Re: Users from /etc/passwd, passwords from LDAP?
Quoting "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>:
> This is likely a FAQ on the nss_ldap@padl.com mailing list.
> (likely nss_ldap takes as a parameter a search filter).

The theory (I haven't bothered to try yet) is to utilise the 'pam_filter'
in '/etc/pam_ldap.conf'...

In theory you can have an object 'loginhost' or the like. That is, you want
user 'xyz' to be able to log in to host 'athena' and 'barrabas':

    dn: uid=xyz,...
    loginHost: athena
    loginHost: barrabas

And on host 'athena' you would enter in /etc/pam_ldap.conf:

    pam_filter loginHost=athena

And on 'barrabas':

    pam_filter loginHost=barrabas

As said, this is theory (which I picked up here a couple of months ago). You
will have to make your own objectClass to use this 'loginhost' though...

> At 03:40 PM 1/29/01 -0800, Jeffrey W. Baker wrote:
> >I wonder if it is possible to have the setup that I desire. I have some
> >Linux and Solaris machines, nss_ldap from padl.com, and OpenLDAP 2.0. I
> >wish to have all of my user information in the LDAP directory, which I
> >have already done. I also want my users to be authenticated against the
> >userPassword in LDAP, which I have also already done.
> >
> >The part that I find tricky is that I don't want every user in LDAP to be
> >able to login to every machine. Let's say I have 500 users, and only 10
> >of them should be logging in to a particular box. But I still want the
> >usernames, passwords, and groups coming from LDAP.
> >
> >I would love to hear about an example of someone having already done this.
> >
> >Regards,
> >Jeffrey Baker
--
Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
/ / | | '_ \| | | \ \/ / Debian Certified Linux Developer
_ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
\\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
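
Added example, not part of the original post: pam_ldap ANDs the configured pam_filter with the login attribute match, so on 'athena' the search for user 'xyz' becomes (&(loginHost=athena)(uid=xyz)). The Python sketch below models that per-host decision over constructed entries; the helper names, the sample directory and the case-insensitive matching of loginHost are assumptions, and only simple attr=value filters are handled.

```python
# Added illustration: models the search filter pam_ldap builds when
# pam_filter is set. Entries and helper names are constructed for this example.

def escape_filter_value(value):
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def effective_filter(pam_filter, user, login_attr="uid"):
    """pam_filter is ANDed with the login attribute match."""
    return "(&(%s)(%s=%s))" % (pam_filter, login_attr, escape_filter_value(user))

def has_value(entry, attr, wanted):
    # Attribute names are case-insensitive; values are compared
    # case-insensitively here (assumes a caseIgnoreMatch attribute).
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == wanted.lower() for v in values)
    return False

def may_login(directory, pam_filter, user):
    """True if some entry matches both the host filter and the user name."""
    attr, _, value = pam_filter.partition("=")
    return any(has_value(e, "uid", user) and has_value(e, attr, value)
               for e in directory)

# Constructed sample directory (not real data).
DIRECTORY = [
    {"uid": ["xyz"], "loginHost": ["athena", "barrabas"]},
    {"uid": ["abc"], "loginHost": ["barrabas"]},
    {"uid": ["nohost"]},  # no loginHost value: matches no host filter
]

if __name__ == "__main__":
    for host in ("athena", "barrabas"):
        pam_filter = "loginHost=%s" % host
        for user in ("xyz", "abc", "nohost"):
            print(host, effective_filter(pam_filter, user),
                  "allow" if may_login(DIRECTORY, pam_filter, user) else "deny")
```

An entry with no loginHost value matches no host's filter, so accounts have to be granted hosts explicitly.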