger to just the users that have access to any particular
>> What about the standard user information available via 'getent
>> passwd' ?
>>> How can this be controlled?
>> If you are referring to the same information as in 'getent passwd',
>> your first
>> problem is whether you need the OS to be able to resolve UIDs to
>> usernames for
>> the users who should not have access. After that, worry about (the
>> information via) finger ...
> Yes! 'getent passwd' returns all of the 100,000 entries in my LDAP
> tree, I'd rather it returned the 30 or so users that have access to
> the particular machine plus whatever is in /etc/passwd.
> Is it possible to do this? Perhaps via a PAM configuration?
If I understand correctly, you're enforcing access to this machine by
telling PAM to allow only a given group, presumably via an option in
pam_ldap.conf like "pam_groupdn cn=yourgroupe,dc=etc".
But NSS (and therefore finger) is still seeing all users in the
directory, and not only the ones from that group?
One solution would be to configure your libnss-ldap to use a binddn to
connect to the LDAP server, and set up ACLs so that that binddn only
has access to users from that group.
Could I craft an ACL for my proxy user, "cn=UNIX Auth,ou=Utility", so
that it only has access to objects that are in any group matching the
pattern "cn=machine [^,]+,ou=Group"? (I've made groups for each Unix
machine in the form of "cn=machine hostname,ou=group")
Currently the "cn=UNIX Auth,ou=Utility" proxy user is in the group
"cn=authdaemon,ou=group", which I've given read access to most of the