
Re: Limiting host access



On Monday, 21 November 2011 09:00:23 Jayavant Patil wrote:
> Hi,
> 
>    I am just storing the user related information in the directory.
>    e.g.
>    My .ldif file contents are as follows:
> 
> dn: uid=ldap_5,ou=People,dc=dc,dc=com
> uid: ldap_5
> cn: ldap_5
> sn: ldap_5
> mail: ldap_5@dc.com
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 13998
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 513
> gidNumber: 513
> homeDirectory: /lustre/home/ldap_5

One method would be to add the hostObject objectclass, from ldapns.schema 
(shipped with pam_ldap source), and add a host attribute with the 'hostname' 
of the host for each host the user should be allowed to log in to, and set 
'pam_check_host_attr yes' in /etc/ldap.conf (see 'man pam_ldap').

Of course, this depends on which pam module you are using, and there are other 
options.


> On Mon, Nov 21, 2011 at 12:05 PM, Jayavant Patil <jayavant.patil82@gmail.com> wrote:
> > 
> > Hi,
> > 
> >   I want to restrict login access to some selected client nodes (by
> > 
> > default, openldap allows user access to all client nodes). I have googled
> > for this, tried many different configurations like host
> > attribute,hostObject class etc. but failed to get the required.
> > 
> > On Mon, Nov 21, 2011 at 11:47 AM, Bill MacAllister <whm@stanford.edu> wrote:
> >> --On Monday, November 21, 2011 11:06:21 AM +0530 Jayavant Patil <jayavant.patil82@gmail.com> wrote:
> >> 
> >>> Hi,
> >>> 
> >>>   I am using openldap-2.4.19-4 on fedora 12 machine. My question is as
> >>> follows:
> >>>   How to restrict a user access to some client nodes?


Regards,
Buchan
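As an added illustration of the method described in the reply above (this is example code written for this page, not code from the list, from pam_ldap or from OpenLDAP): the script builds the LDIF modify record that adds the hostObject objectClass and host values to the quoted user entry, applies it to an in-memory copy of the entry with the same objectClass check a directory server would perform, and then evaluates the login decision the way pam_check_host_attr does, by comparing the local hostname against the entry's host values. The user entry is the one quoted in the thread; the hostnames node01 and node02.dc.com are constructed sample values, and the exact, case-insensitive hostname match (with no wildcard handling) is an assumption of this model, so check your pam module's documentation for its actual matching rule.

```python
"""Model of pam_ldap's pam_check_host_attr decision (example, not pam_ldap code)."""

# Entry quoted in the thread (constructed sample input for this example).
USER_LDIF = """\
dn: uid=ldap_5,ou=People,dc=dc,dc=com
uid: ldap_5
cn: ldap_5
sn: ldap_5
mail: ldap_5@dc.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13998
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 513
gidNumber: 513
homeDirectory: /lustre/home/ldap_5
"""

# The /etc/ldap.conf setting the reply refers to (see 'man pam_ldap').
LDAP_CONF_LINE = "pam_check_host_attr yes"


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}, attribute names lower-cased."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def build_host_modify(dn, hosts):
    """LDIF 'changetype: modify' record that adds hostObject plus one host value per host.

    hostObject (ldapns.schema, shipped with pam_ldap) is an auxiliary class, so it can
    be added to an existing inetOrgPerson/posixAccount entry; feed the output to ldapmodify.
    """
    lines = [f"dn: {dn}", "changetype: modify",
             "add: objectClass", "objectClass: hostObject", "-",
             "add: host"]
    lines += [f"host: {h}" for h in hosts]
    return "\n".join(lines) + "\n"


def apply_modify(entry, ldif_change):
    """Apply an add-only modify record to a copy of the entry, simulating the directory server.

    Like a real DSA, it refuses a host attribute on an entry that lacks the hostObject class.
    """
    new = {k: list(v) for k, v in entry.items()}
    lines = [l for l in ldif_change.splitlines() if l.strip()]
    if lines[0].partition(":")[2].strip() != new["dn"][0]:
        raise ValueError("modify record targets a different DN")
    if lines[1].strip().lower() != "changetype: modify":
        raise ValueError("only changetype: modify is modelled here")
    attr = None
    for line in lines[2:]:
        if line.strip() == "-":
            attr = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "add":
            attr = value.lower()
            new.setdefault(attr, [])
        elif key == attr:
            if value not in new[attr]:
                new[attr].append(value)
        else:
            raise ValueError(f"unexpected line in modify record: {line!r}")
    # Schema check: 'host' is only allowed by hostObject.
    classes = {c.lower() for c in new.get("objectclass", [])}
    if new.get("host") and "hostobject" not in classes:
        raise ValueError("objectClass violation: attribute host requires hostObject")
    return new


def host_allowed(entry, local_hostname):
    """Decision pam_check_host_attr makes on a client node.

    Login is allowed only if the local hostname appears among the entry's host values;
    an entry with no host attribute is denied everywhere. Case-insensitive exact
    matching is an assumption of this model.
    """
    return local_hostname.lower() in {h.lower() for h in entry.get("host", [])}


if __name__ == "__main__":
    original = parse_ldif_entry(USER_LDIF)
    change = build_host_modify(original["dn"][0], ["node01", "node02.dc.com"])
    print(change)
    updated = apply_modify(original, change)
    for node in ("node01", "node02.dc.com", "node03"):
        print(f"{node}: {'allowed' if host_allowed(updated, node) else 'denied'}")
```

With pam_check_host_attr set, a user whose entry carries no host attribute is denied on every client, so roll the attribute out before enabling the setting, or existing accounts lose access.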