Hi Howard.
Thanks for the advice, I noticed that it works on some systems, I have
some old rhel4.8 ( lots of them ) where it is not working, but with new
centos 6.x it works fine, and even though I specify its IP only and
not the FQDN; on the other hand, I did not know about the nssov overlay,
I'll take a look, and I'll keep researching the issue on the old
systems with openldap-2.2.13-7.4E, openldap-clients-2.2.13-7.4E and
nss_ldap-226-18.
Thank you very much for your time and support
Regards.
2013/12/23, Howard Chu <hyc(a)symas.com>:
Net Warrior wrote:
> Hi French
>
> No tcp_wrapper behaviour, just found that article and I'm trying to
> make it work as well, maybe I misunderstood what the host attribute
> really is for, or the article is wrong, or I'm doing something wrong; at
> least in the logs I can see the pam_check_host is being evaluated.
all of this pam_ldap stuff is obsolete. nssov implements much finer grained
authorization.
>
> slapd[20810]: conn=5374 op=4 MOD attr=host
>
> Thanks for your time and support.
> Regards
>
> 2013/12/23, Warron S French <Warron.S.French(a)aero.org>:
>> Low Sensitivity/Aerospace Internal Use Only
>>
>> NetWarrior, are you attempting to apply a TCP_Wrappers like behavior but
>> implement it through LDAP?
>>
>> Warron French, MBA, SCSA
>>
>>
>> ----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:42
>> AM
>> -----
>>
>> From: Net Warrior <netwarrior863(a)gmail.com>
>> To: openldap-technical <openldap-technical(a)openldap.org>,
>> Date: 12/23/2013 07:36 AM
>> Subject: host Attribute
>> Sent by: openldap-technical-bounces(a)OpenLDAP.org
>>
>> Hi guys.
>> I'm trying to restrict some users to login to some servers, googling
>> around I found that some things can be done with the host attribute,
>> this is what I got.
>>
>> A user with the host attribute and a FQDN server on it,
>>
>> server.comap.com, the pam_check_host_attr set to yes in the client
>> configuration ( pam_ldap.conf / ldap.conf ). If I understand well the
>> user can now login to that server, in my tests I can confirm that;
>> what I notice is that the user can log in to all the other servers in
>> the farm whatever I set in the host attribute
>>
>> I read this article as a reference:
>> thornelabs dot net
>>
>> /documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html
>>
>> Please, can someone shed some light on this or clarify whether what I'm trying
>> to do is correct or wrong?
>>
>> Thanks for your time and support
>> Regards
>>
>
>
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
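An added example, not code from this thread nor from pam_ldap/nss_ldap: a small model of the client-side decision that pam_check_host_attr is meant to make, so you can see what a given host attribute value decides on a given client (the constructed entries mirror the thread: one user limited to server.comap.com). The matching rules (no host attribute means deny, "*" is a wildcard, otherwise a case-insensitive comparison against the names the client knows for itself) are my assumption about pam_ldap's behaviour, not something the thread confirms.

```python
"""Model of the host-attribute login check (added example, constructed data)."""
import socket

# Constructed sample entries, as a client would read them from the directory.
SAMPLE_ENTRIES = {
    "alice": {"objectClass": ["posixAccount", "hostObject"],
              "host": ["server.comap.com"]},      # only this server
    "bob":   {"objectClass": ["posixAccount", "hostObject"],
              "host": ["*"]},                     # wildcard: any host
    "carol": {"objectClass": ["posixAccount"]},    # no host attribute at all
}

def host_attr_allows(entry, local_names):
    """Return (allowed, reason) for one user entry on a client whose own
    names are local_names (short hostname and/or FQDN).  Assumed semantics:
    no host attribute -> deny; '*' -> allow; otherwise a case-insensitive
    match of any host value against any of the client's own names."""
    hosts = entry.get("host", [])
    if not hosts:
        return False, "no host attribute on entry"
    wanted = {h.lower() for h in hosts}
    if "*" in wanted:
        return True, "wildcard '*' grants every host"
    for name in local_names:
        if name.lower() in wanted:
            return True, f"matched host value {name}"
    return False, f"none of {sorted(wanted)} matches {sorted(local_names)}"

def local_names_for(hostname, fqdn=None):
    """Names a client may compare against: the short name plus, if known, the
    FQDN.  They differ when gethostname() returns only the short name, which is
    why an attribute holding only the FQDN can fail to match on some clients."""
    names = {hostname}
    if fqdn:
        names.add(fqdn)
    return names

def audit(entries, server_names):
    """Per user: would login be allowed on a client with these names, and why."""
    return {user: host_attr_allows(e, server_names) for user, e in entries.items()}

if __name__ == "__main__":
    names = local_names_for(socket.gethostname(), socket.getfqdn())
    for user, (ok, why) in audit(SAMPLE_ENTRIES, names).items():
        print(f"{user:6} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it on each client in the farm: a user who the model says is denied but who can still log in points at the check not being applied on that client, rather than at the attribute value.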