Low Sensitivity/Aerospace Internal Use Only NetWarrior, are you attempting to apply a TCP_Wrappers like behavior but implement it through LDAP? Warron French, MBA, SCSA ----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:42 AM ----- From: Net Warrior <netwarrior863(a)gmail.com&gt; To: openldap-technical <openldap-technical(a)openldap.org&gt;, Date: 12/23/2013 07:36 AM Subject: host Attribute Sent by: openldap-technical-bounces(a)OpenLDAP.org Hi guys. I'm trying to restric some user to login to some server, googling around I found that some things can be donde with the host attribute, this is what I got. A user with host attribute and and a FQDN server on it server.comap.com , the pam_check_host_attr set to yes in the client configuration ( pam_ldap.conf / ldap.conf ), If I understand well the user can now login to that server, in my tests I can confirm that, what I notice is that the user can loging to all the other servers in the farm whaterver I set to the host attribute I read this article as a reference: thornelabs dot net /documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html Please, can someone shed some light on this or clarify what I'm trying to to is correct or wrong? Thanks for your time and support Regards Low Sensitivity/Aerospace Internal Use Only

Net Warrior wrote: > Hi French > > No tcp_wrapper behaviour, just found that article and I'm trying to > make it work as well, maybe I missundertood what the host attribute > really is for or the article is wrong or I'm doing something wrong, at > least in the logs I can see the pam_check_host is being evaluated. all of this pam_ldap stuff is obsolete. nssov implements much finer grained authorization. > > slapd[20810]: conn=5374 op=4 MOD attr=host > > Thanks for your time and support. > Regard > > 2013/12/23, Warron S French <Warron.S.French(a)aero.org&gt;: >> Low Sensitivity/Aerospace Internal Use Only >> >> NetWarrior, are you attempting to apply a TCP_Wrappers like behavior but >> implement it through LDAP? >> >> >> >> >> Warron French, MBA, SCSA >> >> >> ----- Forwarded by Warron S French/Emp/Aerospace/US on 12/23/2013 07:42 >> AM >> ----- >> >> From: Net Warrior <netwarrior863(a)gmail.com&gt; >> To: openldap-technical <openldap-technical(a)openldap.org&gt;, >> Date: 12/23/2013 07:36 AM >> Subject: host Attribute >> Sent by: openldap-technical-bounces(a)OpenLDAP.org >> >> >> >> Hi guys. >> I'm trying to restric some user to login to some server, googling >> around I found that some things can be donde with the host attribute, >> this is what I got. >> >> A user with host attribute and and a FQDN server on it >> server.comap.com , the pam_check_host_attr set to yes in the client >> configuration ( pam_ldap.conf / ldap.conf ), If I understand well the >> user can now login to that server, in my tests I can confirm that, >> what I notice is that the user can loging to all the other servers in >> the farm whaterver I set to the host attribute >> >> I read this article as a reference: >> thornelabs dot net >> /documentation/2013/02/01/linux-restrict-server-login-via-ldap-hostobject-objectclass-and-host-attribute.html >> >> Please, can someone shed some light on this or clarify what I'm trying >> to to is correct or wrong? >> >> Thanks for your time and support >> Regards >> >> >> >> Low Sensitivity/Aerospace Internal Use Only > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/