I have a scenario where I want to setup two LDAP groups where one group can access a file on the server while the other one cannot after they login. Can some PAM tweaks make this happen if not on the ldap side?
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Anton Chu
Sent: Wednesday, November 10, 2010 3:23 PM
To: openldap-technical@openldap.org
Subject: Attributes for filtering OS logins
------------------------------
Anton,
Without more info about the system, it sounds like you need to consider group memberships and set group permissions.
Group A - allowed
Group B - disallowed
Protected file's permissions: -rwxrwx--- (owner) (group A only)
The above example doesn't take into consideration the ownership or permissions of its containing dir. http://content.hccfl.edu/pollock/aunix1/filepermissions.htm
This isn't an LDAP or PAM issue - it's a local file permissions issue; unless I've totally misunderstood your question...
- chris
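As an added illustration of the group-permission approach in the reply above (my own code, not from the thread): a small model of the kernel's discretionary access check, run over a constructed filesystem, so the two-group layout can be checked together with the containing-directory caveat the reply mentions. Every path, uid and gid below is made up; the function names are my own.

```python
# Added example (not from the mailing-list thread): model of the Unix
# discretionary access check for unprivileged users. All paths, uids and
# gids are constructed for illustration.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (owner/group/other)


@dataclass(frozen=True)
class Inode:
    uid: int   # owning user
    gid: int   # owning group
    mode: int  # permission bits only, e.g. 0o770


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int            # primary group
    groups: frozenset   # supplementary groups, i.e. what LDAP group
                        # membership becomes at login via initgroups()


def class_bits(inode, cred):
    """Return the one rwx triplet that applies to cred, as the kernel picks it:
    owner, else group (primary or supplementary), else other. There is no
    fall-through, so an owner with mode 0o070 is denied even when in the group.
    Root (uid 0) is deliberately not modelled."""
    if cred.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid == cred.gid or inode.gid in cred.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def can_access(fs, path, cred, want):
    """True if cred may open path with the requested bits. Every ancestor
    directory is checked for search (x) permission first: a directory without
    x for the caller blocks the file regardless of the file's own mode."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts)):
        parent = "/" + "/".join(parts[:depth])
        if not class_bits(fs[parent], cred) & X:
            return False
    return (class_bits(fs[path], cred) & want) == want


GROUP_A, GROUP_B = 5001, 5002   # constructed gids for the two LDAP groups

FS = {
    "/":                         Inode(uid=0, gid=0,       mode=0o755),
    "/srv":                      Inode(uid=0, gid=0,       mode=0o755),
    "/srv/protected":            Inode(uid=0, gid=GROUP_A, mode=0o750),
    "/srv/protected/secret.txt": Inode(uid=0, gid=GROUP_A, mode=0o640),
    # the file mode alone is not enough: this directory has no group/other x
    "/srv/locked":               Inode(uid=0, gid=0,       mode=0o700),
    "/srv/locked/report.txt":    Inode(uid=0, gid=GROUP_A, mode=0o660),
}

ALICE = Cred(uid=1001, gid=100, groups=frozenset({GROUP_A}))  # member of Group A
BOB = Cred(uid=1002, gid=100, groups=frozenset({GROUP_B}))    # member of Group B


def scenario():
    """Evaluate the thread's two-group case plus the directory caveat."""
    return {
        "alice_reads_secret": can_access(FS, "/srv/protected/secret.txt", ALICE, R),
        "bob_reads_secret": can_access(FS, "/srv/protected/secret.txt", BOB, R),
        "alice_writes_secret": can_access(FS, "/srv/protected/secret.txt", ALICE, W),
        "alice_reads_locked": can_access(FS, "/srv/locked/report.txt", ALICE, R),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

On a real host the equivalent is `chgrp <groupA> file; chmod 0640 file` plus the same review of every parent directory, and the LDAP group has to be resolvable through NSS (nss_ldap or sssd) so that `id -Gn <user>` lists it at login; PAM is not involved in the file check at all.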
Anton Chu wrote:
I have a scenario where I want to setup two LDAP groups where one group can access a file on the server while the other one cannot after they login. Can some PAM tweaks make this happen if not on the ldap side?
Yes. See the man page for pam_ldap:
pam_groupdn <groupdn>
    Specifies the distinguished name of a group to which a user must belong for logon authorization to succeed.
pam_member_attribute <attribute>
    Specifies the attribute to use when testing a user’s membership of a group specified in the pam_groupdn option.
Disregard my response below. I misread the problem statement. I thought you were trying to filter logins based on an attribute, which is what the subject line said.
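Since the pam_groupdn / pam_member_attribute gate quoted above is the login filter the subject line asked about, here is an added model of it (my own code, not from the thread and not pam_ldap's implementation), run against a constructed /etc/pam_ldap.conf fragment and a constructed directory so the rule can be exercised offline. All DNs, users and groups are made up, and two points are assumptions rather than facts from the page: that memberUid is matched against the login name while any other attribute is matched against the user's DN, and that uniquemember is the default attribute.

```python
# Added example (not from the thread, not pam_ldap code): model of the
# pam_groupdn / pam_member_attribute login gate over constructed data.

PAM_LDAP_CONF = """\
# constructed /etc/pam_ldap.conf fragment
base dc=example,dc=com
pam_groupdn cn=server-logins,ou=Groups,dc=example,dc=com
pam_member_attribute memberUid
"""

# Constructed directory: group DN -> attributes. A posixGroup lists login
# names in memberUid; a groupOfNames lists full DNs in member.
DIRECTORY = {
    "cn=server-logins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["alice"],
    },
    "cn=admins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=carol,ou=People,dc=example,dc=com"],
    },
}


def parse_conf(text):
    """pam_ldap.conf style: one 'keyword value' per line, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def norm_dn(dn):
    """Case- and whitespace-insensitive DN compare (assumption: sufficient
    for this model; real DN matching has more rules)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def login_authorized(conf, directory, username, user_dn):
    """True if the user passes the pam_groupdn gate. With no pam_groupdn
    configured there is no gate. A group that cannot be found fails closed."""
    groupdn = conf.get("pam_groupdn")
    if not groupdn:
        return True
    # assumption: uniquemember is the default member attribute
    attr = conf.get("pam_member_attribute", "uniquemember")
    entry = next((e for dn, e in directory.items()
                  if norm_dn(dn) == norm_dn(groupdn)), None)
    if entry is None:
        return False
    values = next((v for a, v in entry.items()
                   if a.lower() == attr.lower()), [])
    # assumption: memberUid holds login names, every other attribute holds DNs
    if attr.lower() == "memberuid":
        return username.lower() in (v.lower() for v in values)
    return norm_dn(user_dn) in (norm_dn(v) for v in values)


if __name__ == "__main__":
    conf = parse_conf(PAM_LDAP_CONF)
    for user in ("alice", "bob"):
        dn = f"uid={user},ou=People,dc=example,dc=com"
        print(user, "login", "allowed" if login_authorized(conf, DIRECTORY, user, dn) else "denied")
```

Two caveats for anyone using this in practice: the gate only decides whether the login succeeds and says nothing about which files the user can read afterwards, which is exactly why the reply above was withdrawn; and the attribute must match the group's object class (memberUid for posixGroup, member or uniqueMember for groupOfNames / groupOfUniqueNames), so test with a user who should be denied before relying on it.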