Hi everybody, I'm not a real pro in ldap yet, so I have a question about ou' s.
I have here the main ou=people, where all users are in. Now I want to create a 2nd ou=radar. The goal is that I have a 2nd ou with just a few users, for authentication on some special servers. I want to have that seperated.
My question is, if I can link or combine some users from ou=people to ou=radar, that I don't have to create the user a 2nd time?
regards marc
Instead of that, look at changing the pam rules to include/exclude users based on groups or attribs. libnss-ldap (pam_ldap?) has a pam_filter line that lets you specify a filter for that host based on an ldap search (ie: pam_filter host=radar would only allow users with a host attribute set to radar). For a more scalable way, look at pam_access.so (in your account section of pam configs), it uses a config much like the normal access.conf file, but matches it against ldap, so you can setup groups in ldap and check membersips there. Another way is to setup checks using pam_succeed_if.so. Gooogle those options and it should turn up a bunch of suggestions and how-tos.
-T
Hi everybody, I'm not a real pro in ldap yet, so I have a question about ou' s.
I have here the main ou=people, where all users are in. Now I want to create a 2nd ou=radar. The goal is that I have a 2nd ou with just a few users, for authentication on some special servers. I want to have that seperated.
My question is, if I can link or combine some users from ou=people to ou=radar, that I don't have to create the user a 2nd time?
regards marc
openldap-technical@openldap.org
-
Mackey, Theral -
Marc Mertes