Instead of that, look at changing the pam rules to include/exclude users based on groups
or attribs. libnss-ldap (pam_ldap?) has a pam_filter line that lets you specify a filter
for that host based on an ldap search (i.e. pam_filter host=radar would only allow users
with a host attribute set to radar). For a more scalable way, look at pam_access.so (in
your account section of pam configs); it uses a config much like the normal access.conf
file, but matches it against ldap, so you can set up groups in ldap and check memberships
there. Another way is to set up checks using pam_succeed_if.so. Google those options and
it should turn up a bunch of suggestions and how-tos.

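As an added illustration of the three mechanisms named in that reply (this is not the poster's own configuration), the fragments below restrict logins on the radar host to members of an LDAP group. Assumed: a group named radar resolvable through NSS, the file paths shown, and a host attribute present in your user schema.

```text
# /etc/pam.d/sshd (or the common account file your distro includes)
# Added example, not the poster's config. Assumes an LDAP group "radar"
# that libnss-ldap resolves via getgrnam().

# Option 1: pam_access with an access.conf-style file.
# Rules are evaluated top to bottom, first match wins. If NOTHING matches,
# pam_access grants access, so the final "- : ALL : ALL" line is what
# actually fences the host off; without it the file only adds exceptions.
account  required  pam_access.so  accessfile=/etc/security/access-radar.conf

# /etc/security/access-radar.conf
# format:  permission : users-or-(groups) : origins
# Keep root able to log in from the console for recovery.
+ : root : LOCAL
# Parentheses mark a group name; groups from LDAP are matched through NSS.
+ : (radar) : ALL
# Everybody else, from anywhere, is refused.
- : ALL : ALL

# Option 2: pam_succeed_if, one condition, no extra file.
# "requisite" fails the whole account stack at once when the test fails;
# "ingroup" is again evaluated through NSS, so LDAP groups work.
account  requisite  pam_succeed_if.so  user ingroup radar

# Option 3: pam_ldap's own filter in /etc/ldap.conf (or /etc/pam_ldap.conf).
# pam_filter is ANDed into the LDAP search pam_ldap performs for the user,
# so accounts without host=radar are never found at all on this host.
# Only works if your user objectClass actually carries a "host" attribute.
pam_filter  host=radar
# Alternative in the same file: require membership in one group entry
# (hypothetical DN, adjust to your tree; default member attribute is uniqueMember).
# pam_groupdn  cn=radar,ou=groups,dc=example,dc=com
```

Test a new account-stack rule from a second, already open root session before closing the first one, since a mistake in the account section locks everyone out, including you.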
I'm not a real pro in ldap yet, so I have a question about ou's.
I have here the main ou=people, where all users are.
Now I want to create a 2nd ou=radar.
The goal is that I have a 2nd ou with just a few users,
for authentication on some special servers.
I want to have that separated.
My question is, can I link or combine some users from ou=people
to ou=radar, so that I don't have to create the user a 2nd time?