I have many Windows 2003/Linux servers and an OpenLDAP server as the auth server. I want to set up ACLs in the OpenLDAP server, say, user A is allowed to log in to the windows-1 and Linux-1 servers, and user B is allowed to log in to the windows-2 and Linux-2 servers. How do I set this up in the OpenLDAP server?
> I have many Windows 2003/Linux servers and an OpenLDAP server as the auth server. I want to set up ACLs in the OpenLDAP server, say, user A is allowed to log in to the windows-1 and Linux-1 servers, and user B is allowed to log in to the windows-2 and Linux-2 servers. How do I set this up in the OpenLDAP server?
The question is not how to set up LDAP, but how to set up your Windows and Linux servers.
For example, I use in nss_ldap.conf (Unix):
nss_base_passwd ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=samba
And in smb.conf (samba):
[ well I can't find it right now ]
So basically I am using one LDAP attribute that I created, "csimAccountPermission", that lists the various machines/applications that one user can access.
But that really depends on what you want to authenticate; not all applications support adding an LDAP filter.
Olivier
On Tuesday 23 June 2009 05:28:31 Olivier Nicole wrote:
> > I have many Windows 2003/Linux servers and an OpenLDAP server as the auth server. I want to set up ACLs in the OpenLDAP server, say, user A is allowed to log in to the windows-1 and Linux-1 servers, and user B is allowed to log in to the windows-2 and Linux-2 servers. How do I set this up in the OpenLDAP server?
> The question is not how to set up LDAP, but how to set up your Windows and Linux servers.
> For example, I use in nss_ldap.conf (Unix):
> nss_base_passwd ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=samba
pam_ldap also supports the "host" and "authorizedService" attributes, if you would rather do per-user, per-server authorization. Please see the nss_ldap documentation regarding the pam_check_host_attr and pam_check_service_attr options.
(Filtering users out at the NSS level may be a bit drastic, as file ownerships might not be resolved correctly, etc. Also, since PAM configuration can be changed per application, it is more flexible.)
> And in smb.conf (samba):
I believe Samba supports a similar means to the pam_ldap host attribute, namely storing the "allowed workstations". This can be modified using the "User Manager for Domains" tool from a Windows PC, and I believe this ends up modifying the sambaMungedDial attribute.
This will only work if you have a samba domain controller, and users log in to the domain. Further discussion of the samba and windows-specific aspects really belongs on the samba lists.
Regards, Buchan
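The per-user, per-server decision Buchan describes, as an added illustration (not part of the thread and not pam_ldap's own code): it reads constructed LDIF entries for two users carrying the "host" and "authorizedService" attributes and applies the rule that pam_check_host_attr / pam_check_service_attr enforce. The DN suffix, host names and the assumption that a value of "*" acts as a wildcard are mine, taken from pam_ldap's documentation rather than from the thread.

```python
"""Model of pam_ldap's per-user, per-host check (ldap.conf options
pam_check_host_attr / pam_check_service_attr); constructed LDIF, no real server."""
from collections import defaultdict

# Constructed entries: `host` is from the `account` objectClass (cosine schema),
# `authorizedService` from pam_ldap's ldapns.schema. Names are placeholders.
SAMPLE_LDIF = """\
dn: uid=userA,ou=People,dc=example,dc=com
objectClass: account
objectClass: authorizedServiceObject
uid: userA
host: linux-1
host: windows-1
authorizedService: sshd

dn: uid=userB,ou=People,dc=example,dc=com
uid: userB
host: linux-2
host: windows-2
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}} (no base64, no folding)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def _allowed(values, wanted):
    # Exact match or wildcard "*"; assumed to mirror pam_ldap's documented rule.
    return wanted in values or "*" in values

def authorized(entries, uid, hostname, service, check_host=True, check_service=False):
    """True if `uid` may use PAM service `service` on `hostname`. With the host
    check on, a user lacking any `host` value is denied, so set it per user."""
    entry = next((e for e in entries.values() if uid in e.get("uid", [])), None)
    if entry is None:
        return False
    if check_host and not _allowed(entry.get("host", []), hostname):
        return False
    if check_service and not _allowed(entry.get("authorizedService", []), service):
        return False
    return True
```

Note that userB, lacking any authorizedService value, is refused everywhere as soon as the service check is switched on; that is the "drastic" failure mode to plan for when rolling the attributes out.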
openldap-technical@openldap.org